Portainer Documentation
Official WebsiteGet 5 Nodes of BE Free
Search…
2.14
Welcome
What's new in version 2.14
Release Notes
Getting Started
Introduction
Portainer architecture
Requirements and prerequisites
Install Portainer
Upgrading Portainer
Using Portainer
Home
Docker/Swarm
Kubernetes
Azure ACI
Nomad
Edge Compute
Account settings
Administering Portainer
Users
Environments
Registries
Licenses
Authentication logs
Settings
Frequently Asked Questions
Portainer Concepts
Installing
Upgrading
Troubleshooting
Contributing
Advanced Topics
CLI configuration options
App templates
The Portainer Edge Agent
Access control
Reset the admin user's password
Security and compliance
Encrypting the Portainer database
Using your own SSL certificate with Portainer
Using Portainer with reverse proxies
Deploying Portainer behind Traefik Proxy
Deploying Portainer behind nginx reverse proxy
Helm chart configuration options
Kubernetes roles and bindings
Deprecated and removed features
API
Accessing the Portainer API
API documentation
API usage examples
Get More Help
YouTube
Slack
Discord
Open a support request
Contribute to Portainer
Contribute
Build instructions
Powered By GitBook
Deploying Portainer behind Traefik Proxy
​Traefik Proxy is a reverse proxy and load balancing solution focused on micro services.

Deploying in a Docker Standalone scenario

To deploy Portainer behind Traefik Proxy in a Docker standalone scenario you must use a Docker Compose file. In the following docker-compose.yml you will find the configuration for Portainer Traefik with SSL support and the Portainer Server.
Business Edition
Community Edition
1
version: "3.3"
2
​
3
services:
4
traefik:
5
container_name: traefik
6
image: "traefik:latest"
7
command:
8
- --entrypoints.web.address=:80
9
- --entrypoints.websecure.address=:443
10
- --providers.docker
11
- --log.level=ERROR
12
- --certificatesresolvers.leresolver.acme.httpchallenge=true
13
- --certificatesresolvers.leresolver.acme.email=your-email #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
14
- --certificatesresolvers.leresolver.acme.storage=./acme.json
15
- --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
16
ports:
17
- "80:80"
18
- "443:443"
19
volumes:
20
- "/var/run/docker.sock:/var/run/docker.sock:ro"
21
- "./acme.json:/acme.json"
22
labels:
23
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
24
- "traefik.http.routers.http-catchall.entrypoints=web"
25
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
26
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
27
​
28
portainer:
29
image: portainer/portainer-ee:latest
30
command: -H unix:///var/run/docker.sock
31
restart: always
32
volumes:
33
- /var/run/docker.sock:/var/run/docker.sock
34
- portainer_data:/data
35
labels:
36
# Frontend
37
- "traefik.enable=true"
38
- "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
39
- "traefik.http.routers.frontend.entrypoints=websecure"
40
- "traefik.http.services.frontend.loadbalancer.server.port=9000"
41
- "traefik.http.routers.frontend.service=frontend"
42
- "traefik.http.routers.frontend.tls.certresolver=leresolver"
43
​
44
# Edge
45
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
46
- "traefik.http.routers.edge.entrypoints=websecure"
47
- "traefik.http.services.edge.loadbalancer.server.port=8000"
48
- "traefik.http.routers.edge.service=edge"
49
- "traefik.http.routers.edge.tls.certresolver=leresolver"
50
​
51
​
52
volumes:
53
portainer_data:
Copied!
1
version: "3.3"
2
​
3
services:
4
traefik:
5
container_name: traefik
6
image: "traefik:latest"
7
command:
8
- --entrypoints.web.address=:80
9
- --entrypoints.websecure.address=:443
10
- --providers.docker
11
- --log.level=ERROR
12
- --certificatesresolvers.leresolver.acme.httpchallenge=true
13
- --certificatesresolvers.leresolver.acme.email=your-email #Set your email address here, is for the generation of SSL certificates with Let's Encrypt.
14
- --certificatesresolvers.leresolver.acme.storage=./acme.json
15
- --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
16
ports:
17
- "80:80"
18
- "443:443"
19
volumes:
20
- "/var/run/docker.sock:/var/run/docker.sock:ro"
21
- "./acme.json:/acme.json"
22
labels:
23
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
24
- "traefik.http.routers.http-catchall.entrypoints=web"
25
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
26
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
27
​
28
portainer:
29
image: portainer/portainer-ce:latest
30
command: -H unix:///var/run/docker.sock
31
restart: always
32
volumes:
33
- /var/run/docker.sock:/var/run/docker.sock
34
- portainer_data:/data
35
labels:
36
# Frontend
37
- "traefik.enable=true"
38
- "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
39
- "traefik.http.routers.frontend.entrypoints=websecure"
40
- "traefik.http.services.frontend.loadbalancer.server.port=9000"
41
- "traefik.http.routers.frontend.service=frontend"
42
- "traefik.http.routers.frontend.tls.certresolver=leresolver"
43
​
44
# Edge
45
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
46
- "traefik.http.routers.edge.entrypoints=websecure"
47
- "traefik.http.services.edge.loadbalancer.server.port=8000"
48
- "traefik.http.routers.edge.service=edge"
49
- "traefik.http.routers.edge.tls.certresolver=leresolver"
50
​
51
​
52
volumes:
53
portainer_data:
Copied!
Before you run this file in Docker, you will need to create the acme.json file that will store the SSL certificates. Once it has been created, you can define the file path in the following sections in the Docker Compose file:
In the volumes and command section of the Traefik Proxy container:
1
- "./acme.json:/acme.json"
Copied!
1
- --certificatesresolvers.leresolver.acme.storage=./acme.json
Copied!
You also need to enter your email address for Let's Encrypt registration.
1
- --certificatesresolvers.leresolver.acme.email=your-email
Copied!
Next, customize some labels in the Traefik container. The following labels need to be updated with the URL that you want use to access Portainer:
1
- "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
Copied!
1
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
Copied!
Once this is done, you're ready to deploy Portainer:
1
docker-compose up -d
Copied!
After the images have been downloaded and deployed you will able to access Portainer from the URL you defined earlier, for example: https://portainer.yourdomain.com.

Deploying in a Docker Swarm scenario

To deploy Portainer behind Traefik Proxy in a Docker Swarm scenario you must use a Docker Compose file. In the following docker-compose.yml you will find the configuration for Portainer Traefik with SSL support and the Portainer Server.
This deployment assumes you are running one manager node. If you are using multiple managers we advise reading this FAQ entry before proceeding.
Before deploying the Docker Compose file, you need to create two elements: networks and volumes.
First, create two overlay networks:
1
docker network create -d overlay agent_network
Copied!
1
docker network create -d overlay public
Copied!
Then create the volume:
1
docker volume create portainer_data
Copied!
Save this recipe as portainer.yml:
Business Edition
Community Edition
1
version: '3.2'
2
​
3
services:
4
traefik:
5
image: "traefik:latest"
6
command:
7
- --entrypoints.web.address=:80
8
- --entrypoints.websecure.address=:443
9
- --providers.docker=true
10
- --providers.docker.swarmMode=true
11
- --providers.docker.exposedbydefault=false
12
- --providers.docker.network=public
13
- --api
14
- --log.level=ERROR
15
ports:
16
- "80:80"
17
- "443:443"
18
networks:
19
- public
20
volumes:
21
- "/var/run/docker.sock:/var/run/docker.sock:ro"
22
​
23
agent:
24
image: portainer/agent:latest
25
environment:
26
# REQUIRED: Should be equal to the service name prefixed by "tasks." when
27
# deployed inside an overlay network
28
AGENT_CLUSTER_ADDR: tasks.agent
29
# AGENT_PORT: 9001
30
# LOG_LEVEL: debug
31
volumes:
32
- /var/run/docker.sock:/var/run/docker.sock
33
- /var/lib/docker/volumes:/var/lib/docker/volumes
34
networks:
35
- agent_network
36
deploy:
37
mode: global
38
placement:
39
constraints: [node.platform.os == linux]
40
​
41
portainer:
42
image: portainer/portainer-ee:latest
43
command: -H tcp://tasks.agent:9001 --tlsskipverify
44
volumes:
45
- data:/data
46
networks:
47
- public
48
- agent_network
49
deploy:
50
mode: replicated
51
replicas: 1
52
placement:
53
constraints: [node.role == manager]
54
labels:
55
- "traefik.enable=true"
56
- "traefik.http.routers.portainer.rule=Host(`portainer.yourdomain.com`)"
57
- "traefik.http.routers.portainer.entrypoints=web"
58
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
59
- "traefik.http.routers.portainer.service=portainer"
60
# Edge
61
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
62
- "traefik.http.routers.edge.entrypoints=web"
63
- "traefik.http.services.edge.loadbalancer.server.port=8000"
64
- "traefik.http.routers.edge.service=edge"
65
​
66
networks:
67
public:
68
external: true
69
agent_network:
70
external: true
71
​
72
volumes:
73
data:
Copied!
1
version: '3.2'
2
​
3
services:
4
traefik:
5
image: "traefik:latest"
6
command:
7
- --entrypoints.web.address=:80
8
- --entrypoints.websecure.address=:443
9
- --providers.docker=true
10
- --providers.docker.swarmMode=true
11
- --providers.docker.exposedbydefault=false
12
- --providers.docker.network=public
13
- --api
14
- --log.level=ERROR
15
ports:
16
- "80:80"
17
- "443:443"
18
networks:
19
- public
20
volumes:
21
- "/var/run/docker.sock:/var/run/docker.sock:ro"
22
​
23
agent:
24
image: portainer/agent:latest
25
environment:
26
# REQUIRED: Should be equal to the service name prefixed by "tasks." when
27
# deployed inside an overlay network
28
AGENT_CLUSTER_ADDR: tasks.agent
29
# AGENT_PORT: 9001
30
# LOG_LEVEL: debug
31
volumes:
32
- /var/run/docker.sock:/var/run/docker.sock
33
- /var/lib/docker/volumes:/var/lib/docker/volumes
34
networks:
35
- agent_network
36
deploy:
37
mode: global
38
placement:
39
constraints: [node.platform.os == linux]
40
​
41
portainer:
42
image: portainer/portainer-ce:latest
43
command: -H tcp://tasks.agent:9001 --tlsskipverify
44
volumes:
45
- data:/data
46
networks:
47
- public
48
- agent_network
49
deploy:
50
mode: replicated
51
replicas: 1
52
placement:
53
constraints: [node.role == manager]
54
labels:
55
- "traefik.enable=true"
56
- "traefik.http.routers.portainer.rule=Host(`portainer.yourdomain.com`)"
57
- "traefik.http.routers.portainer.entrypoints=web"
58
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
59
- "traefik.http.routers.portainer.service=portainer"
60
# Edge
61
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
62
- "traefik.http.routers.edge.entrypoints=web"
63
- "traefik.http.services.edge.loadbalancer.server.port=8000"
64
- "traefik.http.routers.edge.service=edge"
65
​
66
networks:
67
public:
68
external: true
69
agent_network:
70
external: true
71
​
72
volumes:
73
data:
Copied!
Finally, customize these labels to match the URL that you want to use to access Portainer:
1
- "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
Copied!
1
- "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
Copied!
You can now deploy Portainer by executing the following:
1
docker stack deploy portainer -c portainer.yml
Copied!
To check the deployment, run docker service ls. You should see an output similar to the following:
1
ID NAME MODE REPLICAS IMAGE PORTS
2
lt21zrypsll6 portainer_agent global 1/1 portainer/agent:latest
3
m6912ynwdcd7 portainer_portainer replicated 1/1 portainer/portainer-ee:latest
4
tw2nb4i640e4 portainer_traefik replicated 1/1 traefik:latest *:80->80/tcp, *:443->443/tcp
Copied!
Once the services are running, you will able to access Portainer from the URL you defined earlier, for example: portainer.yourdomain.com.
Advanced Topics - Previous
Using Portainer with reverse proxies
Next
Deploying Portainer behind nginx reverse proxy
Last modified 12d ago
Copy link
Edit on GitHub
Contents
Deploying in a Docker Standalone scenario
Deploying in a Docker Swarm scenario