Setting up a local reverse proxy on Proxmox with Traefik and Cloudflare
After setting up my AI homelab and various other services in a previous blog post, my friend Nader and I experimented with how to access some of these services using a domain instead of the IP address without exposing our home IP or opening ports.
In this blog post, I will guide you through setting up a local reverse proxy on Proxmox with Traefik v3 and Cloudflare. The result lets you reach your services by domain name over HTTPS with certificates from Let's Encrypt, while the services themselves stay reachable only from inside your network: nothing is port-forwarded and your home IP is never published.
What is a reverse proxy?
A reverse proxy is a server that sits between clients and servers. It forwards client requests to the appropriate backend server and then returns the server’s response to the client. This allows you to host multiple services on a single server and route traffic based on the domain name.
In this simplified diagram the user wants to reach MyService.MyDomain.tld. The request first goes to the DNS resolver, which obtains a local (private) IP address for that name from Cloudflare's public DNS; the reverse proxy listening on that address then forwards the request to the correct service based on the requested host name.
My Proxmox setup
On my Proxmox setup I have a few LXC containers running various services. I have a dedicated LXC container for Traefik v3, which is an unprivileged Alpine Linux container with Docker installed. This setup is, in my opinion, the most stable way to run Traefik on Proxmox.
If you want to replicate the setup: I used tteck's Proxmox helper script to create the LXC container. Accept the Docker Compose installation when the script asks, and it will install Docker and Docker Compose for you.
Setting up Traefik on Docker
From this point on the setup is heavily inspired by the excellent video tutorial by Techno Tim. Inside the Traefik LXC container, create a folder for the Traefik configuration (the rest of this post assumes it is /traefik):
Configuring Traefik v3 with our services
Create a Cloudflare API token (not the account-wide Global API Key) with a restricted scope for the one zone you want to use: it needs Zone:Read and DNS:Edit on that zone and nothing else. Traefik's ACME client reads it from the CF_DNS_API_TOKEN environment variable, so keep it in an environment file with owner-only permissions rather than writing it into a file you might share or commit.
Add a docker-compose.yml file with the following content:
In the data folder we need 3 files:
Add a traefik.yml file with the following content:
Add a config.yml file with the following content:
Add an empty acme.json file and give it owner-only permissions (mode 600): Traefik refuses to use a certificate store that others can read, and this file will hold the private key of every certificate it issues.
At start this file is empty. Traefik's built-in ACME client (not certbot) then fills it with the certificates and keys it obtains from Let's Encrypt after proving control of each hostname through the Cloudflare DNS-01 challenge. Be aware that every hostname you request a certificate for is published in Certificate Transparency logs; a wildcard certificate for *.MyDomain.TLD avoids listing each internal service by name.
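Because the three files themselves are not reproduced on this page, here is an added scaffold script of my own (not the author's files and not Techno Tim's) that writes a working set for Traefik v3 under the assumptions noted in its comments: the domain, the ACME e-mail address and the dashboard htpasswd line are passed as arguments; the service's LAN address (192.168.1.50:8080), the image tag (traefik:v3.1) and the router names are placeholders; and the Cloudflare token is read from a .env file rather than written into the compose file. It also starts against the Let's Encrypt staging CA so that a typo in the token scope cannot burn through production rate limits.

```shell
#!/bin/sh
# Added example, not the author's files: scaffold the /traefik layout this post
# describes. Hostnames, the LAN address, the image tag and the CA URL are assumptions.
set -eu

# Docker Compose interpolates "$" in label values, so an htpasswd entry such as
# "admin:$apr1$..." must have every "$" doubled before it is placed in a label.
compose_escape() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Usage: scaffold_traefik <root dir> <domain> <acme email> <htpasswd line>
scaffold_traefik() {
  root="$1"; domain="$2"; email="$3"; users=$(compose_escape "$4")
  mkdir -p "$root/data"
  # Placeholder token file; the real token needs Zone:Read + DNS:Edit on one zone.
  printf 'CF_DNS_API_TOKEN=replace-me\n' > "$root/.env"
  chmod 600 "$root/.env"
  cat > "$root/docker-compose.yml" <<EOF
services:
  traefik:
    image: traefik:v3.1
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/config.yml:/config.yml:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(\`traefik.${domain}\`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${users}"
EOF
  cat > "$root/data/traefik.yml" <<EOF
api:
  dashboard: true
  insecure: false            # dashboard only via the authenticated router above
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint: { to: websecure, scheme: https }
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # only containers labelled traefik.enable=true
  file:
    filename: /config.yml
    watch: true
certificatesResolvers:
  cloudflare:
    acme:
      email: ${email}
      storage: /acme.json
      # Staging CA while testing the DNS challenge; delete this line for trusted certs.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        resolvers: ["1.1.1.1:53", "1.0.0.1:53"]
EOF
  cat > "$root/data/config.yml" <<EOF
http:
  routers:
    myservice:
      entryPoints: [websecure]
      rule: "Host(\`myservice.${domain}\`)"
      service: myservice
      tls: { certResolver: cloudflare }
  services:
    myservice:
      loadBalancer:
        servers:
          - url: "http://192.168.1.50:8080"   # assumed LAN address of the service
EOF
  # Traefik refuses a certificate store that is readable by others.
  : > "$root/data/acme.json"
  chmod 600 "$root/data/acme.json"
}

[ "$#" -ne 4 ] || scaffold_traefik "$@"
```

Generate the htpasswd line with htpasswd from apache2-utils (for example `htpasswd -nB admin`) or with openssl passwd, then run the script as sh scaffold.sh /traefik MyDomain.TLD you@MyDomain.TLD 'admin:$...'. Afterwards put the real token into /traefik/.env, and once a staging certificate shows up, remove the caServer line, empty acme.json again (keeping mode 600) and restart so Traefik requests production certificates.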
Setting up your domain with Cloudflare
Before running Traefik, configure your domain's DNS on Cloudflare so that your service names resolve to the Traefik container; the zone also has to be on Cloudflare for the DNS-01 challenge that issues the certificates. Here are the steps to set up the necessary DNS records:
- Log in to your Cloudflare account and select the domain you want to configure.
- Navigate to the DNS section of your Cloudflare dashboard.
- Add the following DNS records:
  - A record: points to the local IP address of your Traefik container. Set the name to @ to represent your root domain (e.g. MyDomain.TLD).
  - CNAME record: one per subdomain, pointing to your root domain. For example, for a service reachable at MyService.MyDomain.TLD, create a CNAME record with the name MyService and the value MyDomain.TLD.
- Proxy status: set every one of these records to 'DNS only' (grey cloud). A proxied record publishes Cloudflare's edge addresses instead of yours, and Cloudflare could not forward traffic to a private address anyway. Publishing a private address in public DNS is deliberate here: it only resolves to something reachable from inside your network (or over a VPN into it), and reveals nothing beyond your internal naming scheme. One caveat: the DNS rebinding protection in some routers and resolvers drops public answers that contain private addresses, so if the names do not resolve on your LAN, allow-list the domain in that setting or serve the records from a local DNS server.
- SSL/TLS configuration:
  - Go to the SSL/TLS section of your Cloudflare dashboard.
  - Set the SSL/TLS encryption mode to 'Full (strict)'. Note that this mode only governs traffic Cloudflare proxies; with DNS-only records Cloudflare is never in the connection path, and the certificate your browser sees is the one Traefik obtained from Let's Encrypt. 'Full (strict)' is still the right default so that any record you later switch to proxied cannot fall back to plain HTTP or an unverified certificate between Cloudflare and your origin.
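Once the records exist, it is worth confirming from a public resolver that each name really answers with the Traefik container's private address, which is also the simplest proof that a record is DNS-only: a proxied record answers with Cloudflare edge addresses instead. The following check is an added example of mine, not part of the original post; it assumes dig is installed (bind-tools on Alpine) and takes the domain, the Traefik IP and the subdomain names as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: check the Cloudflare records before
# starting Traefik. Needs dig (apk add bind-tools on Alpine); names are assumptions.
set -eu

# RFC 1918 test: 10/8, 172.16/12, 192.168/16. Exit status 0 means private.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# A "DNS only" record publishes exactly the private address you typed in. A proxied
# (orange cloud) record answers with Cloudflare edge addresses, and since Cloudflare
# cannot reach a private backend the service would not work at all. So: resolve via a
# public resolver and insist on the expected RFC 1918 address. dig follows the CNAME
# (MyService -> MyDomain.TLD); the final A answer is the last line of +short output.
check_record() {
  name="$1"; expected="$2"
  answer=$(dig +short A "$name" @1.1.1.1 | tail -n 1)
  if [ "$answer" = "$expected" ] && is_private_ipv4 "$answer"; then
    echo "ok       $name -> $answer"
    return 0
  fi
  echo "PROBLEM  $name -> '${answer:-no answer}' (expected $expected, record must be DNS only)"
  return 1
}

# Usage: sh check_dns.sh MyDomain.TLD 192.168.1.20 traefik myservice
# Checks the root A record, then each subdomain given as a further argument.
main() {
  domain="$1"; traefik_ip="$2"; shift 2
  status=0
  check_record "$domain" "$traefik_ip" || status=1
  for sub in "$@"; do
    check_record "$sub.$domain" "$traefik_ip" || status=1
  done
  return $status
}

[ "$#" -lt 2 ] || main "$@"
```

If the public resolver answers correctly but your LAN clients still cannot resolve the names, the culprit is almost always the router's DNS rebinding protection mentioned above, not Cloudflare.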
Starting Traefik
In your root folder /traefik, run the following command to start the Traefik container:
At this point you should be able to access the Traefik dashboard at https://traefik.MyDomain.TLD from a device inside your network, logging in with the username and password you set in the docker-compose.yml file. The first certificate can take a minute to appear while the DNS-01 challenge completes; if it never does, the Traefik container log shows the ACME error (a token with the wrong scope is the usual cause).
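As an added example (my script, not the author's), the following brings the stack up and then verifies the two things that most often go wrong silently: which CA issued the certificate Traefik is serving, and whether the dashboard is really behind basic auth. It assumes curl and openssl are available, that it runs from /traefik with the token in .env (for the token check), and takes the domain, the Traefik container's IP and the dashboard credentials as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: start the stack and check what Traefik
# really serves. Domain, LAN address, credentials and the 30 s wait are assumptions.
set -eu

# Let's Encrypt staging issuers are named "(STAGING) ..." (older ones "Fake LE ...").
# Browsers reject them, so a staging issuer means caServer is still set in traefik.yml.
issuer_is_staging() {
  case "$1" in
    *STAGING*|*"Fake LE"*) return 0 ;;
  esac
  return 1
}

# Turn the two dashboard probes (anonymous status, authenticated status) into a verdict.
dashboard_verdict() {
  case "$1/$2" in
    401/200) echo "ok: dashboard requires credentials" ;;
    200/*)   echo "OPEN: dashboard served without credentials, check the middleware label" ;;
    000/*)   echo "no TLS session: no certificate yet, or still from the staging CA" ;;
    *)       echo "unexpected: anonymous=$1 authenticated=$2" ;;
  esac
}

# Issuer of the leaf certificate Traefik returns for an SNI name, fetched by IP so it
# works from the Proxmox host even where the name does not resolve yet.
served_issuer() {
  printf '' | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer
}

# HTTP status of the dashboard, without (2 args) or with (3 args) basic-auth credentials.
# curl verifies the chain, so a staging certificate yields 000 rather than a page.
dashboard_status() {
  if [ "$#" -ge 3 ]; then
    curl -s -o /dev/null -w '%{http_code}' --resolve "$1:443:$2" -u "$3" "https://$1/dashboard/"
  else
    curl -s -o /dev/null -w '%{http_code}' --resolve "$1:443:$2" "https://$1/dashboard/"
  fi
}

# Ask Cloudflare whether the token is valid at all; a wrong or expired token otherwise
# only surfaces as an ACME error deep in the Traefik log.
verify_token() {
  curl -sf -H "Authorization: Bearer ${CF_DNS_API_TOKEN:?not set, source .env first}" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Usage, from /traefik: sh verify.sh MyDomain.TLD 192.168.1.20 'admin:password'
main() {
  domain="$1"; ip="$2"; cred="$3"
  set -a; . ./.env; set +a                       # export CF_DNS_API_TOKEN from .env
  if verify_token >/dev/null; then echo "token: accepted by Cloudflare"; else echo "token: REJECTED"; fi
  docker compose up -d
  sleep 30                                       # DNS-01 challenge plus DNS propagation
  issuer=$(served_issuer "traefik.$domain" "$ip" || echo "no certificate served yet")
  echo "$issuer"
  if issuer_is_staging "$issuer"; then
    echo "staging CA: remove caServer from traefik.yml, empty acme.json (keep mode 600), restart"
  fi
  dashboard_verdict "$(dashboard_status "traefik.$domain" "$ip")" \
                    "$(dashboard_status "traefik.$domain" "$ip" "$cred")"
  docker compose logs --tail 20 traefik          # ACME errors (token scope, zone) show here
}

[ "$#" -ne 3 ] || main "$@"
```

The anonymous probe is the one worth keeping around: if a later edit to the labels drops the middleware, the dashboard (and with it a map of every routed service) becomes readable by anyone on the LAN, and nothing else in the setup will tell you.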
Conclusion
Setting up a local reverse proxy using Proxmox, Traefik, and Cloudflare gives your services proper domain names and browser-trusted certificates without opening a single port to the internet: DNS and the certificate challenge go through Cloudflare, but the traffic itself never leaves your network. By following the steps outlined in this guide, you can achieve a robust setup that makes your services accessible via domain names instead of IP addresses.
If you found this guide useful you can also check the previous ones about Using venv, pyvenv-autoenv, and macOS and Abstracting local development environments through containers.