🦀 ClawHub
Traefik
by @ivangdavila
Avoid common Traefik mistakes — router priority, TLS configuration, Docker labels syntax, and middleware ordering.
TERMINAL
clawhub install traefik📖 About This Skill
name: Traefik description: Avoid common Traefik mistakes — router priority, TLS configuration, Docker labels syntax, and middleware ordering. metadata: {"clawdbot":{"emoji":"🔀","os":["linux","darwin","win32"]}}
Router Basics
rule AND service — missing either = not workingpriority to overrideHost() is case-insensitive — Host(\example.com\) matches Example.comHost(\a.com\) || Host(\b.com\) — OR logicDocker Labels Syntax
deploy.labels for SwarmHost(\example.com\) with escapingtraefik.enable=true — if exposedByDefault=falsetraefik.http.services.myservice.loadbalancer.server.port=80TLS and Certificates
websecure needs TLS config — otherwise plain HTTP on 443certificatesResolvers.myresolver.acme.email required — registration fails withouttls=true on router activates TLS — tls.certresolver=myresolver for auto-certcaServer to staging URL, avoids rate limitsEntryPoints
--entrypoints.web.address=:80entryPoints=web,websecure — comma-separated listMiddlewares
middlewares=auth,compressstripPrefix, redirectScheme, basicAuth, rateLimithtpasswd format — escape $ in Docker Compose with $$Service Configuration
loadbalancer.server.port when container exposes multiple — Traefik can't guesshealthcheck.path=/health — removes unhealthy from rotationloadbalancer.sticky.cookie.name=srv_id — for stateful appsCommon Mistakes
traefik.docker.network with multiple networks — Traefik picks wrong oneapi.insecure=true is dangerous in productionFile Provider
watch=true for hot reload — otherwise restart Traefik on changesDebugging
--log.level=DEBUG for troubleshooting — verbose but helpful--api.insecure=true for local dev only — secure with auth in production