@hivelogic2018
Last active August 25, 2025 06:21
Traefik

Is traefik_dynamic.yaml usually needed while I already have command: --trusted-origins docker.infra.zingastay.com?

traefik_dynamic.yaml

http:
  serversTransports:
    portainer-transport:
      insecureSkipVerify: true

Is a traefik_dynamic.yaml file necessary when you already have command: --trusted-origins docker.infra.zingastay.com? Yes: the two settings configure different components and solve different problems. Here is a breakdown of why both are typically present.

The Role of traefik_dynamic.yaml

Traefik configuration is split into two parts: static and dynamic.

  • Static Configuration is defined in your traefik.yaml file (or as Traefik CLI flags or environment variables). It configures Traefik's core settings at startup, such as entry points, log levels, providers and certificate resolvers, and changing it requires a restart.
  • Dynamic Configuration defines the rules for your services: routers, services, middlewares and serversTransports. It can be loaded from a file like traefik_dynamic.yaml (file provider) or from container labels (docker provider), and Traefik picks up changes without a restart.

The serversTransports block you provided is part of Traefik's dynamic configuration. A serversTransport defines how Traefik talks to the backend servers of a service. insecureSkipVerify: true tells Traefik to accept any TLS certificate the backend presents; people set it because Portainer's HTTPS listener (port 9443) uses a self-signed certificate by default. Be clear about what it costs: Traefik then has no way to tell Portainer apart from anything else answering at that address, so it is only defensible on an isolated Docker network you fully trust. Two safer options: point the transport at Portainer's certificate with rootCAs instead of skipping verification, or, as the configuration below actually does, proxy to the plaintext listener http://portainer:9000 over the internal network. In that second case the transport never performs a TLS handshake and insecureSkipVerify has no effect at all.


The --trusted-origins Flag

The command: --trusted-origins docker.infra.zingastay.com line is not Traefik configuration at all. It is the command-line argument passed to the Portainer container (the command: key of the portainer service in compose.yaml). Portainer protects its API against cross-site request forgery (CSRF) by checking the Origin header of browser requests; --trusted-origins lists additional hostnames whose Origin Portainer should accept, which is needed when users reach Portainer through a reverse proxy under a public name. The value therefore has to be the hostname browsers actually use (the Host in the Traefik router rule), not an internal container or Docker host name. Note that the router below serves Portainer as portainer.intra.zingastay.com, which does not match docker.infra.zingastay.com.


Conclusion

You need both. The traefik_dynamic.yaml file (or the equivalent labels in compose.yaml) is how Traefik learns to route traffic to Portainer and how to handle TLS towards it; the --trusted-origins flag is Portainer's own CSRF protection, and Traefik cannot substitute for it. They address two distinct concerns: one is the proxy in front of the application, the other is the application itself.

# traefik_dynamic.yaml
http:
  routers:
    portainer-router:
      rule: "Host(`portainer.intra.zingastay.com`)"
      entryPoints:
        - "websecure"
      service: "portainer-service"
      middlewares:
        - "auth-portainer@file"   # the auth-portainer middleware defined in this file
      tls: {}                      # terminate TLS on this router

  services:
    portainer-service:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"   # plaintext backend: no TLS, so the transport's insecureSkipVerify is never used
        serversTransport: "portainer-transport@file"   # the serversTransport defined below

  middlewares:
    auth-portainer:
      basicAuth:
        users:
          - "admin:$apr1$h9tYQh/e$s/j9TqS0jIqYjQxL1/f/0"   # placeholder; replace with your own htpasswd hash

  serversTransports:
    portainer-transport:
      insecureSkipVerify: true   # only matters for an https:// backend such as https://portainer:9443; prefer rootCAs there
# traefik_dynamic.yaml
http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.infra.zingastay.com`)"
      service: api@internal   # no middleware here: the dashboard and API are reachable by anyone who can resolve this name; attach a basicAuth or forwardAuth middleware
      priority: 100           # added: Traefik's default priority is the rule length, and the longer teleport-https rule below also matches this host and would otherwise win
      tls:
        certResolver: cloudflare
    teleport-https:
      entryPoints:
        - "websecure"
      # Traefik v3 regexp syntax assumed; anchored and dots escaped so it matches exactly one label under infra.zingastay.com
      rule: "Host(`teleport.zingastay.com`) || HostRegexp(`^[^.]+\\.infra\\.zingastay\\.com$`)"
      service: teleport@docker
      tls:
        certResolver: cloudflare
        domains:
          - main: "infra.zingastay.com"
            sans:
              - "*.infra.zingastay.com"

  serversTransports:
    portainer-transport:
      insecureSkipVerify: true