Otis Wright

Reputation: 2110

Setting up Traefik with Cloudflare

I am trying to set up traefik using a combination of this guide, and the code found here.

I am using docker-compose with Unraid, so far I have the following code:

traefik.toml:

debug = false

logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
#OnHostRule = true
#onDemand = true
[acme.dnsChallenge]
  provider = "cloudflare"
[[acme.domains]]
   main = "domain.name"
[[acme.domains]]
   main = "*.domain.name"

docker-compose.yml:

services:

  traefik:
    image: traefik:latest
    command: --web --docker --docker.watch --docker.domain=${DOMAIN} \
             --docker.exposedbydefault=false --acme.domains=${DOMAIN}
    container_name: traefik
    hostname: traefik
    networks:
      br0:
        ipv4_address: 192.168.1.253
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${CONFIG}/traefik/acme.json:/acme.json
      - ${CONFIG}/traefik/traefik.toml:/etc/traefik/traefik.toml
      - ${CONFIG}/traefik/.htpasswd:/etc/traefik/.htpasswd:ro
    environment:
      - [email protected]
      - CF_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXX
    labels:
      traefik.enable: "true"
      traefik.frontend.rule: "Host:monitor.${DOMAIN}"
      traefik.port: "8080"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  ouroboros:
    image: pyouroboros/ouroboros
    container_name: ouroboros
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PGID
      - PUID
      - TZ
      - CLEANUP=true
      - INTERVAL=86400  # 24hrs
      - SELF_UPDATE=true
      - LABELS_ONLY=true
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    hostname: plex
    networks:
      br0:
        ipv4_address: 192.168.1.252
    volumes:
      - ${CONFIG}/plex:/config
      - ${DATA}/TV:/media/tv
      - ${DATA}/Movies:/media/movies
      - ${DATA}/Music:/media/music
      - ${DATA}/Anime:/media/anime
    environment:
      - PGID
      - PUID
      - TZ
      - VERSION=latest
    labels:
      traefik.enable: "true"
      traefik.port: "32400"
      traefik.frontend.rule: "Host:plex.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  plexpy:
    image: linuxserver/tautulli:latest
    container_name: tautulli
    hostname: tautulli
    networks:
      br0:
        ipv4_address: 192.168.1.251
    volumes:
      - ${CONFIG}/plexpy:/config
      - ${CONFIG}/plex/Library/Application Support/Plex Media Server/Logs:/logs:ro
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "8181"
      traefik.frontend.rule: "Host:tautulli.${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  heimdall:
    image: duhio/heimdall-https:latest
    container_name: heimdall
    hostname: heimdall
    networks:
      br0:
        ipv4_address: 192.168.1.250
    volumes:
      - ${CONFIG}/heimdall:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "80"
      traefik.frontend.rule: "Host:${DOMAIN}"
      traefik.frontend.auth.basic: "${HTPASSWD}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

  ombi:
    image: linuxserver/ombi
    container_name: ombi
    hostname: ombi
    networks:
      br0:
        ipv4_address: 192.168.1.249
    volumes:
      - ${CONFIG}/ombi:/config
    environment:
      - PGID
      - PUID
      - TZ
    labels:
      traefik.enable: "true"
      traefik.port: "3579"
      traefik.frontend.rule: "Host:ombi.${DOMAIN}"
      com.ouroboros.enable: "true"
    restart: unless-stopped

# br0 is an existing Unraid macvlan
networks:
  br0:
    external: true

When I used OnHostRule = true I could get plex.domain.name working with https but none of the other subdomains.

UPDATE: I have concluded that the issue is that the wildcard domains are not working. After talking to a redditor, he was not sure that the wildcards would work when manually specifying the network in the docker-compose.yml with static IPs; so far I have been unable to confirm this.

Digging further I think this may be an issue at the Cloudflare level, source here and report here.

Upvotes: 6

Views: 11173

Answers (1)

dalanmiller

Reputation: 3662

Edit: This configuration is now out of date for Traefik 2.0 and beyond


I have wildcards working with Cloudflare. Here is my configuration:

Part of my traefik.toml file

[acme]
  acmeLogging = true
  email = "[email protected]"
  storage = "/acme.json"
  onHostRule = true
  entryPoint = "https"
  [acme.dnsChallenge]
    provider = "cloudflare"

  [[acme.domains]]
    main = "sub.domain.com"
  [[acme.domains]]
    main = "*.sub.domain.com"

And then in my docker-compose.yml file from which I start my traefik service, I specify an env file:

env_file: ./traefik.env

In this file I have the following environment variables:

CLOUDFLARE_EMAIL=value1
CLOUDFLARE_API_KEY=value2
CF_API_EMAIL=value1
CF_API_KEY=value2

I hope from my examples you'll have something to experiment with and find success!

I heavily recommend adding debug=true in your traefik.toml file as it will display logs which indicate whether or not the Cloudflare setup was successful and for which domains.

Upvotes: 2
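
Added example (not part of the original answer or Traefik's own code): a check of which `traefik.frontend.rule` hosts are covered by the names listed under `[[acme.domains]]`, using the rule that `*` in a certificate name matches exactly one DNS label. The sample inputs are constructed from the question's snippets, `${DOMAIN}` is assumed to expand to `domain.name`, and `files.media.${DOMAIN}` is a made-up host added to show a miss.

```python
import re

# Constructed sample input modelled on the question's files. ${DOMAIN} is
# assumed to be domain.name; the files.media host is invented for the demo.
TRAEFIK_TOML = '''
[acme]
[acme.dnsChallenge]
  provider = "cloudflare"
[[acme.domains]]
   main = "domain.name"
[[acme.domains]]
   main = "*.domain.name"
'''

COMPOSE_LABELS = '''
      traefik.frontend.rule: "Host:monitor.${DOMAIN}"
      traefik.frontend.rule: "Host:plex.${DOMAIN}"
      traefik.frontend.rule: "Host:${DOMAIN}"
      traefik.frontend.rule: "Host:files.media.${DOMAIN}"
'''

def acme_names(toml_text):
    """Certificate names requested under [[acme.domains]] (main = "...")."""
    return re.findall(r'^\s*main\s*=\s*"([^"]+)"', toml_text, re.M)

def frontend_hosts(labels_text, domain):
    """Host names from traefik.frontend.rule labels, with ${DOMAIN} expanded."""
    hosts = []
    for rule in re.findall(r'Host:([^"\s]+)', labels_text):
        hosts += [h.replace("${DOMAIN}", domain).lower() for h in rule.split(",")]
    return hosts

def covers(cert_name, host):
    """True if cert_name is valid for host; '*' stands for exactly one label."""
    cert, name = cert_name.lower().split("."), host.lower().split(".")
    if cert[0] != "*":
        return cert == name
    return len(cert) == len(name) and cert[1:] == name[1:] and name[0] != ""

def coverage(toml_text, labels_text, domain):
    """Map each routed host to the first certificate name covering it, or None."""
    names = acme_names(toml_text)
    return {h: next((n for n in names if covers(n, h)), None)
            for h in frontend_hosts(labels_text, domain)}

if __name__ == "__main__":
    for host, name in coverage(TRAEFIK_TOML, COMPOSE_LABELS, "domain.name").items():
        print(f"{host:28} {name or 'NOT COVERED'}")
```

A host reported as not covered needs its own `[[acme.domains]]` entry (or a deeper wildcard), otherwise Traefik has no matching certificate to serve for it.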
