Traefik

Avoid common Traefik mistakes — router priority, TLS configuration, Docker labels syntax, and middleware ordering.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Iván @ivangdavila
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md is focused on Traefik configuration, router/middleware/service semantics, TLS/ACME notes, and debugging—exactly what the skill name and description promise. There are no unrelated dependencies, credentials, or binaries requested.
Instruction Scope
Instructions are limited to configuration guidance (labels, entryPoints, middleware order, ACME notes, logging, etc.). The file does not instruct the agent to read arbitrary host files, access environment variables, phone home, or perform actions outside Traefik configuration scope.
Install Mechanism
There is no install specification and no code files; the skill is instruction-only. That minimizes risk because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables or credentials. It references Let's Encrypt/ACME behavior (which in practice requires configuration such as an email and reachable ports), but it does not request unrelated secrets or credentials.
Persistence & Privilege
always is false, no install actions, and the skill does not request persistent agent privileges or modify other skills' configurations.
Assessment
This skill is a read-only Traefik best-practices guide and appears internally consistent. Before relying on any configuration change: (1) cross-check with the official Traefik docs for your Traefik version, (2) when enabling ACME/Let's Encrypt provide a valid contact email and ensure ports (80/443) or DNS challenge are correctly configured, and (3) never expose the dashboard in production without authentication. Because this is guidance only, it will not change your system by itself, but applying the suggested settings will require you to edit Traefik configs and possibly open ports—do that only on trusted systems and with backups.

Current version: v1.0.0

Runtime requirements

🔀 Clawdis
OS: Linux · macOS · Windows

SKILL.md

Router Basics

  • Router must have rule AND service — missing either = not working
  • Rule priority: longer rules win by default — explicit priority to override
  • Host() is case-insensitive — Host(`example.com`) matches Example.com
  • Multiple hosts: Host(`a.com`) || Host(`b.com`) — OR logic

Docker Labels Syntax

  • Labels on container, not compose service level — deploy.labels for Swarm
  • Backticks for rules in Docker Compose — Host(`example.com`) with escaping
  • Enable per-container: traefik.enable=true — if exposedByDefault=false
  • Service name auto-generated from container — or set explicitly with traefik.http.services.myservice.loadbalancer.server.port=80

TLS and Certificates

  • EntryPoint websecure needs TLS config — otherwise plain HTTP on 443
  • Let's Encrypt: certificatesResolvers.myresolver.acme.email required — registration fails without
  • HTTP challenge needs port 80 open — DNS challenge for wildcard or closed 80
  • tls=true on router activates TLS — tls.certresolver=myresolver for auto-cert
  • Staging ACME for testing — caServer to staging URL, avoids rate limits

EntryPoints

  • Define in static config — --entrypoints.web.address=:80
  • Redirect HTTP to HTTPS at entrypoint level — cleaner than per-router middleware
  • Router binds to entrypoint with entryPoints=web,websecure — comma-separated list
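
The TLS and EntryPoints items above combined in one static configuration file, as an added example that is not part of the original SKILL.md. The resolver name myresolver follows the page; the e-mail address and the storage path are placeholders.

```yaml
# traefik.yml (static configuration) - added example, values are placeholders
entryPoints:
  web:
    address: ":80"              # must be reachable from the internet for the HTTP challenge
    http:
      redirections:             # HTTP -> HTTPS once, at the entrypoint, not per router
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:                      # without a tls section, 443 would serve plain HTTP
        certResolver: myresolver

certificatesResolvers:
  myresolver:
    acme:
      email: admin@example.com              # placeholder; registration fails if missing
      storage: /letsencrypt/acme.json       # placeholder path; keep it on a persistent volume
      # Staging CA while testing: untrusted certificates, but no production rate limits.
      # Remove this line once issuance works.
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      httpChallenge:
        entryPoint: web         # use a dnsChallenge instead for wildcards or a closed port 80

providers:
  docker:
    exposedByDefault: false     # containers are routed only with traefik.enable=true
```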

Middlewares

  • Chain order matters — first middleware wraps all following
  • Middleware defined once, used by many routers — middlewares=auth,compress
  • Common: stripPrefix, redirectScheme, basicAuth, rateLimit
  • BasicAuth: use htpasswd format — escape $ in Docker Compose with $$

Service Configuration

  • loadbalancer.server.port when container exposes multiple — Traefik can't guess
  • Health check: healthcheck.path=/health — removes unhealthy from rotation
  • Sticky sessions: loadbalancer.sticky.cookie.name=srv_id — for stateful apps

Common Mistakes

  • Router without entryPoint — defaults may not be what you expect
  • Forgetting traefik.docker.network with multiple networks — Traefik picks wrong one
  • ACME storage not persisted — certificates regenerated, hits rate limit
  • Dashboard exposed without auth — api.insecure=true is dangerous in production
  • PathPrefix without StripPrefix — backend receives full path, may 404
  • Services on different ports — each needs explicit port label
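
A Compose service whose labels avoid the mistakes listed above, as an added example that is not part of the original SKILL.md. The names app, app-auth, app-strip, proxy and backend, the hostname and the image are assumptions; the basicAuth value is a placeholder for htpasswd output.

```yaml
# docker-compose.yml - added example, names and hostname are placeholders
services:
  app:
    image: traefik/whoami                 # assumed demo backend listening on port 80
    networks: [proxy, backend]
    labels:
      - "traefik.enable=true"             # required when exposedByDefault=false
      # Two networks attached: tell Traefik which one it shares with this container.
      - "traefik.docker.network=proxy"
      # Backticks delimit the rule values; the whole label is a quoted YAML string.
      - "traefik.http.routers.app.rule=Host(`app.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.app.entrypoints=websecure"   # explicit, no reliance on defaults
      - "traefik.http.routers.app.tls=true"
      - "traefik.http.routers.app.tls.certresolver=myresolver"
      - "traefik.http.routers.app.service=app"
      # Order matters: authentication runs first, then the prefix is stripped.
      - "traefik.http.routers.app.middlewares=app-auth,app-strip"
      # htpasswd format with every $ doubled so Compose does not interpolate it.
      - "traefik.http.middlewares.app-auth.basicauth.users=admin:$$apr1$$<salt>$$<hash>"
      # Without this the backend would receive /api/... and may answer 404.
      - "traefik.http.middlewares.app-strip.stripprefix.prefixes=/api"
      # Explicit port: Traefik cannot guess when several are exposed.
      - "traefik.http.services.app.loadbalancer.server.port=80"
      - "traefik.http.services.app.loadbalancer.healthcheck.path=/health"

networks:
  proxy:
    external: true      # created outside this file, so its name is exactly "proxy"
  backend: {}
```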

File Provider

  • watch=true for hot reload — otherwise restart Traefik on changes
  • Can coexist with Docker provider — useful for external services
  • Define routers, services, middlewares in YAML — same concepts as labels

Debugging

  • --log.level=DEBUG for troubleshooting — verbose but helpful
  • Dashboard shows routers, services, middlewares — verify configuration
  • --api.insecure=true for local dev only — secure with auth in production
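
The dashboard published through an authenticated router instead of --api.insecure=true, as an added example that is not part of the original SKILL.md. The image tag, hostname, and the router and middleware names are assumptions; the basicAuth value is a placeholder for htpasswd output.

```yaml
# docker-compose.yml - added example, names and hostname are placeholders
services:
  traefik:
    image: traefik:v3.0                   # assumed tag; pin the version you actually run
    command:
      - "--api.dashboard=true"            # dashboard on, but NOT --api.insecure=true
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--log.level=INFO"                # switch to DEBUG only while troubleshooting
    ports:
      - "443:443"                         # port 8080 (insecure API entrypoint) is not published
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      # api@internal is Traefik's built-in API and dashboard service.
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      # htpasswd format with every $ doubled for Compose.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$<salt>$$<hash>"
```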
