While Traefik excels at auto-discovering Docker containers through labels, some services like the Unifi Controller require a different approach. The Unifi Controller uses self-signed certificates and runs on HTTPS, making it a perfect candidate for Traefik’s file-based configuration with insecureSkipVerify.
Prerequisites
- Traefik installed and configured (see my Traefik Essentials Setup post)
- Unifi Controller running and accessible on your network
Traefik Configuration
Enable File Provider
First, ensure Traefik can read dynamic configuration files. Add the following to your Traefik container in docker-compose.yml:
Command arguments:
```yaml
command:
  - "--providers.file.directory=/etc/traefik/dynamic"
  - "--providers.file.watch=true"
  # ... your other Traefik arguments
```
Volume mounts:
```yaml
volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - traefik:/certs
  - ./config:/etc/traefik/dynamic:ro
```
The --providers.file.directory tells Traefik where to find dynamic configuration files, and --providers.file.watch=true enables automatic reloading when files change. The ./config directory will hold our dynamic configuration files.
Create Dynamic Configuration File
Create a new file at ./config/unifi.yml with the following configuration:
```yaml
http:
  routers:
    unifi:
      rule: "Host(`unifi.lab.example.com`)"
      service: unifi-service
      entryPoints:
        - websecure
      tls:
        certResolver: le

  services:
    unifi-service:
      loadBalancer:
        servers:
          - url: "https://192.168.1.1"
        serversTransport: unifi-transport

  serversTransports:
    unifi-transport:
      insecureSkipVerify: true
```
Configuration Breakdown
Router Configuration:
- rule: The domain that will route to your Unifi Controller (adjust to match your setup)
- service: References the service definition below
- entryPoints: Uses the secure HTTPS entry point
- tls.certResolver: Uses Let’s Encrypt for valid SSL certificates
Service Configuration:
- url: The IP address and protocol of your Unifi Controller
- serversTransport: References the custom transport configuration
Servers Transport:
- insecureSkipVerify: true: Required because Unifi uses self-signed certificates internally. With it set, Traefik skips certificate verification for any backend that uses this transport.
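An alternative to skipping verification, shown as an added example that is not part of the original post: a serversTransport can instead trust only the controller's own certificate through the rootCAs and serverName options. The transport name, file path and serverName value are assumptions; the certificate has to be exported from the controller, mounted into the Traefik container at that path, and contain a subject alternative name equal to serverName.

```yaml
http:
  services:
    unifi-service:
      loadBalancer:
        servers:
          - url: "https://192.168.1.1"
        # Point the service at the pinned transport instead of unifi-transport
        serversTransport: unifi-transport-pinned

  serversTransports:
    # Setting from the post: any certificate presented at 192.168.1.1 is accepted
    unifi-transport:
      insecureSkipVerify: true

    # Pinned variant (hypothetical name): only the exported controller
    # certificate is trusted, and it must be valid for serverName
    unifi-transport-pinned:
      rootCAs:
        - /etc/traefik/certs/unifi.pem      # hypothetical path inside the container
      serverName: unifi.internal.example    # hypothetical; must match a SAN in the certificate
```

If the controller's certificate has no matching subject alternative name, verification fails and Traefik returns an error for the route until the certificate is reissued with one.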
How It Works
When you navigate to unifi.lab.example.com:
- DNS Resolution: Your DNS resolves the domain to your Traefik server
- SSL Termination: Traefik presents a valid SSL certificate to your browser
- Backend Connection: Traefik connects to the Unifi Controller’s HTTPS interface at 192.168.1.1
- Certificate Bypass: The insecureSkipVerify setting allows Traefik to accept Unifi’s self-signed certificate
- Secure Access: You access your Unifi Controller with a valid SSL certificate, no browser warnings
This file-based approach gives you full control over services that can’t use Docker labels, while still benefiting from Traefik’s reverse proxy capabilities and automatic SSL certificate management.
