After recently installing a Unifi network in my homelab, I wanted a way to reach my services on real domain names with valid certificates; nobody likes the browser errors from self-signed certs. Unifi can create local DNS records, and combined with Traefik as a reverse proxy and Cloudflare as the DNS provider, a match made in heaven was born.
Setup Traefik
For the initial Traefik and Cloudflare API setup, check out my Traefik Essentials Setup post.
Unifi Local DNS
To route traffic from your local devices to Traefik, we need to create a DNS record in the Unifi system. Instead of creating individual records for each service, we’ll use a wildcard DNS record. For this example, we’ll use *.lab.example.com.
Create DNS Record
In your Unifi controller:
- Navigate to Settings → Policy Table
- Click Create New Policy
- Select DNS as the policy type
- Enter the domain name: *.lab.example.com
- Enter the IP address of your server running Traefik
- Click Add to save
This wildcard record will route all subdomains under lab.example.com to your Traefik instance, which will then handle the SSL certificates and reverse proxy routing.
Service Labels
Traefik uses Docker labels to discover services and configure routing. Add the following labels to each container you want to expose through Traefik:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.<your-service>.entrypoints=websecure"
  - "traefik.http.routers.<your-service>.rule=Host(`${APP_URL}`)"
  - "traefik.http.routers.<your-service>.tls=true"
  - "traefik.http.routers.<your-service>.tls.certresolver=le"
  - "traefik.http.routers.<your-service>.tls.domains[0].main=${DOMAIN_MAIN}"
  - "traefik.http.routers.<your-service>.tls.domains[0].sans=${DOMAIN_WILDCARD}"
  - "traefik.http.services.<your-service>.loadbalancer.server.port=8080"
```
Configuration notes:
- Replace <your-service> with a unique name for your service (e.g., portainer, homepage)
- Set the following environment variables in your .env file or docker-compose:
  - ${APP_URL}: The full domain for this service (e.g., portainer.lab.example.com)
  - ${DOMAIN_MAIN}: Your main domain (e.g., example.com)
  - ${DOMAIN_WILDCARD}: The wildcard domain (e.g., *.lab.example.com)
- 8080: Replace with the port your container exposes internally
The wildcard certificate will automatically be generated by Traefik using the Cloudflare DNS challenge, covering all services under your wildcard domain.
Accessing the Traefik Dashboard
To access the Traefik dashboard with a valid SSL certificate, you need to enable the API and add labels to the Traefik container itself.
Enable Traefik API
First, ensure the API is enabled in your Traefik configuration. In your traefik.yml or static configuration, set:
```yaml
api:
  insecure: false
  dashboard: true
```
Setting insecure: false ensures the dashboard is only accessible through defined routers, not on port 8080.
Add Dashboard Labels
Add the following labels to your Traefik container in your docker-compose.yml:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=websecure"
  - "traefik.http.routers.traefik.rule=Host(`${APP_URL}`)"
  - "traefik.http.routers.traefik.tls=true"
  - "traefik.http.routers.traefik.tls.certresolver=le"
  - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN_MAIN}"
  - "traefik.http.routers.traefik.tls.domains[0].sans=${DOMAIN_WILDCARD}"
  - "traefik.http.routers.traefik.service=api@internal"
```
The api@internal service is a special Traefik service that routes to the built-in dashboard. Set your APP_URL environment variable to something like traefik.lab.example.com, and you'll be able to access the dashboard securely with a valid SSL certificate.
How It Works
When you navigate to portainer.lab.example.com in your browser:
- DNS Resolution: Your Unifi DNS resolves the domain to your Traefik server’s local IP address
- Traffic Routing: Traefik receives the request and routes it to the appropriate container based on the host rule
- SSL Certificate: Traefik serves the connection with a valid wildcard SSL certificate obtained through Cloudflare’s DNS challenge
No more browser warnings, just secure, local access to all your homelab services!
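As an added example (my own check script, not part of the original post), the following Python code walks the same three steps for a service name: it resolves the hostname through the resolver the machine is configured with (the Unifi DNS), opens a TLS connection to the resolved address, and confirms that the certificate Traefik serves actually covers the name under the one-label wildcard rule. The expected Traefik IP and the hostnames are placeholders taken from the examples above; substitute your own.

```python
import socket
import ssl
from typing import Iterable, List

def san_matches(hostname: str, san: str) -> bool:
    """Match a hostname against one DNS SAN entry.
    A wildcard such as *.lab.example.com covers exactly one label, so
    portainer.lab.example.com matches but a.b.lab.example.com and
    lab.example.com itself do not (this is how browsers evaluate it)."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]                      # ".lab.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]       # the part the "*" must stand for
    return bool(left) and "." not in left

def covered_by(hostname: str, sans: Iterable[str]) -> bool:
    return any(san_matches(hostname, s) for s in sans)

def uncovered_hosts(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """List the service names the wildcard certificate would NOT cover."""
    sans = list(sans)
    return [h for h in hostnames if not covered_by(h, sans)]

def live_check(hostname: str, expected_ip: str, port: int = 443) -> dict:
    """Resolve the name, then verify the TLS chain and hostname exactly as a
    browser would (create_default_context enables both checks) and report
    which DNS SANs the served certificate contains."""
    resolved = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    with socket.create_connection((resolved, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"resolved_ip": resolved, "dns_ok": resolved == expected_ip,
            "sans": sans, "san_ok": covered_by(hostname, sans)}

if __name__ == "__main__":
    # Placeholder values from the post's examples; replace with your own.
    print(live_check("portainer.lab.example.com", "192.0.2.10"))
```

Running uncovered_hosts over your planned service names with ["example.com", "*.lab.example.com"] before requesting the certificate tells you which names (any with an extra label under lab.example.com) would still produce browser warnings.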
