Traefik Setup

Configure Traefik reverse proxy for Mist.

Overview

Traefik v3.1 is installed automatically with the Mist installation script. It provides:

  • Automatic SSL/TLS certificate management via Let's Encrypt
  • Reverse proxy for all deployed applications
  • HTTP to HTTPS redirection
  • Docker label-based routing
  • Dynamic configuration updates

Installation Location

Traefik is installed in /opt/mist/ with the following structure:

/opt/mist/
├── traefik-compose.yml        # Docker Compose configuration
├── traefik-static.yml          # Static Traefik configuration
└── letsencrypt/
    └── acme.json               # SSL certificates storage

Docker Compose Configuration

/opt/mist/traefik-compose.yml:

yaml
services:
  traefik:
    image: traefik:v3.1
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"      # HTTP
      - "443:443"    # HTTPS
      - "8081:8080"  # Traefik dashboard
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
      - "/var/lib/mist/traefik:/etc/traefik/dynamic:ro"
      - "./traefik-static.yml:/etc/traefik/traefik.yml:ro"
    networks:
      - traefik-net

networks:
  traefik-net:
    external: true

Static Configuration

/opt/mist/traefik-static.yml:

yaml
api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
    network: traefik-net
    endpoint: "unix:///var/run/docker.sock"
  file:
    directory: /etc/traefik/dynamic
    watch: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  le:
    acme:
      email: admin@example.com  # Set during installation
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

log:
  level: INFO

Dynamic Configuration

Mist automatically generates dynamic Traefik configuration in /var/lib/mist/traefik/dynamic.yml based on deployed applications and domains.

This file is auto-generated and updated when:

  • Applications are deployed
  • Domains are added or removed
  • SSL certificates are issued

WARNING

Do not manually edit files in /var/lib/mist/traefik/. They are auto-generated by Mist.

SSL/TLS Configuration

Mist automatically configures Traefik for SSL/TLS with Let's Encrypt integration.

Automatic SSL Setup

When you add a domain to your application, the following happens automatically:

  1. Mist updates the dynamic Traefik configuration
  2. Mist adds Docker labels to the application containers
  3. Traefik requests an SSL certificate from Let's Encrypt via the HTTP-01 challenge
  4. The HTTP to HTTPS redirect is set up
  5. Automatic certificate renewal is enabled (every 60 days)

Certificate Resolver

The Let's Encrypt certificate resolver is configured in /opt/mist/traefik-static.yml:

yaml
certificatesResolvers:
  le:
    acme:
      email: your-email@example.com  # Set during installation
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Certificate Storage

Certificates are stored in /opt/mist/letsencrypt/acme.json.

bash
# View certificate file
ls -la /opt/mist/letsencrypt/acme.json

# Backup certificates
sudo cp /opt/mist/letsencrypt/acme.json /backup/acme.json.$(date +%Y%m%d)

Important

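The acme.json file holds the ACME account key and the private keys of every issued certificate, so it must have 600 permissions. Traefik refuses to use the file if its permissions are more open: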

bash
sudo chmod 600 /opt/mist/letsencrypt/acme.json

How SSL Works in Mist

  1. Domain Added: User adds domain to application via Mist UI
  2. Container Deployed: Mist deploys container with Traefik labels:
    yaml
    traefik.enable=true
    traefik.http.routers.{app-id}.rule=Host(`domain.com`)
    traefik.http.routers.{app-id}.entrypoints=websecure
    traefik.http.routers.{app-id}.tls.certresolver=le
  3. Certificate Request: Traefik automatically requests certificate from Let's Encrypt
  4. HTTP Challenge: Let's Encrypt verifies domain ownership via HTTP-01 challenge
  5. Certificate Issued: Certificate stored in acme.json and served by Traefik
  6. Auto-Renewal: Traefik automatically renews certificates before expiry

Verifying SSL Configuration

Check Traefik logs for certificate operations:

bash
docker logs traefik 2>&1 | grep -i certificate
docker logs traefik 2>&1 | grep -i acme

Look for messages like:

  • Serving default certificate
  • Certificate obtained for domain
  • Renewing certificate

Check certificate status in Mist UI:

  • Navigate to application Domains tab
  • Certificate status shows as "Active" when issued

Learn more about SSL automation →

Dashboard Access

Traefik dashboard is available at:

http://your-server-ip:8081

The dashboard shows:

  • Active routers and services
  • Middleware configuration
  • SSL certificate status
  • Real-time metrics

Security

The dashboard is configured with insecure: true for easy access, which serves the dashboard and API on port 8081 without authentication. In production environments:

  • Restrict access via firewall rules
  • Use SSH tunneling for remote access
  • Or disable the dashboard entirely
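
bash
# Restrict to localhost only (recommended)
# Allow loopback first, then deny the rest: ufw applies the first matching rule
sudo ufw allow from 127.0.0.1 to any port 8081
sudo ufw deny 8081
# Ports published by Docker are handled by Docker's own iptables rules and are
# not filtered by ufw, so confirm from another host that 8081 is unreachable

# Access via SSH tunnel
ssh -L 8081:localhost:8081 user@your-server
# Then browse to http://localhost:8081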
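
A scripted check of the three hardening points this page raises (acme.json permissions, api.insecure, and how the dashboard port is published), as an added example that is not part of Mist or its installer. The function names and the `--run` switch are assumptions of this example; paths default to the layout documented above.

```bash
#!/usr/bin/env bash
# Added example (not Mist's own tooling): audit the files documented on this page.
# Function names are hypothetical; the base directory defaults to /opt/mist.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# acme.json stores private keys, so anything other than 600 is a finding.
check_acme_perms() {
  local f="$1/letsencrypt/acme.json" mode
  [ -f "$f" ] || { echo "FAIL $f is missing"; return 1; }
  mode=$(file_mode "$f")
  if [ "$mode" = "600" ]; then echo "OK   acme.json mode is 600"; return 0; fi
  echo "FAIL acme.json mode is $mode, expected 600"; return 1
}

# api.insecure: true serves the dashboard and API without authentication.
check_api_insecure() {
  local f="$1/traefik-static.yml"
  [ -r "$f" ] || { echo "FAIL $f is not readable"; return 1; }
  if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true' "$f"; then
    echo "WARN api.insecure is true: dashboard has no authentication"; return 1
  fi
  echo "OK   api.insecure is not enabled"
}

# "8081:8080" publishes on every interface; "127.0.0.1:8081:8080" only on loopback.
check_dashboard_bind() {
  local f="$1/traefik-compose.yml" map
  [ -r "$f" ] || { echo "FAIL $f is not readable"; return 1; }
  map=$(grep -Eo '"?[0-9.:]+:8080"?' "$f" | tr -d '"' | head -n 1)
  case "$map" in
    "")          echo "OK   dashboard port is not published" ;;
    127.0.0.1:*) echo "OK   dashboard bound to loopback ($map)" ;;
    *)           echo "WARN dashboard published beyond loopback ($map)"; return 1 ;;
  esac
}

# Run every check; return non-zero if any of them reported a finding.
audit() {
  local base="${1:-/opt/mist}" rc=0
  check_acme_perms "$base"     || rc=1
  check_api_insecure "$base"   || rc=1
  check_dashboard_bind "$base" || rc=1
  return "$rc"
}

# Run against the live install only when invoked as: ./audit.sh --run [base-dir]
if [ "${1:-}" = "--run" ]; then audit "${2:-/opt/mist}"; fi
```

With the configuration shown on this page, the script reports two warnings (api.insecure and the `8081:8080` mapping); a loopback-only mapping such as `127.0.0.1:8081:8080` clears the second one.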

Network Configuration

Mist uses the traefik-net Docker network for routing:

bash
# Verify network exists
docker network inspect traefik-net

# View connected containers
docker network inspect traefik-net --format='{{range .Containers}}{{.Name}} {{end}}'

All application containers are automatically connected to traefik-net when deployed with domains.

Troubleshooting

Check Traefik Status

bash
# Verify Traefik is running
docker ps | grep traefik

# Check container health
docker inspect traefik --format='{{.State.Status}}'

View Logs

bash
# All logs
docker logs traefik

# Follow logs in real-time
docker logs -f traefik

# Search for errors
docker logs traefik 2>&1 | grep -i error

# Certificate-related logs
docker logs traefik 2>&1 | grep -i acme
docker logs traefik 2>&1 | grep -i certificate

Verify Configuration

bash
# Check Traefik version
docker exec traefik traefik version

# Verify static configuration
cat /opt/mist/traefik-static.yml

# Check dynamic configuration
cat /var/lib/mist/traefik/dynamic.yml

Common Issues

Port conflicts:

bash
# Check if ports 80, 443, 8081 are in use
sudo netstat -tulpn | grep -E ':(80|443|8081)[[:space:]]'

Certificate issues:

bash
# Check acme.json permissions
ls -la /opt/mist/letsencrypt/acme.json
# Should be: -rw------- (600)

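# Reset certificates (if needed). This discards the ACME account and every stored
# certificate; Traefik requests new ones after the restart, subject to Let's Encrypt rate limits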
sudo rm /opt/mist/letsencrypt/acme.json
sudo touch /opt/mist/letsencrypt/acme.json
sudo chmod 600 /opt/mist/letsencrypt/acme.json
docker restart traefik

Network issues:

bash
# Verify traefik-net exists
docker network ls | grep traefik-net

# Recreate network if needed
docker network create traefik-net
docker restart traefik

Restart Traefik

bash
cd /opt/mist
docker compose -f traefik-compose.yml restart

For more details, see Traefik Documentation.

Coming Soon

The following Traefik features are planned:

  • Wildcard SSL Certificates - Single certificate for *.domain.com
  • Custom Certificate Upload - Use your own SSL certificates
  • Advanced Rate Limiting - Request throttling per domain
  • IP Whitelisting - Restrict access by IP address
  • Basic Authentication - Password-protect applications via Traefik
  • Custom Headers - Set security headers (HSTS, CSP, etc.)

Released under the MIT License.