Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Nettalco/dokploy/llms.txt

Use this file to discover all available pages before exploring further.

Every application deployed in Dokploy is automatically exposed to the internet through Traefik, a modern reverse proxy and load balancer. Dokploy manages the full lifecycle of Traefik configuration: it generates routing rules when you add a domain, requests and renews Let’s Encrypt TLS certificates automatically, and provides first-class UI controls for editing the raw configuration when you need to go beyond the defaults.

How Dokploy Uses Traefik

When you create an application and assign a domain, Dokploy writes a dynamic configuration file for Traefik into /etc/dokploy/traefik/dynamic/. Traefik watches this directory and hot-reloads routing rules without any restart. The generated config wires together:
  • An HTTP router — matches incoming requests by Host header and forwards them to the right Docker service
  • A TLS certificate resolver — requests a Let’s Encrypt certificate for the domain automatically
  • Any middleware attached to the application (redirects, basic auth, custom headers, etc.)
Traefik runs as a Docker service (dokploy-traefik) managed by Dokploy itself. It listens on ports 80 (HTTP) and 443 (HTTPS) by default.

Traefik Dashboard

The built-in Traefik dashboard gives a real-time view of routers, services, and middleware. It is disabled by default and listens on port 8080 when enabled. Enable the dashboard:
Settings → Web Server → Traefik Dashboard → Enable
This calls settings.toggleDashboard, which:
  1. Checks that port 8080 is not already in use on the host
  2. Adds 8080:8080/tcp to the Traefik Docker service port mappings
  3. Recreates the Traefik service in the background
Check whether the dashboard port is open: settings.haveTraefikDashboardPortEnabled reads the current port list for dokploy-traefik and returns true if port 8080 is published.
The Traefik dashboard is unauthenticated by default. Do not expose port 8080 publicly without adding basic-auth middleware or restricting access at the firewall level.

Reading and Updating Traefik Config

Dokploy exposes three layers of Traefik configuration, each editable independently:
The static config controls global Traefik behaviour — entry points, certificate resolvers, log level, and access logs.
OperationAPI call
Readsettings.readTraefikConfigreadMainConfig()
Writesettings.updateTraefikConfigwriteMainConfig(config)
After saving, reload Traefik for changes to take effect (see Reloading Traefik).

Traefik Environment Variables

Traefik’s runtime environment (for DNS challenge credentials, log levels, etc.) can be read and updated without touching the static config file:
Settings → Web Server → Traefik → Environment Variables
OperationAPI callDescription
Readsettings.readTraefikEnvReturns the current dokploy-traefik environment variables
Writesettings.writeTraefikEnvApplies new environment variables and recreates the Traefik service
writeTraefikEnv internally calls writeTraefikSetup, which prepares the new environment alongside the existing port list and recreates the Docker service in the background — the request returns immediately while the update proceeds asynchronously.

Custom Traefik Files

For advanced use cases (custom providers, static TLS certificates, additional dynamic config), you can manage the raw files in the Traefik config directory directly:
OperationAPI callDescription
Browse directorysettings.readDirectoriesLists files and folders under MAIN_TRAEFIK_PATH
Read a filesettings.readTraefikFileReturns the contents of any file in the config tree
Write a filesettings.updateTraefikFileWrites (or overwrites) a file at the specified path
These operations respect Dokploy’s permission system — the caller must hold the traefikFiles.read or traefikFiles.write permission. Example: creating a custom dynamic config file for a TCP passthrough router:
# /etc/dokploy/traefik/dynamic/my-tcp-router.yml
tcp:
  routers:
    my-tcp:
      entryPoints:
        - web
      rule: "HostSNI(`*`)"
      service: my-tcp-service
  services:
    my-tcp-service:
      loadBalancer:
        servers:
          - address: "192.168.1.10:5432"
Save this file via settings.updateTraefikFile and Traefik will pick it up automatically.

Port Management

By default, Traefik publishes ports 80 and 443. You can add arbitrary additional ports to expose TCP or UDP services (e.g., databases, game servers) through Traefik’s entrypoints.
OperationAPI callDescription
List portssettings.getTraefikPortsreadPorts("dokploy-traefik")Returns all currently published ports
Update portssettings.updateTraefikPortswriteTraefikSetup(...)Replaces the port list and recreates the service
updateTraefikPorts checks each new port for conflicts before applying the change. If a port is already in use by another container, it returns a CONFLICT error. Example port definition:
{
  "targetPort": 8443,
  "publishedPort": 8443,
  "protocol": "tcp"
}

Reloading Traefik

Some configuration changes (environment variables, port bindings) require recreating the Traefik Docker service. Others (dynamic config file updates) are picked up automatically by Traefik’s file provider without a restart. To force a reload after static config changes:
Settings → Web Server → Traefik → Reload
This calls settings.reloadTraefik, which triggers reloadDockerResource("dokploy-traefik") in the background. The function returns immediately; the dashboard polls /api/health to confirm Traefik is back up.

Application-Level Traefik Config

Every application in Dokploy has its own Traefik dynamic config file. You can view and edit it from the application’s Advanced → Traefik Config tab.
OperationAPI callNotes
Readapplication.readTraefikConfigReturns the current per-app config file
Writeapplication.updateTraefikConfigOverwrites the file; Traefik hot-reloads immediately
This is useful for adding custom response headers, rate limiting, or circuit-breaker middleware to a single application without affecting others. Example per-app config with security headers:
http:
  middlewares:
    my-app-headers:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true

  routers:
    my-app:
      middlewares:
        - my-app-headers

Middleware

Middleware transforms HTTP requests and responses as they pass through Traefik. Dokploy pre-configures two common middleware chains:

HTTP → HTTPS Redirect

Automatically redirects all plaintext HTTP requests to their HTTPS equivalent. Configured in the redirects router and applied globally to all Dokploy-managed domains.

Basic Auth

Protects an endpoint with username/password authentication. Managed via the security router and configurable per-application from the Security tab.
You can define additional middleware in settings.updateMiddlewareTraefikConfig and reference it from any application config by name.

Advanced: Custom Traefik Providers

Traefik supports multiple configuration providers (file, Docker, Consul, etc.) running simultaneously. To add a custom file provider that lives outside the default directory:
1

Edit the main (static) config

Read the current config with settings.readTraefikConfig, then add a providers.file entry:
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/dokploy/traefik/dynamic
    watch: true
  # Add a second directory or individual file:
  # file:
  #   filename: /etc/traefik/custom/extra.yml
2

Save and reload

Save with settings.updateTraefikConfig, then reload Traefik via settings.reloadTraefik.
3

Place your config file

Use settings.updateTraefikFile to write the dynamic config file into the watched directory. Traefik will detect it automatically.

Minimal Traefik dynamic config reference

http:
  routers:
    my-router:
      entryPoints:
        - websecure          # 443/HTTPS
      rule: "Host(`example.com`)"
      service: my-service
      tls:
        certResolver: letsencrypt

  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://my-container:3000"

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

Build docs developers (and LLMs) love