← Back to Skills Marketplace
364
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install initial-traefik
Description
Initialize and configure Traefik reverse proxy with Docker. Install Traefik, configure Docker Compose, set up service routing via path prefix or host-based r...
README (SKILL.md)
Initial Traefik
Initialize and configure Traefik v3 reverse proxy with Docker Compose for service routing and load balancing.
Quick Start
1. Create Configuration
mkdir -p ~/.docker/compose
cd ~/.docker/compose
2. Create docker-compose.yml
Use assets/docker-compose.yml as template. Key configuration:
services:
traefik:
image: traefik:v3.0
container_name: traefik
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik-dynamic.yml:/etc/traefik/dynamic.yml:ro
command:
- --api=true
- --api.dashboard=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.file.directory=/etc/traefik
- --providers.file.watch=true
- --entrypoints.web.address=:80
- --accesslog=true
- --metrics.prometheus=true
3. Create Dynamic Configuration
Use assets/traefik-dynamic.yml as template for service routing.
4. Start Traefik
docker compose up -d
5. Connect Services to Network
for container in \x3Cservice-names>; do
docker network connect compose_default $container
done
Routing Options
Option A: Path Prefix Routing (IP + Path)
Access services via http://\x3CIP>/\x3Cservice>:
http:
routers:
n8n:
rule: "PathPrefix(`/n8n`)"
service: n8n
entryPoints:
- web
middlewares:
- n8n-stripprefix
middlewares:
n8n-stripprefix:
stripPrefix:
prefixes:
- /n8n
services:
n8n:
loadBalancer:
servers:
- url: "http://n8n:5678"
Access: http://192.168.9.192/n8n
Option B: Host-Based Routing (.nip.io)
Access services via http://\x3Cservice>.\x3CIP>.nip.io:
http:
routers:
n8n:
rule: "Host(`n8n.192.168.9.192.nip.io`)"
service: n8n
entryPoints:
- web
services:
n8n:
loadBalancer:
servers:
- url: "http://n8n:5678"
Access: http://n8n.192.168.9.192.nip.io
Option C: Docker Labels
Configure routing directly in docker-compose.yml labels:
services:
traefik:
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.192.168.9.192.nip.io`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.entrypoints=web"
Enable Features
See references/features.md for complete feature list and configuration.
Common Tasks
Add New Service
-
Connect container to network:
docker network connect compose_default \x3Ccontainer-name> -
Add router to
traefik-dynamic.yml:routers: myservice: rule: "PathPrefix(`/myservice`)" service: myservice entryPoints: - web middlewares: - myservice-stripprefix services: myservice: loadBalancer: servers: - url: "http://\x3Ccontainer-name>:\x3Cport>"
Traefik auto-reloads configuration.
Check Status
docker logs traefik | grep -E "router|error"
docker exec traefik wget -q -O - http://localhost:8080/api/http/routers
Restart Traefik
docker restart traefik
References
- Features: See
references/features.mdfor all available features - Examples: See
references/examples.mdfor common configurations - Templates: See
assets/for configuration templates
Troubleshooting
- 404 errors: Check container is connected to
compose_defaultnetwork - Configuration not loading: Check
traefik-dynamic.ymlYAML syntax - Service not accessible: Verify container name and port in service configuration
- Dashboard not working: Ensure
--api.dashboard=trueis in command
Usage Guidance
This skill appears to do what it says (set up Traefik via Docker Compose) but includes insecure defaults you should fix before deploying:
- Mounting /var/run/docker.sock into a container gives that container high privileges over your host. Only do this on trusted hosts and understand the risk; a read-only mount flag does not reliably prevent privileged actions.
- The provided docker-compose enables an insecure dashboard (--api.insecure=true) and exposes the dashboard via a public hostname example (nip.io). If you run this on a network reachable from the internet, an attacker could access the Traefik admin UI. Remove --api.insecure=true, restrict the dashboard to an internal network or localhost, and protect it with authentication (basicAuth) or firewall rules.
- Replace example/basicAuth password hashes with your own securely generated credentials; do not reuse the example hash in production.
- If you need public TLS, configure ACME carefully (provide a valid email and secure storage for acme.json) and consider rate limits and domain ownership implications of using nip.io.
Recommended immediate changes before use: remove or restrict --api.insecure=true, bind the dashboard to an internal entrypoint, enable authenticated access, limit exposure of services via firewall, and understand the implications of mounting the Docker socket. If you want, I can provide a hardened docker-compose.yml and traefik-dynamic.yml with safer defaults.
Capability Analysis
Type: OpenClaw Skill
Name: initial-traefik
Version: 1.0.0
The skill is classified as suspicious due to the default configuration of `--api.insecure=true` in `assets/docker-compose.yml`. While the documentation in `references/features.md` explicitly states this is 'for dev only', deploying Traefik with an insecure API and dashboard by default creates a significant vulnerability, allowing unauthorized access to monitor and potentially reconfigure the proxy. Additionally, the skill mounts the Docker socket (`/var/run/docker.sock:ro`), which, even in read-only mode, grants powerful introspection capabilities into the host's Docker environment.
Capability Assessment
Purpose & Capability
Name and description match the assets and runtime instructions: docker-compose and a dynamic Traefik config are provided. The requested filesystem mounts and commands (docker compose up, docker network connect) are expected for running Traefik with Docker.
Instruction Scope
Instructions stay within the stated scope (install/configure Traefik). However the provided examples and docker-compose defaults enable an insecure dashboard (--api.insecure=true / exposed dashboard hostname) and instruct mounting /var/run/docker.sock into the traefik container. Those are functional for the goal but raise security concerns (dashboard exposure, high privilege via Docker socket).
Install Mechanism
This is an instruction-only skill with no install spec or external downloads. Nothing is written to disk by the skill itself beyond the user's creation of the compose files provided as templates.
Credentials
No environment variables or external credentials are requested (proportional). That said, the recommended mount of /var/run/docker.sock grants the Traefik container effective control over the Docker host (common for providers but high privilege). Example basicAuth uses a hardcoded bcrypt string in docs—fine as an example but users must replace it with real credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It's instruction-only and does not modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install initial-traefik - After installation, invoke the skill by name or use
/initial-traefik - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
initial-traefik 1.0.0 – Initial release
- Provides setup instructions for Traefik v3 reverse proxy with Docker Compose.
- Includes example Docker Compose and dynamic configuration templates.
- Covers multiple routing methods: path prefix, host-based (.nip.io), and Docker labels.
- Details enabling features like dashboard, metrics, logging, and tracing.
- Offers troubleshooting steps and references for further configuration.
Metadata
Frequently Asked Questions
What is initial-traefik?
Initialize and configure Traefik reverse proxy with Docker. Install Traefik, configure Docker Compose, set up service routing via path prefix or host-based r... It is an AI Agent Skill for Claude Code / OpenClaw, with 364 downloads so far.
How do I install initial-traefik?
Run "/install initial-traefik" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is initial-traefik free?
Yes, initial-traefik is completely free (open-source). You can download, install and use it at no cost.
Which platforms does initial-traefik support?
initial-traefik is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created initial-traefik?
It is built and maintained by le-shi (@le-shi); the current version is v1.0.0.
More Skills