Using Traefik as Reverse Proxy¶
Best Choice
- No special settings required in combination with modern web applications
- WebSocket proxying automatically works
- Traefik can create and update Let's Encrypt HTTPS certificates for you
Our example shows a working configuration, excluding general PhotoPrism config options documented in Setup Using Docker Compose:
compose.yaml
services:
traefik:
image: traefik:v3.1
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- "./traefik.yaml:/etc/traefik/traefik.yaml"
- "./traefik/data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
photoprism:
image: photoprism/photoprism:latest
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.photoprism.rule=Host(`example.com`)"
- "traefik.http.routers.photoprism.tls=true"
- "traefik.http.routers.photoprism.tls.certresolver=myresolver"
volumes:
- "./originals:/photoprism/originals"
- "./storage:/photoprism/storage"
environment:
PHOTOPRISM_SITE_URL: "https://example.com/"
PHOTOPRISM_DISABLE_TLS: "true"
traefik.yaml
log:
level: INFO
global:
sendAnonymousUsage: false
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
providers:
docker:
exposedByDefault: false
watch: true
api:
insecure: false
dashboard: false
debug: false
certificatesResolvers:
myresolver:
acme:
email: [email protected]
storage: /data/certs.json
httpChallenge:
entryPoint: web
Further examples and a description of the config options can be found in the documentation.
Why Use a Proxy?¶
If you install PhotoPrism on a public server outside your home network, always run it behind a secure HTTPS reverse proxy. Your files and passwords will otherwise be transmitted in clear text and can be intercepted by anyone, including your provider, hackers, and governments. Backup tools and file sync apps may refuse to connect as well.
Help improve these docs! You can contribute by clicking to send a pull request with your changes.