Putting Proxmox web interface behind Traefik reverse proxy is slightly tricky. This guide shows, how to access Proxmox VE WebUI via Traefik reverse proxy and fully qualified domain name.
By default, Proxmox VE uses a self-signed SSL certificate, which is secure but not officially recognized by certificate authorities. Therefore, you see a insecure connection warning in many browsers.
When you use the internal LAN IP of the Proxmox VE server in the Traefik file provider that defines the proxy, either a self-signed certificate is served or the valid SSL certificate on Proxmox does not match the URL (internal IP instead of a fully qualified domain name that the certificate was generated for).
By default, in all my setups (and probably yours too if you have followed my guides), I run Traefik with the following option commented out (default):
#- --serversTransport.insecureSkipVerify=true
This means Traefik will check if the SSL connection to the origin (Proxmox in this case) is secure and valid. This results in Internal Server Error in the web browser.
Obviously, the easy fix is to disable verification of insecure SSL connections by enabling/uncommenting the above option in Traefik Docker compose, like so:
- --serversTransport.insecureSkipVerify=true
This option and the following Traefik file provider saved inside the rules folder, you should allow you to reach Proxmox Web Interface via Traefik.
Note that I assumed you used my Docker and Traefik guides as the base and with Cloudflare as the DNS provider. Otherwise:
Replace {{env "DOMAINNAME_CLOUD_SERVER"}} with your domain name or define DOMAINNAME_CLOUD_SERVER environmental variable in Traefik docker compose.
Replace chain-no-auth with the middleware name in your setup.
Replace https://192.168.1.100:8006 with the URL to your Proxmox VE web interface.
Proxmox Web Interface should now be behind Traefik and be accessible via https://pve.example.com, but with a bit more restrictive security.
The downside of this method is that insecureSkipVerify option is enabled for all services within Traefik, which can be a minor security risk.
Enabling Traefik for Proxmox Web Interface Securely
A more secure way to put Proxmox VE behind Traefik is to disable/comment-out the insecureSkipVerify=true option and slightly modify the Traefik file provider for Proxmox as shown below:
Essentially what we are doing here is to enable insecureSkipVerify only for the services using this file provider, which is only Proxmox as defined under services:.
This should also allow you to reach Proxmox Web Interface using the fully qualified domain name https://pve.example.com.
In my case, I even use chain-oauth middleware to add Google Oauth authentication for additional layer of security. Or, you could use Authelia instead.
Closing Thoughts
Putting Proxmox web interface behind Traefik, instead of using Proxmox's builtin SSL ACME Let's Encrypt SSL certificate method, allows to avoid forwarding port 8006 on the router/internet gateway to the Proxmox host.
But if Traefik is down, you lose access to the Proxmox Web interface. This is where an overlay mesh network such as Zerotier-One or Tailscale comes in handy. You could also use your own Wireguard network to VPN into your home environment to access Proxmox Web Interface
Finally, this procedure is applicable to all services that use a self-signed certification. Another great example is the Ubiquiti Unifi Controller. I might publish a separate guide specific to Unifi Controller.
For now, I hope that this guide not only showed but also explained how to put Proxmox Web Interface behind Traefik Reverse Proxy, securely.
Anand is a self-learned computer enthusiast, hopeless tinkerer (if it ain't broke, fix it), a part-time blogger, and a Scientist during the day. He has been blogging since 2010 on Linux, Ubuntu, Home/Media/File Servers, Smart Home Automation, and related HOW-TOs.
