Use the Traefik binary without docker

This post explain you how to install and configure Traefik without docker.

Traefik is a reverse proxy designed to play with containers (docker or Kubernetes). However, it is possible to use Traefik with its binary and take advantage of its features in systems which don’t have containers.

Goal: Install the Traefik’s binary

Environment: Debian 13, Traefik 3.6.

Execution context:

bash
jho@vmi866042:/etc/traefik$ tree
.
├── dynamic
│   ├── general.yml
│   ├── routersservices.yml
├── traefik.yml
├── acme.json

Result of the “tree” command in the /etc/traefik folder

  • path where are every folder and files : /etc/traefik
  • path of the principal configuration file for Traefik : /etc/traefik/traefik.yml
  • folder where are every dynamic configuration files : /etc/traefik/dynamic
  • path of the file which is used to store SSL certificates for let’s encrypt (or other provider) : /etc/traefik/acme.json
  • folder to store logs : /var/log/

The interest of using the binary instead of the container can be discussed for a long time, but it’s not the objective here. No presentation around Traefik in this documentation, you can read it the Traefik presentation .

System preparation#

Start by downloading the binary from the official GitHub repository : https://github.com/traefik/traefik/releases . I’ll use the 3.6.0 version in a VM, which is a Debian 13. Tests were done too, with success in an Ubuntu 24.04.

bash
cd /tmp && wget https://github.com/traefik/traefik/releases/download/v3.6.0/traefik_v3.6.0_linux_amd64.tar.gz && tar xzvf traefik_v3.6.0_linux_amd64.tar.gz

To quickly test its functions, start the binary and look at the listening port on your machine:

bash
./traefik
ss -ntlp # should give this informations :

LISTEN  0       128                  *:80                  *:*      users:(("traefik",pid=450,fd=3))

Without configuration file or option, Traefik will listen (by default) on the port 80/TCP. There is no automatic redirection, no TLS section, no redirection to your internal services, no dashboard…

Let’s copy the binary to a system path with the needed rights:

bash
cp /tmp/traefik /usr/local/bin/.
chown traefik: /usr/local/bin/traefik
chmod +x /usr/local/bin/traefik

User root is required. Traefik needs elevated system privileges to listen on system ports like 80 and 443.

Like docker version, Traefik is owned by the user “traefik” — its default folder is /etc/traefik for its configuration files. After downloading the binary, you have to create this configuration (example):

bash
groupadd traefik
useradd -g traefik --no-user-group -d /etc/traefik --no-create-home -s /usr/sbin/nologin -r traefik

mkdir -p /etc/traefik/dynamic
chown -R traefik: /etc/traefik/.

touch /var/log/traefik.log && chown traefik: /var/log/traefik.log

In my precedent configuration files for Traefik, I used to use the path /etc/traefik/dynamic to store dynamic configuration files.

Log file are in the folder/var/log, which is the default path. Principal configuration file of Traefik is in the folder /etc/traefik.

Traefik preparation#

Create the configuration file “/etc/traefik/traefik.yml”:

bash
---
global:
  sendAnonymousUsage: false
  checkNewVersion: false

api:
  dashboard: true

log:
  filePath: "/var/log/traefik.log"
  format: json
  level: "ERROR"

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
    watch: true
  file:
    directory: "/dynamic"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

I comment the block about the automatic redirection from HTTP to HTTPS. This bloc is not mandatory for the first start.

Now, create the systemd service file at /etc/systemd/system/traefik.service:

bash
# /etc/systemd/system/traefik.service
[Unit]
Description=Traefik
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/traefik
AssertPathExists=/etc/traefik/traefik.yml

[Service]
Type=notify
User=traefik
Group=traefik
Restart=on-failure
TimeoutStopSec=300
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml
WatchdogSec=1s
LimitNPROC=1
# allow writing of acme.json
ReadWritePaths=/etc/traefik/acme.json /var/log/traefik.log

ProtectSystem=strict
PrivateTmp=true
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target

Give it the right permissions and reload systemd:

bash
chown root: /etc/systemd/system/traefik.service
chmod 644 /etc/systemd/system/traefik.service
systemctl daemon-reload
systemctl enable --now traefik.service

Now, Traefik is up and ready to forward some requests. The configuration file traefik.yml I typed in this post is simple but ready to go.

To access to the dashboard, open your navigator and type the IP of Traefik with its port 8080. Now it’s time to configure your services…!

P1 Article info
// manifest
Tags
#Traefik
Author
Julien HOMMET
Published
Reading time
3 minutes
Word count
604 words
Category
Tuto
Last modified

Stay Updated

Subscribe to the RSS feed or follow for new articles.

RSS Feed GitHub

Related articles

No image
#traefik

Traefik, a service to rules them all

Traefik is an open-source reverse-proxy and load-balancer HTTP, TCP and UDP. This article give you some information about it.

Read more

Latest in #traefik