Skip to content

Environment Variables

All supported environment variables for Traefik Manager.

Override variables vs env-only

Variables marked ✅ override the corresponding manager.yml field on every restart - the env var always wins. Variables marked - are env-only and never written to manager.yml. To manage a setting through the UI instead, remove the env var and the value saved in manager.yml will be used.


Quick Reference

Connection & Traefik

VariableDefaultOverrideDescription
TRAEFIK_API_URLhttp://traefik:8080traefik_api_urlTraefik API URL
TRAEFIK_API_USER(unset)traefik_api_userUsername for Traefik API basic auth
TRAEFIK_API_PASSWORD(unset)traefik_api_passwordPassword for Traefik API basic auth (stored encrypted)

Authentication

VariableDefaultOverrideDescription
COOKIE_SECUREfalse-Mark session cookie as Secure - required for HTTPS
AUTH_ENABLEDtrueauth_enabledSet to false to disable built-in login entirely
ADMIN_PASSWORD(unset)password_hashAdmin password in plain text (hashed at runtime)

Routes & Domains

VariableDefaultOverrideDescription
DOMAINSexample.comdomainsComma-separated base domains for the Add Route form
CERT_RESOLVERcloudflarecert_resolverDefault ACME resolver name. Use none for external certs

Config Files

VariableDefaultOverrideDescription
CONFIG_DIR(unset)-Directory - all .yml files loaded automatically
CONFIG_PATHS(unset)-Comma-separated list of config file paths
CONFIG_PATH/app/config/dynamic.yml-Single config file (default)
BACKUP_DIR/app/backups-Directory for timestamped config backups
SETTINGS_PATH/app/config/manager.yml-Path to the TM settings file

Static Config & Restart

VariableDefaultOverrideDescription
STATIC_CONFIG_PATH/app/traefik.yml-Traefik static config - required for Plugins tab and Static Config editor
RESTART_METHOD(unset)-proxy, socket, or poison-pill
TRAEFIK_CONTAINERtraefik-Container name for proxy and socket restart methods
DOCKER_HOST(unset)-Docker socket URL - set to tcp://socket-proxy:2375 for proxy method
SIGNAL_FILE_PATH/signals/restart.sig-Signal file path for poison-pill method

Monitoring

VariableDefaultOverrideDescription
ACME_JSON_PATH/app/acme.json-Path to acme.json for the Certificates tab
ACCESS_LOG_PATH/app/logs/access.log-Path to access log for the Logs tab
CROWDSEC_LAPI_URL(unset)crowdsec_lapi_urlCrowdSec LAPI base URL (e.g. http://crowdsec:8080)
CROWDSEC_API_KEY(unset)crowdsec_api_keyCrowdSec bouncer API key, reads decisions (stored encrypted)
CROWDSEC_MACHINE_ID(unset)crowdsec_machine_idCrowdSec machine login, enables the Alerts view and unban
CROWDSEC_MACHINE_PASSWORD(unset)crowdsec_machine_passwordPassword for the machine login (stored encrypted)

Agents

VariableDefaultOverrideDescription
AGENT_API_RATE_LIMIT30-Max requests/minute on /api/agents/* endpoints in TM (per IP)

Security

VariableDefaultOverrideDescription
SECRET_KEY(auto-generated)-Flask session signing key
OTP_ENCRYPTION_KEY(auto-generated)-Fernet key for encrypting TOTP secrets

Connection & Traefik

TRAEFIK_API_URL

Default: http://traefik:8080Overrides: traefik_api_url in manager.yml

The URL of the Traefik API. Must be reachable from the host running Traefik Manager.

yaml
environment:
  - TRAEFIK_API_URL=http://traefik:8080

TRAEFIK_API_USER

Default: (unset)
Overrides: traefik_api_user in manager.yml

Username for HTTP Basic Auth on the Traefik API. Set this when api.insecure: false and basic auth is configured on the Traefik dashboard. Must be set together with TRAEFIK_API_PASSWORD.

Can also be configured via Settings → Connection without a restart.


TRAEFIK_API_PASSWORD

Default: (unset)
Overrides: traefik_api_password in manager.yml (stored encrypted)

Password for HTTP Basic Auth on the Traefik API. Stored encrypted at rest. Leave blank to keep the existing value when updating other settings.

Can also be configured via Settings → Connection without a restart.


Authentication

Default: falseenv-only - not stored in manager.yml.

Set to true when Traefik Manager is served over HTTPS.

yaml
environment:
  - COOKIE_SECURE=true

WARNING

If you are behind a reverse proxy with HTTPS and do not set this, logins will fail silently.


AUTH_ENABLED

Default: trueOverrides: auth_enabled in manager.yml

Set to false to disable the built-in login entirely. Use when TM is protected by an external auth provider (Authentik, Authelia, Traefik basicAuth, etc.).

yaml
environment:
  - AUTH_ENABLED=false

DANGER

When disabled, the UI is fully open. Only use this behind another authentication layer.


ADMIN_PASSWORD

Default: (unset)Overrides: password_hash in manager.yml

Set the admin password in plain text. Hashed with bcrypt at runtime. Useful for scripted deployments.

yaml
environment:
  - ADMIN_PASSWORD=mysecretpassword

INFO

When set, the in-UI password change and flask reset-password have no effect. Remove the variable to switch back to manager.yml-managed passwords.


Routes & Domains

DOMAINS

Default: example.comOverrides: domains in manager.yml

Comma-separated list of base domains shown in the Add Route form.

yaml
environment:
  - DOMAINS=example.com,home.lab

CERT_RESOLVER

Default: cloudflareOverrides: cert_resolver in manager.yml

One or more ACME cert resolver names, comma-separated. The first is the default for new routes. Each route can override this individually in the Add/Edit Route form.

Set to none if you manage certificates externally (cert files, internal CA, tls.yml). Routes will use tls: {} with no certResolver.

yaml
environment:
  - CERT_RESOLVER=letsencrypt

  - CERT_RESOLVER=letsencrypt, cloudflare

  - CERT_RESOLVER=none

Config Files

CONFIG_DIR, CONFIG_PATHS, CONFIG_PATH

env-only - not stored in manager.yml.

Traefik Manager can manage one or many dynamic config files. Three variables control this in priority order:

CONFIG_DIR  >  CONFIG_PATHS  >  CONFIG_PATH

Only one should be set. When multiple config files are loaded, a Config File dropdown appears in the Add/Edit Route and Middleware modals. CONFIG_DIR also includes a + New file... option to create files on the fly.


CONFIG_DIR

Default: (unset)

Point to a directory and every .yml file inside it is loaded automatically.

yaml
environment:
  - CONFIG_DIR=/app/config/traefik
volumes:
  - /host/traefik/config:/app/config/traefik

CONFIG_PATHS

Default: (unset)

Comma-separated list of full config file paths. Good for 2-5 named files.

yaml
environment:
  - CONFIG_PATHS=/app/config/routes.yml,/app/config/services.yml
volumes:
  - /host/routes.yml:/app/config/routes.yml
  - /host/services.yml:/app/config/services.yml

CONFIG_PATH

Default: /app/config/dynamic.yml

Single config file. Default for most setups.

yaml
environment:
  - CONFIG_PATH=/data/traefik/dynamic.yml
volumes:
  - /path/to/traefik/dynamic.yml:/data/traefik/dynamic.yml

BACKUP_DIR

Default: /app/backups

Directory where timestamped backups are stored before every config save.

yaml
environment:
  - BACKUP_DIR=/data/backups
volumes:
  - /path/to/backups:/data/backups

SETTINGS_PATH

Default: /app/config/manager.yml

Path to the Traefik Manager settings file.

yaml
environment:
  - SETTINGS_PATH=/data/manager.yml
volumes:
  - /path/to/manager.yml:/data/manager.yml

Static Config & Restart

STATIC_CONFIG_PATH

Default: /app/traefik.yml

Path to Traefik's static config (traefik.yml or traefik.toml). Required for the Plugins tab and Static Config editor. Mount read-write (no :ro) to allow editing. Can also be set via Settings → System Monitoring → File Paths without a restart.

yaml
environment:
  - STATIC_CONFIG_PATH=/app/traefik.yml
volumes:
  - /path/to/traefik.yml:/app/traefik.yml

RESTART_METHOD

Default: (unset)

How TM restarts Traefik after static config changes. Required for the Restart button in the Static Config editor.

ValueDescription
proxyVia a Docker socket proxy sidecar (recommended)
socketVia a directly mounted Docker socket
poison-pillWrites a signal file; Traefik's healthcheck detects it and restarts
yaml
environment:
  - RESTART_METHOD=proxy

See Static Config for full compose snippets for each method.


TRAEFIK_CONTAINER

Default: traefik

The name of the Traefik container to restart. Used by the proxy and socket restart methods.

yaml
environment:
  - TRAEFIK_CONTAINER=traefik

DOCKER_HOST

Default: (unset - uses /var/run/docker.sock)

Docker socket URL. Set to tcp://socket-proxy:2375 when using the proxy restart method.

yaml
environment:
  - DOCKER_HOST=tcp://socket-proxy:2375

SIGNAL_FILE_PATH

Default: /signals/restart.sig

Signal file path for the poison-pill restart method. Must be on a shared volume between TM and Traefik.

yaml
environment:
  - SIGNAL_FILE_PATH=/signals/restart.sig

Monitoring

ACME_JSON_PATH

Default: /app/acme.json

Path to Traefik's acme.json. Required for the Certificates tab. Can also be set via Settings → System Monitoring → File Paths without a restart.

yaml
environment:
  - ACME_JSON_PATH=/letsencrypt/acme.json
volumes:
  - /path/to/acme.json:/letsencrypt/acme.json:ro

ACCESS_LOG_PATH

Default: /app/logs/access.log

Path to Traefik's access log. Required for the Logs tab. Enable access logging in your Traefik static config first:

yaml
accessLog:
  filePath: /var/log/traefik/access.log
yaml
environment:
  - ACCESS_LOG_PATH=/logs/access.log
volumes:
  - /path/to/access.log:/logs/access.log:ro

CROWDSEC_LAPI_URL

Default: (unset)
Overrides: crowdsec_lapi_url in manager.yml

Base URL of the CrowdSec Local API. Required to enable the CrowdSec tab. The value set in Settings → System Monitoring → CrowdSec takes priority over this env var; the env var is used as a fallback when the settings field is blank.

yaml
environment:
  - CROWDSEC_LAPI_URL=http://crowdsec:8080

CROWDSEC_API_KEY

Default: (unset)
Overrides: crowdsec_api_key in manager.yml (stored encrypted)

CrowdSec bouncer API key, used to read decisions. Generate one with cscli bouncers add traefik-manager inside the CrowdSec container. The settings field value takes priority over this env var.

yaml
environment:
  - CROWDSEC_API_KEY=your-bouncer-key

CROWDSEC_MACHINE_ID / CROWDSEC_MACHINE_PASSWORD

Default: (unset)
Overrides: crowdsec_machine_id / crowdsec_machine_password in manager.yml (password stored encrypted)

CrowdSec machine credentials. Required to read alerts and to unban (delete decisions) from the CrowdSec tab - bouncer keys get 403 access forbidden on those endpoints. Decisions only need CROWDSEC_API_KEY. Create a machine with cscli machines add traefik-manager --auto and copy the login / password from local_api_credentials.yaml. The settings field values take priority over these env vars.

yaml
environment:
  - CROWDSEC_MACHINE_ID=traefik-manager
  - CROWDSEC_MACHINE_PASSWORD=your-machine-password

If the password contains a $, escape it as $$ in docker-compose.yml.


Security

SECRET_KEY

Default: (auto-generated and persisted as .secret_key alongside SETTINGS_PATH)

Flask session signing key. Set this to keep sessions alive across container restarts without re-login.

yaml
environment:
  - SECRET_KEY=your-random-32-byte-hex-string

Generating a key

bash
python3 -c "import secrets; print(secrets.token_hex(32))"

OTP_ENCRYPTION_KEY

Default: (auto-generated and stored as .otp_key alongside SETTINGS_PATH)

Fernet key for encrypting TOTP secrets at rest in manager.yml.

yaml
environment:
  - OTP_ENCRYPTION_KEY=your-32-byte-url-safe-base64-key

Generating a key

bash
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

WARNING

If you lose this key, existing TOTP secrets become unreadable and 2FA must be re-enrolled. Back up .otp_key alongside your config volume.