Environment Variables
All supported environment variables for Traefik Manager.
Override variables vs env-only
Variables marked ✅ override the corresponding manager.yml field on every restart - the env var always wins. Variables marked - are env-only and never written to manager.yml. To manage a setting through the UI instead, remove the env var and the value saved in manager.yml will be used.
Quick Reference
Connection & Traefik
| Variable | Default | Override | Description |
|---|---|---|---|
TRAEFIK_API_URL | http://traefik:8080 | ✅ traefik_api_url | Traefik API URL |
TRAEFIK_API_USER | (unset) | ✅ traefik_api_user | Username for Traefik API basic auth |
TRAEFIK_API_PASSWORD | (unset) | ✅ traefik_api_password | Password for Traefik API basic auth (stored encrypted) |
Authentication
| Variable | Default | Override | Description |
|---|---|---|---|
COOKIE_SECURE | false | - | Mark session cookie as Secure - required for HTTPS |
AUTH_ENABLED | true | ✅ auth_enabled | Set to false to disable built-in login entirely |
ADMIN_PASSWORD | (unset) | ✅ password_hash | Admin password in plain text (hashed at runtime) |
Routes & Domains
| Variable | Default | Override | Description |
|---|---|---|---|
DOMAINS | example.com | ✅ domains | Comma-separated base domains for the Add Route form |
CERT_RESOLVER | cloudflare | ✅ cert_resolver | Default ACME resolver name. Use none for external certs |
Config Files
| Variable | Default | Override | Description |
|---|---|---|---|
CONFIG_DIR | (unset) | - | Directory - all .yml files loaded automatically |
CONFIG_PATHS | (unset) | - | Comma-separated list of config file paths |
CONFIG_PATH | /app/config/dynamic.yml | - | Single config file (default) |
BACKUP_DIR | /app/backups | - | Directory for timestamped config backups |
SETTINGS_PATH | /app/config/manager.yml | - | Path to the TM settings file |
Static Config & Restart
| Variable | Default | Override | Description |
|---|---|---|---|
STATIC_CONFIG_PATH | /app/traefik.yml | - | Traefik static config - required for Plugins tab and Static Config editor |
RESTART_METHOD | (unset) | - | proxy, socket, or poison-pill |
TRAEFIK_CONTAINER | traefik | - | Container name for proxy and socket restart methods |
DOCKER_HOST | (unset) | - | Docker socket URL - set to tcp://socket-proxy:2375 for proxy method |
SIGNAL_FILE_PATH | /signals/restart.sig | - | Signal file path for poison-pill method |
Monitoring
| Variable | Default | Override | Description |
|---|---|---|---|
ACME_JSON_PATH | /app/acme.json | - | Path to acme.json for the Certificates tab |
ACCESS_LOG_PATH | /app/logs/access.log | - | Path to access log for the Logs tab |
CROWDSEC_LAPI_URL | (unset) | ✅ crowdsec_lapi_url | CrowdSec LAPI base URL (e.g. http://crowdsec:8080) |
CROWDSEC_API_KEY | (unset) | ✅ crowdsec_api_key | CrowdSec bouncer API key, reads decisions (stored encrypted) |
CROWDSEC_MACHINE_ID | (unset) | ✅ crowdsec_machine_id | CrowdSec machine login, enables the Alerts view and unban |
CROWDSEC_MACHINE_PASSWORD | (unset) | ✅ crowdsec_machine_password | Password for the machine login (stored encrypted) |
Agents
| Variable | Default | Override | Description |
|---|---|---|---|
AGENT_API_RATE_LIMIT | 30 | - | Max requests/minute on /api/agents/* endpoints in TM (per IP) |
Security
| Variable | Default | Override | Description |
|---|---|---|---|
SECRET_KEY | (auto-generated) | - | Flask session signing key |
OTP_ENCRYPTION_KEY | (auto-generated) | - | Fernet key for encrypting TOTP secrets |
Connection & Traefik
TRAEFIK_API_URL
Default: http://traefik:8080Overrides: traefik_api_url in manager.yml
The URL of the Traefik API. Must be reachable from the host running Traefik Manager.
environment:
- TRAEFIK_API_URL=http://traefik:8080TRAEFIK_API_USER
Default: (unset)
Overrides: traefik_api_user in manager.yml
Username for HTTP Basic Auth on the Traefik API. Set this when api.insecure: false and basic auth is configured on the Traefik dashboard. Must be set together with TRAEFIK_API_PASSWORD.
Can also be configured via Settings → Connection without a restart.
TRAEFIK_API_PASSWORD
Default: (unset)
Overrides: traefik_api_password in manager.yml (stored encrypted)
Password for HTTP Basic Auth on the Traefik API. Stored encrypted at rest. Leave blank to keep the existing value when updating other settings.
Can also be configured via Settings → Connection without a restart.
Authentication
COOKIE_SECURE
Default: falseenv-only - not stored in manager.yml.
Set to true when Traefik Manager is served over HTTPS.
environment:
- COOKIE_SECURE=trueWARNING
If you are behind a reverse proxy with HTTPS and do not set this, logins will fail silently.
AUTH_ENABLED
Default: trueOverrides: auth_enabled in manager.yml
Set to false to disable the built-in login entirely. Use when TM is protected by an external auth provider (Authentik, Authelia, Traefik basicAuth, etc.).
environment:
- AUTH_ENABLED=falseDANGER
When disabled, the UI is fully open. Only use this behind another authentication layer.
ADMIN_PASSWORD
Default: (unset)Overrides: password_hash in manager.yml
Set the admin password in plain text. Hashed with bcrypt at runtime. Useful for scripted deployments.
environment:
- ADMIN_PASSWORD=mysecretpasswordINFO
When set, the in-UI password change and flask reset-password have no effect. Remove the variable to switch back to manager.yml-managed passwords.
Routes & Domains
DOMAINS
Default: example.comOverrides: domains in manager.yml
Comma-separated list of base domains shown in the Add Route form.
environment:
- DOMAINS=example.com,home.labCERT_RESOLVER
Default: cloudflareOverrides: cert_resolver in manager.yml
One or more ACME cert resolver names, comma-separated. The first is the default for new routes. Each route can override this individually in the Add/Edit Route form.
Set to none if you manage certificates externally (cert files, internal CA, tls.yml). Routes will use tls: {} with no certResolver.
environment:
- CERT_RESOLVER=letsencrypt
- CERT_RESOLVER=letsencrypt, cloudflare
- CERT_RESOLVER=noneConfig Files
CONFIG_DIR, CONFIG_PATHS, CONFIG_PATH
env-only - not stored in manager.yml.
Traefik Manager can manage one or many dynamic config files. Three variables control this in priority order:
CONFIG_DIR > CONFIG_PATHS > CONFIG_PATHOnly one should be set. When multiple config files are loaded, a Config File dropdown appears in the Add/Edit Route and Middleware modals. CONFIG_DIR also includes a + New file... option to create files on the fly.
CONFIG_DIR
Default: (unset)
Point to a directory and every .yml file inside it is loaded automatically.
environment:
- CONFIG_DIR=/app/config/traefik
volumes:
- /host/traefik/config:/app/config/traefikCONFIG_PATHS
Default: (unset)
Comma-separated list of full config file paths. Good for 2-5 named files.
environment:
- CONFIG_PATHS=/app/config/routes.yml,/app/config/services.yml
volumes:
- /host/routes.yml:/app/config/routes.yml
- /host/services.yml:/app/config/services.ymlCONFIG_PATH
Default: /app/config/dynamic.yml
Single config file. Default for most setups.
environment:
- CONFIG_PATH=/data/traefik/dynamic.yml
volumes:
- /path/to/traefik/dynamic.yml:/data/traefik/dynamic.ymlBACKUP_DIR
Default: /app/backups
Directory where timestamped backups are stored before every config save.
environment:
- BACKUP_DIR=/data/backups
volumes:
- /path/to/backups:/data/backupsSETTINGS_PATH
Default: /app/config/manager.yml
Path to the Traefik Manager settings file.
environment:
- SETTINGS_PATH=/data/manager.yml
volumes:
- /path/to/manager.yml:/data/manager.ymlStatic Config & Restart
STATIC_CONFIG_PATH
Default: /app/traefik.yml
Path to Traefik's static config (traefik.yml or traefik.toml). Required for the Plugins tab and Static Config editor. Mount read-write (no :ro) to allow editing. Can also be set via Settings → System Monitoring → File Paths without a restart.
environment:
- STATIC_CONFIG_PATH=/app/traefik.yml
volumes:
- /path/to/traefik.yml:/app/traefik.ymlRESTART_METHOD
Default: (unset)
How TM restarts Traefik after static config changes. Required for the Restart button in the Static Config editor.
| Value | Description |
|---|---|
proxy | Via a Docker socket proxy sidecar (recommended) |
socket | Via a directly mounted Docker socket |
poison-pill | Writes a signal file; Traefik's healthcheck detects it and restarts |
environment:
- RESTART_METHOD=proxySee Static Config for full compose snippets for each method.
TRAEFIK_CONTAINER
Default: traefik
The name of the Traefik container to restart. Used by the proxy and socket restart methods.
environment:
- TRAEFIK_CONTAINER=traefikDOCKER_HOST
Default: (unset - uses /var/run/docker.sock)
Docker socket URL. Set to tcp://socket-proxy:2375 when using the proxy restart method.
environment:
- DOCKER_HOST=tcp://socket-proxy:2375SIGNAL_FILE_PATH
Default: /signals/restart.sig
Signal file path for the poison-pill restart method. Must be on a shared volume between TM and Traefik.
environment:
- SIGNAL_FILE_PATH=/signals/restart.sigMonitoring
ACME_JSON_PATH
Default: /app/acme.json
Path to Traefik's acme.json. Required for the Certificates tab. Can also be set via Settings → System Monitoring → File Paths without a restart.
environment:
- ACME_JSON_PATH=/letsencrypt/acme.json
volumes:
- /path/to/acme.json:/letsencrypt/acme.json:roACCESS_LOG_PATH
Default: /app/logs/access.log
Path to Traefik's access log. Required for the Logs tab. Enable access logging in your Traefik static config first:
accessLog:
filePath: /var/log/traefik/access.logenvironment:
- ACCESS_LOG_PATH=/logs/access.log
volumes:
- /path/to/access.log:/logs/access.log:roCROWDSEC_LAPI_URL
Default: (unset)
Overrides: crowdsec_lapi_url in manager.yml
Base URL of the CrowdSec Local API. Required to enable the CrowdSec tab. The value set in Settings → System Monitoring → CrowdSec takes priority over this env var; the env var is used as a fallback when the settings field is blank.
environment:
- CROWDSEC_LAPI_URL=http://crowdsec:8080CROWDSEC_API_KEY
Default: (unset)
Overrides: crowdsec_api_key in manager.yml (stored encrypted)
CrowdSec bouncer API key, used to read decisions. Generate one with cscli bouncers add traefik-manager inside the CrowdSec container. The settings field value takes priority over this env var.
environment:
- CROWDSEC_API_KEY=your-bouncer-keyCROWDSEC_MACHINE_ID / CROWDSEC_MACHINE_PASSWORD
Default: (unset)
Overrides: crowdsec_machine_id / crowdsec_machine_password in manager.yml (password stored encrypted)
CrowdSec machine credentials. Required to read alerts and to unban (delete decisions) from the CrowdSec tab - bouncer keys get 403 access forbidden on those endpoints. Decisions only need CROWDSEC_API_KEY. Create a machine with cscli machines add traefik-manager --auto and copy the login / password from local_api_credentials.yaml. The settings field values take priority over these env vars.
environment:
- CROWDSEC_MACHINE_ID=traefik-manager
- CROWDSEC_MACHINE_PASSWORD=your-machine-passwordIf the password contains a
$, escape it as$$indocker-compose.yml.
Security
SECRET_KEY
Default: (auto-generated and persisted as .secret_key alongside SETTINGS_PATH)
Flask session signing key. Set this to keep sessions alive across container restarts without re-login.
environment:
- SECRET_KEY=your-random-32-byte-hex-stringGenerating a key
python3 -c "import secrets; print(secrets.token_hex(32))"OTP_ENCRYPTION_KEY
Default: (auto-generated and stored as .otp_key alongside SETTINGS_PATH)
Fernet key for encrypting TOTP secrets at rest in manager.yml.
environment:
- OTP_ENCRYPTION_KEY=your-32-byte-url-safe-base64-keyGenerating a key
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"WARNING
If you lose this key, existing TOTP secrets become unreadable and 2FA must be re-enrolled. Back up .otp_key alongside your config volume.