Running on Linux (without Docker)
Traefik Manager is a standard Python/Flask application and runs natively on any Linux system with Python 3.11+. No container runtime required.
Requirements
- Python 3.11 or newer
pip- A running Traefik instance reachable from the same host
- Write access to your Traefik
dynamic.yml
Install
1. Clone the repository
git clone https://github.com/chr0nzz/traefik-manager.git /opt/traefik-manager
cd /opt/traefik-manager2. Create a virtual environment and install dependencies
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt gunicorn3. Download vendor assets and build CSS
sudo bash scripts/setup-assets.shThis downloads Monaco, fonts, icons, and other vendored JS libraries, then compiles Tailwind CSS. These are excluded from the Git repository (they are built into the Docker image at build time). sudo is needed to install the tailwindcss binary to /usr/local/bin if it is not already present.
4. Create the data directories
mkdir -p /var/lib/traefik-manager/backups4. Test run
CONFIG_PATH=/etc/traefik/dynamic.yml \
BACKUP_DIR=/var/lib/traefik-manager/backups \
SETTINGS_PATH=/var/lib/traefik-manager/manager.yml \
COOKIE_SECURE=false \
/opt/traefik-manager/venv/bin/gunicorn \
--bind 0.0.0.0:5000 \
--workers 1 \
--chdir /opt/traefik-manager \
app:appOpen http://your-server:5000 - the setup wizard will guide you through the rest.
Systemd service
Running as a systemd service gives you automatic start on boot and restart on crash.
1. Create a dedicated user (recommended)
useradd --system --no-create-home --shell /usr/sbin/nologin traefik-managerGive it read/write access to the files it needs:
# Write access to dynamic.yml and its directory (for backups/config)
chown traefik-manager: /etc/traefik/dynamic.yml
chown traefik-manager: /var/lib/traefik-manager
chown traefik-manager: /var/lib/traefik-manager/backups
# Read-only optional mounts (if using Certs/Plugins/Logs tabs)
# The user just needs read access to these files2. Create the service unit
Create /etc/systemd/system/traefik-manager.service:
[Unit]
Description=Traefik Manager
After=network.target
[Service]
Type=simple
User=traefik-manager
WorkingDirectory=/opt/traefik-manager
Environment=HOME=/opt/traefik-manager
ExecStart=/opt/traefik-manager/venv/bin/gunicorn \
--bind 0.0.0.0:5000 \
--workers 1 \
--log-level info \
app:app
# Paths
Environment=CONFIG_PATH=/etc/traefik/dynamic.yml
Environment=BACKUP_DIR=/var/lib/traefik-manager/backups
Environment=SETTINGS_PATH=/var/lib/traefik-manager/manager.yml
# Set to true if running behind a reverse proxy with HTTPS
Environment=COOKIE_SECURE=false
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target3. Enable and start
systemctl daemon-reload
systemctl enable --now traefik-manager4. Check it is running
systemctl status traefik-manager
journalctl -u traefik-manager -fOptional monitoring mounts
The Certs, Plugins, and Logs tabs work the same as with Docker - just point the env vars at your existing files:
# In the [Service] section of the systemd unit:
# Certs tab - path to acme.json
Environment=ACME_JSON_PATH=/etc/traefik/acme.json
# Plugins + Static Config tab - path to traefik.yml
Environment=STATIC_CONFIG_PATH=/etc/traefik/traefik.yml
# Logs tab - path to access.log
Environment=ACCESS_LOG_PATH=/logs/access.logMake sure traefik-manager user has read access to each file:
chmod o+r /etc/traefik/acme.json
chmod o+r /etc/traefik/traefik.yml # use write access instead if using Static Config editor
chmod o+r /var/log/traefik/access.logAccess logs are often owned by root or a adm/syslog group. If chmod o+r is not appropriate for your setup, add the user to the owning group instead:
usermod -aG adm traefik-managerStatic config editor
The Static Config tab lets you edit traefik.yml directly from the UI. After saving, Traefik Manager can restart Traefik automatically.
Requirements
Give traefik-manager write access to traefik.yml and set RESTART_METHOD in the service unit.
chown traefik-manager: /etc/traefik/traefik.ymlMethod 1: Poison pill (recommended)
Traefik Manager writes a signal file. A watcher script monitors it and restarts Traefik. No Docker socket access needed.
Add to the [Service] section of your unit file:
Environment=RESTART_METHOD=poison-pill
Environment=SIGNAL_FILE_PATH=/var/lib/traefik-manager/signals/restart.sigCreate a watcher script at /usr/local/bin/traefik-restart-watcher.sh:
#!/bin/sh
SIGNAL=/var/lib/traefik-manager/signals/restart.sig
mkdir -p "$(dirname "$SIGNAL")"
while true; do
if [ -f "$SIGNAL" ]; then
systemctl restart traefik
rm -f "$SIGNAL"
fi
sleep 2
doneMake it executable:
chmod +x /usr/local/bin/traefik-restart-watcher.shCreate /etc/systemd/system/traefik-restart-watcher.service:
[Unit]
Description=Traefik restart watcher
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/traefik-restart-watcher.sh
Restart=on-failure
[Install]
WantedBy=multi-user.targetEnable it:
systemctl daemon-reload
systemctl enable --now traefik-restart-watcherMethod 2: Direct Docker socket
If Traefik is running as a Docker container, mount the Docker socket and give traefik-manager access to it.
usermod -aG docker traefik-managerAdd to the [Service] section:
Environment=RESTART_METHOD=socket
Environment=TRAEFIK_CONTAINER=traefikEnvironment variables
| Variable | Values | Default | Description |
|---|---|---|---|
RESTART_METHOD | socket, poison-pill | proxy | How to restart Traefik after a static config change |
TRAEFIK_CONTAINER | container name | traefik | Docker container name to restart (socket method) |
SIGNAL_FILE_PATH | path | /signals/restart.sig | Signal file path for the poison-pill method |
Config file setup
Single config file (default)
The default setup. Point CONFIG_PATH at your dynamic config file:
# In the [Service] section of the systemd unit:
Environment=CONFIG_PATH=/etc/traefik/dynamic.ymlMultiple config files
Mount more than one Traefik dynamic config and manage them all from one UI. A Config File picker appears automatically in the route and middleware forms when more than one file is loaded.
Comma-separated list of config file paths. Use this when you want to name exactly which files are managed.
# In the [Service] section of the systemd unit:
# Single config file (default):
# Environment=CONFIG_PATH=/etc/traefik/dynamic.yml
# Multiple config files:
Environment=CONFIG_PATHS=/etc/traefik/routes.yml,/etc/traefik/services.ymlMake sure traefik-manager user has read/write access to each file.
See the Environment Variables reference for the full priority order.
Behind a reverse proxy (nginx or Traefik)
When serving Traefik Manager over HTTPS through a reverse proxy, set COOKIE_SECURE=true in the service unit and remove the direct port binding.
nginx
server {
listen 443 ssl;
server_name manager.example.com;
ssl_certificate /etc/letsencrypt/live/manager.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/manager.example.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}Traefik (file provider)
Add to your dynamic.yml:
http:
routers:
traefik-manager:
rule: "Host(`manager.example.com`)"
entrypoints: [https]
tls:
certResolver: cloudflare
service: traefik-manager
services:
traefik-manager:
loadBalancer:
servers:
- url: "http://127.0.0.1:5000"Password reset
Without Docker, use the flask CLI directly from the install directory:
cd /opt/traefik-manager
SETTINGS_PATH=/var/lib/traefik-manager/manager.yml \
venv/bin/flask reset-passwordWith --disable-otp if you have also lost access to your TOTP app:
cd /opt/traefik-manager
SETTINGS_PATH=/var/lib/traefik-manager/manager.yml \
venv/bin/flask reset-password --disable-otpUpdating
cd /opt/traefik-manager
git pull
source venv/bin/activate
pip install -r requirements.txt gunicorn
sudo bash scripts/setup-assets.sh
systemctl restart traefik-managerRun setup-assets.sh on every update - new versions may add new vendor libraries or reference new Tailwind CSS classes that are not in the previously compiled stylesheet.
Uninstall
systemctl disable --now traefik-manager
rm /etc/systemd/system/traefik-manager.service
systemctl daemon-reload
rm -rf /opt/traefik-manager
# Keep /var/lib/traefik-manager if you want to preserve your settings and backups