Traefik Manager

Appearance

Star

Environment Variables

All supported environment variables for Traefik Manager. Variables marked Override take priority over the corresponding manager.yml field.

Quick reference

VariableDefaultOverrideDescription
COOKIE_SECUREfalse-Mark session cookie as Secure (required for HTTPS)
AUTH_ENABLEDtrueauth_enabledDisable built-in login entirely
ADMIN_PASSWORD(unset)password_hashAdmin password in plain text (hashed at runtime)
DOMAINSexample.comdomainsComma-separated base domains
CERT_RESOLVERcloudflarecert_resolverDefault ACME resolver name
TRAEFIK_API_URLhttp://traefik:8080traefik_api_urlTraefik API URL
CONFIG_DIR(unset)-Directory - load all .yml files in it as config files
CONFIG_PATHS(unset)-Comma-separated list of config file paths
CONFIG_PATH/app/config/dynamic.yml-Single config file (legacy, backwards-compatible)
BACKUP_DIR/app/backups-Directory for timestamped config backups
SETTINGS_PATH/app/config/manager.yml-Path to the Traefik Manager settings file
OTP_ENCRYPTION_KEY(auto-generated)-Fernet key for encrypting the TOTP secret at rest

Reference

Default: false

Set to true when Traefik Manager is served over HTTPS. Marks the session cookie as Secure, which is required by browsers for cookies on HTTPS origins.

yaml
environment:
  - COOKIE_SECURE=true

WARNING

If you are behind a reverse proxy with HTTPS and do not set this, logins will fail silently - the session cookie will not be sent by the browser.

AUTH_ENABLED

Default: trueOverrides: auth_enabled in manager.yml

Set to false to disable the built-in login entirely. Use this when Traefik Manager is protected by an external auth provider (Authentik, Authelia, Traefik basicAuth, etc.).

yaml
environment:
  - AUTH_ENABLED=false

DANGER

When disabled, the UI is fully open. Only use this behind another authentication layer.

ADMIN_PASSWORD

Default: (unset)Overrides: password_hash in manager.yml

Set the admin password in plain text. It is hashed with bcrypt at runtime. Useful for scripted deployments where you do not want to pre-generate a hash.

yaml
environment:
  - ADMIN_PASSWORD=mysecretpassword

INFO

When this variable is set, the CLI flask reset-password command and the in-UI password change have no effect - the password always comes from this variable. Remove the variable to switch back to manager.yml-managed passwords.

DOMAINS

Default: example.comOverrides: domains in manager.yml

Comma-separated list of base domains shown in the Add Route form.

yaml
environment:
  - DOMAINS=example.com,home.lab

CERT_RESOLVER

Default: cloudflareOverrides: cert_resolver in manager.yml

One or more ACME cert resolver names, comma-separated. The first resolver is used as the default for new routes. Each route can override this individually in the Add/Edit Route form.

yaml
environment:
  - CERT_RESOLVER=letsencrypt

  - CERT_RESOLVER=letsencrypt, cloudflare

TRAEFIK_API_URL

Default: http://traefik:8080Overrides: traefik_api_url in manager.yml

The URL of the Traefik API. Must be reachable from the host running Traefik Manager.

yaml
environment:
  - TRAEFIK_API_URL=http://traefik:8080

Multi-config: CONFIG_DIR, CONFIG_PATHS, CONFIG_PATH

Traefik Manager can manage one or many dynamic config files. Three variables control this in priority order:

CONFIG_DIR  >  CONFIG_PATHS  >  CONFIG_PATH

Only one should be set. When multiple config files are loaded, a Config File dropdown appears in the Add/Edit Route and Middleware modals, and each route card shows a small file badge. When CONFIG_DIR is set, the dropdown also includes a + New file... option - type a filename and the app creates the file automatically in CONFIG_DIR.

CONFIG_DIR

Default: (unset)

Point to a directory and every .yml file inside it is loaded as a config file. Best for setups with many files where you don't want to list them all explicitly.

yaml
environment:
  - CONFIG_DIR=/app/config/traefik
volumes:
  - /host/traefik/config:/app/config/traefik
  # every *.yml in that directory is picked up automatically

CONFIG_PATHS

Default: (unset)

Comma-separated list of full config file paths. Good for 2-5 named files.

yaml
environment:
  - CONFIG_PATHS=/app/config/routes.yml,/app/config/services.yml
volumes:
  - /host/routes.yml:/app/config/routes.yml
  - /host/services.yml:/app/config/services.yml

CONFIG_PATH

Default: /app/config/dynamic.yml

Single config file. Existing behaviour - no changes needed for single-file setups.

yaml
environment:
  - CONFIG_PATH=/data/traefik/dynamic.yml
volumes:
  - /path/to/traefik/dynamic.yml:/data/traefik/dynamic.yml

BACKUP_DIR

Default: /app/backups

Directory where timestamped backups of dynamic.yml are stored before every save.

yaml
environment:
  - BACKUP_DIR=/data/backups
volumes:
  - /path/to/backups:/data/backups

SETTINGS_PATH

Default: /app/config/manager.yml

Path to the Traefik Manager settings file. Useful if you want to separate it from the dynamic config directory.

yaml
environment:
  - SETTINGS_PATH=/data/manager.yml
volumes:
  - /path/to/manager.yml:/data/manager.yml

OTP_ENCRYPTION_KEY

Default: (auto-generated and stored at /app/config/.otp_key)

Fernet symmetric key used to encrypt the TOTP secret at rest in manager.yml. If not set, a key is automatically generated on first start and written to .otp_key inside the config directory.

Set this variable if you want to manage the key yourself (e.g., from a secrets manager) or to ensure the key survives config volume replacement.

yaml
environment:
  - OTP_ENCRYPTION_KEY=your-32-byte-url-safe-base64-key

Generating a key

bash
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

INFO

If you lose this key, existing TOTP secrets become unreadable and 2FA will need to be re-enrolled. The .otp_key file is separate from manager.yml - back it up alongside your config volume.