JanJaap Driesen

I was tired of breaking my Traefik mTLS config, so I built a GUI for it

If you've ever tried to set up mutual TLS (mTLS) with Traefik, you know the feeling. You get it working. Something changes. You dig back into YAML, reference the docs, check the cert paths, wonder if it's the entrypoint config or the dynamic config or the certificate store. An hour later you're back where you started.

I run Traefik at home to expose a bunch of self-hosted services — some on my LAN only, some to the internet, some requiring client certificates for extra security. After one too many "why is mTLS broken again" sessions, I decided to build something that would make this manageable once, so I wouldn't have to think about it again.

The result is traefik-gui: a lightweight web GUI for managing Traefik, packaged as a single Docker container.

What it does

The core features:

  • mTLS certificate management is the reason this exists. You can create and manage client certificates from the UI. When you create a cert for a device or user, you download a zip containing all the formats you'd need (PEM, P12, etc.) plus a README explaining how to install it — on a phone, browser, or system. No more OpenSSL one-liners.
  • Access log viewer lets you tail and browse Traefik access logs without SSHing into your server. When something's not routing right, this is usually the first place you look.
  • Static config editor means you can edit traefik.yml from the browser.
  • Dynamic file config gives you both simple forms for common use cases and raw YAML editing for everything else.

The opinionated part

This tool makes assumptions. It assumes you're:

  • Using file-based dynamic configuration (not Kubernetes or Consul)
  • Wanting to expose services on both your LAN and the internet
  • Managing your own certificates (not relying solely on Let's Encrypt ACME)

Those assumptions are baked into the UI — there are two entrypoints, mTLS is supported on one of them, and the forms are designed around that workflow. If your setup matches, it feels polished. If it doesn't, there are more flexible tools out there (Mantrae, Traefikr — both worth looking at).

Getting started

Single container, no database, Go backend:

# docker-compose.yml
services:
  traefik-gui:
    image: ghcr.io/deputynl/traefik-gui:latest
    container_name: traefik-gui
    restart: unless-stopped
    environment:
      TRAEFIK_CONFIG_PATH: /etc/traefik/traefik.yml
      TRAEFIK_API_URL: http://traefik:8080
      # Set both in the environment or a .env file; left unset, the login falls back to admin/admin.
      TRAEFIK_GUI_USER: ${TRAEFIK_GUI_USER:-admin}
      TRAEFIK_GUI_PASSWORD: ${TRAEFIK_GUI_PASSWORD:-admin}
      TRAEFIK_ACME_PATH: /etc/traefik/acme.json
      TRAEFIK_CONTAINER_NAME: traefik
    volumes:
      - /etc/traefik:/etc/traefik          # read+write for config changes
      - traefik-mtls:/etc/traefik/mtls     # CA, CA key + client certs, persisted across restarts
      # :ro applies to the mount only; the Docker API behind the socket stays fully usable.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
    ports:
      - 8888:8888                          # published on all host interfaces; 127.0.0.1:8888:8888 keeps the GUI local

networks:
  traefik:
    external: true

volumes:
  traefik-mtls:

Open http://localhost:8888 and you're in.

Why Go, why single container

Go compiles to a single binary with no runtime dependencies, which made packaging as a minimal container straightforward. The whole thing is one docker run away from working. No Node, no Python, no database to manage.

What's next

It's a hobby project, but I use it daily and intend to keep maintaining it. If you run into issues or have ideas, issues and PRs are welcome on GitHub.

github.com/deputynl/traefik-gui (MIT)

If you're running Traefik at home and have questions about mTLS setup, happy to help in the comments.
