Let's be honest: it's always nicer to have nice URLs for our services than to use addresses like localhost:8384. This guide shows how to reach your Syncthing at sync.localhost, or whatever address tickles your fancy, with the help of Traefik.

Install Traefik

First, we need to install Traefik. This is pretty easy if you are on Linux. For example, on Arch-derived distributions:

sudo pacman -Sy traefik

Configure Traefik

We'll configure Traefik in a way that allows you to easily extend the configuration for other services. The following goes in the main traefik.yaml:

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

providers:
  file:
    directory: /etc/traefik/config.d
    watch: true

serversTransport:
  insecureSkipVerify: true

Now we can create the directory /etc/traefik/config.d and put service configuration files in it. This allows us to expand without changing the core configuration.

Syncthing is often configured with its own HTTPS certificate. Traefik won't be able to verify it, so we implicitly trust it with insecureSkipVerify: true. Because this setting sits under the global serversTransport, it applies to every backend Traefik proxies to, not just Syncthing.

Configure Syncthing Router

Put the following configuration in /etc/traefik/config.d/syncthing.yaml:

http:
  routers:
    syncthing-router:
      entryPoints: [websecure]
      service: syncthing
      rule: Host(`sync.localhost`)
      tls: {} # handle HTTPS requests; without a tls section the router only matches plain HTTP

  services:
    syncthing:
      loadBalancer:
        servers:
          - url: https://localhost:8384/

It goes without saying that you can use another hostname or rule for the router.
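
The global insecureSkipVerify setting from the main configuration can be narrowed to Syncthing alone. The following variant of syncthing.yaml is an added example, not part of the original guide; it assumes Traefik v2.4 or later, and the transport name syncthing-transport is made up for illustration.

```yaml
# Added example: /etc/traefik/config.d/syncthing.yaml with certificate
# verification relaxed for the Syncthing backend only.
# Assumes Traefik v2.4 or later (per-service serversTransports).
# "syncthing-transport" is a name chosen for this example.
#
# Prerequisite: remove this block from the main configuration so that
# every other backend is verified again:
#
#   serversTransport:
#     insecureSkipVerify: true

http:
  routers:
    syncthing-router:
      entryPoints: [websecure]
      service: syncthing
      rule: Host(`sync.localhost`)
      tls: {}   # serve this router over HTTPS on the websecure entry point

  services:
    syncthing:
      loadBalancer:
        # Use the dedicated transport below instead of the global default.
        serversTransport: syncthing-transport
        servers:
          - url: https://localhost:8384/

  serversTransports:
    syncthing-transport:
      # Skips verification of Syncthing's self-signed certificate.
      # Scoped to this one loopback backend; services added later in
      # config.d keep normal certificate verification.
      insecureSkipVerify: true
```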

Start and Enable Traefik

With systemd, this takes two commands:

sudo systemctl start traefik
sudo systemctl enable traefik

After starting, check that everything is ok:

sudo systemctl status traefik

Test Traefik Router

In order for Traefik to do the routing correctly, we need to get our browser to use the configured hostname. We can easily do this by adding the following to our /etc/hosts file:

127.0.0.1 sync.localhost

If this is good enough for you, then you can stop now. Otherwise you can consider using dnsmasq for wildcard support.

Add Persistent Certificate

The default certificate that Traefik automatically generates for you is only stored in memory, so on any restart of the service, a new certificate is generated. This means you have to re-trust the certificate the next time you visit the address. We can fix this by generating our own certificates and instructing Traefik to use those.

Create a directory /etc/traefik/certs/ and run the following command in that directory (as root):

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes \
  -keyout localhost.key \
  -out localhost.cert \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,DNS:*.localhost,IP:127.0.0.1"

Then add the following content to /etc/traefik/config.d/tls.yaml:

tls:
  certificates:
    - certFile: /etc/traefik/certs/localhost.cert
      keyFile: /etc/traefik/certs/localhost.key
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/localhost.cert
        keyFile: /etc/traefik/certs/localhost.key

It is important that this configuration is not part of the main traefik.yaml: TLS certificates belong to Traefik's dynamic configuration, so in the static traefik.yaml it won't work, and Traefik won't even tell you why. This tripped me up initially.