Reverse-Proxy Setup with Traefik:v3.2 w/Dashboard, traefik-forward-auth, & WhoAmI

I am setting up my VPS Server (Ubuntu-24) and wanted an enhanced version of the Traefik setup I ran in the past, but this time with the traefik-forward-auth service to protect any application behind Google's OAuth linked to my domain.

Compose.yaml

services:
  traefik:
    image: traefik:v3.2
    restart: unless-stopped
    command:
      # entrypoints
      - --api # Enables dashboard, secure method
      # - --log.level=TRACE
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      # docker provider                 
      - --providers.docker=true
      - --providers.docker.network=web
      - --providers.docker.exposedbydefault=false # require containers to define `traefik.enable=true` to be exposed
      # letsEncrypt
      - --certificatesresolvers.letsencryptresolver.acme.email=${EMAIL}
      - --certificatesresolvers.letsencryptresolver.acme.storage=/acme.json
      - --certificatesresolvers.letsencryptresolver.acme.tlschallenge=true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # So that Traefik can listen to the Docker events
      - ${TRAEFIK_DIR}/acme.json:/acme.json # stores ACME (HTTPS) certificates
    labels:
      # basic
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=websecure # https
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`) # host
      - traefik.http.routers.traefik.service=api@internal # expose the traefik dashboard
      - traefik.http.routers.traefik.tls.certresolver=letsencryptresolver # tls
      - traefik.http.routers.traefik.middlewares=traefik-forward-auth # oauth
    networks:
      - default
      - web
  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=${FA_CLIENT_ID}
      - PROVIDERS_GOOGLE_CLIENT_SECRET=${FA_CLIENT_SECRET}
      - SECRET=${FA_SECRET}
      # - INSECURE_COOKIE=true # is required if not using a https entrypoint
      - COOKIE_DOMAIN=${DOMAINNAME}
      - AUTH_HOST=auth.${DOMAINNAME}
      # - LOG_LEVEL=debug
      - WHITELIST=ricardo@${DOMAINNAME}
    labels:
      # basic
      - traefik.enable=true
      - traefik.http.routers.traefik-forward-auth.entrypoints=websecure # https
      - traefik.http.routers.traefik-forward-auth.tls.certresolver=letsencryptresolver # tls
      - traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth # oauth
      # specific
      - traefik.http.routers.traefik-forward-auth.rule=Host(`auth.${DOMAINNAME}`)
      - traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
    networks:
      - default
      - web
  whoami:
    image: traefik/whoami # A container that exposes an API to show its IP address
    labels:
      # basic
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure # https
      - traefik.http.routers.whoami.tls.certresolver=letsencryptresolver # tls
      - traefik.http.routers.whoami.middlewares=traefik-forward-auth # oauth
      # specific
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAINNAME}`)
    networks:
      - default
      - web
networks:
  web:
    external: true

With this, I can now expose any container just by adding some basic traefik labels. Ideally, this should be converted so that the static configuration is moved into a config file (traefik.yaml), but that will be the next revision.
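Because exposure is driven entirely by labels, a container that sets `traefik.enable=true` but omits the `middlewares=traefik-forward-auth` label is published without the Google login. The check below is an added example, not part of the original setup: it audits the label set of each service and reports routers that lack the forward-auth middleware, the `websecure` entrypoint, or the certresolver. It assumes input in the shape produced by `docker compose config --format json`; the `notes` and `db` services and the `example.com` hosts are constructed for illustration.

```python
import json

REQUIRED_MW = "traefik-forward-auth"   # middleware name from the compose file above
PREFIX = "traefik.http.routers."

def labels_of(service):
    """Compose allows labels as a mapping or as a list of "key=value" strings."""
    raw = service.get("labels") or {}
    pairs = raw.items() if isinstance(raw, dict) else (i.split("=", 1) for i in raw if "=" in i)
    return {k: str(v) for k, v in pairs}

def audit(compose):
    """Return sorted (service, router, problem) tuples for under-protected routers."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        labels = labels_of(svc)
        if labels.get("traefik.enable", "").lower() != "true":
            continue  # exposedbydefault=false, so Traefik ignores this container
        routers = {}
        for key, value in labels.items():
            if key.lower().startswith(PREFIX):
                router, _, option = key[len(PREFIX):].partition(".")
                routers.setdefault(router, {})[option.lower()] = value
        for router, opts in routers.items():
            mws = {m.strip().split("@")[0] for m in opts.get("middlewares", "").split(",")}
            eps = {e.strip() for e in opts.get("entrypoints", "").split(",")}
            if REQUIRED_MW not in mws:
                findings.append((name, router, "no forward-auth middleware"))
            if eps != {"websecure"}:
                findings.append((name, router, "not limited to websecure"))
            if not opts.get("tls.certresolver"):
                findings.append((name, router, "no tls.certresolver"))
    return sorted(findings)

# Constructed sample shaped like `docker compose config --format json` output;
# "notes" and "db" are hypothetical services, "whoami" mirrors the one above.
SAMPLE = json.loads("""{"services": {
  "whoami": {"labels": {
    "traefik.enable": "true", "traefik.http.routers.whoami.entrypoints": "websecure",
    "traefik.http.routers.whoami.tls.certresolver": "letsencryptresolver",
    "traefik.http.routers.whoami.middlewares": "traefik-forward-auth",
    "traefik.http.routers.whoami.rule": "Host(`whoami.example.com`)"}},
  "notes": {"labels": [
    "traefik.enable=true", "traefik.http.routers.notes.entrypoints=websecure",
    "traefik.http.routers.notes.tls.certresolver=letsencryptresolver",
    "traefik.http.routers.notes.rule=Host(`notes.example.com`)"]},
  "db": {"image": "postgres:16"}}}""")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running it as a pre-deploy step against the rendered compose file catches a forgotten middleware label before the container is reachable from the internet.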