My boring Blog

Mauro Frigerio blog

Enable HTTP/3 in traefik v3

22-05-2024 3 min read Article

The recent major release v3 of Traefik, brought new features or concretized some. Such as certificates via Tailscale and HTTP3. In this short guide, I want to present an example of configuration to use HTTP3 in Traefik. The change is not drastic, because the functionality already existed as experimental in the old version.


  • Linux machine with docker and compose (otherwise you wouldn’t be here)
  • a domain
  • with which a valid TLS certificate (HTTPS) can be obtained.
  • in the example I use the domain, DNS and certificates from


  1. create the files docker-compose.yml and tls.yml with the contents of the following chapters

  2. edit the docker-compose.yml file specifically: the folder path for traefik and replace the server IP address (command ip a) with your own

  3. create a cert folder to save TLS certificates from

  4. download the certificates with the following command (the -d option is not present):

sudo docker compose up helper
  1. create the traefik and whoami containers.
sudo docker compose up -d traefik

sudo docker compose up -d whoami
  1. test the functioning

Docker compose (docker-compose.yml)


    image: traefik:v3.0
    container_name: traefik
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.file.filename=/tls.yml"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http3"
      - "--entrypoints.web.address=:80"
      - ""
      - 80:80
      - 443:443/tcp
      - 443:443/udp
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - PATH/TO/cert:/etc/ssl/traefik
      - PATH/TO/tls.yml:/tls.yml

    image: containous/whoami:latest
    container_name: whoami
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(``)"  # change 1-2-3-4 with you server IP
      - "[0].main=*"
      - "traefik.http.routers.whoami.entrypoints=websecure"

    image: alpine
    command: sh -c "cd /etc/ssl/traefik
      && wget -O cert.pem
      && wget -O privkey.pem"
      - PATH/TO/cert:/etc/ssl/traefik

File provider di traefik (tls.yml)

        certFile: /etc/ssl/traefik/cert.pem
        keyFile: /etc/ssl/traefik/privkey.pem
    - certFile: /etc/ssl/traefik/cert.pem
      keyFile: /etc/ssl/traefik/privkey.pem

How to test

I recommend that you test the operation with Chrome or a derivative browser (I use Brave). On Firefox I have not yet been able to get HTTP3 to work.

Open developer tools or right-click and choose the inspect option. Open the network tab and reload the page. In the table you can see the various files downloaded, in the protocol column you can seeif your server provides http2= h2 or http3= h3. If you have opened the page before changing the traefik configuration it may be advisable to restart the browser.

Common issues

  • Invalid or expired certificate: verify that the TLS certificate for our router is active in the traefik dashboard. If the certificate is right but expired, check for an updated one. If it cannot wait then use Tailscale or purchase your own domain.
  • the domain * does not work: allows various notations, but for certificates, IP addresses should not be written with a period, but with a line (“-”). You can test that the domain is working properly by trying to access the traefik dashboard with the address (pay attention to http not https and replace 1-2-3-4 with the correct IP address).
  • I followed all the steps, but the certificate is always wrong: .pem files must be saved with special rights. Use the helper container to download them with the correct rights.