diff --git a/traefik/config.yml b/traefik/config.yml
new file mode 100644
index 0000000..1d0d414
--- /dev/null
+++ b/traefik/config.yml
@@ -0,0 +1,51 @@
+http:
+ #region routers
+ routers:
+ example:
+ entryPoints:
+ - "websecure"
+ rule: "Host(`example.local.domain.name`)"
+ middlewares:
+ - default-headers
+ - https-redirectscheme
+ tls: {}
+ service: example
+#endregion
+
+#region services
+ services:
+ example:
+ loadBalancer:
+ servers:
+ - url: "http://ip:port/"
+ passHostHeader: true
+#endregion
+
+ middlewares:
+ https-redirectscheme:
+ redirectScheme:
+ scheme: https
+ permanent: true
+ default-headers:
+ headers:
+ frameDeny: true
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+ customFrameOptionsValue: SAMEORIGIN
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+
+ default-whitelist:
+ ipAllowList:
+ sourceRange:
+ - "local ip subnet"
+
+ secured:
+ chain:
+ middlewares:
+ - default-whitelist
+ - default-headers
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
new file mode 100644
index 0000000..4d24402
--- /dev/null
+++ b/traefik/traefik.yml
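Review bot: In the `default-headers` middleware, `frameDeny: true` and `customFrameOptionsValue: SAMEORIGIN` are both set; in Traefik `customFrameOptionsValue` overrides `frameDeny`, so the effective header is `X-Frame-Options: SAMEORIGIN` and the `frameDeny` line is dead — keep only the one that is intended. The `secured` chain (allow-list plus headers) is defined but the `example` router lists `default-headers` and `https-redirectscheme` instead, so the IP allow-list is never applied to that route; if the template route is meant to be restricted, its `middlewares` should reference `secured`. Note also that `sourceRange: - "local ip subnet"` is a placeholder that Traefik will most likely reject when parsing CIDRs, which makes `default-whitelist` and the `secured` chain fail to load until a real range (e.g. `10.0.0.0/8`, constructed example) is substituted; a comment such as `# replace with a CIDR, e.g. 192.168.1.0/24` next to it would make that explicit. `https-redirectscheme` on a router bound only to `websecure` never triggers, since requests arriving there are already HTTPS and the `web` entry point already performs the redirect.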
@@ -0,0 +1,53 @@
+api:
+ dashboard: true
+ debug: true
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ":443"
+ http:
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: domain.name
+ sans:
+ - '*.domain.name'
+ - '*.local.domain.name'
+serversTransport:
+ insecureSkipVerify: true
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ file:
+ filename: /config.yml
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: email@domain.name
+ storage: acme.json
+ caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+ dnsChallenge:
+ provider: cloudflare
+ #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+ #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
+log:
+ level: "INFO"
+ filePath: "/var/log/traefik/traefik.log"
+ maxSize: 10
+ maxBackups: 5
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+ fields:
+ names:
+ StartUTC: drop
\ No newline at end of file
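Review bot: `serversTransport.insecureSkipVerify: true` in the static config disables backend certificate verification for every service Traefik proxies, not just the plain-HTTP `http://ip:port/` upstream this template targets; the static block should leave verification on, and any backend that genuinely needs it should get its own `serversTransports` entry in the dynamic config (with `rootCAs` where a private CA is available) referenced from that service. `api.debug: true` exposes additional debug and profiling endpoints through the API; in a template it should default to `false` and only be enabled while troubleshooting, with the dashboard router behind an access-restricting middleware in either case. The `acme.json` file named by `storage` holds the account and certificate private keys, and Traefik refuses a store with permissions wider than owner-only, so a comment such as `# create with mode 600 before first start` beside `storage: acme.json` would save users a failed startup. The trailing `\ No newline at end of file` is cosmetic but worth fixing for clean diffs.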