Reverse Proxy Configuration for Traefik with Docker Compose

[louisprp]

My StremThru + Traefik Setup (Direct-Link Only, Fully Locked Down)

I wanted to share a configuration I’ve been using to run StremThru behind Traefik with everything locked down by default. I intentionally block all public access and only expose the exact paths StremThru needs, and only when valid user data is provided. Since I’m relying on an upstream Torrentio instance configured with a Real-Debrid API token, all streams come through as direct links with cached RD sources. That means StremThru essentially works as a small multi-user password-protected proxy. It may be a bit overkill, but it’s been working very well.

One thing I’m not completely certain about is whether there are edge cases where StremThru might still accept requests with missing or empty userData, depending on how the decoding behaves internally.

If anyone (especially the project author) sees anything wrong, has improvements, or knows a more lightweight approach, I’d love to hear it. Maybe there’s a cleaner way to achieve the same limited-exposure setup.

---

Traefik (docker-compose.yml)

services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    environment:
      - DNS_API_TOKEN=${DNS_API_TOKEN}
      - TZ=${TZ}
      - LEGO_DISABLE_CNAME_SUPPORT=true
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy

      # EntryPoints
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls=true
      - --entryPoints.websecure.http.tls.certResolver=le
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https

      # ACME / Let's Encrypt
      - --certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json

      # DNS-01 challenge
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=your-dns-provider
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    ports:
      - "80:80"
      - "443:443"

networks:
  proxy:
    external: true

Notes

Traefik exposes nothing by default, and I selectively allow only the StremThru endpoints that are actually needed for streaming. Since I’m only serving direct links, I don’t want anything else reachable from the outside.

---

StremThru (docker-compose.yml)

services:
  stremthru:
    image: muniftanjim/stremthru
    container_name: stremthru
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./data:/data

    networks:
      - proxy

    labels:
      - "traefik.enable=true"

      # /stremio/wrap/{userData}/manifest.json
      - "traefik.http.routers.stremio-wrap-manifest.rule=Host(`${STREMTHRU_HOST}`) && PathRegexp(`^/stremio/wrap/[^/]+/manifest\\.json$`)"
      - "traefik.http.routers.stremio-wrap-manifest.service=stremthru"

      # /stremio/wrap/{userData}/{resource}/{contentType}/{id}
      - "traefik.http.routers.stremio-wrap-resource.rule=Host(`${STREMTHRU_HOST}`) && PathRegexp(`^/stremio/wrap/[^/]+/[^/]+/[^/]+/[^/]+$`)"
      - "traefik.http.routers.stremio-wrap-resource.service=stremthru"

      # /stremio/wrap/{userData}/{resource}/{contentType}/{id}/{extra}
      - "traefik.http.routers.stremio-wrap-resource-extra.rule=Host(`${STREMTHRU_HOST}`) && PathRegexp(`^/stremio/wrap/[^/]+/[^/]+/[^/]+/[^/]+/[^/]+$`)"
      - "traefik.http.routers.stremio-wrap-resource-extra.service=stremthru"

      # /v0/proxy/{token}
      - "traefik.http.routers.proxy-token.rule=Host(`${STREMTHRU_HOST}`) && PathRegexp(`^/v0/proxy/[^/]+$`)"
      - "traefik.http.routers.proxy-token.service=stremthru"

      # /v0/proxy/{token}/{filename}
      - "traefik.http.routers.proxy-token-file.rule=Host(`${STREMTHRU_HOST}`) && PathRegexp(`^/v0/proxy/[^/]+/[^/]+$`)"
      - "traefik.http.routers.proxy-token-file.service=stremthru"

      # Internal container port
      - "traefik.http.services.stremthru.loadbalancer.server.port=8080"

networks:
  proxy:
    external: true

Notes

Each allowed endpoint is explicitly defined. Everything else remains inaccessible. This ensures users can stream, but nothing can be probed or browsed externally.

---

StremThru Environment (.env)

# For Traefik (change for your domain)
STREMTHRU_HOST=subdomain.example.com

# Where StremThru thinks it is (from *inside* the app)
STREMTHRU_BASE_URL=http://localhost

# StremThru listens on this port INSIDE its container
STREMTHRU_PORT=8080

# One StremThru user (this is used for /v0/proxy auth etc.)
STREMTHRU_PROXY_AUTH=user1:password1

# Make that user admin (for the web UI, addon config etc.)
STREMTHRU_AUTH_ADMIN=user1

# Real-Debrid mapping
STREMTHRU_STORE_AUTH=*:realdebrid:<api-token>

# Proxy everything
STREMTHRU_STORE_CONTENT_PROXY=*:true

STREMTHRU_FEATURE=stremio_wrap

Notes

I use a single admin + proxy user for now. Torrentio + RD is configured upstream, so StremThru just receives direct RD links and proxies them cleanly.

The initial setup can be made without the full lockdown. After you can also simply base64-encode whatever you need for userData and verify that streaming works. Make sure that the upstream Torrentio addon includes the RD token, otherwise no direct links will be returned. From there, you can tighten things down like I did if you want the network perimeter locked from the start.