This setup uses a docker-compose based syncthing setup and Traefik as reverse proxy. HTTP basic auth is used to prevent unauthorized access to the syncthing web UI. Alternatively, you can use the built-in password protection.
See Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges for my HTTPS setup for Traefik.
version: "3"
services:
syncthing:
image: syncthing/syncthing
hostname: Syncthing-Myserver
environment:
- PUID=1000
- PGID=1000
volumes:
- ./syncthing_data:/var/syncthing
ports: # NOTE: 8384 not forwarded, this is handled by traefik
- "22000:22000"
- "21027:21027/udp"
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncthing.rule=Host(`syncthing.myserver.net`)"
- "traefik.http.routers.syncthing.entrypoints=websecure"
- "traefik.http.routers.syncthing.tls.certresolver=cloudflare"
- "traefik.http.routers.syncthing.tls.domains[0].main=myserver.net"
- "traefik.http.routers.syncthing.tls.domains[0].sans=*.myserver.net"
- "traefik.http.services.syncthing.loadbalancer.server.port=8384"
- "traefik.http.routers.syncthing.middlewares=syncthing-auth"
# Auth (this is shared with the server). NOTE: generate with "htpasswd -n admin" and REPLACE EVERY "$" by "$$" IN THE OUTPUT!
- "traefik.http.middlewares.syncthing-auth.basicauth.users=admin:$$apr1$$ehr8oqEZ$$tHoOVLG19oHdUe81IeePo1
"