All application stacks use Traefik for ingress. Traefik is therefore a core sitectl service namespace rather than an app-specific helper.

Status

Check the Traefik container or ingress settings:
sitectl traefik status
sitectl traefik ingress-status

TLS Modes

Switch the active context between supported TLS modes:
sitectl traefik tls http
sitectl traefik tls mkcert --domain local.example.test
sitectl traefik tls letsencrypt --email ops@example.org
sitectl traefik tls self-managed --cert-file ./cert.pem --key-file ./privkey.pem
The command updates the shared ingress env contract:
  • URI_SCHEME
  • TLS_PROVIDER
  • TRAEFIK_TLS_ENABLED
  • ACME_EMAIL and ACME_URL when provided for Let’s Encrypt
When a docker-compose.tls.yml override exists and the context is named, sitectl adds or removes that override from the context’s compose file list as the TLS mode changes. For mkcert, sitectl generates certs/cert.pem and certs/privkey.pem. For self-managed, sitectl installs the provided certificate and key to the same standard paths.

Bot Mitigation

Switch bot mitigation on or off:
sitectl traefik bot-mitigation on --turnstile-site-key "$TURNSTILE_SITE_KEY" --turnstile-secret-key "$TURNSTILE_SECRET_KEY"
sitectl traefik bot-mitigation off
The command writes BOT_MITIGATION, TRAEFIK_BOT_MITIGATION, and optional Turnstile values to the context env file. Application route templates attach those settings to app-specific middleware.
For app-level component toggles, plugins should use the core Traefik helper instead of carrying their own captcha-protect implementation. The plugin supplies its router name, route config path, and any app-specific middleware values:
opts := coretraefik.BotMitigationOptions{
  RouterName:       "ojs",
  RouterConfigPath: "conf/traefik/ojs.yml",
  Middleware: coretraefik.CaptchaProtectMiddlewareOptions{
    ProtectRoutes: "^/(issues|articles)",
  },
}

def := coretraefik.BotMitigation(opts)
err := coretraefik.ApplyBotMitigation(projectDir, coretraefik.BotMitigationStateOn, opts)
ISLE uses this path for the Drupal router. Other app plugins can set values such as ProtectRoutes, ExcludeRoutes, GoodBots, or ChallengeURL while still reusing the same local plugin install, Turnstile environment defaults, and Traefik middleware rendering. Standalone Traefik Compose projects may still exist, but the shared command surface belongs to core sitectl, not to a dedicated Traefik CLI plugin.
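To check which request paths a ProtectRoutes pattern such as the one above actually covers, the following added example (not sitectl or plugin code) audits a pattern against paths that must be challenged and paths that must pass. It assumes the patterns are Go regular expressions matched against the request path and that an ExcludeRoutes match overrides ProtectRoutes; the Audit helper and all sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Audit is a hypothetical helper, not part of coretraefik. Assumptions: both
// patterns are Go regular expressions matched against the request path, and
// an ExcludeRoutes match overrides a ProtectRoutes match.
func Audit(protect, exclude string, mustProtect, mustPass []string) (unprotected, overblocked []string, err error) {
	p, err := regexp.Compile(protect)
	if err != nil {
		return nil, nil, fmt.Errorf("ProtectRoutes: %w", err)
	}
	var x *regexp.Regexp
	if exclude != "" {
		if x, err = regexp.Compile(exclude); err != nil {
			return nil, nil, fmt.Errorf("ExcludeRoutes: %w", err)
		}
	}
	challenged := func(path string) bool {
		return p.MatchString(path) && (x == nil || !x.MatchString(path))
	}
	for _, path := range mustProtect {
		if !challenged(path) { // intended to be challenged, but passes
			unprotected = append(unprotected, path)
		}
	}
	for _, path := range mustPass {
		if challenged(path) { // intended to pass, but is challenged
			overblocked = append(overblocked, path)
		}
	}
	return unprotected, overblocked, nil
}

func main() {
	// Constructed intent: which paths should and should not see the challenge.
	mustProtect := []string{"/issues", "/issues/42", "/articles/7", "/Articles/7"}
	mustPass := []string{"/issues-feed.xml", "/about"}
	for _, pat := range []string{"^/(issues|articles)", "(?i)^/(issues|articles)(/|$)"} {
		u, o, err := Audit(pat, "", mustProtect, mustPass)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s unprotected=%q overblocked=%q\n", pat, u, o)
	}
}
```

With the pattern from the snippet, /issues-feed.xml is challenged because the pattern has no segment boundary, and /Articles/7 is missed because matching is case-sensitive; the second pattern closes both gaps for this constructed intent.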

Reference

tls

Switch Traefik TLS mode: http, mkcert, letsencrypt, or self-managed
sitectl traefik tls MODE
| Flag | Default | Description |
| --- | --- | --- |
| --acme-url | | ACME directory URL to set when using letsencrypt |
| --cert-file | | Public certificate file to install for self-managed TLS |
| --domain | | Domain to use for mkcert; defaults to DOMAIN from the env file or localhost |
| --email | | ACME email to set when using letsencrypt |
| --env-file | | Env file to update; defaults to the first context env-file or .env |
| --key-file | | Private key file to install for self-managed TLS |
| --tls-compose-file | docker-compose.tls.yml | TLS compose override to add/remove from the context when it exists |

bot-mitigation

Switch Traefik bot mitigation on or off
sitectl traefik bot-mitigation STATE
| Flag | Default | Description |
| --- | --- | --- |
| --env-file | | Env file to update; defaults to the first context env-file or .env |
| --turnstile-secret-key | | Cloudflare Turnstile secret key to write to the env file |
| --turnstile-site-key | | Cloudflare Turnstile site key to write to the env file |

status

Show the compose service container status
sitectl traefik status
| Flag | Default | Description |
| --- | --- | --- |
| --service | traefik | Compose service name |

ingress-status

Show Traefik ingress TLS and bot-mitigation settings
sitectl traefik ingress-status
| Flag | Default | Description |
| --- | --- | --- |
| --env-file | | Env file to update; defaults to the first context env-file or .env |