Automated reverse proxy management through MikroTik interface
MikroTik Proxy Manager is an automated solution for managing reverse proxy servers through the MikroTik RouterOS interface. Adding hosts via Winbox automatically creates dynamic Traefik configuration with Let's Encrypt SSL certificate support.
The system consists of two containers running in RouterOS Container:
- Traefik - Reverse proxy with automatic SSL management
- MikroTik Proxy Manager - Python application for configuration synchronization
- 🔄 Automatic creation of Traefik configuration
- 🌐 DNS management for proxy hosts
- 🔒 SSL certificates via Let's Encrypt or custom certificates (including Cloudflare configuration example)
- 🖥️ Simple management through Winbox, CLI, or REST API
- 📊 Monitoring and logging
- RouterOS with container support (arm64, x86)
- Domain name
- Public IP address (required for the Let's Encrypt HTTP challenge, which needs port 80 reachable from the internet; not needed for issuance with the Cloudflare DNS challenge)
- USB storage or internal memory for configuration storage (USB storage recommended on real MikroTik devices)
- Skills: Linux, networking, MikroTik RouterOS, debugging (if you get this set up and running, congratulations; it is much easier to do on Linux than on RouterOS)
Before starting, prepare your MikroTik router with container support and API SSL settings. Follow the RouterOS Container Guide for detailed instructions.
Simple guide
Note: This setup uses the Let's Encrypt HTTP challenge (port 80) by default, so port 80 on your public IP must be forwarded to the Traefik container.
### Step 1: Create Directories

Create the necessary directories on your RouterOS device. If you use USB storage, it must be formatted as EXT4:

```routeros
# /file add name=usb1 type=directory
/file add name=usb1/configs type=directory
/file add name=usb1/traefik type=directory
# Prepare container dirs
/file add name=usb1/docker/traefik type=directory
/file add name=usb1/docker/mpm type=directory
```
### Step 2: Fetch the Traefik Static Configuration

Fetch the static Traefik default configuration:

```routeros
/tool fetch url="https://raw.githubusercontent.com/akmalovaa/mikrotik-proxy-manager/refs/heads/main/traefik/traefik.yml" mode=https dst-path="usb1/traefik/traefik.yml"
```

Then create an empty `acme.json` at `usb1/traefik/acme.json`. Traefik keeps the ACME account key and every issued certificate in this file, so it must exist before the container starts and must be readable only by its owner (mode 600); the permissions error you get otherwise is covered in the troubleshooting notes at the end of this page.
### Step 3: Configure Container Mounts

Set up mount points for the containers. `traefik_dynamic` and `mpm_config` point at the same `/usb1/configs` directory: MikroTik Proxy Manager writes the generated dynamic configuration there and Traefik reads it from its side of the mount.

```routeros
/container mounts
add name=traefik_static src=/usb1/traefik dst=/etc/traefik
add name=traefik_dynamic src=/usb1/configs dst=/configs
add name=mpm_config src=/usb1/configs dst=/srv/configs
add name=traefik_acme src=/usb1/traefik/acme.json dst=/acme.json
```

If your `traefik.yml` points the certificate resolver's `storage` at `/acme.json`, add `traefik_acme` to the Traefik container's `mounts=` list as well; with `traefik_static` alone the file is only visible inside the container as `/etc/traefik/acme.json`.
### Step 4: Set API Credentials

Set up the credentials MikroTik Proxy Manager uses to connect to the router:

```routeros
/container envs
add key=MIKROTIK_HOST name=mpm value=192.168.88.1
add key=MIKROTIK_USER name=mpm value=user-api
add key=MIKROTIK_PASSWORD name=mpm value=password
# Change to the IP address of the Traefik container (its veth interface)
add key=REVERSE_PROXY_IP name=mpm value=10.0.0.1
# Only if you want to use the Cloudflare DNS challenge:
# add key=TLS_CERT_RESOLVER name=mpm value=cloudflare
```

Replace `password` with a real one, and use a dedicated RouterOS user rather than an admin account: put it in its own group with only the policies it needs (`read`, `write` and `api` or `rest-api`, depending on which API the application talks to) and restrict it with `address=` to the container's subnet. Container environment values are stored in plain text on the router and shown by `/container envs print`, so treat them like any other credential file.
### Step 5: Create the Containers

Add the Traefik container:

```routeros
/container add remote-image=mirror.gcr.io/traefik:v3.5.1 interface=veth1 root-dir=usb1/docker/traefik mounts=traefik_static,traefik_dynamic start-on-boot=yes logging=yes
```
If you want to use the Cloudflare DNS challenge instead of the HTTP challenge:

- Use the configuration from `traefik/traefik_cloudflare.yml` instead of `traefik/traefik.yml`
- Add your Cloudflare API token and select the resolver:

```routeros
/container envs
add key=CF_DNS_API_TOKEN name=traefik value=your-cloudflare-api-token
add key=TLS_CERT_RESOLVER name=mpm value=cloudflare
```

- Create the Traefik container with the `traefik` environment list attached (the `interface=` must be the veth whose address you put in `REVERSE_PROXY_IP`):

```routeros
/container add remote-image=mirror.gcr.io/traefik:v3.5.1 envlist=traefik interface=veth2 root-dir=usb1/docker/traefik mounts=traefik_static,traefik_dynamic start-on-boot=yes logging=yes
```

Scope the Cloudflare token to `Zone:DNS:Edit` for the one zone you use. A broader token sitting in a container environment on a router is a larger blast radius than the DNS challenge needs.
Add the MikroTik Proxy Manager container:

```routeros
/container add remote-image=ghcr.io/akmalovaa/mikrotik-proxy-manager:latest envlist=mpm interface=veth1 root-dir=usb1/docker/mpm mounts=mpm_config logging=yes start-on-boot=yes
# If the container stops with "Process exited with status 1", use a pinned release tag instead of latest:
/container add remote-image=ghcr.io/akmalovaa/mikrotik-proxy-manager:2.1.0 envlist=mpm interface=veth1 logging=yes mounts=mpm_config root-dir=/usb1/docker/mpm start-on-boot=yes
```

Pinning a release tag is also the better choice from a supply-chain standpoint: `latest` is a moving target, so the image you looked at is not necessarily the one you get the next time the container is re-created.
### Step 6: Start the Containers

Start your containers and verify they're running:

```routeros
/container start [find name~"traefik"]
/container start [find name~"mpm"]
```
Once the containers are running, you can manage proxy configurations through several methods. The system watches `/ip/proxy/access` entries (RouterOS web-proxy access rules, used here purely as a store of host entries) and automatically generates the matching Traefik dynamic configuration.

The system currently reads these proxy access parameters:

- `dst-host` - Public hostname (the domain Traefik should answer for)
- `dst-address` - Destination IP address of the backend
- `dst-port` - Destination port of the backend
Via Winbox:

- Open Winbox and navigate to IP → Proxy → Access
- Add a new proxy access rule with your desired configuration

Via the CLI:

```routeros
/ip proxy access
add dst-host=test.example.com dst-address=192.168.88.10 dst-port=80
```

Via the RouterOS REST API:

```bash
curl -k -X PUT "https://192.168.88.1/rest/ip/proxy/access" \
  -u 'username:password' \
  -H "Content-Type: application/json" \
  -d '{"dst-address": "192.168.88.10", "dst-host": "test.example.com", "dst-port": "80"}'
```

`-k` disables certificate verification and is only acceptable against a router on your own LAN while it still has a self-signed certificate. Once the `www-ssl` service has a certificate you trust, drop `-k` (or pass the issuing CA with `--cacert`) so the credentials in `-u` cannot be sent to an impersonated endpoint.

After adding proxy entries, you can verify the generated configurations in the shared `/usb1/configs` directory and in the container logs (`/log print`, with `logging=yes` set on the containers).
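To make the sync step concrete, here is an added example (not code from the mikrotik-proxy-manager project) that turns a list of `/ip/proxy/access` entries into the Traefik v3 dynamic configuration the file provider reads. It assumes entries shaped like the RouterOS REST response (string values with `.id`, `dst-host`, `dst-address`, `dst-port`, `disabled`), a certificate resolver named `letsencrypt` unless `TLS_CERT_RESOLVER` says otherwise, a `websecure` entrypoint in `traefik.yml`, and router/service names derived from the host; none of those names are taken from the page. It goes beyond the page by also handling disabled rows, duplicate, wildcard or malformed hosts, bad ports and IPv6 backends.

```python
"""Added example, not the project's own code: turn RouterOS /ip/proxy/access
entries into a Traefik v3 dynamic configuration, the way the sync step has to.

Assumptions not taken from the page: entries are dicts shaped like the RouterOS
REST response for /rest/ip/proxy/access (string values, keys ".id", "dst-host",
"dst-address", "dst-port", "disabled"); the certificate resolver is called
"letsencrypt" unless TLS_CERT_RESOLVER says otherwise; a "websecure"
entrypoint exists in traefik.yml; routers and services are named after the host.
"""
import ipaddress
import json
import os
import re
from typing import Dict, List, Optional

# Strict DNS hostname: labels of [a-z0-9-], no leading/trailing '-', a real TLD.
# This rejects wildcards such as "*.example.com", which RouterOS accepts in
# dst-host but which would become an unintended catch-all Host() rule.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate_entry(entry: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return {"host", "address", "port"} for a usable entry, else None.

    Skipping a bad row instead of raising is deliberate: one typo in Winbox
    must not break the whole dynamic config and take every other site down.
    """
    if str(entry.get("disabled", "false")).lower() in ("true", "yes"):
        return None
    host = (entry.get("dst-host") or "").strip().lower()
    if not HOSTNAME_RE.match(host):
        return None
    try:
        address = ipaddress.ip_address(entry.get("dst-address", ""))
        port = int(entry.get("dst-port", ""))
    except (TypeError, ValueError):
        return None
    if not 1 <= port <= 65535:
        return None
    return {"host": host, "address": address, "port": port}


def build_dynamic_config(entries: List[Dict[str, str]],
                         cert_resolver: Optional[str] = None) -> dict:
    """Build the {"http": {"routers": ..., "services": ...}} tree Traefik's
    file provider expects. Written out as JSON it is also valid YAML, so it can
    be dropped into the shared configs directory as <name>.yml without PyYAML."""
    resolver = cert_resolver or os.environ.get("TLS_CERT_RESOLVER", "letsencrypt")
    routers: Dict[str, dict] = {}
    services: Dict[str, dict] = {}
    for entry in entries:
        cleaned = validate_entry(entry)
        if cleaned is None:
            continue
        name = cleaned["host"].replace(".", "-")
        if name in routers:
            # RouterOS happily stores duplicate dst-host rows; the first one
            # wins so a later entry cannot silently hijack an existing site.
            continue
        addr = cleaned["address"]
        host_part = f"[{addr}]" if addr.version == 6 else str(addr)  # IPv6 needs brackets
        routers[name] = {
            "rule": f"Host(`{cleaned['host']}`)",  # Traefik v3 matcher syntax
            "entryPoints": ["websecure"],
            "service": name,
            "tls": {"certResolver": resolver},
        }
        services[name] = {
            "loadBalancer": {"servers": [{"url": f"http://{host_part}:{cleaned['port']}"}]}
        }
    return {"http": {"routers": routers, "services": services}}


# Constructed sample input, shaped like a RouterOS REST response (not real data).
SAMPLE_ENTRIES = [
    {".id": "*1", "dst-host": "test.example.com", "dst-address": "192.168.88.10", "dst-port": "80", "disabled": "false"},
    {".id": "*2", "dst-host": "Test.Example.com", "dst-address": "192.168.88.11", "dst-port": "8080", "disabled": "false"},  # duplicate, skipped
    {".id": "*3", "dst-host": "*.example.com", "dst-address": "192.168.88.12", "dst-port": "80", "disabled": "false"},  # wildcard, skipped
    {".id": "*4", "dst-host": "ipv6.example.com", "dst-address": "fd00::10", "dst-port": "3000", "disabled": "false"},
    {".id": "*5", "dst-host": "old.example.com", "dst-address": "192.168.88.13", "dst-port": "80", "disabled": "true"},  # disabled, skipped
    {".id": "*6", "dst-host": "broken.example.com", "dst-address": "192.168.88.14", "dst-port": "", "disabled": "false"},  # no port, skipped
]

if __name__ == "__main__":
    print(json.dumps(build_dynamic_config(SAMPLE_ENTRIES), indent=2))
```

Run it with `python3` to print the generated tree; because JSON is a subset of YAML, the output can be written as `<host>.yml` into the directory behind the `traefik_dynamic` mount. The decision worth calling out is the strict hostname check: RouterOS accepts wildcards and regex-like values in `dst-host`, and letting them through would create a catch-all router that answers for names you never meant to expose.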
Set up the development environment:

```bash
# Install dependencies
uv sync
# Run the application locally
uv run python -m mikrotik_proxy_manager
```

For development with Docker containers:

```bash
# Build and run development containers
docker-compose -f dev_compose.yaml up --build
```
Example commands for testing containers in RouterOS:

```routeros
# Deploy whoami test service
/container add remote-image=ghcr.io/traefik/whoami:latest interface=veth2 root-dir=/docker/whoami logging=yes
# Deploy NGINX for testing
/container add remote-image=mirror.gcr.io/nginx:latest interface=veth1 root-dir=usb1/docker/nginx logging=yes
# Python container for debugging (kept alive with a no-op command so you can open a shell in it)
/container add remote-image=mirror.gcr.io/python:3.13.7-slim interface=veth1 root-dir=usb1/docker/python logging=yes cmd="tail -f /dev/null"
```
⚠️ SECURITY WARNING: Running third-party container images on your router can pose security risks.

- Ensure you trust the container images you deploy (pin a tag or digest rather than `latest`)
- Regularly update containers to patch security vulnerabilities
- Monitor container activity and network traffic
- Use strong passwords for API access
- Consider network segmentation for container traffic

If your router is compromised, malicious containers could be used to install harmful software on your router and spread across your network. Recommendations:

- Use strong, dedicated API credentials for MikroTik access: a separate user with only the policies the application needs, restricted by source address, never the admin account
- Regularly update container images
- Monitor logs for suspicious activity
- Limit container network access where possible
- Use firewall rules to restrict container communication
- Add Crowdsec application security features
- Implement configuration validation
- Add monitoring dashboard
- Support for custom SSL certificates
- Enhanced logging and alerting
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
If you encounter any issues or have questions, please open an issue on GitHub.
Traefik logs the following and skips the resolver (so no certificates are issued) when `acme.json` is readable by others:

```
traefik:: {"level":"error","error":"unable to get ACME account: permissions 644 for acme.json are too open, please use 600","resolver":"cloudflare","time":"2025-09-08T20:02:11Z","message":"The ACME resolve is skipped from the resolvers list"}
```

Fix it from a shell inside the Traefik container (X is the container's number in `/container print`), then restart the container:

```routeros
/container/shell number=X
```

```sh
chmod 600 acme.json
```
To debug container networking, run a container with `cmd="tail -f /dev/null"` (see the Python debugging container above), open a shell in it and inspect the network from inside:

```routeros
/container/shell number=X
```

```sh
ip addr show
# slim images often have no ip command; the kernel routing table works everywhere
cat /proc/net/route
```

If the container cannot reach the network, adjust your RouterOS bridge, veth or IP address settings.
An example from the official documentation: create a new veth interface and assign an IP address in a range that is unique in your network:

```routeros
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
```

⚠️ WARNING: Do not use addresses from 172.17.0.0/24 for containers (the official example above uses it only for illustration; pick another range). It is Docker's default bridge network, so a `docker compose` stack on a remote server reached through this router will have reverse-route problems.
If you use USB storage and have problems reading or writing files, check the filesystem: the recommended format is EXT4.

Error `no space to extract layer`: eject the USB storage, reinsert it and try again.

Container logging uses router RAM. If memory use is high, disable `logging=yes` on containers you are not actively debugging (disable and re-enable it when you need the output again).