refactor(docker): remove the bundled Traefik reverse proxy

.env.example

@@ -16,9 +16,6 @@ AUTO_START_SESSIONS=false
 
 # Domain Configuration
 DOMAIN=localhost
-# The dashboard is bundled into the API and served on the API port. This only sets the
-# public port for the optional Traefik proxy (with-proxy profile).
-DASHBOARD_PORT=2886
 
 # Host interface the dev compose binds the API/dashboard ports to. Defaults to 127.0.0.1
 # (localhost only). Set to 0.0.0.0 to reach the dev stack from another machine (e.g. a remote
@@ -35,22 +32,16 @@ DASHBOARD_PORT=2886
 # blocked) — set explicit origin(s) there, e.g. https://dashboard.yourdomain.com
 CORS_ORIGINS=*
 
-# SSL/TLS (enable for production with real domain)
-# TRAEFIK_ACME_EMAIL=admin@yourdomain.com
-# TRAEFIK_ACME_STORAGE=/letsencrypt/acme.json
+# SSL/TLS: terminate TLS at your own reverse proxy (nginx, Caddy, a cloud load
+# balancer, or a k8s Ingress) in front of the API — see docs/12-troubleshooting-faq.md.
 
 # Trusted reverse proxies (comma-separated IPs/CIDRs) whose X-Forwarded-For
 # header is trusted to determine the real client IP for API-key IP whitelisting.
 # Leave empty (default) to ignore X-Forwarded-For and use the direct socket
-# address, which prevents IP spoofing. If you run behind Traefik/nginx AND use
+# address, which prevents IP spoofing. If you run behind a reverse proxy AND use
 # per-key allowedIps restrictions, set this to the proxy's address/subnet, e.g.:
 # TRUSTED_PROXIES=172.18.0.0/16
 
-# =============================================================================
-# COMPONENTS (enable/disable container profiles)
-# =============================================================================
-PROXY_ENABLED=true                  # Enable Traefik proxy container
-
 # =============================================================================
 # ENGINE CONFIGURATION
 # =============================================================================

CHANGELOG.md

@@ -19,6 +19,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - The API's Content-Security-Policy now allows `https://fonts.googleapis.com` (`style-src`) and
   `https://fonts.gstatic.com` (`font-src`) so the dashboard's webfonts load now that it is served under the
   API's CSP. (#275)
+- **BREAKING — removed the bundled Traefik reverse proxy.** With the API serving both the UI and the API
+  on one port, the shipped Traefik service was a single-backend passthrough that added no value (it
+  terminated no TLS out of the box). Removed the `traefik` service, the `traefik/` configs, and the
+  `with-proxy` profile. For TLS / public exposure, put your own reverse proxy (nginx, Caddy, a cloud load
+  balancer, or a k8s Ingress) in front of the API — see `docs/12-troubleshooting-faq.md`. (#276)
 
 ### Added
 
@@ -29,8 +34,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - The dashboard moved from `:2886` (separate nginx container) to the API port `:2785`. Update bookmarks,
   monitoring, and any external reverse-proxy config accordingly. (#275)
-- The `with-dashboard` compose profile and the `DASHBOARD_ENABLED` env var are removed (the dashboard ships
-  with the API; ignored if still set). (#275)
+- The `with-dashboard` and `with-proxy` compose profiles are removed, and the `DASHBOARD_PORT`,
+  `PROXY_ENABLED`, and `DASHBOARD_ENABLED` env vars are gone (silently ignored if still set). `--profile
+  full` now starts the optional datastores (postgres, redis, minio). If you relied on the bundled Traefik
+  for TLS, front the API with your own reverse proxy. (#275, #276)
 
 ## [0.3.0] - 2026-06-18
 

README.md

@@ -187,20 +187,21 @@ docker compose up -d
 # With PostgreSQL database
 docker compose --profile postgres up -d
 
-# Full stack (PostgreSQL, Redis, Traefik)
+# Full stack (PostgreSQL, Redis, MinIO)
 docker compose --profile full up -d
 ```
 
-| Profile      | Services              |
-| ------------ | --------------------- |
-| `postgres`   | PostgreSQL database   |
-| `redis`      | Redis cache           |
-| `minio`      | S3-compatible storage |
-| `with-proxy` | Traefik reverse proxy |
-| `full`       | All services above    |
+| Profile    | Services              |
+| ---------- | --------------------- |
+| `postgres` | PostgreSQL database   |
+| `redis`    | Redis cache           |
+| `minio`    | S3-compatible storage |
+| `full`     | All services above    |
 
 > The dashboard is bundled into the API image and served by NestJS on the API port, so it
-> needs no profile - it is always available wherever `openwa-api` runs.
+> needs no profile — it is always available wherever `openwa-api` runs. For TLS/public exposure,
+> put your own reverse proxy (nginx, Caddy, a cloud load balancer, or a k8s Ingress) in front;
+> see the nginx example in `docs/12-troubleshooting-faq.md`.
 
 > **Development vs Production**
 >
@@ -213,10 +214,10 @@ docker compose --profile full up -d
 
 ## 🔌 Ports
 
-| Service         | Port            | Description                                     |
-| --------------- | --------------- | ----------------------------------------------- |
-| API & Dashboard | `2785`          | REST API + bundled web dashboard (same port)    |
-| Swagger         | `2785/api/docs` | Interactive API docs                            |
+| Service         | Port            | Description                                   |
+| --------------- | --------------- | --------------------------------------------- |
+| API & Dashboard | `2785`          | REST API + bundled web dashboard (same port)  |
+| Swagger         | `2785/api/docs` | Interactive API docs                          |
 | Dashboard (dev) | `2886`          | Vite dev server with hot reload (`npm run dev`) |
 
 ---

docker-compose.yml

@@ -27,32 +27,14 @@ services:
       - 'com.openwa.service=docker-proxy'
       - 'com.openwa.core=true'
 
-  # ===== CORE: Traefik Reverse Proxy =====
-  traefik:
-    image: traefik:v3.0
-    container_name: openwa-traefik
-    profiles: ['with-proxy', 'full']
-    restart: unless-stopped
-    networks:
-      - openwa-network
-    ports:
-      - '127.0.0.1:${DASHBOARD_PORT:-2886}:80'
-      - '127.0.0.1:8080:8080' # Traefik dashboard
-    volumes:
-      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
-    labels:
-      - 'com.openwa.service=proxy'
-      - 'com.openwa.core=true'
-
   # ===== CORE: OpenWA Backend API =====
   openwa-api:
     build:
       context: .
       dockerfile: Dockerfile
     container_name: openwa-api
     restart: unless-stopped
-    # App network for datastores/traefik/dashboard + the isolated network to reach
+    # App network for datastores + the isolated network to reach
     # docker-proxy (DOCKER_HOST). createService() in docker.service.ts attaches
     # orchestrated containers to the literal `openwa-network`, so its name is fixed.
     networks:
@@ -171,14 +153,14 @@ services:
       - 'com.openwa.core=true'
 
   # The dashboard SPA is now bundled into the openwa-api image and served by NestJS on the
-  # same port (2785) - there is no separate dashboard container. Reach it at the openwa-api
-  # port directly, or via Traefik (above) when the with-proxy profile is enabled.
+  # same port (2785) — there is no separate dashboard container. Reach it at the openwa-api
+  # port directly; put your own TLS reverse proxy (nginx/Caddy/cloud LB) in front if needed.
 
   # ===== OPTIONAL: Built-in PostgreSQL =====
   postgres:
     image: postgres:16-alpine
     container_name: openwa-postgres
-    profiles: ['postgres']
+    profiles: ['postgres', 'full']
     restart: unless-stopped
     networks:
       - openwa-network
@@ -206,7 +188,7 @@ services:
   redis:
     image: redis:7-alpine
     container_name: openwa-redis
-    profiles: ['redis']
+    profiles: ['redis', 'full']
     restart: unless-stopped
     networks:
       - openwa-network
@@ -228,7 +210,7 @@ services:
   minio:
     image: minio/minio
     container_name: openwa-minio
-    profiles: ['minio']
+    profiles: ['minio', 'full']
     restart: unless-stopped
     networks:
       - openwa-network
@@ -265,8 +247,8 @@ volumes:
     driver: local
 
 networks:
-  # Application network — datastores, traefik, dashboard, and openwa-api. Keep the
-  # name `openwa-network`: docker.service.ts attaches orchestrated containers to it by literal name.
+  # Application network — datastores and openwa-api. Keep the name `openwa-network`:
+  # docker.service.ts attaches orchestrated containers to it by literal name.
   openwa-network:
     name: openwa-network
   # Isolated network for the Docker socket proxy. `internal: true` means no external

docs/14-migration-guide.md

@@ -103,7 +103,7 @@ curl -s 'http://localhost:2785/api/infra/export-data' \
 #       POSTGRES_BUILTIN=true
 
 # Step 3: Restart with new configuration
-docker compose --profile with-proxy up -d
+docker compose --profile postgres up -d
 
 # Step 4: Import data to new database
 curl -X POST 'http://localhost:2785/api/infra/import-data' \

docs/DOCKER_ID.md

@@ -22,7 +22,6 @@ OpenWA menggunakan fitur **Profiles** di Docker Compose untuk mempermudah orkest
 *   **`postgres`**: Database PostgreSQL (bawaan docker).
 *   **`redis`**: Caching layer untuk performa tinggi.
 *   **`minio`**: Penyimpanan berkas media yang kompatibel dengan Amazon S3.
-*   **`with-proxy`**: Reverse proxy Traefik otomatis.
 
 ---
 
@@ -75,7 +74,7 @@ Cocok untuk keandalan data lebih tinggi:
 docker compose --profile postgres up -d
 ```
 
-#### Skenario C: Full Stack (PostgreSQL + Redis + S3 MinIO + Traefik)
+#### Skenario C: Full Stack (PostgreSQL + Redis + S3 MinIO)
 Cocok untuk skala enterprise dengan multi-sesi aktif:
 ```bash
 docker compose --profile full up -d
@@ -90,7 +89,6 @@ Berikut variabel penting yang bisa disesuaikan di `.env`:
 | Nama Variabel | Nilai Default | Deskripsi |
 |---|---|---|
 | `API_PORT` | `2785` | Port REST API sekaligus Dashboard UI (disajikan oleh NestJS). |
-| `DASHBOARD_PORT` | `2886` | Port publik untuk proxy Traefik opsional (profil `with-proxy`). |
 | `DATABASE_TYPE` | `sqlite` | Jenis database yang digunakan (`sqlite` atau `postgres`). |
 | `DATABASE_NAME` | `/app/data/openwa.sqlite` | Lokasi database SQLite atau nama database PostgreSQL. |
 | `ENGINE_TYPE` | `whatsapp-web.js` | Driver/mesin engine WhatsApp yang digunakan. |

docs/README.md

@@ -83,7 +83,7 @@ Access:
 - Swagger: `http://localhost:2785/api/docs`
 - Health: `http://localhost:2785/api/health`
 
-### Option B: Docker (Traefik + API, dashboard bundled into the API)
+### Option B: Docker (single container: API + Dashboard)
 
 ```bash
 # Clone repository
@@ -94,12 +94,11 @@ cd OpenWA
 docker compose up -d
 ```
 
-Access:
+Access (the dashboard is bundled into the API and served on the same port):
 
-- Dashboard: `http://localhost:2785` (bundled into the API, same port)
+- Dashboard: `http://localhost:2785`
 - API: `http://localhost:2785/api`
 - Swagger: `http://localhost:2785/api/docs`
-- Traefik (optional, with-proxy profile): `http://localhost:2886`
 
 ### API Key
 
@@ -173,7 +172,7 @@ socket.on('message', msg => {
 | WebSocket Events (Socket.IO)    | Ready                         |
 | Multi-session Support           | Ready                         |
 | Web Dashboard                   | Ready                         |
-| Docker + Traefik Deployment     | Ready                         |
+| Docker Deployment               | Ready                         |
 | Webhooks with HMAC Signature    | Ready                         |
 | SQLite / PostgreSQL Storage     | Ready                         |
 | API Key Authentication & Roles  | Ready                         |
@@ -204,7 +203,7 @@ socket.on('message', msg => {
 OpenWA/
 ├── src/                    # Backend source code
 ├── dashboard/              # Frontend dashboard
-├── docker-compose.yml      # Traefik (optional) + API (serves bundled dashboard)
+├── docker-compose.yml      # API (serves bundled dashboard) + optional datastores
 ├── docker-compose.dev.yml  # Dev-only compose
 ├── docs/                  # Project documentation
 └── data/                   # Local runtime data (sessions, media, api key)

scripts/openwa.sh

@@ -37,14 +37,8 @@ load_env() {
 get_profiles() {
     local profiles=""
 
-    # Dashboard is bundled into the openwa-api image and served by NestJS on the API port -
-    # no separate container/profile needed.
-
-    # Proxy (default: enabled)
-    if [ "${PROXY_ENABLED:-true}" = "true" ]; then
-        profiles="$profiles --profile with-proxy"
-        log_info "Proxy (Traefik): enabled"
-    fi
+    # Dashboard is bundled into the openwa-api image and served by NestJS on the API port —
+    # no separate container/profile needed. Put your own TLS proxy in front if required.
 
     # PostgreSQL (built-in)
     if [ "${DATABASE_TYPE:-sqlite}" = "postgres" ] && [ "${POSTGRES_BUILTIN:-false}" = "true" ]; then
@@ -117,16 +111,13 @@ cmd_start() {
     log_success "OpenWA started successfully!"
     echo ""
     log_info "Dashboard & API: http://localhost:${API_PORT:-2785}"
-    if [ "${PROXY_ENABLED:-true}" = "true" ]; then
-        log_info "Public (Traefik): http://localhost:${DASHBOARD_PORT:-2886}"
-    fi
 }
 
 # Stop OpenWA
 cmd_stop() {
     log_info "Stopping OpenWA..."
     cd "$PROJECT_DIR"
-    docker compose --profile postgres --profile redis --profile minio --profile with-proxy down
+    docker compose --profile full down
     log_success "OpenWA stopped"
 }