You've already forked traefik
Compare commits
9 Commits
1.0.2
...
503f438bdf
| Author | SHA1 | Date | |
|---|---|---|---|
| 503f438bdf | |||
| a1428f0d3b | |||
| a40e9ad9ad | |||
| e2b612e664 | |||
| 4633927204 | |||
| 64e726391a | |||
| 4d4a578b78 | |||
| 39dbe048f5 | |||
| 310c237add |
4
.gitignore
vendored
4
.gitignore
vendored
@@ -1,2 +1,2 @@
|
||||
.env
|
||||
le-certs.json
|
||||
/.env*
|
||||
/certs.json
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
version: "3"
|
||||
|
||||
---
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:${TRAEFIK_VERSION}
|
||||
@@ -11,11 +10,12 @@ services:
|
||||
# enable Træfik dashboard
|
||||
- --api.dashboard=true
|
||||
# configure Let's Encrypt automatic certificates
|
||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
|
||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
|
||||
- --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
|
||||
- --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
|
||||
- --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
|
||||
# we listen on both HTTP and HTTPS
|
||||
- --entrypoints.http.address=:80
|
||||
- --entrypoints.https.address=:443
|
||||
@@ -31,22 +31,26 @@ services:
|
||||
# should not need, but just in case, a folder for dynamic config files is also configured
|
||||
- --providers.file.directory=/config
|
||||
- --providers.file.watch=true
|
||||
environment:
|
||||
- HETZNER_API_KEY=${HETZNER_API_KEY}
|
||||
env_file:
|
||||
- ${TRAEFIK_DNSPROVIDER_ENVFILE}
|
||||
labels:
|
||||
# expose Træfik using Træfik (dashboard)
|
||||
- traefik.enable=true
|
||||
# configure a global whitelist for my home
|
||||
- traefik.enable=${TRAEFIK_ENABLED}
|
||||
# configure a global whitelist for accessing the Træfik dashboard
|
||||
- traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
|
||||
# configure the global redirect middleware
|
||||
# configure a global middleware for redirecting HTTP to HTTPS
|
||||
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
|
||||
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
|
||||
# configure a global middleware to harden security through HSTS
|
||||
- traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
|
||||
- traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
|
||||
- traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
|
||||
### Section HTTP
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
|
||||
# only some people can access the dashboard, hence protect it with it's whitelist
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
|
||||
# redirect Træfik dashboard to HTTPS only
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https,hsts
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
|
||||
### Section HTTPS
|
||||
@@ -57,8 +61,8 @@ services:
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
|
||||
# of course, enable TLS and it's certificate provider
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=true
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=letsencrypt
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
|
||||
networks:
|
||||
- traefik
|
||||
ports:
|
||||
@@ -67,7 +71,7 @@ services:
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./config:/config:ro
|
||||
- ./le-certs.json:/le-certs.json
|
||||
- ./certs.json:/certs.json
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
|
||||
1
env.dnsprovider.example
Normal file
1
env.dnsprovider.example
Normal file
@@ -0,0 +1 @@
|
||||
HETZNER_API_KEY=
|
||||
17
env.example
17
env.example
@@ -1,13 +1,24 @@
|
||||
# General environment
|
||||
TRAEFIK_VERSION=2.4
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
|
||||
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
|
||||
TRAEFIK_ENABLED=true
|
||||
TRAEFIK_NETWORK=traefik
|
||||
TRAEFIK_MATCHRULE=traefik.mydomain.com
|
||||
TRAEFIK_ROUTER=traefik_mydomain_com
|
||||
TRAEFIK_NETWORK=traefik-proxy
|
||||
TRAEFIK_PILOT_TOKEN=
|
||||
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
|
||||
|
||||
# Security
|
||||
TRAEFIK_TLSENABLED=true
|
||||
TRAEFIK_STS_SECONDS=15552000
|
||||
TRAEFIK_STS_SUBDOMAINS=true
|
||||
TRAEFIK_STS_PRELOAD=true
|
||||
|
||||
# Certificate provider
|
||||
HETZNER_API_KEY=
|
||||
TRAEFIK_DNSPROVIDER=hetzner
|
||||
TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
|
||||
TRAEFIK_DNSRESOLVERS=1.1.1.1:53,1.0.0.1:53
|
||||
LETSENCRYPT_EMAIL=admin@mydomain.com
|
||||
|
||||
# Debugging
|
||||
|
||||
Reference in New Issue
Block a user