Compare commits
25 Commits
44354e0ed1
...
main
Author | SHA1 | Date | |
---|---|---|---|
47b9c06ba9 | |||
032cbf1820 | |||
09f3ec9f70 | |||
92f3d7bc79 | |||
9995f30c3b | |||
026a2a272b | |||
deb1b7ccb5 | |||
503f438bdf | |||
a1428f0d3b | |||
a40e9ad9ad | |||
e2b612e664 | |||
4633927204 | |||
64e726391a | |||
4d4a578b78 | |||
39dbe048f5 | |||
310c237add | |||
4f46fdcdea | |||
ccb8dee381 | |||
6888d09442 | |||
8111b7297b | |||
026fc917e9 | |||
5b9facf603 | |||
46a8794a7c | |||
ccf95deedc | |||
f63b75e636 |
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
.env
|
/.env*
|
||||||
|
/certs.json
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
# traefik.bjphoster.com
|
# Træfik Deployment
|
||||||
|
|
||||||
Træfik deployment for reverse proxying all the infrastructure
|
Træfik deployment for reverse proxying all the infrastructure
|
||||||
|
11
config/tls.yml
Normal file
11
config/tls.yml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
tls:
|
||||||
|
options:
|
||||||
|
default:
|
||||||
|
minVersion: VersionTLS12
|
||||||
|
mintls13:
|
||||||
|
minVersion: VersionTLS13
|
||||||
|
compatible:
|
||||||
|
minVersion: VersionTLS11
|
||||||
|
supercompatible:
|
||||||
|
minVersion: VersionTLS10
|
@ -1,74 +1,74 @@
|
|||||||
version: "3"
|
---
|
||||||
|
|
||||||
services:
|
services:
|
||||||
traefik:
|
traefik:
|
||||||
|
image: traefik:${TRAEFIK_VERSION}
|
||||||
|
restart: unless-stopped
|
||||||
command:
|
command:
|
||||||
# when debugging is needed
|
# when debugging is needed
|
||||||
- --accesslog=${TRAEFIK_ACCESSLOG}
|
- --accesslog=${TRAEFIK_ACCESSLOG}
|
||||||
# enable Træfik dashboard
|
# enable Træfik dashboard
|
||||||
- --api.dashboard=true
|
- --api.dashboard=true
|
||||||
# configure Let's Encrypt automatic certificates
|
# configure Let's Encrypt automatic certificates
|
||||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
|
||||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
|
||||||
- --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
|
||||||
- --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
|
||||||
- --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
|
||||||
|
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
|
||||||
# we listen on both HTTP and HTTPS
|
# we listen on both HTTP and HTTPS
|
||||||
- --entrypoints.http.address=:80
|
- --entrypoints.http.address=:80
|
||||||
- --entrypoints.https.address=:443
|
- --entrypoints.https.address=:443
|
||||||
# logging level
|
# logging level
|
||||||
- --log.level=${TRAEFIK_LOGLEVEL}
|
- --log.level=${TRAEFIK_LOGLEVEL}
|
||||||
# Træfik Pilot token (of course retrieved from dotenv)
|
|
||||||
- --pilot.token=${TRAEFIK_PILOT_TOKEN}
|
|
||||||
# we only use Docker (for now)
|
# we only use Docker (for now)
|
||||||
- --providers.docker=true
|
- --providers.docker=true
|
||||||
# and we want to manually specify exposed containers
|
# and we want to manually specify exposed containers
|
||||||
- --providers.docker.exposedbydefault=false
|
- --providers.docker.exposedbydefault=false
|
||||||
- --providers.docker.watch=true
|
- --providers.docker.watch=true
|
||||||
# should not need, but just in case, a dynamic config file is also configured
|
# should not need, but just in case, a folder for dynamic config files is also configured
|
||||||
- --providers.file.directory=/dynamic-config
|
- --providers.file.directory=/config
|
||||||
- --providers.file.watch=true
|
- --providers.file.watch=true
|
||||||
container_name: ${TRAEFIK_CONTAINER_NAME}
|
env_file:
|
||||||
environment:
|
- ${TRAEFIK_DNSPROVIDER_ENVFILE}
|
||||||
- HETZNER_API_KEY=${HETZNER_API_KEY}
|
|
||||||
image: traefik:${TRAEFIK_VERSION}
|
|
||||||
labels:
|
labels:
|
||||||
# expose Træfik using Træfik (dashboard)
|
# expose Træfik using Træfik (dashboard)
|
||||||
- traefik.enable=true
|
- traefik.enable=${TRAEFIK_ENABLED}
|
||||||
# configure a global whitelist for my home
|
- traefik.docker.network=${TRAEFIK_NETWORK}
|
||||||
- traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
|
# configure a global whitelist for accessing the Træfik dashboard
|
||||||
# configure the global redirect middleware
|
- traefik.http.middlewares.dashboard-whitelist.ipallowlist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
|
||||||
|
# configure a global middleware for redirecting HTTP to HTTPS
|
||||||
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
|
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
|
||||||
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
|
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
|
||||||
|
# configure a global middleware to harden security through HSTS
|
||||||
|
- traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
|
||||||
|
- traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
|
||||||
|
- traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
|
||||||
### Section HTTP
|
### Section HTTP
|
||||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.entrypoints=http
|
- traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
|
||||||
# only some people can access the dashboard, hence protect it with it's whitelist
|
|
||||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
|
|
||||||
# redirect Træfik dashboard to HTTPS only
|
# redirect Træfik dashboard to HTTPS only
|
||||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=http-to-https
|
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTP_MIDDLEWARES}
|
||||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
- traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
|
||||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.service=api@internal
|
- traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
|
||||||
### Section HTTPS
|
### Section HTTPS
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.entrypoints=https
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
|
||||||
# only some people can access the dashboard, hence protect it with it's whitelist
|
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
|
|
||||||
# configure Træfik dashboard to be the exposed service
|
# configure Træfik dashboard to be the exposed service
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES}
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.service=api@internal
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
|
||||||
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
|
||||||
# of course, enable TLS and it's certificate provider
|
# of course, enable TLS and it's certificate provider
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls=true
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
|
||||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls.certresolver=letsencrypt
|
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
|
||||||
networks:
|
networks:
|
||||||
- traefik-proxy
|
- traefik
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
restart: unless-stopped
|
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
- ./config:/dynamic-config:ro
|
- ${TRAEFIK_DYNAMIC}:/config:ro
|
||||||
- ./le-certs.json:/le-certs.json
|
- ${TRAEFIK_CERTFILE}:/certs.json
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
traefik-proxy:
|
traefik:
|
||||||
external: true
|
external: true
|
||||||
|
name: ${TRAEFIK_NETWORK}
|
||||||
|
1
env.dnsprovider.example
Normal file
1
env.dnsprovider.example
Normal file
@ -0,0 +1 @@
|
|||||||
|
HETZNER_API_KEY=
|
32
env.example
32
env.example
@ -1,14 +1,30 @@
|
|||||||
TRAEFIK_VERSION=2.4
|
# General environment
|
||||||
TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
|
TRAEFIK_VERSION=latest
|
||||||
TRAEFIK_MATCHRULE=traefik.mydomain.com
|
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||||
TRAEFIK_ROUTER_NAME=traefik_mydomain_com
|
|
||||||
TRAEFIK_LOGLEVEL=INFO
|
|
||||||
TRAEFIK_PILOT_TOKEN=
|
|
||||||
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
|
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
|
||||||
|
TRAEFIK_ENABLED=true
|
||||||
|
TRAEFIK_NETWORK=traefik
|
||||||
|
TRAEFIK_MATCHRULE=Host(`traefik.example.com`)
|
||||||
|
TRAEFIK_ROUTER=traefik_example_com
|
||||||
|
TRAEFIK_HTTP_MIDDLEWARES=dashboard-whitelist,http-to-https
|
||||||
|
TRAEFIK_HTTPS_MIDDLEWARES=dashboard-whitelist,hsts
|
||||||
|
|
||||||
|
# Security
|
||||||
|
TRAEFIK_TLSENABLED=true
|
||||||
|
TRAEFIK_STS_SECONDS=15552000
|
||||||
|
TRAEFIK_STS_SUBDOMAINS=true
|
||||||
|
TRAEFIK_STS_PRELOAD=true
|
||||||
|
|
||||||
# Certificate provider
|
# Certificate provider
|
||||||
HETZNER_API_KEY=
|
TRAEFIK_DNSPROVIDER=hetzner
|
||||||
LETSENCRYPT_EMAIL=admin@mydomain.com
|
TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
|
||||||
|
TRAEFIK_DNSRESOLVERS=1.1.1.1:53,1.0.0.1:53
|
||||||
|
LETSENCRYPT_EMAIL=admin@example.com
|
||||||
|
|
||||||
# Debugging
|
# Debugging
|
||||||
TRAEFIK_ACCESSLOG=false
|
TRAEFIK_ACCESSLOG=false
|
||||||
|
TRAEFIK_LOGLEVEL=INFO
|
||||||
|
|
||||||
|
# Volumes
|
||||||
|
TRAEFIK_DYNAMIC=./config
|
||||||
|
TRAEFIK_CERTFILE=./certs.json
|
||||||
|
Loading…
Reference in New Issue
Block a user