You've already forked traefik
Compare commits
12 Commits
ccf95deedc
...
1.1.0
| Author | SHA1 | Date | |
|---|---|---|---|
| 4633927204 | |||
| 64e726391a | |||
| 4d4a578b78 | |||
| 39dbe048f5 | |||
| 310c237add | |||
| 4f46fdcdea | |||
| ccb8dee381 | |||
| 6888d09442 | |||
| 8111b7297b | |||
| 026fc917e9 | |||
| 5b9facf603 | |||
| 46a8794a7c |
3
.gitignore
vendored
3
.gitignore
vendored
@@ -1 +1,2 @@
|
||||
.env
|
||||
/.env
|
||||
/certs.json
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
# traefik.bjphoster.com
|
||||
# Træfik Deployment
|
||||
|
||||
Træfik deployment for reverse proxying all the infrastructure
|
||||
|
||||
11
config/tls.yml
Normal file
11
config/tls.yml
Normal file
@@ -0,0 +1,11 @@
|
||||
---
|
||||
tls:
|
||||
options:
|
||||
default:
|
||||
minVersion: VersionTLS12
|
||||
mintls13:
|
||||
minVersion: VersionTLS13
|
||||
compatible:
|
||||
minVersion: VersionTLS11
|
||||
supercompatible:
|
||||
minVersion: VersionTLS10
|
||||
@@ -1,18 +1,20 @@
|
||||
version: "3"
|
||||
|
||||
---
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:${TRAEFIK_VERSION}
|
||||
container_name: ${TRAEFIK_CONTAINER_NAME}
|
||||
restart: unless-stopped
|
||||
command:
|
||||
# when debugging is needed
|
||||
- --accesslog=${TRAEFIK_ACCESSLOG}
|
||||
# enable Træfik dashboard
|
||||
- --api.dashboard=true
|
||||
# configure Let's Encrypt automatic certificates
|
||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
|
||||
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
|
||||
- --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
|
||||
- --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
|
||||
- --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
|
||||
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
|
||||
# we listen on both HTTP and HTTPS
|
||||
- --entrypoints.http.address=:80
|
||||
- --entrypoints.https.address=:443
|
||||
@@ -25,50 +27,48 @@ services:
|
||||
# and we want to manually specify exposed containers
|
||||
- --providers.docker.exposedbydefault=false
|
||||
- --providers.docker.watch=true
|
||||
# should not need, but just in case, a dynamic config file is also configured
|
||||
- --providers.file.directory=/dynamic-config
|
||||
# should not need, but just in case, a folder for dynamic config files is also configured
|
||||
- --providers.file.directory=/config
|
||||
- --providers.file.watch=true
|
||||
container_name: ${TRAEFIK_CONTAINER_NAME}
|
||||
environment:
|
||||
- HETZNER_API_KEY=${HETZNER_API_KEY}
|
||||
image: traefik:${TRAEFIK_VERSION}
|
||||
env_file:
|
||||
- ${TRAEFIK_DNSPROVIDER_ENVFILE}
|
||||
labels:
|
||||
# expose Træfik using Træfik (dashboard)
|
||||
- traefik.enable=true
|
||||
- traefik.enable=${TRAEFIK_ENABLED}
|
||||
# configure a global whitelist for my home
|
||||
- traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
|
||||
# configure the global redirect middleware
|
||||
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
|
||||
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
|
||||
### Section HTTP
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.entrypoints=http
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
|
||||
# only some people can access the dashboard, hence protect it with it's whitelist
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
|
||||
# redirect Træfik dashboard to HTTPS only
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=http-to-https
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.service=api@internal
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
|
||||
### Section HTTPS
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.entrypoints=https
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
|
||||
# only some people can access the dashboard, hence protect it with it's whitelist
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
|
||||
# configure Træfik dashboard to be the exposed service
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.service=api@internal
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
|
||||
# of course, enable TLS and it's certificate provider
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls=true
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls.certresolver=letsencrypt
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
|
||||
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
|
||||
networks:
|
||||
- traefik-proxy
|
||||
- traefik
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./config:/dynamic-config:ro
|
||||
- ./le-certs.json:/le-certs.json
|
||||
- ./config:/config:ro
|
||||
- ./certs.json:/certs.json
|
||||
|
||||
networks:
|
||||
traefik-proxy:
|
||||
traefik:
|
||||
external: true
|
||||
name: ${TRAEFIK_NETWORK}
|
||||
|
||||
1
env.dnsprovider.example
Normal file
1
env.dnsprovider.example
Normal file
@@ -0,0 +1 @@
|
||||
HETZNER_API_KEY=
|
||||
16
env.example
16
env.example
@@ -1,14 +1,20 @@
|
||||
# General environment
|
||||
TRAEFIK_VERSION=2.4
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
|
||||
TRAEFIK_MATCHRULE=traefik.mydomain.com
|
||||
TRAEFIK_ROUTER_NAME=traefik_mydomain_com
|
||||
TRAEFIK_LOGLEVEL=INFO
|
||||
TRAEFIK_PILOT_TOKEN=
|
||||
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
|
||||
TRAEFIK_ENABLED=true
|
||||
TRAEFIK_NETWORK=traefik
|
||||
TRAEFIK_MATCHRULE=traefik.mydomain.com
|
||||
TRAEFIK_ROUTER=traefik_mydomain_com
|
||||
TRAEFIK_PILOT_TOKEN=
|
||||
TRAEFIK_TLSENABLED=true
|
||||
|
||||
# Certificate provider
|
||||
HETZNER_API_KEY=
|
||||
TRAEFIK_DNSPROVIDER=hetzner
|
||||
TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
|
||||
LETSENCRYPT_EMAIL=admin@mydomain.com
|
||||
|
||||
# Debugging
|
||||
TRAEFIK_ACCESSLOG=false
|
||||
TRAEFIK_LOGLEVEL=INFO
|
||||
|
||||
Reference in New Issue
Block a user