Compare commits

..

2 Commits

Author SHA1 Message Date
Bryan Joshua Pedini
44354e0ed1 variabilized access log, router name, match rule 2022-01-01 22:27:36 +01:00
Bryan Joshua Pedini
6c374a2460 generalize domain name in env.example 2022-01-01 21:26:40 +01:00
6 changed files with 47 additions and 76 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
/.env* .env
/certs.json

View File

@ -1,3 +1,3 @@
# Træfik Deployment # traefik.bjphoster.com
Træfik deployment for reverse proxying all the infrastructure Træfik deployment for reverse proxying all the infrastructure

View File

@ -1,11 +0,0 @@
---
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
compatible:
minVersion: VersionTLS11
supercompatible:
minVersion: VersionTLS10

View File

@ -1,74 +1,74 @@
--- version: "3"
services: services:
traefik: traefik:
image: traefik:${TRAEFIK_VERSION}
restart: unless-stopped
command: command:
# when debugging is needed # when debugging is needed
- --accesslog=${TRAEFIK_ACCESSLOG} - --accesslog=${TRAEFIK_ACCESSLOG}
# enable Træfik dashboard # enable Træfik dashboard
- --api.dashboard=true - --api.dashboard=true
# configure Let's Encrypt automatic certificates # configure Let's Encrypt automatic certificates
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER} - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hetzner
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS} - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL} - --certificatesresolvers.letsencrypt.acme.keytype=RSA4096
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096 - --certificatesresolvers.letsencrypt.acme.storage=/le-certs.json
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
# we listen on both HTTP and HTTPS # we listen on both HTTP and HTTPS
- --entrypoints.http.address=:80 - --entrypoints.http.address=:80
- --entrypoints.https.address=:443 - --entrypoints.https.address=:443
# logging level # logging level
- --log.level=${TRAEFIK_LOGLEVEL} - --log.level=${TRAEFIK_LOGLEVEL}
# Træfik Pilot token (of course retrieved from dotenv)
- --pilot.token=${TRAEFIK_PILOT_TOKEN}
# we only use Docker (for now) # we only use Docker (for now)
- --providers.docker=true - --providers.docker=true
# and we want to manually specify exposed containers # and we want to manually specify exposed containers
- --providers.docker.exposedbydefault=false - --providers.docker.exposedbydefault=false
- --providers.docker.watch=true - --providers.docker.watch=true
# should not need, but just in case, a folder for dynamic config files is also configured # should not need, but just in case, a dynamic config file is also configured
- --providers.file.directory=/config - --providers.file.directory=/dynamic-config
- --providers.file.watch=true - --providers.file.watch=true
env_file: container_name: ${TRAEFIK_CONTAINER_NAME}
- ${TRAEFIK_DNSPROVIDER_ENVFILE} environment:
- HETZNER_API_KEY=${HETZNER_API_KEY}
image: traefik:${TRAEFIK_VERSION}
labels: labels:
# expose Træfik using Træfik (dashboard) # expose Træfik using Træfik (dashboard)
- traefik.enable=${TRAEFIK_ENABLED} - traefik.enable=true
- traefik.docker.network=${TRAEFIK_NETWORK} # configure a global whitelist for my home
# configure a global whitelist for accessing the Træfik dashboard - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
- traefik.http.middlewares.dashboard-whitelist.ipallowlist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST} # configure the global redirect middleware
# configure a global middleware for redirecting HTTP to HTTPS
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
# configure a global middleware to harden security through HSTS
- traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
- traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
- traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
### Section HTTP ### Section HTTP
- traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.entrypoints=http
# only some people can access the dashboard, hence protect it with it's whitelist
- traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
# redirect Træfik dashboard to HTTPS only # redirect Træfik dashboard to HTTPS only
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTP_MIDDLEWARES} - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.middlewares=http-to-https
- traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE} - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
- traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal - traefik.http.routers.http-${TRAEFIK_ROUTER_NAME}.service=api@internal
### Section HTTPS ### Section HTTPS
- traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.entrypoints=https
# only some people can access the dashboard, hence protect it with it's whitelist
- traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.middlewares=dashboard-whitelist
# configure Træfik dashboard to be the exposed service # configure Træfik dashboard to be the exposed service
- traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES} - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.rule=Host(`${TRAEFIK_MATCHRULE}`)
- traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE} - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.service=api@internal
- traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
# of course, enable TLS and it's certificate provider # of course, enable TLS and it's certificate provider
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED} - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls=true
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER} - traefik.http.routers.https-${TRAEFIK_ROUTER_NAME}.tls.certresolver=letsencrypt
networks: networks:
- traefik - traefik-proxy
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
restart: unless-stopped
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- ${TRAEFIK_DYNAMIC}:/config:ro - ./config:/dynamic-config:ro
- ${TRAEFIK_CERTFILE}:/certs.json - ./le-certs.json:/le-certs.json
networks: networks:
traefik: traefik-proxy:
external: true external: true
name: ${TRAEFIK_NETWORK}

View File

@ -1 +0,0 @@
HETZNER_API_KEY=

View File

@ -1,30 +1,14 @@
# General environment TRAEFIK_VERSION=2.4
TRAEFIK_VERSION=latest TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
TRAEFIK_CERTRESOLVER=letsencrypt TRAEFIK_MATCHRULE=traefik.mydomain.com
TRAEFIK_ROUTER_NAME=traefik_mydomain_com
TRAEFIK_LOGLEVEL=INFO
TRAEFIK_PILOT_TOKEN=
TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24 TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
TRAEFIK_ENABLED=true
TRAEFIK_NETWORK=traefik
TRAEFIK_MATCHRULE=Host(`traefik.example.com`)
TRAEFIK_ROUTER=traefik_example_com
TRAEFIK_HTTP_MIDDLEWARES=dashboard-whitelist,http-to-https
TRAEFIK_HTTPS_MIDDLEWARES=dashboard-whitelist,hsts
# Security
TRAEFIK_TLSENABLED=true
TRAEFIK_STS_SECONDS=15552000
TRAEFIK_STS_SUBDOMAINS=true
TRAEFIK_STS_PRELOAD=true
# Certificate provider # Certificate provider
TRAEFIK_DNSPROVIDER=hetzner HETZNER_API_KEY=
TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider LETSENCRYPT_EMAIL=admin@mydomain.com
TRAEFIK_DNSRESOLVERS=1.1.1.1:53,1.0.0.1:53
LETSENCRYPT_EMAIL=admin@example.com
# Debugging # Debugging
TRAEFIK_ACCESSLOG=false TRAEFIK_ACCESSLOG=false
TRAEFIK_LOGLEVEL=INFO
# Volumes
TRAEFIK_DYNAMIC=./config
TRAEFIK_CERTFILE=./certs.json