traefik/docker-compose.yml

80 lines
3.9 KiB
YAML

---
services:
traefik:
image: traefik:${TRAEFIK_VERSION}
container_name: ${TRAEFIK_CONTAINER_NAME}
restart: unless-stopped
command:
# when debugging is needed
- --accesslog=${TRAEFIK_ACCESSLOG}
# enable Træfik dashboard
- --api.dashboard=true
# configure Let's Encrypt automatic certificates
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
- --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
# we listen on both HTTP and HTTPS
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
# logging level
- --log.level=${TRAEFIK_LOGLEVEL}
# Træfik Pilot token (of course retrieved from dotenv)
- --pilot.token=${TRAEFIK_PILOT_TOKEN}
# we only use Docker (for now)
- --providers.docker=true
# and we want to manually specify exposed containers
- --providers.docker.exposedbydefault=false
- --providers.docker.watch=true
# should not need, but just in case, a folder for dynamic config files is also configured
- --providers.file.directory=/config
- --providers.file.watch=true
env_file:
- ${TRAEFIK_DNSPROVIDER_ENVFILE}
labels:
# expose Træfik using Træfik (dashboard)
- traefik.enable=${TRAEFIK_ENABLED}
# configure a global whitelist for accessing the Træfik dashboard
- traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
# configure a global middleware for redirecting HTTP to HTTPS
- traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
- traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
# configure a global middleware to harden security through HSTS
- traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
- traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
- traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
### Section HTTP
- traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
# only some people can access the dashboard, hence protect it with it's whitelist
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
# redirect Træfik dashboard to HTTPS only
- traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
- traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
- traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
### Section HTTPS
- traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
# only some people can access the dashboard, hence protect it with it's whitelist (and add HSTS for security)
- traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=hsts,dashboard-whitelist
# configure Træfik dashboard to be the exposed service
- traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
- traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
# of course, enable TLS and it's certificate provider
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
- traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
networks:
- traefik
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config:/config:ro
- ./certs.json:/certs.json
networks:
traefik:
external: true
name: ${TRAEFIK_NETWORK}