traefik local

traefik/docker-compose.traefik-local.yml

@@ -0,0 +1,65 @@
+version: '3'
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:v2.2.1
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false      
+      - --api=true
+      - --entrypoints.web.address=:80      
+      - --entrypoints.websecure.address=:443
+      # - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
+      # - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
+      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge=true
+      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+      # - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=gandiv5
+      # - --certificatesResolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=0
+      # staging server
+      #- --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+    # environment:
+    #   - GANDIV5_API_KEY=${GANDIV5_API_KEY}
+    #labels: 
+      # - traefik.enable=true
+      # - traefik.http.routers.api.rule=Host(`${HOST_TRAEFIK}.${DOMAIN}`)
+      # - traefik.http.routers.api.entrypoints=web
+      # - traefik.http.routers.api.entrypoints=websecure
+      # - traefik.http.routers.api.service=api@internal   
+      # - traefik.http.routers.api.middlewares=auth
+      # - traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
+      # request widlcard certificate
+      # - traefik.http.routers.api.tls.certresolver=letsencrypt
+      # - traefik.http.routers.api.tls.domains[0].main=${DOMAIN}
+      # - traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}
+      # global redirect to https
+      # - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
+      # - traefik.http.routers.http-catchall.entrypoints=web
+      # - traefik.http.routers.http-catchall.middlewares=redirect-to-https
+      # middleware redirect
+      # - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
+      # - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true     
+    ports:
+      - 80:80
+      - 443:443
+    expose:
+      - 8080
+    networks:
+      - srv
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${ROOT_INSTALL}/hosting/traefik/traefik.yml:/etc/traefik/traefik.yml
+      - ${ROOT_INSTALL}/hosting/traefik/tls.yml:/etc/traefik/tls.yml
+      - certs:/etc/ssl/traefik
+
+  reverse-proxy-https-helper:
+    image: alpine
+    command: sh -c "cd /etc/ssl/traefik
+      && wget traefik.me/cert.pem -O cert.pem
+      && wget traefik.me/privkey.pem -O privkey.pem"
+    volumes:
+      - certs:/etc/ssl/traefik
+
+volumes:
+  certs:

traefik/docker-compose.traefik.yml

@@ -8,8 +8,8 @@ services:
       - --providers.docker=true
       - --providers.docker.exposedbydefault=false      
       - --api=true
-      - --entrypoints.web.address=:80      
-      - --entrypoints.websecure.address=:443
+      - --entrypoints.http.address=:80      
+      - --entrypoints.https.address=:443
       - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
       - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
       - --certificatesResolvers.letsencrypt.acme.dnsChallenge=true
@@ -23,8 +23,8 @@ services:
     labels: 
       - traefik.enable=true
       - traefik.http.routers.api.rule=Host(`${HOST_TRAEFIK}.${DOMAIN}`)
-      - traefik.http.routers.api.entrypoints=web
-      - traefik.http.routers.api.entrypoints=websecure
+      - traefik.http.routers.api.entrypoints=http
+      - traefik.http.routers.api.entrypoints=https
       - traefik.http.routers.api.service=api@internal   
       - traefik.http.routers.api.middlewares=auth
       - traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
@@ -34,7 +34,7 @@ services:
       - traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}
       # global redirect to https
       - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
-      - traefik.http.routers.http-catchall.entrypoints=web
+      - traefik.http.routers.http-catchall.entrypoints=http
       - traefik.http.routers.http-catchall.middlewares=redirect-to-https
       # middleware redirect
       - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

traefik/tls.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/ssl/traefik/cert.pem
+        keyFile: /etc/ssl/traefik/privkey.pem
+  certificates:
+    - certFile: /etc/ssl/traefik/cert.pem
+      keyFile: /etc/ssl/traefik/privkey.pem

traefik/traefik.yml

@@ -0,0 +1,20 @@
+logLevel: INFO
+
+api:
+  insecure: true
+  dashboard: true
+
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+
+providers:
+  file:
+    filename: /etc/traefik/tls.yml
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    watch: true
+    exposedByDefault: true
+    defaultRule: "HostRegexp(`{{ index .Labels \"com.docker.compose.service\"}}.traefik.me`,`{{ index .Labels \"com.docker.compose.service\"}}-{dashed-ip:.*}.traefik.me`)"