-
Notifications
You must be signed in to change notification settings - Fork 0
/
traefik_docker_compose.yml
79 lines (75 loc) · 6.7 KB
/
traefik_docker_compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# This file is based on https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/
# `# *` specifies significant changed configurations. Everything else comes from the above base file.
version: "3.3"
# * added an external network
# `docker create network traefik_net` via unraid's terminal
networks:
traefik_net:
external: true
services:
traefik:
# The official v2 Traefik docker image
image: traefik:v2.10
container_name: "traefik"
command:
- "--log.level=DEBUG" # `DEBUG` for troubleshooting, `WARN` for unstable production, `FATAL` for stable production
#- "--api.insecure=true" # DO NOT enable `insecure` in production. This puts an unsecured dashboard on port 8080.
- "--api.dashboard=true" # Enable the dashboard
- "--api=true" # Enable the API for the dashboard
- "--log.filePath=/logs/traefik.log" # write logs for troubleshooting
- "--accesslog.filepath=/logs/access.log" # write logs for http requests made to the server
- "--providers.docker.network=traefik_net" # ? I do not know if this is redundant to `networks: - traefik_net`
- "--providers.docker=true" # * required when using docker (docs don't say why)
- "--providers.docker.exposedbydefault=false" # If set to false, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration. (https://doc.traefik.io/traefik/providers/docker/#exposedbydefault)
#- "--entrypoints.web.address=:80" # *** Do not expose the HTTP entrypoint
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.email=<MY_EMAIL_FOR_CLOUDFLARE>"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # testing
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # production
- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
labels:
# HTTPS only
- "traefik.http.middlewares.httpsonly.redirectscheme.scheme=https"
- "traefik.http.middlewares.httpsonly.redirectscheme.permanent=true"
- "traefik.http.routers.httpsonly.rule=HostRegexp(`{any:.*}`)" # redirect *everything* to https
- "traefik.http.routers.httpsonly.middlewares=httpsonly"
#
#
# Note: need a DNS entry on the local router that redirects the host address, e.g. `tower.mynetwork`, to the Unraid Server.
# Can fake this by adding an entry to the DNS table on your local machine (`c:\windows\system32\drivers\etc\hosts.file` on Windows); useful if the router doesn't support custom DNS entries.
#
# Dashboard
- "traefik.enable=true" # this is required for the dashboard to be included in the routing configuration, i.e. traefik is allowed to see and talk to itself to route to its own dashboard.
- "traefik.http.routers.dashboard.rule=Host(`tower.mynetwork`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" # put the dashboard at tower.mynetwork/api or tower.mynetwork/dashboard
- "traefik.http.routers.dashboard.service=api@internal" # name of the internal service running the dashboard
- "traefik.http.routers.dashboard.middlewares=auth" # Require a password to log into the dashboard
- "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$t923deiq$$XShniVE0m7heYgWJw.J9A1" # HTPasswd required to log into the dashboard. Generated via https://www.web2generators.com/apache-tools/htpasswd-generator
- "traefik.http.routers.dashboard.tls=true" # Enable SSL requests for the dashboard
- "traefik.http.routers.dashboard.tls.certresolver=myresolver" # Use the resolve setup from the commandline `certificatesresolvers.myresolver`
# API
- "traefik.http.routers.api.tls=true" # Enable SSL requests for the API used for the dashboard
- "traefik.http.routers.api.tls.certresolver=myresolver" # Use the resolve setup from the commandline `certificatesresolvers.myresolver`
ports:
- "80:80" # Map port 80 (HTTP) in the docker HOST -> 80 on the docker CONTAINER
- "443:443" # Map port 443 (HTTPS) in the docker HOST -> 443 on the docker CONTAINER
environment:
- "CF_API_EMAIL=<MY_EMAIL_FOR_CLOUDFLARE>" # * Email for cloudflare's dns challenge.
- "CF_API_KEY=<MY_SECRET_API_KEY>" # * API Key for cloudflare's dns challenge.
volumes:
# For unraid, just about every directory should be sent to /mnt/user/appdata/, so it's visible from file browsing.
# Otherwise, they're stuffed into the docker system image file and hard to access.
- "/mnt/user/appdata/traefik/letsencrypt:/letsencrypt" # * put these in appdata so I can see them in the file browser and delete them if needed.
- "/mnt/cache/appdata/traefik/logs:/logs" # * need this in appdata to read the logs
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
- traefik_net # * set traefik to proxy external web requests into the traefik_net network
# whoami:
# image: "traefik/whoami"
# container_name: "whoami-service"
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.whoami.rule=Host(`photos.codyduncan.net`)"
# - "traefik.http.routers.whoami.entrypoints=websecure"
# - "traefik.http.routers.whoami.tls.certresolver=myresolver"