-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathstack-proxy.yml
140 lines (133 loc) · 3.94 KB
/
stack-proxy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# using http-challenge is simpler but does NOT allow wildcare certs
version: '3.7'
x-default-opts:
&default-opts
logging:
options:
max-size: "10m"
networks:
ntw_front:
external: true
ntw_proxy:
external: true
services:
# this custom haproxy allows us to move traefik to worker nodes (if needed)
# while this container listens on managers and only allows
# traefik to connect, read-only, to limited docker api calls
# https://github.com/Tecnativa/docker-socket-proxy
# image: devmtl/proxysocket:1.9.10 (with wget for heathcheck)
# image: tecnativa/docker-socket-proxy
proxysocket:
<<: *default-opts
image: devmtl/proxysocket:1.9.13
networks:
- ntw_proxy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
# specific to 'docker stack deploy'
NETWORKS: 1
SERVICES: 1
TASKS: 1
SWARM: 1
#NODE: 1
deploy:
mode: global
placement:
constraints: [node.role == manager]
restart_policy:
condition: on-failure
resources:
limits:
cpus: '0.20'
memory: 8M
reservations:
cpus: '0.10'
memory: 4M
# Traefik reverse proxy has a bunch of features:
# - reverse proxy all 80/443 ingress traffic on a swarm
# - dynamic config via each app's swarm service labels
# - HA multi-container design for traefik
# - runs traefik on host NIC directly, to improve performance
# and capture client IP's
#
#- --debug=true
#
# OPTION A) Select STAGING or PROD letsencrypt server
# https://acme-v02.api.letsencrypt.org/directory
# https://acme-staging-v02.api.letsencrypt.org/directory
#
# OPTION B)
#- --entryPoints=Name:http Address::80 # don't force HTTPS
#- --entryPoints=Name:http Address::80 Redirect.EntryPoint:https # force HTTPS
#
# If not using proxysocket
#- --docker.endpoint=unix:///var/run/docker.sock
traefik:
<<: *default-opts
image: traefik:1.7.34-alpine
ports:
- target: 80
protocol: tcp
published: 80
mode: ingress
- target: 443
protocol: tcp
published: 443
mode: ingress
- target: 8080
protocol: tcp
published: 8080
mode: ingress
networks:
- ntw_front
- ntw_proxy
environment:
DO_AUTH_TOKEN: ${do_auth_token}
volumes:
- ${PATH_ACME_JSON_FILE}/acme.json:/etc/traefik/acme/acme.json
command:
- --docker
- --docker.domain=traefik
- --docker.swarmMode
- --docker.watch
- --docker.exposedbydefault=false
- --docker.endpoint=tcp://proxysocket:2375
- --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
- --entryPoints=Name:https Address::443 TLS
- --defaultentrypoints=http,https
- --acme
- --acme.email=${ACME_EMAIL}
- --acme.httpchallenge
- --acme.httpchallenge.entrypoint=http
- --acme.entryPoint=https
- --acme.onhostrule=true
- --acme.storage=/etc/traefik/acme/acme.json
- --acme.caserver=https://acme-v02.api.letsencrypt.org/directory
- --acme.acmelogging=true
- --logLevel=ERROR
- --api=true
deploy:
mode: replicated
replicas: 1
update_config:
delay: 2s
placement:
constraints: [node.labels.nodeid==1]
restart_policy:
condition: on-failure
max_attempts: 20
resources:
limits:
cpus: '0.33'
memory: 96M
reservations:
cpus: '0.05'
memory: 48M
labels:
- traefik.frontend.rule=Host:${DASHBOARD_DOMAIN}
- traefik.frontend.auth.basic.users=pascal:$$2y$$05$$jyYdEv/SOqfhRXLmgGhnbuiKTdxHnXE21m4Rctn4iZPqTFAY3BG8W
- traefik.docker.network=ntw_front
- traefik.enable=true
- traefik.port=8080
# https://github.com/pascalandy/docker-stack-this, inspired by https://github.com/BretFisher/dogvscat