From c9695eb5c14c4a020023d534c1a548ac411136a4 Mon Sep 17 00:00:00 2001
From: chris
Date: Thu, 19 Dec 2019 14:43:36 +0100
Subject: [PATCH] traefik for docker-compose
---
 default_https.toml | 21 ++++++++++++++
 docker-compose.yml | 27 ++++++++++++++++++
 example-services.yaml | 66 +++++++++++++++++++++++++++++++++++++++++++
 traefik.json | 3 ++
 traefik.toml | 34 ++++++++++++++++++++++
 5 files changed, 151 insertions(+)
 create mode 100644 default_https.toml
 create mode 100644 docker-compose.yml
 create mode 100644 example-services.yaml
 create mode 100644 traefik.json
 create mode 100644 traefik.toml
diff --git a/default_https.toml b/default_https.toml
new file mode 100644
index 0000000..3edcf75
--- /dev/null
+++ b/default_https.toml
@@ -0,0 +1,21 @@
+[http.routers]
+ [http.routers.default_https]
+ rule = "HostRegexp(`{host:.+}`)"
+ middlewares = ["https-redirect"]
+ entrypoints = ["web"]
+ service = "dummy"
+
+[http.middlewares]
+ [http.middlewares.https-redirect.redirectScheme]
+ scheme = "https"
+ permanent = true
+ [http.middlewares.hsts.headers]
+ sslRedirect = true
+ STSSeconds = 31536000
+ STSIncludeSubdomains = true
+ STSPreload = true
+
+[http.services]
+ [http.services.dummy.loadBalancer]
+ [[http.services.dummy.loadBalancer.servers]]
+ url = "https://zknt.org"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..46fd104
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,27 @@
+version: '3'
+
+networks:
+ dmz:
+ external: true
+
+services:
+ reverse-proxy:
+ image: reg.zknt.org/zknt/traefik
+ command: --configFile=/etc/traefik/traefik.toml
+ restart: always
+ ports:
+ - "80:80"
+ - "443:443"
+ - "172.27.123.x:8888:8080"
+ volumes:
+ - ./traefik.toml:/etc/traefik/traefik.toml
+ - ./default_https.toml:/etc/traefik/dyn/default_https.toml
+ - acme:/etc/traefik/acme
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ - dmz
+
+volumes:
+ acme:
+ labels:
+ org.zknt.backup: true
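Review bot: The `hsts` middleware declared at `[http.middlewares.hsts.headers]` is never attached to any router — `default_https` lists only `https-redirect`, and none of the routers labelled in example-services.yaml reference it — so the Strict-Transport-Security header this file appears to configure is never emitted. Attach it to the TLS routers that should carry it, e.g. `traefik.http.routers.https_web-hello.middlewares=hsts@file` (a middleware from the file provider needs the `@file` suffix when referenced from Docker labels). Its `sslRedirect = true` also duplicates what `https-redirect` already does on the `web` entrypoint and can be dropped. Be aware that `STSPreload = true` together with `STSIncludeSubdomains = true` asks browsers to treat every subdomain as HTTPS-only once the domain is submitted to the preload list, which is very hard to reverse; keep preload `false` until every subdomain is confirmed to be served over TLS.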
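Review bot: Mounting `/var/run/docker.sock` read-write into `reverse-proxy` gives Traefik — and anyone who compromises it through the published :80/:443 — full control of the Docker daemon, which is equivalent to root on the host. Prefer placing a filtering socket proxy in front of the daemon and pointing `providers.docker.endpoint` at it so Traefik can only list containers and events; at minimum mount it `- /var/run/docker.sock:/var/run/docker.sock:ro`, noting that `:ro` only protects the socket file itself, not the API reachable through it. Separately, `"172.27.123.x:8888:8080"` contains a literal `x` placeholder, so Compose will presumably reject the port mapping as written; since traefik.toml serves the dashboard and API on that container port with `api.insecure = true`, whatever address replaces the placeholder must be a management-only interface, not a public one.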
diff --git a/example-services.yaml b/example-services.yaml
new file mode 100644
index 0000000..4930b0c
--- /dev/null
+++ b/example-services.yaml
@@ -0,0 +1,66 @@
+version: '2.1'
+
+networks:
+ dmz:
+ external: true
+
+services:
+ web:
+ # accessible under the default hostname calculated from the compose stack
+ image: zknt/nginx-alpine
+ volumes:
+ - ./index.html:/var/www/html/index.html
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=dmz" # not needed here, but useful if there are multiple nets
+ - "traefik.http.routers.https_web-hello.tls=true"
+ - "traefik.http.routers.https_web-hello.tls.certresolver=lestage"
+ networks:
+ - dmz
+
+ web2:
+ # accessible under https://hostname/hello2 - with stripped path for the container
+ image: zknt/nginx-alpine
+ volumes:
+ - ./index.html:/var/www/html/index.html
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=dmz" # not needed here, but useful if there are multiple nets
+ - "traefik.http.middlewares.stripprefix.stripprefix.prefixes=/hello2"
+ - "traefik.http.routers.web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+ - "traefik.http.routers.https_web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+ - "traefik.http.routers.https_web-hello2.middlewares=stripprefix"
+ - "traefik.http.routers.https_web-hello2.tls=true"
+ - "traefik.http.routers.https_web-hello2.tls.certresolver=lestage"
+ networks:
+ - dmz
+
+ web-auth:
+ # uses basic auth for access control ($ in password need to be escaped, see
+ # https://docs.traefik.io/middlewares/basicauth/ for details)
+ image: zknt/nginx-alpine
+ volumes:
+ - ./index.html:/var/www/html/index.html
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=dmz"
+ - "traefik.http.middlewares.auth.basicauth.users=admin:1234" # double $ in hashes!
s/\$/$$/g
+ - "traefik.http.middlewares.auth.basicauth.realm=restriced"
+ - "traefik.http.routers.https_web-hello-auth.tls=true"
+ - "traefik.http.routers.https_web-hello-auth.tls.certresolver=lestage"
+ - "traefik.http.routers.https_web-hello-auth.middlewares=auth"
+ networks:
+ - dmz
+
+ replace:
+ # replaces /some-old-path with /new-stuff
+ image: zknt/nginx-alpine
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.middlewares.replace-some-old.replacepathregex.regex=^/some-old-path/(.*)"
+ - "traefik.http.middlewares.replace-some-old.replacepathregex.replacement=/new-stuff/$$1"
+ - "traefik.http.routers.https_replace.tls=true"
+ - "traefik.http.routers.https_replace.tls.certresolver=lestage"
+ - "traefik.http.routers.https_replace.middlewares=replace-some-old"
+ networks:
+ - dmz
diff --git a/traefik.json b/traefik.json
new file mode 100644
index 0000000..a635b04
--- /dev/null
+++ b/traefik.json
@@ -0,0 +1,3 @@
+{"service": {"name": "traefik",
+ "port": 8888,
+ "tags": ["prometheus", "60s"]}}
diff --git a/traefik.toml b/traefik.toml
new file mode 100644
index 0000000..51ee2ce
--- /dev/null
+++ b/traefik.toml
@@ -0,0 +1,34 @@
+[global]
+ checkNewVersion = false
+ sendAnonymousUsage = false
+
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+ [entryPoints.websecure]
+ address = ":443"
+
+[certificatesResolvers.leprod.acme]
+ email = "hostmaster@zknt.org"
+ storage = "/etc/traefik/acme/acme.json"
+ [certificatesResolvers.leprod.acme.tlsChallenge]
+
+[tls.options]
+ [tls.options.default]
+ sniStrict = true
+
+[log]
+ [accessLog]
+
+[api]
+ insecure = true
+
+[metrics]
+ [metrics.prometheus]
+
+[providers.docker]
+ exposedByDefault = false
+ defaultRule = "Host(`{{ trimPrefix `/` .Name }}.XXX.cloud.zknt.org`)"
+
+[providers.file]
+ directory = "/etc/traefik/dyn/"
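Review bot: The `web2` service declares a non-TLS router `web-hello2` (rule Host(traefik.zknt.org) && Path(/hello2)) with no `entrypoints` restriction, so it is served as plain HTTP on the `web` (:80) entrypoint; because Traefik v2 ranks routers by rule length, this longer rule outranks the catch-all `HostRegexp({host:.+})` redirect in default_https.toml and `/hello2` bypasses the HTTPS redirect entirely. Either remove the `web-hello2` router — the file-provider redirect already covers port 80 — or pin it with `traefik.http.routers.web-hello2.middlewares=https-redirect@file`. In `web-auth`, `basicauth.users=admin:1234` is not an htpasswd-style `user:hash` entry (MD5, SHA1 or bcrypt) as Traefik's BasicAuth expects, so no password will ever match; generate it with `htpasswd -nB admin` and, as the comment already says, double every `$` in the hash. `realm=restriced` is also a typo for `restricted`.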
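Review bot: `[api] insecure = true` serves the dashboard and the `/api` endpoints with no authentication on the implicit `traefik` entrypoint (:8080), which docker-compose.yml publishes to the host as 8888; the API exposes the full runtime configuration, including middleware definitions. Set `insecure = false` and publish the dashboard through a router on `websecure` with `service = "api@internal"` and a basicAuth or ipWhiteList middleware, or confirm that the host address it binds to is reachable only from a management network. Separately, the only resolver defined here is `certificatesResolvers.leprod`, while every router in example-services.yaml uses `tls.certresolver=lestage`; a router pointing at an undefined resolver cannot obtain a certificate and ends up on Traefik's default self-signed one. Either define `lestage` against the Let's Encrypt staging `caServer` or change the labels to `leprod`.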