traefik for docker-compose

default_https.toml

@@ -0,0 +1,21 @@
+[http.routers]
+  [http.routers.default_https]
+    rule = "HostRegexp(`{host:.+}`)"
+    middlewares = ["https-redirect"]
+    entrypoints = ["web"]
+    service = "dummy"
+
+[http.middlewares]
+  [http.middlewares.https-redirect.redirectScheme]
+    scheme = "https"
+    permanent = true
+  [http.middlewares.hsts.headers]
+    sslRedirect = true
+    STSSeconds = 31536000
+    STSIncludeSubdomains = true
+    STSPreload = true
+
+[http.services]
+  [http.services.dummy.loadBalancer]
+    [[http.services.dummy.loadBalancer.servers]]
+      url = "https://zknt.org"

docker-compose.yml

@@ -0,0 +1,27 @@
+version: '3'
+
+networks:
+  dmz:
+    external: true
+
+services:
+  reverse-proxy:
+    image: reg.zknt.org/zknt/traefik
+    command: --configFile=/etc/traefik/traefik.toml
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "172.27.123.x:8888:8080"
+    volumes:
+      - ./traefik.toml:/etc/traefik/traefik.toml
+      - ./default_https.toml:/etc/traefik/dyn/default_https.toml
+      - acme:/etc/traefik/acme
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - dmz
+
+volumes:
+  acme:
+    labels:
+      org.zknt.backup: true

example-services.yaml

@@ -0,0 +1,66 @@
+version: '2.1'
+
+networks:
+  dmz:
+    external: true
+
+services:
+  web:
+    # accessible under the default hostname calculated from the compose stack
+    image: zknt/nginx-alpine
+    volumes:
+      - ./index.html:/var/www/html/index.html
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=dmz"  # not needed here, but useful if there are multiple nets
+      - "traefik.http.routers.https_web-hello.tls=true"
+      - "traefik.http.routers.https_web-hello.tls.certresolver=lestage"
+    networks:
+      - dmz
+
+  web2:
+    # accessible under https://hostname/hello2 - with stripped path for the container
+    image: zknt/nginx-alpine
+    volumes:
+      - ./index.html:/var/www/html/index.html
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=dmz"  # not needed here, but useful if there are multiple nets
+      - "traefik.http.middlewares.stripprefix.stripprefix.prefixes=/hello2"
+      - "traefik.http.routers.web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+      - "traefik.http.routers.https_web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+      - "traefik.http.routers.https_web-hello2.middlewares=stripprefix"
+      - "traefik.http.routers.https_web-hello2.tls=true"
+      - "traefik.http.routers.https_web-hello2.tls.certresolver=lestage"
+    networks:
+      - dmz
+
+  web-auth:
+    # uses basic auth for access control ($ in password need to be escaped, see
+    # https://docs.traefik.io/middlewares/basicauth/ for details)
+    image: zknt/nginx-alpine
+    volumes:
+      - ./index.html:/var/www/html/index.html
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=dmz"
+      - "traefik.http.middlewares.auth.basicauth.users=admin:1234"  # double $ in hashes! s/\$/$$/g
+      - "traefik.http.middlewares.auth.basicauth.realm=restriced"
+      - "traefik.http.routers.https_web-hello-auth.tls=true"
+      - "traefik.http.routers.https_web-hello-auth.tls.certresolver=lestage"
+      - "traefik.http.routers.https_web-hello-auth.middlewares=auth"
+    networks:
+      - dmz
+
+  replace:
+    # replaces /some-old-path with /new-stuff
+    image: zknt/nginx-alpine
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.replace-some-old.replacepathregex.regex=^/some-old-path/(.*)"
+      - "traefik.http.middlewares.replace-some-old.replacepathregex.replacement=/new-stuff/$$1"
+      - "traefik.http.routers.https_replace.tls=true"
+      - "traefik.http.routers.https_replace.tls.certresolver=lestage"
+      - "traefik.http.routers.https_replace.middlewares=replace-some-old"
+    networks:
+      - dmz

traefik.json

@@ -0,0 +1,3 @@
+{"service": {"name": "traefik",
+             "port": 8888,
+             "tags": ["prometheus", "60s"]}}

traefik.toml

@@ -0,0 +1,34 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+  [entryPoints.websecure]
+    address = ":443"
+
+[certificatesResolvers.leprod.acme]
+  email = "hostmaster@zknt.org"
+  storage = "/etc/traefik/acme/acme.json"
+  [certificatesResolvers.leprod.acme.tlsChallenge]
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+
+[log]
+  [accessLog]
+    
+[api]
+  insecure = true
+
+[metrics]
+  [metrics.prometheus]
+
+[providers.docker]
+  exposedByDefault = false
+  defaultRule = "Host(`{{ trimPrefix `/` .Name }}.XXX.cloud.zknt.org`)"
+
+[providers.file]
+  directory = "/etc/traefik/dyn/"