traefik for docker-compose

chris 2019-12-19 14:43:36 +01:00
commit c9695eb5c1
5 changed files with 151 additions and 0 deletions

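--- a/default_https.toml
+++ b/default_https.toml
@@ -0,0 +1,21 @@
+[http.routers]
+[http.routers.default_https]
+rule = "HostRegexp(`{host:.+}`)"
+middlewares = ["https-redirect"]
+entrypoints = ["web"]
+service = "dummy"
+[http.middlewares]
+[http.middlewares.https-redirect.redirectScheme]
+scheme = "https"
+permanent = true
+[http.middlewares.hsts.headers]
+sslRedirect = true
+STSSeconds = 31536000
+STSIncludeSubdomains = true
+STSPreload = true
+[http.services]
+[http.services.dummy.loadBalancer]
+[[http.services.dummy.loadBalancer.servers]]
+url = "https://zknt.org"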
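Review bot: The `hsts` headers middleware is defined here but nothing visible in this commit attaches it, so no response will carry Strict-Transport-Security; the only router in this file uses `https-redirect` alone, and the example service labels never name `hsts@file`. HSTS only takes effect on HTTPS responses, so it belongs on the TLS routers, e.g. `traefik.http.routers.https_web-hello.middlewares=hsts@file` in the service labels. `STSPreload = true` together with `STSIncludeSubdomains = true` commits every subdomain to HTTPS for a year, which deserves a comment above the block confirming that this is intended. `sslRedirect = true` appears to duplicate what `redirectScheme` already does on the `web` entry point and could be dropped.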

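--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,27 @@
+version: '3'
+networks:
+dmz:
+external: true
+services:
+reverse-proxy:
+image: reg.zknt.org/zknt/traefik
+command: --configFile=/etc/traefik/traefik.toml
+restart: always
+ports:
+- "80:80"
+- "443:443"
+- "172.27.123.x:8888:8080"
+volumes:
+- ./traefik.toml:/etc/traefik/traefik.toml
+- ./default_https.toml:/etc/traefik/dyn/default_https.toml
+- acme:/etc/traefik/acme
+- /var/run/docker.sock:/var/run/docker.sock
+networks:
+- dmz
+volumes:
+acme:
+labels:
+org.zknt.backup: true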
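Review bot: The `/var/run/docker.sock` bind mount gives the internet-facing proxy container full control of the Docker daemon, which is equivalent to root on the host if Traefik or its image is ever compromised. A `:ro` suffix on the mount does not restrict Docker API calls, so the safer arrangement is to point the Docker provider at a socket proxy that permits only read-only container and event queries, on a network separate from `dmz`. The image `reg.zknt.org/zknt/traefik` carries no tag, so it resolves to `latest` and the deployed version is not reproducible; pin it, e.g. `image: reg.zknt.org/zknt/traefik:<tested-version-or-digest>`. `org.zknt.backup: true` is parsed as a boolean, while Compose label values should be strings: `org.zknt.backup: "true"`.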

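--- a/example-services.yaml
+++ b/example-services.yaml
@@ -0,0 +1,66 @@
+version: '2.1'
+networks:
+dmz:
+external: true
+services:
+web:
+# accessible under the default hostname calculated from the compose stack
+image: zknt/nginx-alpine
+volumes:
+- ./index.html:/var/www/html/index.html
+labels:
+- "traefik.enable=true"
+- "traefik.docker.network=dmz" # not needed here, but useful if there are multiple nets
+- "traefik.http.routers.https_web-hello.tls=true"
+- "traefik.http.routers.https_web-hello.tls.certresolver=lestage"
+networks:
+- dmz
+web2:
+# accessible under https://hostname/hello2 - with stripped path for the container
+image: zknt/nginx-alpine
+volumes:
+- ./index.html:/var/www/html/index.html
+labels:
+- "traefik.enable=true"
+- "traefik.docker.network=dmz" # not needed here, but useful if there are multiple nets
+- "traefik.http.middlewares.stripprefix.stripprefix.prefixes=/hello2"
+- "traefik.http.routers.web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+- "traefik.http.routers.https_web-hello2.rule=Host(`traefik.zknt.org`) && Path(`/hello2`)"
+- "traefik.http.routers.https_web-hello2.middlewares=stripprefix"
+- "traefik.http.routers.https_web-hello2.tls=true"
+- "traefik.http.routers.https_web-hello2.tls.certresolver=lestage"
+networks:
+- dmz
+web-auth:
+# uses basic auth for access control ($ in password need to be escaped, see
+# https://docs.traefik.io/middlewares/basicauth/ for details)
+image: zknt/nginx-alpine
+volumes:
+- ./index.html:/var/www/html/index.html
+labels:
+- "traefik.enable=true"
+- "traefik.docker.network=dmz"
+- "traefik.http.middlewares.auth.basicauth.users=admin:1234" # double $ in hashes! s/\$/$$/g
+- "traefik.http.middlewares.auth.basicauth.realm=restriced"
+- "traefik.http.routers.https_web-hello-auth.tls=true"
+- "traefik.http.routers.https_web-hello-auth.tls.certresolver=lestage"
+- "traefik.http.routers.https_web-hello-auth.middlewares=auth"
+networks:
+- dmz
+replace:
+# replaces /some-old-path with /new-stuff
+image: zknt/nginx-alpine
+labels:
+- "traefik.enable=true"
+- "traefik.http.middlewares.replace-some-old.replacepathregex.regex=^/some-old-path/(.*)"
+- "traefik.http.middlewares.replace-some-old.replacepathregex.replacement=/new-stuff/$$1"
+- "traefik.http.routers.https_replace.tls=true"
+- "traefik.http.routers.https_replace.tls.certresolver=lestage"
+- "traefik.http.routers.https_replace.middlewares=replace-some-old"
+networks:
+- dmz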
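Review bot: The `web-auth` example sets `basicauth.users=admin:1234`, a guessable, plaintext-looking credential in a file meant to be copied; Traefik's basic-auth middleware expects htpasswd-style hashes, which is also what the `$$` comment on that line refers to. Show a hash placeholder instead, e.g. `traefik.http.middlewares.auth.basicauth.users=admin:<bcrypt hash from htpasswd -nB, with each $ doubled>`, or use `basicauth.usersfile` so the credential stays out of container labels, which anyone with Docker API access can read. Every router in this file names `certresolver=lestage`, but the `traefik.toml` in this commit defines only `leprod`, so certificate issuance for these routers will presumably fail until the names agree. The realm value `restriced` looks like a typo for `restricted`.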

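--- a/traefik.json
+++ b/traefik.json
@@ -0,0 +1,3 @@
+{"service": {"name": "traefik",
+"port": 8888,
+"tags": ["prometheus", "60s"]}}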

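--- a/traefik.toml
+++ b/traefik.toml
@@ -0,0 +1,34 @@
+[global]
+checkNewVersion = false
+sendAnonymousUsage = false
+[entryPoints]
+[entryPoints.web]
+address = ":80"
+[entryPoints.websecure]
+address = ":443"
+[certificatesResolvers.leprod.acme]
+email = "hostmaster@zknt.org"
+storage = "/etc/traefik/acme/acme.json"
+[certificatesResolvers.leprod.acme.tlsChallenge]
+[tls.options]
+[tls.options.default]
+sniStrict = true
+[log]
+[accessLog]
+[api]
+insecure = true
+[metrics]
+[metrics.prometheus]
+[providers.docker]
+exposedByDefault = false
+defaultRule = "Host(`{{ trimPrefix `/` .Name }}.XXX.cloud.zknt.org`)"
+[providers.file]
+directory = "/etc/traefik/dyn/"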
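Review bot: `insecure = true` under `[api]` serves the dashboard and API without authentication on the internal port 8080, which the compose file in this commit publishes as `172.27.123.x:8888`; the API reveals every router, middleware and backend address to anyone who can reach that binding. Prefer `insecure = false` and expose the dashboard through a router on `api@internal` that carries an auth middleware and an IP allow-list, or at minimum add a comment stating that the 8888 binding must stay on a management-only interface. The Prometheus scrape registered in `traefik.json` targets the same port, so it would likely need its own entry point or router after that change. `[tls.options.default]` sets only `sniStrict`; adding `minVersion = "VersionTLS12"` would make the protocol floor explicit rather than inherited from the library default.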