81 lines
3.9 KiB
YAML
81 lines
3.9 KiB
YAML
version: '3'
|
|
|
|
services:
|
|
reverse-proxy:
|
|
image: traefik:v3.1
|
|
command:
|
|
- --providers.docker
|
|
- --global.checkNewVersion=true
|
|
- --providers.docker.exposedbydefault=false
|
|
- --providers.swarm.endpoint=unix:///var/run/docker.sock
|
|
- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
|
|
- --entrypoints.http.address=:80
|
|
- --entrypoints.https.address=:443
|
|
- --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
|
|
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
|
|
- --certificatesresolvers.le.acme.tlschallenge=true
|
|
- --log
|
|
- --api=true
|
|
- --api.dashboard=true
|
|
- --api.insecure=true
|
|
- --log=true
|
|
- --log.filePath=/logs/traefik.log
|
|
- --log.level=INFO
|
|
- --accessLog=true
|
|
- --accessLog.filePath=/logs/access.log
|
|
- --accessLog.bufferingSize=100
|
|
- --accessLog.filters.statusCodes=204-299,400-499,500-599
|
|
- --providers.file.directory=rules
|
|
- --providers.file.watch=true
|
|
|
|
labels:
|
|
# Enable Traefik for this service, to make it available in the public network
|
|
- traefik.enable=true
|
|
# Use the traefik-public network (declared below)
|
|
- traefik.docker-network=traefik-public
|
|
# Use the custome label "traefik.constraint-label=traefik-public"
|
|
# This public Traefik will only use services with this label
|
|
# That way you can add other internal Traefik instances per stack if needed
|
|
#- traefik.constraint-label=traefik-public
|
|
# admin-auth middleware with HTTP Basic auth
|
|
# Using the environment variables USERNAME and HASHED_PASSOWRD
|
|
- traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
|
|
# https-redirect middleware to redirect HTTP to HTTPS
|
|
# It can be re-used by other stacks in other Docker Compose files
|
|
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
|
|
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
|
|
# traefik-http set up only to use the middleware to redirect to https
|
|
# Uses the environment variable DOMAIN
|
|
- traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
|
|
- traefik.http.routers.traefik-public-http.entrypoints=http
|
|
- traefik.http.routers.traefik-public-http.middlewares=https-redirect
|
|
# traefik-https the actual router using HTTPS
|
|
# Uses the environment variable DOMAIN
|
|
- traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
|
|
- traefik.http.routers.traefik-public-https.entrypoints=https
|
|
- traefik.http.routers.traefik-public-https.tls=true
|
|
# Use the special Traefik service api@internal with the web UI/Dashboard
|
|
- traefik.http.routers.traefik-public-https.service=api@internal
|
|
# Use the "le" (Let's Encrypt) resolver created below
|
|
- traefik.http.routers.traefik-public-https.tls.certresolver=le
|
|
# Enable HTTP Basic auth, using the middleware created above
|
|
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
|
|
# Define the port inside of the Docker service to use
|
|
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
|
|
volumes:
|
|
# Add Docker as a mounted volume, so that Traefik can read the labels of other services
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
# Mount the volume to store the certificates
|
|
- /data/share/traefik/certificates:/certificates
|
|
# Mount the volume to store logs
|
|
- /data/share/traefik/logs:/logs
|
|
# Mount the directory where rules are saved
|
|
- /data/share/traefik/rules:/rules
|
|
ports:
|
|
# The HTTP port
|
|
- "180:80"
|
|
# The HTTPS port
|
|
- "1443:443"
|
|
# The web UI (enabled by --api.insecure=true)
|
|
- "8080:8080"
|