-
Notifications
You must be signed in to change notification settings - Fork 0
/
traefik-v2.yml
130 lines (124 loc) · 4.21 KB
/
traefik-v2.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# Work In Progress transition to v2
# taken from https://sysadmins.co.za/traefik-and-portainer-on-docker-swarm-with-letsencrypt/
# create a portainer app template and add this variables (or declare on command line with the -e option):
# EMAIL [email address to be notified by let's encrypt]
# DOMAIN [domain name used as a base to generate fqdn certificates]
# STACK_BASE_PATH [base folder where to host files, must exists]
# put autogenerated certificate in /certs/default.[key|crt] to use this instead of traefik default (which expose its identity)
version: '3.7'
services:
traefik:
image: traefik:v2.4
hostname: traefik
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 8080
published: 8080
mode: host
command: >
--api.insecure=true
--api.dashboard=true
--providers.docker=true
--providers.docker.network=traefik-public
--providers.docker.exposedbydefault=false
--providers.docker.swarmMode=true
--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
--certificatesResolvers.default.acme.storage=/certs/acme-v2.json
--certificatesResolvers.default.acme.httpChallenge.entryPoint=web
--certificatesResolvers.default.acme.email=${EMAIL:-root@localhost}
--certificatesResolvers.default.acme.tlsChallenge=true
--certificatesResolvers.default.acme.httpChallenge=true
--accessLog
# logging by logspout
#--accessLog.filePath="/logs/access.log"
#--accessLog.bufferingSize=100
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- traefik_certs:/certs
- traefik_auth:/auth
- traefik_logs:/logs
networks:
- traefik-public
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
labels:
- "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
- "traefik.http.routers.http_catchall.entrypoints=web"
- "traefik.http.routers.http_catchall.middlewares=https_redirect"
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
- "traefik.http.middlewares.auth.basicauth.usersfile=/auth/htpasswd"
- "traefik.docker.network=traefik-public"
- "traefik.port=8080"
- "traefik.tags=traefik-public"
- "traefik.backend=traefik"
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN:-localhost}`)"
- "traefik.http.routers.api.service=api@internal" # Let the dashboard access the traefik api
# - "traefik.http.middlewares.neo-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.0.0/24"
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
nginx-catchall:
image: nginx:1.17
hostname: catch-all
volumes:
- ${STACK_BASE_PATH}/nginx/conf:/etc/nginx/conf.d:ro
- ${STACK_BASE_PATH}/nginx/html:/data/html:ro
- traefik_logs:/data/logs
networks:
- traefik-public
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
restart_policy:
condition: on-failure
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik-public"
- "traefik.http.routers.catchall.rule=HostRegexp(`{catchall:[.]+}`)"
- "traefik.http.routers.catchall.entrypoints=web"
- "traefik.http.services.nginx-catchall.loadbalancer.server.port=80"
networks:
traefik-public:
driver: overlay
name: traefik-public
volumes:
traefik_certs:
driver: local
driver_opts:
type: none
o: bind
device: ${STACK_BASE_PATH}/certs
traefik_auth:
driver: local
driver_opts:
type: none
o: bind
device: ${STACK_BASE_PATH}/auth
traefik_logs:
driver: local
driver_opts:
type: none
o: bind
device: ${STACK_BASE_PATH}/logs
# end