Breaking change - traefik files to avoid host header attacks on unsus…

…pecting users (#1597)
eth-educators · Nov 2, 2023 · e3d27b9 · e3d27b9
1 parent ce477a6
commit e3d27b9
Show file tree

Hide file tree

Showing 21 changed files with 60 additions and 228 deletions.
diff --git a/.github/workflows/test-lighthouse-reth.yml b/.github/workflows/test-lighthouse-reth.yml
@@ -32,12 +32,12 @@ jobs:
         run: ./ethd up
       - name: Pause for 30 seconds
         run: sleep 30
+      - name: Test Reth
+        run: ./.github/check-service.sh execution
       - name: Test Lighthouse CL
         run: ./.github/check-service.sh consensus
       - name: Test Lighthouse VC
         run: ./.github/check-service.sh validator
-      - name: Test Reth
-        run: ./.github/check-service.sh execution
       - name: Set Lighthouse/Reth w/ VC
         run: |
           source ./.github/helper.sh
@@ -48,9 +48,9 @@ jobs:
         run: ./ethd up
       - name: Pause for 30 seconds
         run: sleep 30
+      - name: Test Reth
+        run: ./.github/check-service.sh execution
       - name: Test Lighthouse CL
         run: ./.github/check-service.sh consensus
       - name: Test Lighthouse VC
         run: ./.github/check-service.sh validator
-      - name: Test Reth
-        run: ./.github/check-service.sh execution
diff --git a/README.md b/README.md
@@ -29,4 +29,4 @@ please read the [contribution guidelines](CONTRIBUTING.md) so you can run lint c
 
 ## Version
 
-This is Eth Docker v2.3.5
+This is Eth Docker v2.3.6
diff --git a/besu.yml b/besu.yml
@@ -76,30 +76,6 @@ services:
       - "6060"
       - --nat-method=DOCKER
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${EL_HOST:-el}.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}.rule=Host(`${EL_HOST:-el}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_HOST:-el}lb.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}lb.rule=Host(`${EL_LB:-el-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_HOST:-el}.loadbalancer.server.port=${EL_RPC_PORT:-8545}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}.rule=Host(`${EL_WS_HOST:-elws}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.rule=Host(`${EL_WS_LB:-elws-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_WS_HOST:-elws}.loadbalancer.server.port=${EL_WS_PORT:-8546}
-      - traefik.http.routers.${EE_HOST:-ee}.service=${EE_HOST:-ee}
-      - traefik.http.routers.${EE_HOST:-ee}.entrypoints=websecure
-      - traefik.http.routers.${EE_HOST:-ee}.rule=Host(`${EE_HOST:-ee}.${DOMAIN}`)
-      - traefik.http.routers.${EE_HOST:-ee}.tls.certresolver=letsencrypt
-      - traefik.http.services.${EE_HOST:-ee}.loadbalancer.server.port=${EE_PORT:-8551}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=6060

diff --git a/cl-traefik.yml b/cl-traefik.yml
@@ -0,0 +1,17 @@
+# To be used in conjunction with lodestar.yml, nimbus.yml, teku.yml, lighthouse.yml or prysm.yml, ditto their
+# -cl-only.yml versions
+# For remote validator setups only. Please be very cautious when exposing your consensus API port
+version: "3.9"
+services:
+  execution:
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
+      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
+      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
+      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
+      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
+      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
+      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
+      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
+      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
diff --git a/ee-traefik.yml b/ee-traefik.yml
@@ -0,0 +1,12 @@
+# To be used in conjunction with erigon.yml, nethermind.yml, besu.yml, reth.yml or geth.yml
+# For distributed setups only. Please be very cautious when exposing your engine port
+version: "3.9"
+services:
+  execution:
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.${EE_HOST:-ee}.service=${EE_HOST:-ee}
+      - traefik.http.routers.${EE_HOST:-ee}.entrypoints=websecure
+      - traefik.http.routers.${EE_HOST:-ee}.rule=Host(`${EE_HOST:-ee}.${DOMAIN}`)
+      - traefik.http.routers.${EE_HOST:-ee}.tls.certresolver=letsencrypt
+      - traefik.http.services.${EE_HOST:-ee}.loadbalancer.server.port=${EE_PORT:-8551}
diff --git a/el-traefik.yml b/el-traefik.yml
@@ -0,0 +1,24 @@
+# To be used in conjunction with erigon.yml, nethermind.yml, besu.yml, reth.yml or geth.yml
+version: "3.9"
+services:
+  execution:
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.${EL_HOST:-el}.service=${EL_HOST:-el}
+      - traefik.http.routers.${EL_HOST:-el}.entrypoints=websecure
+      - traefik.http.routers.${EL_HOST:-el}.rule=Host(`${EL_HOST:-el}.${DOMAIN}`)
+      - traefik.http.routers.${EL_HOST:-el}.tls.certresolver=letsencrypt
+      - traefik.http.routers.${EL_HOST:-el}lb.service=${EL_HOST:-el}
+      - traefik.http.routers.${EL_HOST:-el}lb.entrypoints=websecure
+      - traefik.http.routers.${EL_HOST:-el}lb.rule=Host(`${EL_LB:-el-lb}.${DOMAIN}`)
+      - traefik.http.routers.${EL_HOST:-el}lb.tls.certresolver=letsencrypt
+      - traefik.http.services.${EL_HOST:-el}.loadbalancer.server.port=${EL_RPC_PORT:-8545}
+      - traefik.http.routers.${EL_WS_HOST:-elws}.service=${EL_WS_HOST:-elws}
+      - traefik.http.routers.${EL_WS_HOST:-elws}.entrypoints=websecure
+      - traefik.http.routers.${EL_WS_HOST:-elws}.rule=Host(`${EL_WS_HOST:-elws}.${DOMAIN}`)
+      - traefik.http.routers.${EL_WS_HOST:-elws}.tls.certresolver=letsencrypt
+      - traefik.http.routers.${EL_WS_HOST:-elws}lb.service=${EL_WS_HOST:-elws}
+      - traefik.http.routers.${EL_WS_HOST:-elws}lb.entrypoints=websecure
+      - traefik.http.routers.${EL_WS_HOST:-elws}lb.rule=Host(`${EL_WS_LB:-elws-lb}.${DOMAIN}`)
+      - traefik.http.routers.${EL_WS_HOST:-elws}lb.tls.certresolver=letsencrypt
+      - traefik.http.services.${EL_WS_HOST:-elws}.loadbalancer.server.port=${EL_WS_PORT:-8546}
diff --git a/erigon.yml b/erigon.yml
@@ -92,30 +92,6 @@ services:
       #- --batchSize
       #- 64m
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${EL_HOST:-el}.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}.rule=Host(`${EL_HOST:-el}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_HOST:-el}lb.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}lb.rule=Host(`${EL_LB:-el-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_HOST:-el}.loadbalancer.server.port=${EL_RPC_PORT:-8545}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}.rule=Host(`${EL_WS_HOST:-elws}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.rule=Host(`${EL_WS_LB:-elws-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_WS_HOST:-elws}.loadbalancer.server.port=${EL_WS_PORT:-8546}
-      - traefik.http.routers.${EE_HOST:-ee}.service=${EE_HOST:-ee}
-      - traefik.http.routers.${EE_HOST:-ee}.entrypoints=websecure
-      - traefik.http.routers.${EE_HOST:-ee}.rule=Host(`${EE_HOST:-ee}.${DOMAIN}`)
-      - traefik.http.routers.${EE_HOST:-ee}.tls.certresolver=letsencrypt
-      - traefik.http.services.${EE_HOST:-ee}.loadbalancer.server.port=${EE_PORT:-8551}
       - metrics.scrape=true
       - metrics.path=/debug/metrics/prometheus
       - metrics.port=6060

diff --git a/ethd b/ethd
@@ -496,14 +496,13 @@ migrate_compose_file() {
         traefik-cf-v6.yml validator-keyapi-localport.yml consensus-keyapi-localport.yml prysm-web.yml blank-grafana.yml \
         lh-grafana.yml lhcc-grafana.yml nimbus-grafana.yml prysm-grafana.yml teku-grafana.yml geth-grafana.yml \
         erigon-grafana.yml oe.yml teku-stats.yml lh-stats.yml lh-stats-consensus.yml lh-stats-validator.yml \
-        traefik-shared.yml lighthouse-slasher.yml prysm-slasher.yml el-traefik.yml ee-traefik.yml \
-        prometheus-traefik.yml grafana-localhost.yml )
+        traefik-shared.yml lighthouse-slasher.yml prysm-slasher.yml prometheus-traefik.yml grafana-localhost.yml )
     TO_YML=( el-shared.yml el-traefik.yml cl-shared.yml grafana-shared.yml prysm-web-shared.yml lighthouse-base.yml \
         lighthouse-vc-only.yml lighthouse-slasher.yml teku-base.yml teku-vc-only.yml lighthouse-cl-only.yml \
         lighthouse-vc-only.yml lodestar-cl-only.yml lodestar-vc-only.yml nimbus-cl-only.yml prysm-cl-only.yml \
         prysm-cl-only.yml prysm-vc-only.yml teku-cl-only.yml teku-vc-only.yml lighthouse-base.yml lighthouse-vc-only.yml \
         lighthouse-cl-only.yml nethermind.yml lighthouse.yml teku.yml nimbus.yml prysm.yml lodestar.yml traefik-cf.yml \
-        validator-keyapi-shared.yml validator-keyapi-shared.yml "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "")
+        validator-keyapi-shared.yml validator-keyapi-shared.yml "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "")
 
     __old_grafana=0
     __new_grafana=0

diff --git a/geth.yml b/geth.yml
@@ -74,30 +74,6 @@ services:
       - --maxpeers
       - ${EL_MAX_PEER_COUNT:-50}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${EL_HOST:-el}.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}.rule=Host(`${EL_HOST:-el}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_HOST:-el}lb.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}lb.rule=Host(`${EL_LB:-el-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_HOST:-el}.loadbalancer.server.port=${EL_RPC_PORT:-8545}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}.rule=Host(`${EL_WS_HOST:-elws}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.rule=Host(`${EL_WS_LB:-elws-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_WS_HOST:-elws}.loadbalancer.server.port=${EL_WS_PORT:-8546}
-      - traefik.http.routers.${EE_HOST:-ee}.service=${EE_HOST:-ee}
-      - traefik.http.routers.${EE_HOST:-ee}.entrypoints=websecure
-      - traefik.http.routers.${EE_HOST:-ee}.rule=Host(`${EE_HOST:-ee}.${DOMAIN}`)
-      - traefik.http.routers.${EE_HOST:-ee}.tls.certresolver=letsencrypt
-      - traefik.http.services.${EE_HOST:-ee}.loadbalancer.server.port=${EE_PORT:-8551}
       - metrics.scrape=true
       - metrics.path=/debug/metrics/prometheus
       - metrics.port=6060

diff --git a/lighthouse-cl-only.yml b/lighthouse-cl-only.yml
@@ -80,16 +80,6 @@ services:
       - --suggested-fee-recipient
       - ${FEE_RECIPIENT}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008

diff --git a/lighthouse.yml b/lighthouse.yml
@@ -84,16 +84,6 @@ services:
       - --suggested-fee-recipient
       - ${FEE_RECIPIENT}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008

diff --git a/lodestar-cl-only.yml b/lodestar-cl-only.yml
@@ -74,16 +74,6 @@ services:
       - --suggestedFeeRecipient
       - ${FEE_RECIPIENT}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008

diff --git a/lodestar.yml b/lodestar.yml
@@ -76,16 +76,6 @@ services:
       - --suggestedFeeRecipient
       - ${FEE_RECIPIENT}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008

diff --git a/nethermind.yml b/nethermind.yml
@@ -82,30 +82,6 @@ services:
       - --log
       - ${LOG_LEVEL}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${EL_HOST:-el}.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}.rule=Host(`${EL_HOST:-el}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_HOST:-el}lb.service=${EL_HOST:-el}
-      - traefik.http.routers.${EL_HOST:-el}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_HOST:-el}lb.rule=Host(`${EL_LB:-el-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_HOST:-el}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_HOST:-el}.loadbalancer.server.port=${EL_RPC_PORT:-8545}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}.rule=Host(`${EL_WS_HOST:-elws}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.service=${EL_WS_HOST:-elws}
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.entrypoints=websecure
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.rule=Host(`${EL_WS_LB:-elws-lb}.${DOMAIN}`)
-      - traefik.http.routers.${EL_WS_HOST:-elws}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${EL_WS_HOST:-elws}.loadbalancer.server.port=${EL_WS_PORT:-8546}
-      - traefik.http.routers.${EE_HOST:-ee}.service=${EE_HOST:-ee}
-      - traefik.http.routers.${EE_HOST:-ee}.entrypoints=websecure
-      - traefik.http.routers.${EE_HOST:-ee}.rule=Host(`${EE_HOST:-ee}.${DOMAIN}`)
-      - traefik.http.routers.${EE_HOST:-ee}.tls.certresolver=letsencrypt
-      - traefik.http.services.${EE_HOST:-ee}.loadbalancer.server.port=${EE_PORT:-8551}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=6060

diff --git a/nimbus-cl-only.yml b/nimbus-cl-only.yml
@@ -75,16 +75,6 @@ services:
       - --suggested-fee-recipient=${FEE_RECIPIENT}
       - --in-process-validators=false
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008

diff --git a/nimbus.yml b/nimbus.yml
@@ -79,16 +79,6 @@ services:
       - --keymanager-token-file=/var/lib/nimbus/api-token.txt
       - --suggested-fee-recipient=${FEE_RECIPIENT}
     labels:
-      - traefik.enable=true
-      - traefik.http.routers.${CL_HOST:-cl}.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}.rule=Host(`${CL_HOST:-cl}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}.tls.certresolver=letsencrypt
-      - traefik.http.routers.${CL_HOST:-cl}lb.service=${CL_HOST:-cl}
-      - traefik.http.routers.${CL_HOST:-cl}lb.entrypoints=websecure
-      - traefik.http.routers.${CL_HOST:-cl}lb.rule=Host(`${CL_LB:-cl-lb}.${DOMAIN}`)
-      - traefik.http.routers.${CL_HOST:-cl}lb.tls.certresolver=letsencrypt
-      - traefik.http.services.${CL_HOST:-cl}.loadbalancer.server.port=${CL_REST_PORT:-5052}
       - metrics.scrape=true
       - metrics.path=/metrics
       - metrics.port=8008