-
Notifications
You must be signed in to change notification settings - Fork 0
/
traefik-cloudflare.yml
112 lines (101 loc) · 4.93 KB
/
traefik-cloudflare.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
version: "3.3"
#
# This file uses cloudflare for LetsEncrypt DNS challenge and provides a wildcard cert for all subdomains.
#
# This file can stand alone as the simplest version to test your network, DNS, etc. Simply run this and visit whoami.${DOMAIN}
# to see that everything is making connections properly. Be sure to check logs e.g. `./md logs traefik` and address any errors.
#
# This pattern can utilize HTTPS and allow only specific IPs to access via the IP_WHITELIST_SOURCERANGE. For simpler setups, this means
# that setting up OAUTH isn't an absolute necessity.
#
# @credit to https://github.com/htpcBeginner/docker-traefik for better traefik settings.
#
networks:
web:
driver: bridge
services:
traefik:
image: traefik
restart: unless-stopped
container_name: traefik
ports:
- 80:80
- 443:443
command:
- --global.sendAnonymousUsage=true
- --api.dashboard=true
- --api.debug=true
- --log.level=INFO
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=${COMPOSE_PROJECT_NAME}_web
# Set default rule to use container name as subomain e.g. whoami.example.com
- --providers.docker.defaultRule=Host(`{{ index .Labels "com.docker.compose.service" }}.${DOMAIN}`)
# Entrypoints for HTTP, HTTPS, and NX (TCP + UDP)
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
# Setup tls use for all services
- --entrypoints.https.http.tls.certresolver=cloudflare-resolver
- --entrypoints.https.http.tls.domains[0].main=${DOMAIN}
- --entrypoints.https.http.tls.domains[0].sans=*.${DOMAIN}
# Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
# - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
# Letsencrypt - wildcard certificates can only be generated through a DNS-01 challenge.
- --certificatesresolvers.cloudflare-resolver.acme.dnschallenge=true
- --certificatesResolvers.cloudflare-resolver.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
- --certificatesresolvers.cloudflare-resolver.acme.dnschallenge.provider=cloudflare
- --certificatesResolvers.cloudflare-resolver.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- --certificatesresolvers.cloudflare-resolver.acme.email=${SSL_ACME_EMAIL}
- --certificatesresolvers.cloudflare-resolver.acme.storage=etc/traefik/acme/acme.json
# Enable the following staging server initially to test successful issuance of certificates (and avoid being rate limited due to errors)
# - --certificatesresolvers.cloudflare-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
environment:
- CF_API_EMAIL=${CF_API_EMAIL}
- CF_API_KEY=${CF_API_KEY}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${CONTAINERS}/traefik/acme:/etc/traefik/acme
networks:
- web
labels:
- traefik.enable=true
# -----------------------------
# HTTP-to-HTTPS Redirect
# -----------------------------
# - traefik.http.routers.http-catchall.entrypoints=http
# - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
# - traefik.http.routers.http-catchall.middlewares=redirect-to-https
# - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
# -----------------------------
# HTTP Routers
# -----------------------------
- traefik.http.routers.traefik.entrypoints=https
# -----------------------------
# Services - API
# -----------------------------
- traefik.http.routers.traefik.service=api@internal
# -----------------------------
# Healthcheck/ping
# -----------------------------
#- traefik.http.routers.ping.rule=Host(`traefik.${DOMAIN}`) && Path(`/ping`)
#- traefik.http.routers.ping.tls=true
#- traefik.http.routers.ping.service=ping@internal
# -----------------------------
# Define reusable middlewares
# -----------------------------
- traefik.http.middlewares.internalwhitelist.ipwhitelist.sourcerange=${IP_WHITELIST_SOURCERANGE}
# -----------------------------
# Apply ip restriction to dashboard UI
# -----------------------------
- traefik.http.routers.traefik.middlewares=internalwhitelist@docker
# sample for verification of traefik, routing, etc.
whoami:
image: traefik/whoami
restart: unless-stopped
container_name: whoami
networks:
- web
labels:
- traefik.enable=true
- traefik.http.routers.whoami.entrypoints=https
- traefik.http.routers.whoami.middlewares=internalwhitelist@docker