traefik + whoami added

2025-10-17 13:47:55 +02:00
parent 2f644afe60
commit 94bc5e1b0f
5 changed files with 99 additions and 0 deletions
--- a/traefik/compose.yaml
+++ b/traefik/compose.yaml
@@ -0,0 +1,24 @@
+volumes:
+  acme:
+
+services:
+  traefik:
+    image: traefik:3.0
+    container_name: traefik
+    restart: always
+    command: --providers.docker
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./volume.git/traefik.yml:/traefik.yml:ro
+      - ./volume.git/dynamic_config.yml:/dynamic_config.yml:ro
+      - acme:/acme/
+      #- ./volume/usersFile:/usersFile # Basic Auth
+    network_mode: host
+    labels:
+      - traefik.enable=true
+      # Wildcard http -> https redirection for all routers
+      - traefik.http.routers.http-catchall.rule=HostRegexp(`.`)
+      - traefik.http.routers.http-catchall.entrypoints=http
+      - traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker
+      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
+      - traefik.http.services.http-catchall.loadbalancer.server.port=80
--- a/traefik/volume.git/dynamic_config.yml
+++ b/traefik/volume.git/dynamic_config.yml
@@ -0,0 +1,32 @@
+http:
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+
+    default-allowlist:
+      IPAllowList:
+        sourceRange:
+          - '10.0.0.0/8'
+          - '172.16.0.0/12'
+          - '192.168.0.0/16'
+
+    secured:
+      chain:
+        middlewares:
+          - default-allowlist
+
+    basic-auth:
+      basicAuth:
+        usersFile: '/usersFile'
+
+# https://docs.traefik.io/https/tls/#minimum-tls-version
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
--- a/traefik/volume.git/traefik.yml
+++ b/traefik/volume.git/traefik.yml
@@ -0,0 +1,23 @@
+entryPoints:
+  http:
+    address: ':80'
+  https:
+    address: ':443'
+    asDefault: true
+
+providers:
+  docker:
+    endpoint: 'unix:///var/run/docker.sock'
+    exposedByDefault: false
+
+  file:
+    filename: /dynamic_config.yml
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      # LetsEncrypt Staging see: https://docs.traefik.io/https/acme/#caserver
+      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      storage: /acme/acme.json
+      httpChallenge:
+        entryPoint: http
--- a/traefik/volume.git/usersFile
+++ b/traefik/volume.git/usersFile
@@ -0,0 +1,5 @@
+# Users and Passwords for basic auth. Passwords need to be hashed.
+# Use the following command with your preferred username and password to generate a user with a hashed password
+# htpasswd is can be installed with "apt install apache2-utils"
+#
+# htpasswd -nb <User> "<Password>"
--- a/whoami/compose.yaml
+++ b/whoami/compose.yaml
@@ -0,0 +1,15 @@
+services:
+  whoami:
+    # A container that exposes an API to show its IP address
+    image: containous/whoami
+    labels:
+      - traefik.enable=true
+      # Enable HTTPS
+      - traefik.http.routers.whoami.rule=Host(${TRAEFIK_HOST})
+      - traefik.http.routers.whoami.tls=true
+      - traefik.http.routers.whoami.tls.certresolver=letsencrypt
+      - traefik.http.routers.whoami.middlewares=secured@file # ip allowlist
+      # # Basic Auth - Users and Passwords must be added to volume/traefik/usersFile
+      # - traefik.http.routers.whoami.middlewares=basic-auth@file
+      # # Specify web port from container (if container is not listen on default port 80)
+      # - traefik.http.services.whoami.loadbalancer.server.port=8080