diff --git a/traefik/compose.yaml b/traefik/compose.yaml
new file mode 100644
index 0000000..e662476
--- /dev/null
+++ b/traefik/compose.yaml
@@ -0,0 +1,24 @@
+volumes:
+ acme:
+
+services:
+ traefik:
+ image: traefik:3.0
+ container_name: traefik
+ restart: always
+ command: --providers.docker
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./volume.git/traefik.yml:/traefik.yml:ro
+ - ./volume.git/dynamic_config.yml:/dynamic_config.yml:ro
+ - acme:/acme/
+ #- ./volume/usersFile:/usersFile # Basic Auth
+ network_mode: host
+ labels:
+ - traefik.enable=true
+ # Wildcard http -> https redirection for all routers
+ - traefik.http.routers.http-catchall.rule=HostRegexp(`.`)
+ - traefik.http.routers.http-catchall.entrypoints=http
+ - traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker
+ - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
+ - traefik.http.services.http-catchall.loadbalancer.server.port=80
diff --git a/traefik/volume.git/dynamic_config.yml b/traefik/volume.git/dynamic_config.yml
new file mode 100644
index 0000000..d6bd2b1
--- /dev/null
+++ b/traefik/volume.git/dynamic_config.yml
@@ -0,0 +1,32 @@
+http:
+ middlewares:
+ https-redirect:
+ redirectScheme:
+ scheme: https
+
+ default-allowlist:
+ IPAllowList:
+ sourceRange:
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+
+ secured:
+ chain:
+ middlewares:
+ - default-allowlist
+
+ basic-auth:
+ basicAuth:
+ usersFile: '/usersFile'
+
+# https://docs.traefik.io/https/tls/#minimum-tls-version
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ sniStrict: true
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
diff --git a/traefik/volume.git/traefik.yml b/traefik/volume.git/traefik.yml
new file mode 100644
index 0000000..3b26bb9
--- /dev/null
+++ b/traefik/volume.git/traefik.yml
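Review bot: The Docker socket is bind-mounted read-write into a container that also runs with `network_mode: host`, so any code execution in Traefik (or a hostile dynamic config) becomes root-equivalent on the host through the Docker API. Appending `:ro` to the mount only makes the socket node read-only and does not restrict API calls, so it is not a fix on its own; the usual mitigation is a socket proxy that exposes only the read-only container and event endpoints Traefik needs, with `providers.docker.endpoint` pointed at the proxy instead. At minimum document the risk next to the mount: `# WARNING: docker.sock grants root-equivalent host access; ':ro' does not limit the API - prefer a socket proxy`. `traefik:3.0` is also a floating minor tag, so the image that runs is not necessarily the one that was reviewed; pin a patch version or a digest.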
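Review bot: The `cipherSuites` list under `tls.options.default` contains only `TLS_ECDHE_RSA_*` suites, so TLS 1.2 clients can only negotiate against an RSA certificate; if the ACME resolver's `keyType` is ever changed from the RSA default to an EC key, every TLS 1.2 handshake fails with no cipher in common (TLS 1.3 is unaffected, as Go ignores this list for it). Either add the matching `TLS_ECDHE_ECDSA_WITH_*` entries or make the coupling visible with a comment such as `# RSA-only suites: keep in sync with the ACME keyType`. Separately, `basic-auth` points at `/usersFile`, but the only mount of that path is the commented-out line in `traefik/compose.yaml`, so any router that references `basic-auth@file` will fail to load until that mount is enabled; a comment on the middleware saying so would help. `https-redirect` duplicates `redirect-to-https@docker` from the compose labels and nothing references it, so one of the two can go.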
@@ -0,0 +1,23 @@
+entryPoints:
+ http:
+ address: ':80'
+ https:
+ address: ':443'
+ asDefault: true
+
+providers:
+ docker:
+ endpoint: 'unix:///var/run/docker.sock'
+ exposedByDefault: false
+
+ file:
+ filename: /dynamic_config.yml
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ # LetsEncrypt Staging see: https://docs.traefik.io/https/acme/#caserver
+ caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+ storage: /acme/acme.json
+ httpChallenge:
+ entryPoint: http
diff --git a/traefik/volume.git/usersFile b/traefik/volume.git/usersFile
new file mode 100644
index 0000000..271488b
--- /dev/null
+++ b/traefik/volume.git/usersFile
@@ -0,0 +1,5 @@
+# Users and Passwords for basic auth. Passwords need to be hashed.
+# Use the following command with your preferred username and password to generate a user with a hashed password
+# htpasswd is can be installed with "apt install apache2-utils"
+#
+# htpasswd -nb ""
diff --git a/whoami/compose.yaml b/whoami/compose.yaml
new file mode 100644
index 0000000..2589dc2
--- /dev/null
+++ b/whoami/compose.yaml
@@ -0,0 +1,15 @@
+services:
+ whoami:
+ # A container that exposes an API to show its IP address
+ image: containous/whoami
+ labels:
+ - traefik.enable=true
+ # Enable HTTPS
+ - traefik.http.routers.whoami.rule=Host(${TRAEFIK_HOST})
+ - traefik.http.routers.whoami.tls=true
+ - traefik.http.routers.whoami.tls.certresolver=letsencrypt
+ - traefik.http.routers.whoami.middlewares=secured@file # ip allowlist
+ # # Basic Auth - Users and Passwords must be added to volume/traefik/usersFile
+ # - traefik.http.routers.whoami.middlewares=basic-auth@file
+ # # Specify web port from container (if container is not listen on default port 80)
+ # - traefik.http.services.whoami.loadbalancer.server.port=8080
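Review bot: `caServer` is pinned to the Let's Encrypt staging directory, so every certificate this resolver issues chains to an untrusted root and browsers will reject it, yet the inline comment only links the docs and does not say this is a test placeholder. Expand it to state the intent and the switch-over, e.g. `# STAGING CA: certs are NOT browser-trusted (for testing the challenge only). For real use switch to https://acme-v02.api.letsencrypt.org/directory and delete /acme/acme.json first, since the staging account stored there is not valid against production.` No `email` is set under `acme`; Let's Encrypt sends expiry warnings to the registered contact, so add one if you want those notices. The `httpChallenge` uses the `http` entry point that the compose-side `http-catchall` router redirects wholesale; this should work because Traefik serves ACME challenge requests ahead of router matching, but that dependency is not documented anywhere, so a one-line comment on `entryPoint: http` is warranted.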
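Review bot: The `htpasswd -nb ""` example on the last line is incomplete (its username and password arguments appear to have been lost), and what remains steers users toward `-n` without `-B`, which yields an apr1/MD5 hash; Traefik accepts MD5, SHA1 and bcrypt, and only bcrypt is a sound choice for a file that may be checked in. `-b` also puts the password on the command line and hence into shell history. Replace the example with `# htpasswd -nB <username>   (prompts for the password; -B selects bcrypt)` and fix the typo `is can be` to `can be`. The file lives under `volume.git/`, which suggests it is meant to be tracked; if so, say explicitly that hashed credentials in git are still secrets, or keep the real file out of the repo and mount it from an ignored path.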
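Review bot: The router rule `Host(${TRAEFIK_HOST})` has no quotes around the host, unlike the `HostRegexp(\`.\`)` rule in `traefik/compose.yaml`; Traefik v3's rule parser expects a string literal, so after Compose substitutes the variable the rule reads `Host(example.com)` and the router should fail to load. Change it to `traefik.http.routers.whoami.rule=Host("${TRAEFIK_HOST}")` (backticks work as well), and note that an unset `TRAEFIK_HOST` yields `Host("")`, which is not a useful router; `${TRAEFIK_HOST:?set TRAEFIK_HOST}` makes Compose fail fast instead. The commented-out basic-auth line would not add to the IP allowlist but replace it, because both set the same `...whoami.middlewares` label key; if both are wanted it must be one label, `traefik.http.routers.whoami.middlewares=secured@file,basic-auth@file`, and the comment should say so. `containous/whoami` is the pre-rename repository and is untagged; `traefik/whoami` with a pinned tag is the maintained image.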