Tips-Of-Mine/Docker-Traefik
2
0
Fork 0
Code Pull Requests Wiki Activity
Docker-Traefik/README.md

389 lines
10 KiB
Markdown
Raw Blame History

# Titre
image
description.
## Installation
#### titre
## Usage
## More info
- more information on the website [Tips-Of-Mine](https://www.tips-of-mine.fr/)
## Buy me a coffe
<a href='https://ko-fi.com/R5R2KNI3N' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://storage.ko-fi.com/cdn/kofi4.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
# Traefik 2 config
This is a resuseable traefik config for usage on a virtual server or for local debelopment using docker-compose.
It uses:
- Traefik 2
- docker-compose
- Let's encrypt
## Table of content
- [Traefik 2 config](#traefik-2-config)
- [Table of content](#table-of-content)
- [Production setup](#production-setup)
- [Setting up traefik](#setting-up-traefik)
- [Traefik dashboard](#traefik-dashboard)
- [Connect docker-compose service to reverse-proxy](#connect-docker-compose-service-to-reverse-proxy)
- [SSL configuration](#ssl-configuration)
- [Global middlewares](#global-middlewares)
- [Access Logs](#access-logs)
- [Setup for local development](#setup-for-local-development)
- [Setting up traefik](#setting-up-traefik-1)
- [Traefik dashboard](#traefik-dashboard-1)
- [Connect docker-compose service to reverse-proxy](#connect-docker-compose-service-to-reverse-proxy-1)
- [Enable SSL locally](#enable-ssl-locally)
- [Enable SSL in the docker-compose file](#enable-ssl-in-the-docker-compose-file)
- [Credits](#credits)
- [License](#license)
## Production setup
### Setting up traefik
1. Clone repository
```bash
git clone https://github.com/korridor/reverse-proxy-docker-traefik.git
cd reverse-proxy-docker-traefik
```
2. Copy default config
```bash
cp docker-compose.prod.yml docker-compose.yml
cp -r configs-prod configs
echo "{}" > certificates/acme.json
chmod 600 certificates/acme.json
```
3. Replace domain for dashboard (`reverse-proxy.somedomain.com` in `configs/dynamic/dashboard.yml`)
```yaml
http:
routers:
traefik:
rule: Host(`reverse-proxy.somedomain.com`)
# ...
traefik-http-redirect:
rule: Host(`reverse-proxy.somedomain.com`)
# ...
```
4. Replace password for admin account (in `configs/dynamic/dashboard.yml`)
```yaml
htpasswd -nBC 10 admin
New password:
Re-type new password:
admin:$2y$10$zi5n43jq9S63gBqSJwHTH.nCai2vB0SW/ABPGg2jSGmJBVRo0A.ni
```
```yaml
http:
# ...
middlewares:
dashboardauth:
basicAuth:
users:
- "user1:$2y$05$/x10KYbrHtswyR8POT.ny.H4fFd1n.0.IEiYiestWzE1QFkYIEI3m"
```
- You can use a website like [this](https://hostingcanada.org/htpasswd-generator/) to generate the hash (use Bcrypt).
- Or generate it with: `echo $(htpasswd -nB user1)`
5. Replace email for Let's encrypt (`mail@somedomain.com` in `configs/traefik.yml`)
```yaml
certificatesResolvers:
letsencrypt:
acme:
# ...
email: mail@somedomain.com
```
6. Start container
```bash
docker-compose up -d
```
7. Check that traefik is running smoothly
```bash
docker-compose logs
```
### Traefik dashboard
The traefik dashboard is now available under:
```
https://reverse-proxy.somedomain.com
```
The dashboard shows you the configured routers, services, middleware, etc.
### Connect docker-compose service to reverse-proxy
```yaml
version: '3.8'
networks:
frontend:
external:
name: reverse-proxy-docker-traefik_routing
services:
someservice:
restart: always
# ...
labels:
- "traefik.enable=true"
- "traefik.docker.network=reverse-proxy-docker-traefik_routing"
# https
- "traefik.http.routers.someservice.rule=Host(`someservice.com`)"
- "traefik.http.routers.someservice.tls=true"
- "traefik.http.routers.someservice.tls.certresolver=letsencrypt"
- "traefik.http.routers.someservice.entrypoints=websecure"
# http (redirect to https)
- "traefik.http.routers.someservice-http.rule=Host(`someservice.com`)"
- "traefik.http.routers.someservice-http.entrypoints=web"
- "traefik.http.routers.someservice-http.middlewares=redirect-to-https@file"
networks:
- frontend
- ...
```
**Password protection for service with basic auth**
```yaml
services:
someservice:
# ...
labels:
# ...
- "traefik.http.routers.someservice.middlewares=someservice-auth"
- "traefik.http.middlewares.someservice-auth.basicauth.users=user1:$2y$05$/x10KYbrHtswyR8POT.ny.H4fFd1n.0.IEiYiestWzE1QFkYIEI3m"
```
You can generate the **escaped** hash with the following command: `echo $(htpasswd -nB user1) | sed -e s/\\$/\\$\\$/g`
If you use a website like [this](https://hostingcanada.org/htpasswd-generator/) to generate the hash remember to escape the dollar signs (`$` -> `$$`) and use Bcrypt.
**Specifying port if service exposes multiple ports**
If your service exposes multiple ports Traefik does not know which one it should use.
With this line you can select one:
```yaml
services:
someservice:
# ...
labels:
# ...
- "traefik.http.services.someservice.loadbalancer.server.port=8080"
```
### SSL configuration
Per default the SSL configuration is set so that [SSL Labs](https://www.ssllabs.com/) gives an `A` rating.
If you want an `A+` rating, you need to use HSTS (HTTP Strict Transport Security).
The setup includes a global middleware called `hsts-minimal@file` that can be used to activate HSTS in a simple setting.
See "Global middlewares" for more information.
### Global middlewares
**hsts-minimal@file**
Adds the HSTS header to the HTTP response without `includeSubDomains` and `preload`.
The `max-age` is set to one year / 31536000 seconds.
**hsts-standard@file**
Adds the HSTS header to the HTTP response with `includeSubDomains` and no `preload`.
The `max-age` is set to one year / 31536000 seconds.
**hsts-full@file**
Adds the HSTS header to the HTTP response with `includeSubDomains` and `preload`.
The `max-age` is set to one year / 31536000 seconds.
**redirect-to-https@file**
Adds a permanent redirect to HTTPS.
**redirect-non-www-to-www@file**
Adds a permanent redirect (HTTP 301) from non-www domains to the HTTPS www domain
Examples:
- `https://example.test` -> `https://www.example.test`
- `http://example.test` -> `https://www.example.test`
**redirect-www-to-non-www@file**
Adds a permanent redirect (HTTP 301) from www domains to the HTTPS non-www domain
Examples:
- `https://www.example.test` -> `https://example.test`
- `http://www.example.test` -> `https://example.test`
### Access Logs
To enable the traefik access logs in the production configuration, open the file `traefik.yml` within the config folder and uncomment the `accessLog` section.
```yml
# Access logs
accessLog: {}
```
## Setup for local development
### Setting up traefik
1. Clone repository
```bash
git clone https://github.com/korridor/reverse-proxy-docker-traefik.git
cd reverse-proxy-docker-traefik
```
2. Copy default config
```bash
ln -s docker-compose.local.yml docker-compose.yml
ln -s configs-local configs
```
If you want to change the configuration copy the configuration instead of creating a symlink.
```bash
cp docker-compose.local.yml docker-compose.yml
cp -r configs-local configs
```
3. If you want you can change the domain of the traefik dashboard (`reverse-proxy.test` in `configs/dynamic/dashboard.yml`)
```yaml
http:
routers:
traefik:
rule: Host(`reverse-proxy.test`)
# ...
```
4. Start container
```bash
docker-compose up -d
```
5. Check that traefik is running smoothly
```bash
docker-compose logs
```
### Traefik dashboard
The traefik dashboard is now available under:
```
http://reverse-proxy.test
```
The dashboard shows you the configured routers, services, middlewares, etc.
### Connect docker-compose service to reverse-proxy
```yaml
version: '3.8'
networks:
frontend:
external:
name: reverse-proxy-docker-traefik_routing
services:
someservice:
restart: always
# ...
labels:
- "traefik.enable=true"
- "traefik.docker.network=reverse-proxy-docker-traefik_routing"
# http
- "traefik.http.routers.someservice.rule=Host(`someservice.test`)"
- "traefik.http.routers.someservice.entrypoints=web"
networks:
- frontend
- ...
```
**Enabling service to send requests to itself (with someservice.test)**
```yaml
services:
someservice:
# ...
extra_hosts:
- "someservice.test:10.100.100.10"
```
**Specifying port if service exposes multiple ports**
If your service exposes multiple ports traefik does not know which one it should use.
With this config line you can select one:
```yaml
services:
someservice:
# ...
labels:
# ...
- "traefik.http.services.someservice.loadbalancer.server.port=8080"
```
### Enable SSL locally
1. Install [mkcert](https://github.com/FiloSottile/mkcert)
For example on macOS:
```bash
brew install mkcert
brew install nss # if you use Firefox
```
Now install the local CA:
```bash
mkcert -install
```
3. Generate certificate
Replace `someservice` with the domains that you are using for local development.
```bash
cd certificates
mkcert -key-file local.key.pem -cert-file local.cert.pem "*.local" "*.test" "*.someservice.test" "*.someservice.local"
```
### Enable SSL in the docker-compose file
```yaml
version: '3.8'
networks:
frontend:
external:
name: reverse-proxy-docker-traefik_routing
services:
someservice:
restart: always
# ...
labels:
- ...
# http
- ...
# https
- "traefik.http.routers.someservice-https.rule=Host(`someservice.test`)"
- "traefik.http.routers.someservice-https.entrypoints=websecure"
- "traefik.http.routers.someservice-https.tls=true"
networks:
- frontend
- ...
```
## Credits
I used the following resources to create this setup:
- [Traefik docs](https://docs.traefik.io)
- [Traefik v2 and Mastodon, a wonderful couple! by Nicolas Inden](https://www.innoq.com/en/blog/traefik-v2-and-mastodon/)
- [GitHub repo traefik-example by jamct](https://github.com/jamct/traefik-example)
## License
This configuration is licensed under the MIT License (MIT). Please see [license file](license.md) for more information.
View Git Blame Copy Permalink