Add Harbor And Update Traefik

Reseaux/Traefik/configs/dynamic/dashboard.yml

@@ -1,16 +1,16 @@
 http:
   routers:
     traefik:
-      rule: Host(`dashboard.10.0.4.29.traefik.me`)
+      rule: Host(`dashboard.traefik.me`)
       entryPoints:
         - https
       service: api@internal
       middlewares:
         - dashboardauth
       tls:
-        certResolver: letsencrypt
+        certResolver: production
     traefik-http-redirect:
-      rule: Host(`dashboard.10.0.4.29.traefik.me`)
+      rule: Host(`dashboard.traefik.me`)
       entryPoints:
         - http
       service: api@internal

Reseaux/Traefik/configs/dynamic/global-middlewares.yml

@@ -48,3 +48,58 @@ http:
         regex: "^https?://www\\.(.+)"
         # How to modify the URL to have the new target URL
         replacement: "https://${1}"
+
+#    default-headers:
+#      headers:
+#        frameDeny: true
+#        browserXssFilter: true
+#        contentTypeNosniff: true
+#        forceSTSHeader: true
+#        stsIncludeSubdomains: true
+#        stsPreload: true
+#        stsSeconds: 15552000
+#        customFrameOptionsValue: SAMEORIGIN
+#        customRequestHeaders:
+#          X-Forwarded-Proto: https
+
+#    crowdsec:
+#      plugin:
+#        bouncer:
+#          enabled: true
+#          logLevel: INFO
+#          updateIntervalSeconds: 15
+#          updateMaxFailure: 0
+#          defaultDecisionSeconds: 15
+#          httpTimeoutSeconds: 10
+#          crowdsecMode: stream
+#          crowdsecAppsecEnabled: true
+#          crowdsecAppsecHost: crowdsec:7422
+#          crowdsecAppsecFailureBlock: true
+#          crowdsecAppsecUnreachableBlock: true
+#          crowdsecLapiKey: #####REPLACE_API_KEY#####                                    # Replace CrowdSec API key (docker exec crowdsec cscli bouncers add crowdsecBouncer)
+#          crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
+#          crowdsecLapiHost: crowdsec:8080
+#          crowdsecLapiScheme: http
+#          forwardedHeadersTrustedIPs:
+#            - 10.0.35.4/32                                                              # Cloudflare tunnel IP address
+#            - 172.30.0.0/24                                                            # Reverse Proxy IP address
+#          clientTrustedIPs:
+#            - 10.0.1.0/24                                                              # Internal LAN IP addresses
+#            - 10.0.2.0/24                                                              # Internal LAN IP addresses
+#            - 10.0.3.0/24                                                              # Internal LAN IP addresses
+#            - 10.0.4.0/24                                                              # Internal LAN IP addresses
+#            - 10.0.5.0/24                                                              # Internal LAN IP addresses
+#          forwardedHeadersCustomName: CF-Connecting-IP                                 # Cloudflare IP address header
+
+#    default-whitelist:
+#      ipWhiteList:
+#        sourceRange:
+#        - "10.0.4.0/24"
+#        - "192.168.0.0/16"
+#        - "172.16.0.0/12"
+
+#    secured:
+#      chain:
+#        middlewares:
+#        - default-whitelist
+#        - default-headers

Reseaux/Traefik/configs/dynamic/registry.yml

@@ -0,0 +1,13 @@
+http:
+  routers:
+    harbor:
+      service: harbor
+      rule: "Host(`registry.traefik.me`)"
+      tls:
+        certResolver: production
+
+  services:
+    harbor:
+      loadBalancer:
+        servers:
+          - url: "http://registry.traefik.me:8083"

Reseaux/Traefik/configs/traefik.yml

@@ -8,8 +8,8 @@ global:
 entryPoints:
   http:
     address: ":80"
-#    forwardedHeaders:
-#      insecure: true
+    forwardedHeaders:
+      insecure: true
     http:
       redirections:
         entryPoint:
@@ -17,8 +17,8 @@ entryPoints:
           scheme: https
   https:
     address: ":443"
-#    forwardedHeaders:
-#      insecure: true
+    forwardedHeaders:
+      insecure: true
 #    http:
 #      middlewares:
 #        - secureHeaders@file
@@ -38,12 +38,23 @@ providers:
   providersThrottleDuration: 10
 
 certificatesResolvers:
-  cloudflare:
+  staging:
     acme:
       email: admin@tips-of-mine.fr
       storage: acme.json
+      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
       dnsChallenge:
-        provider: cloudflare
+        provider: staging
+      tlschallenge: true
+      httpChallenge:
+        entryPoint: http
+  production:
+    acme:
+      email: admin@tips-of-mine.fr
+      storage: acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      dnsChallenge:
+        provider: production
         resolvers:
           - "1.1.1.1:53"
           - "1.0.0.1:53"
@@ -83,3 +94,21 @@ metrics:
     # Ajout des services
     addServicesLabels: true
     addRoutersLabels: true
+
+experimental:
+  plugins:
+    crowdsec-bouncer-traefik-plugin:
+      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+      version: "v1.3.3"
+
+    traefik-maintenance:
+      moduleName: github.com/TRIMM/traefik-maintenance
+      version: v1.0.1
+
+    fail2ban:
+      moduleName: "github.com/tomMoulard/fail2ban"
+      version: "v0.8.3"
+
+    sablier:
+      moduleName: "github.com/acouvreur/sablier"
+      version: "v1.8.0-beta.22"

Reseaux/Traefik/docker-compose-traefik.yml

@@ -0,0 +1,99 @@
+### networks
+networks:
+  back_network:
+    driver: bridge
+    attachable: true
+  front_network:
+    driver: bridge
+    attachable: true
+
+### Volumes
+#volumes:
+#  traefik-logs:
+
+### services
+services:
+# traefik
+  traefik:
+    container_name: traefik-app
+    hostname: traefik-app
+    image: traefik:latest
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8181:8181"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/etc/localtime:/etc/localtime:ro"
+      - "./configs/traefik.yml:/etc/traefik/traefik.yml"
+      - "./configs/dynamic:/etc/traefik/dynamic"
+      - "./certificates/acme.json:/etc/traefik/acme/acme.json"
+      - "./certificates:/etc/traefik/ssl"
+      - "./log:/var/log/traefik"
+#      - traefik-logs:/var/log/traefik
+#    environment:
+#      - CF_DNS_API_TOKEN=3836286773f145fb8f7c0758f2ce8896hb9dusqpsm6b3scn
+    networks:
+      - back_network
+      - front_network
+
+### crowdsec
+#  crowdsec:
+#    container_name: crowdsec
+#    hostname: crowdsec
+#    image: crowdsecurity/crowdsec
+#    environment:
+#      PGID: "1000"
+#      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
+#    expose:
+#      - "8080"
+#    volumes:
+#      - ./log/crowdsec:/var/log/crowdsec:ro
+#      - ./crowdsec-db:/var/lib/crowdsec/data
+#      - ./log/auth.log:/var/log/auth.log:ro
+#      - ./crowdsec:/etc/crowdsec
+#      - ./log:/var/log/traefik:ro
+#    restart: unless-stopped
+#    labels:
+#      - traefik.enable=false
+#    networks:
+#      - front_network
+#      - back_network
+
+### Certificats
+  certificat:
+    container_name: traefik-certificat
+    hostname: traefik-certificat
+    image: alpine:latest
+    command: sh -c "cd /etc/traefik/ssl
+      && wget traefik.me/cert.pem -O cert.pem
+      && wget traefik.me/privkey.pem -O privkey.pem"
+    volumes:
+      - "./certificates:/etc/traefik/ssl"
+    networks:
+      - front_network
+
+# whoami
+  whoami:
+    container_name: traefik-whoami
+    hostname: traefik-whoami
+    image: traefik/whoami:latest
+    restart: unless-stopped
+    networks:
+      - front_network
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=front_network"
+# HTTP
+      - "traefik.http.routers.whoami-http.rule=Host(`whoami.traefik.me`)"
+      - "traefik.http.routers.whoami-http.entrypoints=http"
+# HTTPS
+      - "traefik.http.routers.whoami-https.rule=Host(`whoami.traefik.me`)"
+      - "traefik.http.routers.whoami-https.entrypoints=https"
+      - "traefik.http.routers.whoami-https.tls=true"
+#      - "traefik.http.routers.whoami-https.middlewares=whoami-crowdsec"
+# Middleware
+#      - "traefik.http.middlewares.whoami-crowdsec.plugin.crowdsec-bouncer-traefik-plugin.enabled=true"
+#      - "traefik.http.middlewares.whoami-crowdsec.plugin.crowdsec-bouncer-traefik-plugin.crowdseclapikey=3836286773f145fb8f7c0758f2ce8896hb9dusqpsm6b3scn"
+# Service