services: traefik: image: "traefik:v3.5.3" container_name: ${SUBDOMAIN} restart: always command: # General settings - "--log.level=DEBUG" - "--api.insecure=false" - "--api.dashboard=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" # EntryPoints configuration - "--entrypoints.web.address=:80" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--entrypoints.web.http.redirections.entrypoint.permanent=true" - "--entrypoints.websecure.address=:443" - "--entrypoints.websecure.http.tls=true" - "--entrypoints.websecure.http.tls.certresolver=cloudflare" - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_NAME}" - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_NAME}" # - "--entrypoints.ssh.address=:${SSH_PORT}" # Cloudflare IPs trusted for forwarded headers - "--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22" - "--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22" - "--certificatesresolvers.cloudflare.acme.dnschallenge=true" - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL_FILE}" - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json" labels: - traefik.enable=true - traefik.http.routers.traefik_dashboard.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`) - traefik.http.routers.traefik_dashboard.entrypoints=websecure - traefik.http.routers.traefik_dashboard.service=api@internal - traefik.http.routers.traefik_dashboard.tls=true # - traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER} # - traefik.http.routers.traefik_dashboard.middlewares=myauth@docker - traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker - traefik.http.routers.traefik_dashboard.tls.certresolver=cloudflare - traefik.http.services.traefik_dashboard.loadbalancer.server.port=80 # - "traefik.http.middlewares.cloudflare-ips.ipallowlist.sourcerange=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" - traefik.http.middlewares.traefik_dashboard.headers.SSLRedirect=true - traefik.http.middlewares.traefik_dashboard.headers.STSSeconds=315360000 - traefik.http.middlewares.traefik_dashboard.headers.browserXSSFilter=true - traefik.http.middlewares.traefik_dashboard.headers.contentTypeNosniff=true - traefik.http.middlewares.traefik_dashboard.headers.forceSTSHeader=true - traefik.http.middlewares.traefik_dashboard.headers.SSLHost=${DOMAIN_NAME} - traefik.http.middlewares.traefik_dashboard.headers.STSIncludeSubdomains=true - traefik.http.middlewares.traefik_dashboard.headers.STSPreload=true - traefik.http.middlewares.traefik_dashboard.headers.frameDeny=true env_file: - .env secrets: # - SSH_PORT - CF_API_KEY - CF_API_EMAIL volumes: - ./traefik_data:/letsencrypt - /var/run/docker.sock:/var/run/docker.sock:ro ports: - "80:80" - "443:443" networks: - frontend - webapp - mgmt - remote secrets: # SSH_PORT: # file: .secrets/SSH_PORT CF_API_KEY: file: .secrets/CF_API_KEY CF_API_EMAIL: file: .secrets/CF_API_EMAIL networks: frontend: external: true webapp: external: true mgmt: external: true remote: external: true