giteadmin/Docker-Projects
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Docker-Projects/frontend/traefik/compose.yml

90 lines
4.2 KiB
YAML
Raw Permalink Blame History

services:
traefik:
image: "traefik:${TAG}"
container_name: ${SUBDOMAIN}
restart: always
command:
# General settings
- "--log.level=DEBUG"
- "--api.insecure=false"
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
# EntryPoints configuration
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.websecure.http.tls.certresolver=cloudflare"
- "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_NAME}"
- "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_NAME}"
# Cloudflare IPs trusted for forwarded headers
- "--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22"
- "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
labels:
- traefik.enable=true
- traefik.http.routers.traefik_dashboard.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
- traefik.http.routers.traefik_dashboard.entrypoints=websecure
- traefik.http.routers.traefik_dashboard.service=api@internal
- traefik.http.routers.traefik_dashboard.tls=true
# - traefik.http.middlewares.myauth.basicauth.users=${TRAEFIK_USER}
# - traefik.http.routers.traefik_dashboard.middlewares=myauth@docker
- traefik.http.routers.traefik_dashboard.middlewares=authentik-forwardauth@docker
- traefik.http.routers.traefik_dashboard.tls.certresolver=cloudflare
- traefik.http.services.traefik_dashboard.loadbalancer.server.port=80
# - "traefik.http.middlewares.cloudflare-ips.ipallowlist.sourcerange=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
- traefik.http.middlewares.traefik_dashboard.headers.SSLRedirect=true
- traefik.http.middlewares.traefik_dashboard.headers.STSSeconds=315360000
- traefik.http.middlewares.traefik_dashboard.headers.browserXSSFilter=true
- traefik.http.middlewares.traefik_dashboard.headers.contentTypeNosniff=true
- traefik.http.middlewares.traefik_dashboard.headers.forceSTSHeader=true
- traefik.http.middlewares.traefik_dashboard.headers.SSLHost=${DOMAIN_NAME}
- traefik.http.middlewares.traefik_dashboard.headers.STSIncludeSubdomains=true
- traefik.http.middlewares.traefik_dashboard.headers.STSPreload=true
- traefik.http.middlewares.traefik_dashboard.headers.frameDeny=true
- traefik.docker.network=mgmt
env_file:
- .env
secrets:
- CF_API_EMAIL
- CF_DNS_API_TOKEN
volumes:
- ./traefik_data:/letsencrypt
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
- "80:80"
- "443:443"
networks:
- frontend
- webapp
- mgmt
- jump
- mcp
secrets:
CF_API_EMAIL:
file: .secrets/CF_API_EMAIL
CF_DNS_API_TOKEN:
file: .secrets/CF_DNS_API_TOKEN
networks:
frontend:
external:
true
webapp:
external:
true
mgmt:
external:
true
jump:
external:
true
mcp:
external:
true
Reference in New Issue View Git Blame Copy Permalink