78 lines
3.9 KiB
YAML
78 lines
3.9 KiB
YAML
services:
|
|
traefik:
|
|
image: traefik:3.0
|
|
ports:
|
|
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
|
|
- 80:80
|
|
# Listen on port 443, default for HTTPS
|
|
- 443:443
|
|
restart: always
|
|
labels:
|
|
# Enable Traefik for this service, to make it available in the public network
|
|
- traefik.enable=true
|
|
# Use the traefik-public network (declared below)
|
|
- traefik.docker.network=traefik-public
|
|
# Define the port inside of the Docker service to use
|
|
- traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
|
|
# Make Traefik use this domain (from an environment variable) in HTTP
|
|
- traefik.http.routers.traefik-dashboard-http.entrypoints=http
|
|
- traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.${DOMAIN?Variable not set}`)
|
|
# traefik-https the actual router using HTTPS
|
|
- traefik.http.routers.traefik-dashboard-https.entrypoints=https
|
|
- traefik.http.routers.traefik-dashboard-https.rule=Host(`traefik.${DOMAIN?Variable not set}`)
|
|
- traefik.http.routers.traefik-dashboard-https.tls=true
|
|
# Use the "le" (Let's Encrypt) resolver created below
|
|
- traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
|
|
# Use the special Traefik service api@internal with the web UI/Dashboard
|
|
- traefik.http.routers.traefik-dashboard-https.service=api@internal
|
|
# https-redirect middleware to redirect HTTP to HTTPS
|
|
# - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
|
|
# - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
|
|
# traefik-http set up only to use the middleware to redirect to https
|
|
- traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
|
|
# admin-auth middleware with HTTP Basic auth
|
|
# Using the environment variables USERNAME and HASHED_PASSWORD
|
|
- traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
|
|
# Enable HTTP Basic auth, using the middleware created above
|
|
- traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth
|
|
volumes:
|
|
# Add Docker as a mounted volume, so that Traefik can read the labels of other services
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
# Mount the volume to store the certificates
|
|
- traefik-public-certificates:/certificates
|
|
command:
|
|
# Enable Docker in Traefik, so that it reads labels from Docker services
|
|
- --providers.docker
|
|
# Do not expose all Docker services, only the ones explicitly exposed
|
|
- --providers.docker.exposedbydefault=false
|
|
# Create an entrypoint "http" listening on port 80
|
|
- --entrypoints.http.address=:80
|
|
# Create an entrypoint "https" listening on port 443
|
|
- --entrypoints.https.address=:443
|
|
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
|
|
- --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
|
|
# Store the Let's Encrypt certificates in the mounted volume
|
|
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
|
|
# Use the TLS Challenge for Let's Encrypt
|
|
- --certificatesresolvers.le.acme.tlschallenge=true
|
|
# Enable the access log, with HTTP requests
|
|
- --accesslog
|
|
# Enable the Traefik log, for configurations and errors
|
|
- --log
|
|
# Enable the Dashboard and API
|
|
- --api
|
|
networks:
|
|
# Use the public network created to be shared between Traefik and
|
|
# any other service that needs to be publicly available with HTTPS
|
|
- traefik-public
|
|
|
|
volumes:
|
|
# Create a volume to store the certificates, even if the container is recreated
|
|
traefik-public-certificates:
|
|
|
|
networks:
|
|
# Use the previously created public network "traefik-public", shared with other
|
|
# services that need to be publicly available via this Traefik
|
|
traefik-public:
|
|
external: true
|