108 lines
5.1 KiB
YAML
108 lines
5.1 KiB
YAML
services:
|
|
|
|
traefik:
|
|
# Use the latest v3.0.x Traefik image available
|
|
image: traefik:latest
|
|
ports:
|
|
- target: 80
|
|
published: 80
|
|
mode: host
|
|
- target: 443
|
|
published: 443
|
|
mode: host
|
|
# - "7687:7687"
|
|
# - "8083:8083"
|
|
# - "8084:8084"
|
|
# - "8883:8883"
|
|
# - "5432:5432"
|
|
deploy:
|
|
placement:
|
|
constraints:
|
|
# Make the traefik service run only on the node with this label
|
|
# as the node with it has the volume for the certificates
|
|
- node.labels.traefik-public.traefik-public-certificates == true
|
|
labels:
|
|
# Enable Traefik for this service, to make it available in the public network
|
|
- traefik.enable=true
|
|
# Use the traefik-public network (declared below)
|
|
- traefik.docker.network=traefik-public
|
|
# Use the custom label "traefik.constraint-label=traefik-public"
|
|
# This public Traefik will only use services with this label
|
|
# That way you can add other internal Traefik instances per stack if needed
|
|
- traefik.constraint-label=traefik-public
|
|
# admin-auth middleware with HTTP Basic auth
|
|
# Using the environment variables USERNAME and HASHED_PASSWORD
|
|
- traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
|
|
- traefik.http.middlewares.csrf.headers.hostsProxyHeaders=["X-CSRFToken"]
|
|
# traefik-https the actual router using HTTPS
|
|
- traefik.http.routers.traefik-public-https.rule=Host(`dashboard.${DOMAIN?Variable not set}`)
|
|
- traefik.http.routers.traefik-public-https.entrypoints=https
|
|
- traefik.http.routers.traefik-public-https.tls=true
|
|
# Use the special Traefik service api@internal with the web UI/Dashboard
|
|
- traefik.http.routers.traefik-public-https.service=api@internal
|
|
# Use the "le" (Let's Encrypt) resolver created below
|
|
- traefik.http.routers.traefik-public-https.tls.certresolver=le
|
|
# Enable HTTP Basic auth, using the middleware created above
|
|
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
|
|
# Define the port inside of the Docker service to use
|
|
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
|
|
volumes:
|
|
# Add Docker as a mounted volume, so that Traefik can read the labels of other services
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
# Mount the volume to store the certificates
|
|
- traefik-public-certificates:/certificates
|
|
command:
|
|
# Enable Docker in Traefik, so that it reads labels from Docker services
|
|
- --providers.docker
|
|
# Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
|
|
- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
|
|
# Do not expose all Docker services, only the ones explicitly exposed
|
|
- --providers.docker.exposedbydefault=false
|
|
# Enable Docker Swarm mode
|
|
- --providers.swarm.endpoint=unix:///var/run/docker.sock
|
|
# Create an entrypoint "http" listening on port 80
|
|
- --entrypoints.http.address=:80
|
|
# Create an entrypoint "https" listening on port 443
|
|
- --entrypoints.https.address=:443
|
|
# Redirect HTTP to HTTPS
|
|
- --entrypoints.http.http.redirections.entrypoint.to=https
|
|
- --entrypoints.http.http.redirections.entrypoint.scheme=https
|
|
- --entrypoints.http.http.redirections.entrypoint.permanent=true
|
|
# Create an entrypoint "postgres-socket" listening on port 5432
|
|
- --entrypoints.postgres-socket.address=:5432
|
|
# Others entrypoints can be created, like a TCP entrypoint
|
|
# - --entrypoints.mqtt.address=:1883
|
|
- --entrypoints.web-socket.address=:8083
|
|
- --entrypoints.web-socket-secure.address=:8084
|
|
- --entrypoints.bolt-socket.address=:7687
|
|
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
|
|
- --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
|
|
# Store the Let's Encrypt certificates in the mounted volume
|
|
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
|
|
# Use the TLS Challenge for Let's Encrypt
|
|
- --certificatesresolvers.le.acme.tlschallenge=true
|
|
# Enable the access log, with HTTP requests
|
|
- --accesslog=true
|
|
# Enable the Traefik log, for configurations and errors
|
|
- --log=true
|
|
- --log.level=INFO
|
|
# Enable the Dashboard and API
|
|
- --api=true
|
|
- --dashboard=true
|
|
networks:
|
|
# Use the public network created to be shared between Traefik and
|
|
# any other service that needs to be publicly available with HTTPS
|
|
- traefik-public
|
|
|
|
volumes:
|
|
# Create a volume to store the certificates, there is a constraint to make sure
|
|
# Traefik is always deployed to the same Docker node with the same volume containing
|
|
# the HTTPS certificates
|
|
traefik-public-certificates:
|
|
|
|
networks:
|
|
# Use the previously created public network "traefik-public", shared with other
|
|
# services that need to be publicly available via this Traefik
|
|
traefik-public:
|
|
external: true
|