Traefik with Portainer
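version: '3.9'

services:
  # Traefik is the reverse proxy: the only service that publishes host ports.
  traefik:
    hostname: traefik
    image: "traefik:v2.8.0"
    # Kept for reference only: the official image ships no bash, so this
    # /dev/tcp probe cannot run inside the container as written.
    #healthcheck:
    #  test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/80' || exit 1
    #  interval: 30s
    #  timeout: 15s
    #  retries: 3
    ports:
      # Port 80 (HTTP): needed for the redirect to HTTPS and for the ACME
      # HTTP-01 challenge below.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      # Port 443 (HTTPS)
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - public
    secrets:
      # htpasswd-format users for the dashboard basic auth; consumed by the
      # traefik-dashboard-auth middleware defined in the labels below.
      - traefik_dashboard_users
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Docker socket so Traefik can read service labels. NOTE: ":ro" only makes
      # the bind mount read-only; the Docker API behind the socket is still
      # fully usable, so this is root-equivalent access to the host. Keep the
      # service pinned to a manager (placement below) and consider fronting the
      # socket with a proxy that allows nothing but read-only API calls.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Volumes for the logs and the ACME certificates
      - traefik-logs:/logs
      - traefik-certificates:/letsencrypt
    command:
      # Traefik Hub (experimental) opens ports 9900/9901 for the Hub agent, and
      # "--hub.tls.insecure=true" served them without any TLS verification to
      # every container on the overlay network. Left disabled on purpose; if
      # Hub is needed, configure hub.tls.ca/cert/key instead of "insecure".
      #- --experimental.hub=true
      #- --hub.tls.insecure=true
      # Prometheus metrics. Any metrics.prometheus.* option enables the
      # exporter, which by default is served on the internal "traefik"
      # entrypoint (container port 8080). That port is not published to the
      # host but may be reachable from other containers in the "public" network.
      - --metrics.prometheus.addrouterslabels=true
      # Docker provider in swarm mode: routers and services come from the
      # deploy.labels of services attached to the "public" network
      - --providers.docker
      - --providers.docker.swarmMode=true
      - --providers.docker.network=public
      # Never expose a service unless it carries traefik.enable=true
      - --providers.docker.exposedbydefault=false
      #- --providers.docker.defaultRule=Host(`{{normalize .Name}}.docker.local`)
      # Entrypoints: "http" on :80 and "https" on :443
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Logs: the error log is written to the traefik-logs volume (the previous
      # path /data/log/log.json was not on any mounted volume, so it was lost on
      # every restart). The access log stays on stdout so that
      # "docker service logs" shows it.
      - --log
      - --log.level=WARN
      - --log.format=json
      - --log.filePath=/logs/traefik.json
      - --accesslog
      # API and dashboard, served only through the authenticated
      # "traefik-dashboard" router below. Never set api.insecure=true in
      # production: it serves the API and dashboard unauthenticated on :8080.
      # see https://doc.traefik.io/traefik/operations/dashboard/#secure-mode
      - --api
      - --api.insecure=false
      - --api.dashboard=true
      # Let's Encrypt via HTTP-01 on the "http" entrypoint. Replace the e-mail
      # with a real contact address. acme.json holds the account key and the
      # certificate private keys; Traefik creates it with mode 0600 - keep the
      # volume private and back it up accordingly.
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
      - --certificatesresolvers.le.acme.email=name@email.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      # Development only: use the staging CA to avoid the production rate limit
      # (resolver name must match the one above, "le")
      #- --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          # Only manager nodes can answer swarm API calls on the socket
          - node.role==manager
      labels:
        # Enable Traefik for this service on the public network
        - "traefik.enable=true"
        - "traefik.docker.network=public"
        - "traefik.constraint-label=public"
        # Global redirection HTTP -> HTTPS: a catch-all router on the "http"
        # entrypoint whose only job is to run the redirect middleware
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.middlewares=traefik-ratelimit,https-redirect"
        # https-redirect middleware; reusable from other stacks as
        # https-redirect@docker
        - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
        # Rate limit: average requests per second with the given burst
        - "traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100"
        - "traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50"
        ####################################################################
        # Traefik dashboard
        ####################################################################
        - "traefik.http.routers.traefik-dashboard.entrypoints=https"
        # Replace traefik.domain.tld with the real host name
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.domain.tld`) && (Path(`/`) || PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.traefik-dashboard.tls=true"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=le"
        # Special internal service that serves the API and the web UI
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        # Rate limit + HTTP basic auth. Do not drop traefik-dashboard-auth from
        # this chain: api@internal has no authentication of its own.
        - "traefik.http.routers.traefik-dashboard.middlewares=traefik-ratelimit,traefik-dashboard-auth"
        # Basic auth users are read from the swarm secret mounted at
        # /run/secrets/traefik_dashboard_users (htpasswd format, one user per
        # line). Create it before deploying:
        #   htpasswd -nB admin | docker secret create traefik_dashboard_users -
        # A users file avoids the "$$" escaping needed for inline hashes in
        # compose labels. Previously the users= label was commented out, so the
        # router referenced a middleware that did not exist and Traefik reported
        # the router as errored instead of serving the dashboard.
        - "traefik.http.middlewares.traefik-dashboard-auth.basicauth.usersfile=/run/secrets/traefik_dashboard_users"
        # In swarm mode the provider requires a service port label on the
        # service, even though api@internal does not use it
        - "traefik.http.services.dummy-service.loadbalancer.server.port=1337"

  ####################################################################
  # Portainer is a web-based administration panel for Docker.
  portainer:
    hostname: portainer
    image: portainer/portainer-ee:2.14.0-alpine
    # Kept for reference only: the alpine image has no bash for this probe.
    #healthcheck:
    #  test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1
    #  interval: 30s
    #  timeout: 15s
    #  retries: 3
    # Ignored by "docker stack deploy"; harmless but provides no ordering in swarm
    depends_on:
      - traefik
    command: -H unix:///var/run/docker.sock
    networks:
      - public
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Read-write Docker socket: Portainer manages the swarm through it, which
      # makes this container - and anyone who can log in to it - root on the
      # host. Keep the UI behind TLS and the rate limit, use strong admin
      # credentials, and never publish port 9000 directly.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role==manager
      labels:
        ####################################################################
        # Portainer dashboard
        ####################################################################
        - "traefik.enable=true"
        # Replace portainer.domain.tld with the real host name
        - "traefik.http.routers.portainer.rule=Host(`portainer.domain.tld`)"
        - "traefik.http.routers.portainer.entrypoints=https"
        - "traefik.http.routers.portainer.tls=true"
        - "traefik.http.routers.portainer.tls.certresolver=le"
        - "traefik.http.routers.portainer.service=portainer"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        # Middlewares: rate limit, plus HSTS so browsers stop retrying plain HTTP
        - "traefik.http.routers.portainer.middlewares=portainer-ratelimit,portainer-hsts"
        - "traefik.http.middlewares.portainer-ratelimit.ratelimit.average=100"
        - "traefik.http.middlewares.portainer-ratelimit.ratelimit.burst=50"
        - "traefik.http.middlewares.portainer-hsts.headers.stsSeconds=31536000"

####################################################################
# The "public" overlay network is created outside this stack, for every web
# service that should be reachable from the internet through Traefik:
#   docker network create --subnet 10.11.0.0/16 --driver overlay \
#     --scope swarm --opt encrypted --attachable public
# ("--opt encrypted" enables IPsec between nodes for this network.)
#
# Optional: recreate the swarm ingress network with encryption as well:
#   docker network rm ingress && docker network ls
#   docker network create --subnet 10.10.0.0/16 --driver overlay \
#     --opt encrypted --ingress ingress
networks:
  public:
    # External: compose neither creates nor configures it. Driver and
    # attachable settings belong to the "docker network create" call above.
    external: true

volumes:
  portainer-data:
  # Traefik error log (/logs in the container)
  traefik-logs:
  # Let's Encrypt account key and certificates (acme.json)
  traefik-certificates:

secrets:
  # htpasswd file for the Traefik dashboard; create it before deploying:
  #   htpasswd -nB admin | docker secret create traefik_dashboard_users -
  traefik_dashboard_users:
    external: true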