Traefik with Portainer
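version: '3.9'

services:
  # Traefik is the reverse proxy
  traefik:
    hostname: traefik
    image: "traefik:v2.8.0"
    #healthcheck:
    #  test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/80' || exit 1
    #  interval: 30s
    #  timeout: 15s
    #  retries: 3
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - public
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services.
      # Mounted read-only: Traefik only needs to inspect containers and watch events.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volumes to store the logs and the certificates
      - traefik-logs:/logs
      - traefik-certificates:/letsencrypt
    command:
      # Enable Hub communication (open the port 9900 and 9901 by default)
      # NOTE(review): `hub.tls.insecure` turns off TLS verification on the Hub agent
      # connection; remove both Hub flags unless Traefik Hub is actually in use.
      - --experimental.hub=true
      - --hub.tls.insecure=true
      - --metrics.prometheus.addrouterslabels=true
      # Enable Docker in Traefik, so that it reads labels from Docker services
      - --providers.docker
      # Create an entrypoint "http" listening on port 80
      - --entrypoints.http.address=:80
      # Create an entrypoint "https" listening on port 443
      - --entrypoints.https.address=:443
      # Logs
      - --log
      - --accesslog
      - --log.level=WARN
      - --log.format=json
      # Write the log inside the `traefik-logs` volume mounted at /logs above,
      # otherwise the file lands in the container's ephemeral filesystem.
      - --log.filePath=/logs/log.json
      # Enable the Dashboard and API
      # see https://docs.traefik.io/v2.0/operations/dashboard/#secure-mode for how to secure the dashboard
      - --api
      - --api.insecure=false  # set to 'false' on production
      - --api.dashboard=true
      - --providers.docker.network=public
      # Do not expose all Docker services, only the ones explicitly exposed
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      #- --providers.docker.defaultRule=Host(`{{normalize .Name}}.docker.local`)
      # ACME resolver named "le" (referenced by the routers below as `tls.certresolver=le`)
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.email=name@email.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
      # Only for development to avoid hitting the rate limit on certificates
      # (resolver name must match the one above, "le")
      #- --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role==manager
      labels:
        # Enable Traefik for this service, to make it available in the public network
        - "traefik.enable=true"
        # Use the public network (declared below)
        - "traefik.docker.network=public"
        - "traefik.constraint-label=public"
        # Global redirection: HTTP to HTTPS
        # traefik-http set up only to use the middleware to redirect to https
        - "traefik.http.routers.http-catchall.entrypoints=http"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.middlewares=traefik-ratelimit,https-redirect"
        # https-redirect middleware to redirect HTTP to HTTPS
        # It can be re-used by other stacks in other Docker Compose files
        - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
        - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
        # Extra middleware (ratelimit)
        - "traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100"
        - "traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50"
        ####################################################################
        # Traefik dashboard
        ####################################################################
        - "traefik.http.routers.traefik-dashboard.entrypoints=https"
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.domain.tld`) && (Path(`/`) || PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.traefik-dashboard.tls=true"
        - "traefik.http.routers.traefik-dashboard.tls.certresolver=le"
        # Use the special Traefik service api@internal with the web UI/Dashboard
        - "traefik.http.routers.traefik-dashboard.service=api@internal"
        # Enable HTTP Basic auth, using the middleware created below
        - "traefik.http.routers.traefik-dashboard.middlewares=traefik-ratelimit,traefik-dashboard-auth"
        # Middleware with HTTP Basic auth.
        # The dashboard router above references `traefik-dashboard-auth`; Traefik does not
        # load a router whose middleware is undefined, so the dashboard stays unreachable
        # until this label is set. Use htpasswd output for the value and write every `$`
        # of the hash as `$$` (compose interpolation).
        #- "traefik.http.middlewares.traefik-dashboard-auth.basicauth.users=<USER>:<HTPASSWD_HASH>"
        # Fix docker dashboard problem
        - "traefik.http.services.dummy-service.loadbalancer.server.port=1337"
        ####################################################################

  # Portainer is a web-based administration panel for Docker.
  portainer:
    hostname: portainer
    image: portainer/portainer-ee:2.14.0-alpine
    #healthcheck:
    #  test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1
    #  interval: 30s
    #  timeout: 15s
    #  retries: 3
    # NOTE: `depends_on` is ignored by `docker stack deploy`; it only orders startup under
    # plain docker compose.
    depends_on:
      - traefik
    command: -H unix:///var/run/docker.sock
    networks:
      - public
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Read-write socket: Portainer manages the daemon, which is root-equivalent
      # access to the host — keep this service behind the protected router below.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.role==manager
      labels:
        ####################################################################
        # Portainer dashboard
        ####################################################################
        - "traefik.enable=true"
        - "traefik.http.routers.portainer.rule=Host(`portainer.domain.tld`)"
        - "traefik.http.routers.portainer.entrypoints=https"
        - "traefik.http.routers.portainer.tls.certresolver=le"
        - "traefik.http.routers.portainer.service=portainer"
        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
        # Middlewares
        - "traefik.http.routers.portainer.middlewares=portainer-ratelimit"
        - "traefik.http.middlewares.portainer-ratelimit.ratelimit.average=100"
        - "traefik.http.middlewares.portainer-ratelimit.ratelimit.burst=50"
        ####################################################################

# docker network rm ingress && docker network ls
#
# Ingress network with encryption
# docker network create --subnet 10.10.0.0/16 --driver overlay \
#   --opt encrypted --ingress ingress
#
# Host network for outside of docker
# Traefik, for all web services that I want to expose to the internet
# docker network create --subnet 10.11.0.0/16 --driver overlay \
#   --scope swarm --opt encrypted --attachable public
networks:
  # Created outside this stack by the command above. An external network carries no
  # other attributes here: driver and attachability come from the existing network,
  # and the compose spec rejects extra keys next to `external: true`.
  public:
    external: true

volumes:
  portainer-data:
  # Volume for the traefik logs
  traefik-logs:
  # Volume for the SSL certificates from Let's Encrypt
  traefik-certificates: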