@adamcstephens
Last active May 7, 2021 15:50
Traefik, Wildcard Cert, Pomerium, Docker Compose
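version: "3.3"

services:
  # Edge proxy: terminates TLS on :443, redirects :80, and gates its own
  # dashboard behind Pomerium (forward-auth).
  proxy:
    # NOTE(review): `latest` turns every pull into an unreviewed upgrade of
    # the internet-facing proxy; pin an explicit release tag in production.
    image: traefik:latest
    command:
      - --global.sendAnonymousUsage=false
      - --log.level=WARN
      # The API/dashboard is reachable only through the `proxy` router below
      # (service api@internal), i.e. HTTPS + Pomerium. `--api.insecure=true`
      # would additionally publish it unauthenticated on :8080 to every
      # container attached to the webgateway network, so it is not set.
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      # Containers are routed only if they carry traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/files
      - --providers.file.watch=true
      # Disables certificate verification toward EVERY backend, not only the
      # self-signed internal ones; tampering between Traefik and a backend
      # goes unnoticed. Prefer per-backend trust via serversTransports in
      # the file provider once the backends allow it.
      - --serverstransport.insecureskipverify=true
      - --certificatesresolvers.basic.acme.email=email@example.com
      # Traefik refuses to use acme.json unless it is mode 0600 (see volumes).
      - --certificatesresolvers.basic.acme.storage=/acme.json
      # DNS-01 challenge, required for the wildcard cert. The DigitalOcean
      # API token is presumably supplied through secrets.env — confirm.
      - --certificatesresolvers.basic.acme.dnschallenge.provider=digitalocean
      - --certificatesresolvers.basic.acme.dnschallenge.delaybeforecheck=0
      - --certificatesresolvers.basic.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --metrics.prometheus=true
    environment:
      TZ: EST5EDT
    # Keep credentials out of this file; secrets.env must not be committed.
    env_file:
      - secrets.env
    labels:
      # Redirect every plain-HTTP request on :80 to HTTPS.
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Dashboard/API router: HTTPS only, served by Traefik's built-in API
      # service rather than looping back through an insecure :8080 listener.
      - "traefik.enable=true"
      - "traefik.http.routers.proxy.rule=Host(`proxy.sub.example.com`)"
      - "traefik.http.routers.proxy.entrypoints=websecure"
      - "traefik.http.routers.proxy.service=api@internal"
      # One wildcard certificate for sub.example.com and *.sub.example.com.
      - "traefik.http.routers.proxy.tls.certresolver=basic"
      - "traefik.http.routers.proxy.tls.domains[0].main=sub.example.com"
      - "traefik.http.routers.proxy.tls.domains[0].sans=*.sub.example.com"
      # Every dashboard request is first sent to Pomerium over the internal
      # bridge network; only the listed response headers are copied onto the
      # request that continues upstream.
      - "traefik.http.routers.proxy.middlewares=oauth-auth"
      - "traefik.http.middlewares.oauth-auth.forwardauth.address=http://pomerium:8080/"
      - "traefik.http.middlewares.oauth-auth.forwardauth.authResponseHeaders=authorization,X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
      # Passes the incoming X-Forwarded-* headers through to Pomerium.
      # NOTE(review): acceptable while Traefik is the only edge; if another
      # proxy ever sits in front, restrict it with entrypoint trustedIPs.
      - "traefik.http.middlewares.oauth-auth.forwardauth.trustForwardHeader=true"
      ## Alternative: static basic auth. Create the file with
      ## docker run --rm -it -v $PWD:/pwd library/httpd htpasswd -B -c /pwd/usersfile adam
      # - "traefik.http.routers.proxy.middlewares=usersfile-auth"
      # - "traefik.http.middlewares.usersfile-auth.basicauth.usersfile=/usersfile"
    networks:
      - webgateway
    ports:
      - "80:80"
      - "443:443"
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # `:ro` only affects the socket file; the Docker API behind it remains
      # fully usable, so a compromise of this container is root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Create as an empty file with mode 0600 before the first start.
      - ./acme.json:/acme.json
      # Only used by the commented-out basic-auth variant above.
      - ./usersfile:/usersfile
      # Dynamic configuration for the file provider.
      - ./files:/files:ro

  # Identity-aware proxy used as the forward-auth backend.
  pomerium:
    image: pomerium/pomerium:v0.13.6
    environment:
      TZ: EST5EDT
    # Pomerium's own secrets/config live here; keep it out of version control.
    env_file: pomerium.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pomerium.rule=Host(`auth.sub.example.com`)"
      # Explicit HTTPS-only, matching the proxy router (a TLS router already
      # ignores plain HTTP, but stating it keeps :80 redirect-only by design).
      - "traefik.http.routers.pomerium.entrypoints=websecure"
      - "traefik.http.routers.pomerium.tls.certresolver=basic"
      - "traefik.http.services.pomerium.loadbalancer.server.port=8080"
    networks:
      - webgateway
    restart: unless-stopped
    # Runs unprivileged inside the container.
    user: nobody
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./pomerium:/pomerium

networks:
  webgateway:
    driver: bridge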
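version: "2"

services:
  # Template for an application published through the shared Traefik proxy.
  # Replace IMAGE, CHANGEME and the hostname before use.
  app:
    image: IMAGE
    environment:
      TZ: EST5EDT
    labels:
      - "traefik.enable=true"
      # Traefik must reach this container over the proxy's network. Compose
      # names it <project>_<network>; presumably the proxy stack was started
      # from a directory named `traefik` — confirm with `docker network ls`.
      - "traefik.docker.network=traefik_webgateway"
      - "traefik.http.routers.CHANGEME.rule=Host(`wow.sub.example.com`)"
      # HTTPS only, consistent with the proxy's own routers; keeps :80 as a
      # pure redirect entrypoint.
      - "traefik.http.routers.CHANGEME.entrypoints=websecure"
      # Uses the wildcard resolver defined on the proxy.
      - "traefik.http.routers.CHANGEME.tls.certresolver=basic"
      # Set explicitly when the image exposes several ports (or none).
      # - "traefik.http.services.CHANGEME.loadbalancer.server.port=PORT"
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro

networks:
  # Attach this project's default network to the proxy's existing one
  # (`external: name:` is the v2 form; v3.5+ uses `external: true` + `name:`).
  default:
    external:
      name: traefik_webgateway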