-
-
Save crazygit/3cc2ca496050e3005884218fee7f14b5 to your computer and use it in GitHub Desktop.
# bare secure mode: no https, no basic auth | |
version: '3.8' | |
services: | |
reverse_proxy: | |
image: traefik:v2.6 | |
command: | |
# - "--log.level=DEBUG" | |
# Enable Docker in Traefik, so that it reads labels from Docker services | |
- "--providers.docker" | |
# Do not expose all Docker services, only the ones explicitly exposed | |
- "--providers.docker.exposedbydefault=false" | |
# Set default Docker network used | |
- "--providers.docker.network=traefik-public" | |
# Enable Docker Swarm mode | |
- "--providers.docker.swarmmode" | |
# Create an entrypoint "http" listening on port 80 | |
- "--entrypoints.web.address=:80" | |
# Create an entrypoint "https" listening on port 443 | |
- "--entrypoints.websecure.address=:443" | |
# Enable the access log, with HTTP requests | |
- "--accesslog" | |
# Enable the Traefik log, for configurations and errors | |
- "--log" | |
# Enable the Dashboard and API | |
- "--api.dashboard=true" | |
ports: | |
- "80:80" | |
- "443:443" | |
volumes: | |
# So that Traefik can listen to the Docker events | |
- /var/run/docker.sock:/var/run/docker.sock | |
# Since the Swarm API is only exposed on the manager nodes, these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role": | |
deploy: | |
placement: | |
constraints: | |
- node.role == manager | |
labels: | |
# Enable Traefik for this service, to make it available in the public network | |
- "traefik.enable=true" | |
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" | |
- "traefik.http.routers.dashboard.entrypoints=web" | |
- "traefik.http.routers.dashboard.service=api@internal" | |
# Dummy service for Swarm port detection. The port can be any valid integer value. | |
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999" | |
networks: | |
# Use the public network created to be shared between Traefik and | |
# any other service that needs to be publicly available with HTTPS | |
- traefik-public | |
networks: | |
# services that need to be publicly available via this Traefik | |
traefik-public: | |
external: true | |
# secure mode with https and basic auth | |
version: '3.8' | |
services: | |
reverse_proxy: | |
image: traefik:v2.6 | |
command: | |
# - "--log.level=DEBUG" | |
# Enable Docker in Traefik, so that it reads labels from Docker services | |
- "--providers.docker" | |
# Do not expose all Docker services, only the ones explicitly exposed | |
- "--providers.docker.exposedbydefault=false" | |
# Set default Docker network used | |
- "--providers.docker.network=traefik-public" | |
# Enable Docker Swarm mode | |
- "--providers.docker.swarmmode" | |
# Create an entrypoint "http" listening on port 80 | |
- "--entrypoints.web.address=:80" | |
# Create an entrypoint "https" listening on port 443 | |
- "--entrypoints.websecure.address=:443" | |
# Enable the access log, with HTTP requests | |
# - "--accesslog" | |
# Enable the Traefik log, for configurations and errors | |
- "--log" | |
# Enable the Dashboard and API | |
- "--api.dashboard=true" | |
# Use the Http Challenge for Let's Encrypt | |
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true" | |
# Use the HTTP Challenge | |
- "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web" | |
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL | |
- "--certificatesresolvers.letsencryptresolver.acme.email=your_email@example.com" | |
# Store the Let's Encrypt certificates in the mounted volume | |
- "--certificatesresolvers.letsencryptresolver.acme.storage=/letsencrypt/acme.json" | |
# If you uncommented the acme.caserver line, you will get an SSL error, but if you display the certificate and see it was emitted by Fake LE Intermediate X1 then it means all is good. (It is the staging environment intermediate certificate used by let's encrypt). You can now safely comment the acme.caserver line, remove the letsencrypt/acme.json file and restart Traefik to issue a valid certificate. | |
- "--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" | |
ports: | |
- "80:80" | |
- "443:443" | |
volumes: | |
# So that Traefik can listen to the Docker events | |
- /var/run/docker.sock:/var/run/docker.sock | |
- certificates:/letsencrypt | |
# Since the Swarm API is only exposed on the manager nodes, these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role": | |
deploy: | |
placement: | |
constraints: | |
- node.role == manager | |
labels: | |
# Enable Traefik for this service, to make it available in the public network | |
- "traefik.enable=true" | |
# Use the traefik-public network | |
- "traefik.docker.network=traefik-public" | |
# http | |
- "traefik.http.routers.dashboardhttp.rule=Host(`traefik.example.com`)" | |
- "traefik.http.routers.dashboardhttp.entrypoints=web" | |
- "traefik.http.routers.dashboardhttp.service=api@internal" | |
# https | |
- "traefik.http.routers.dashboardhttps.rule=Host(`traefik.example.com`)" | |
- "traefik.http.routers.dashboardhttps.entrypoints=websecure" | |
- "traefik.http.routers.dashboardhttps.service=api@internal" | |
- "traefik.http.routers.dashboardhttps.tls.certresolver=letsencryptresolver" | |
# Dummy service for Swarm port detection. The port can be any valid integer value. | |
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999" | |
# dashboard-auth middleware with HTTP Basic auth | |
- "traefik.http.middlewares.auth.basicauth.users=your_username:$$apr1$$MjQrynku$$iSdz67CS8wZvCaqm7qYBC/" | |
- "traefik.http.routers.dashboardhttp.middlewares=auth" | |
- "traefik.http.routers.dashboardhttps.middlewares=auth" | |
networks: | |
# Use the public network created to be shared between Traefik and | |
# any other service that needs to be publicly available with HTTPS | |
- traefik-public | |
volumes: | |
# Create a volume to store the certificates, there is a constraint to make sure | |
# Traefik is always deployed to the same Docker node with the same volume containing | |
# the HTTPS certificates | |
certificates: | |
networks: | |
# services that need to be publicly available via this Traefik | |
traefik-public: | |
external: true | |
Expose Traefik dashboard in secure mode with https and basic auth
ssh into docker swarm master node first
Step 1, create traefik-public
network
$ docker network create --driver=overlay traefik-public
Step 2, Create Http Basic Auth User
$ sudo apt install apache2-utils
$ export USERNAME="your_username"
$ export PASSWORD="your_password"
$ echo $(htpasswd -nb $USERNAME $PASSWORD) | sed -e s/\\$/\\$\\$/g
your_username:$$apr1$$MjQrynku$$iSdz67CS8wZvCaqm7qYBC/
Note
when used in
docker-compose.yml
all dollar signs in the hash need to be doubled for escaping.
To create user:password pair, it's possible to use this command:
echo $(htpasswd -nB user) | sed -e s/\$/\$\$/g
Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
Update the user info in traefik-secure-mode-auth-https.yml
file with yours
Step 3, deploy traefik stack with traefik-secure-mode-auth-https.yml
$ docker stack deploy -c traefik-secure-mode-auth-https.yml traefik
Step 4, Check access
Use browser to access below link
you will get an SSL error, if you display the certificate and see it was emitted by Fake LE Intermediate X1 then it means all is good.
Note: The trailing slash /
in /dashboard/
is mandatory
Step 5
Comment below line in traefik-bare-secure-mode.yml
file when deploy to production
- "--certificatesresolvers.letsencryptresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
More reffer
https://doc.traefik.io/traefik/operations/dashboard/#secure-mode
Expose Traefik dashboard in secure mode (no https, no basic auth)
ssh into docker swarm master node first
Step 1, create
traefik-public
networkStep 2, deploy traefik stack with
traefik-bare-secure-mode.yml
Step 3, Check access
Use browser to access below link
Note: The trailing slash
/
in/dashboard/
is mandatoryStep 4
Add more secure method, such as https, auth middleware
More reffer
https://doc.traefik.io/traefik/operations/dashboard/#secure-mode