
@dev01d
Last active March 4, 2023 14:20
System-wide Traefik Reverse Proxy

.env (lives next to the Traefik docker-compose.yml; docker compose reads it from there):

```dotenv
# ACME account address for the Let's Encrypt resolver
EMAIL=
# Domains for the (optional) wildcard certificates
DOMAIN0=
DOMAIN1=
# Cloudflare credentials, only needed for the DNS challenge
API_EMAIL=
API_TOKEN=
```

System-wide Traefik Reverse Proxy

The idea here is to stand up the Traefik container separately from the rest of your docker-compose files so it can act as a system-wide reverse proxy.

You need to create the proxy network before bringing up Traefik:

```sh
docker network create proxy
```

Edit the .env variables file (it sits next to the Traefik docker-compose.yml), then bring up the Traefik instance with the usual `docker compose up -d`.

Then all you need to do is make sure other docker-compose files include the external proxy network and carry the Traefik labels, as in the example-docker-compose.yml file below. Because Traefik runs with `exposedbydefault=false`, a container is only picked up when it has `traefik.enable=true`.

I usually keep these in different directories so they stay separated:

```
.
├── traefik
│   ├── .env
│   └── docker-compose.yml
└── example
    └── docker-compose.yml
```
example-docker-compose.yml

```yaml
version: '3'
networks:
  proxy:
    external: true
  internal:
    external: false
services:
  nginx:
    image: nginx
    networks:
      - proxy
      - internal # optional
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nginx.rule=Host(`nginx.domain.com`)'
      - 'traefik.http.services.nginx.loadbalancer.server.port=80'
      # Pick ONE entrypoint. Docker labels are a map, so giving the same key
      # twice keeps only one of the values.
      # No SSL (the Traefik file redirects everything on web to websecure,
      # so a router on web alone only ever answers with a redirect)
      # - 'traefik.http.routers.nginx.entrypoints=web'
      # SSL enabled: TLS and the certificate come from the websecure
      # entrypoint's certResolver in the Traefik file; alternatively set it
      # per router with 'traefik.http.routers.nginx.tls.certresolver=sslresolver'
      - 'traefik.http.routers.nginx.entrypoints=websecure'
```
traefik/docker-compose.yml

```yaml
version: "3.3"
networks:
  proxy:
    external: true
services:
  traefik:
    image: "traefik:v2.5"
    container_name: traefik
    restart: always
    # Join the external proxy network the same way the proxied services do
    networks:
      - proxy
    command:
      # - "--accesslog=true"
      - "--api.dashboard=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # - "--log.level=INFO"
      # /ping is served on the public web entrypoint: handy for a Docker
      # healthcheck, but it also tells anyone on the internet a Traefik is here
      - "--ping"
      - "--ping.entryPoint=web"
      - "--providers.docker=true"
      - "--global.sendAnonymousUsage"
      - "--providers.docker.network=proxy"
      # Only containers labelled traefik.enable=true are exposed
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--certificatesresolvers.sslresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.sslresolver.acme.storage=/letsencrypt/acme.json"
      # ? Prod http challenge. The challenge has to run on the :80 entrypoint,
      # which is named "web" above; an entrypoint called "http" does not exist
      - "--certificatesresolvers.sslresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=web"
      #? Cloudflare DNS Challenge (needed for wildcard certs; use instead of the http challenge)
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge=true"
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge.provider=cloudflare"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.delayBeforeCheck=0"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      # Make every router on websecure TLS and fetch its certificate from the
      # resolver. Without this (or a per-router tls.certresolver label) routers on
      # :443 speak plain HTTP and the redirect above sends clients to a failing handshake
      - "--entrypoints.websecure.http.tls.certResolver=sslresolver"
      #? Wildcard domain certs (DNS challenge only)
      # - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[1].main=${DOMAIN1}"
      # - "--entrypoints.websecure.http.tls.domains[1].sans=*.${DOMAIN1}"
    volumes:
      # :ro only makes the socket file read-only; API calls still go through, and
      # whatever can talk to the Docker API is effectively root on the host
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the certificate private keys. Traefik creates it with
      # mode 600 and refuses to use it if the permissions are more open
      - "/opt/traefik/letsencrypt:/letsencrypt"
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Only used by the Cloudflare DNS challenge; use a scoped DNS-edit token,
      # not the global API key
      - "CLOUDFLARE_EMAIL=${API_EMAIL}"
      - "CLOUDFLARE_DNS_API_TOKEN=${API_TOKEN}"
    labels:
      #? Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dash.${DOMAIN0}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      # Generate the user line with htpasswd; the sed doubles every $ so that
      # docker compose does not try to interpolate the hash:
      # echo $(htpasswd -nb admin 'Password!') | sed -e s/\\$/\\$\\$/g
      - "traefik.http.middlewares.auth.basicauth.users=admin:INSERT_PASSWORD_HERE"
      # Traefik wants a backend port for every enabled container; api@internal
      # has none, so a placeholder service keeps it quiet
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      # Optional middleware for backends that need to be told they sit behind TLS.
      # Attach it with traefik.http.routers.<name>.middlewares=sslheader@docker.
      # X-Forwarded-For carries the client IP and is set by Traefik itself; do not
      # overwrite it with a scheme
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
```
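The two mistakes that most often bite this layout are a router label given twice with different values (Docker labels are a map, so one value is silently dropped, as with the two `entrypoints` lines in example-docker-compose.yml) and a reference to an entrypoint that is never defined (the http challenge pointing at `http` when the :80 entrypoint is named `web`). The lint below is an added example, not code from the gist: it takes the Traefik `command:` list and a service's `labels:` list as plain Python lists (the samples are constructed from the two files above with those mistakes left in) so it needs no YAML library, and it also flags a router on a :443 entrypoint that has neither a `tls` label nor an entrypoint-level certResolver, since Traefik would then serve plain HTTP there. The assumption that the last duplicate value is the one Docker keeps is mine.

```python
"""Lint Traefik v2 Docker-provider labels against the static `command:` flags.

Added example, not from the gist. No YAML parser: the command and label
lists are passed in as plain Python lists.
"""
import re
from collections import defaultdict

# Constructed sample of the Traefik container's command list, typo left in.
TRAEFIK_COMMAND = [
    "--api.dashboard=true",
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--ping",
    "--ping.entryPoint=web",
    "--providers.docker=true",
    "--providers.docker.exposedbydefault=false",
    "--certificatesresolvers.sslresolver.acme.httpchallenge=true",
    "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=http",
]
# Constructed sample of a proxied service's labels, both entrypoint lines kept.
NGINX_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.nginx.rule=Host(`nginx.domain.com`)",
    "traefik.http.services.nginx.loadbalancer.server.port=80",
    "traefik.http.routers.nginx.entrypoints=web",
    "traefik.http.routers.nginx.entrypoints=websecure",
]
# Corrected versions: entrypoint named correctly, TLS forced on websecure, one entrypoints label.
FIXED_COMMAND = [
    f[:-4] + "web" if f.endswith(".entrypoint=http") else f for f in TRAEFIK_COMMAND
] + ["--entrypoints.websecure.http.tls.certResolver=sslresolver"]
FIXED_LABELS = [lb for lb in NGINX_LABELS if lb != "traefik.http.routers.nginx.entrypoints=web"]


def parse_flags(command):
    """`--a.b.c=v` -> {"a.b.c": "v"}; a bare `--a.b.c` is true. Flag names are
    case-insensitive in Traefik, so keys are lowercased."""
    flags = {}
    for item in command:
        key, _, value = item.lstrip("-").partition("=")
        flags[key.lower()] = value or "true"
    return flags


def defined_entrypoints(flags):
    """An entrypoint exists iff entrypoints.<name>.address is set."""
    pat = re.compile(r"entrypoints\.([^.]+)\.address")
    return {m.group(1) for m in map(pat.fullmatch, flags) if m}


def entrypoint_has_tls(flags, name):
    """Entrypoint-level TLS (entrypoints.<name>.http.tls...) applies to every router on it."""
    return any(k.startswith(f"entrypoints.{name}.http.tls") for k in flags)


def lint_static(flags):
    """Static-config references to entrypoints that were never defined."""
    eps = defined_entrypoints(flags)
    return [f"{k}={v}: no such entrypoint, defined: {sorted(eps)}"
            for k, v in flags.items()
            if (k == "ping.entrypoint" or k.endswith(".acme.httpchallenge.entrypoint")) and v not in eps]


def lint_labels(labels, flags):
    """Duplicate keys, undefined entrypoints, missing backend ports, and routers that
    would answer plain HTTP on a :443 entrypoint."""
    eps = defined_entrypoints(flags)
    values = defaultdict(list)
    for label in labels:
        key, _, value = label.partition("=")
        values[key].append(value)
    problems = [f"{k} set {len(v)} times {v}; only one value survives" for k, v in values.items() if len(v) > 1]
    last = {k: v[-1] for k, v in values.items()}  # assumption: the last value wins

    if last.get("traefik.enable") != "true":
        problems.append("traefik.enable=true missing; with exposedbydefault=false the container is ignored")

    router_pat = re.compile(r"traefik\.http\.routers\.([^.]+)\.")
    routers = {m.group(1) for m in map(router_pat.match, last) if m}
    for r in sorted(routers):
        p = f"traefik.http.routers.{r}."
        if p + "rule" not in last:
            problems.append(f"router {r}: no rule")
        # A router without an entrypoints label is bound to all entrypoints.
        router_eps = last[p + "entrypoints"].split(",") if p + "entrypoints" in last else sorted(eps)
        label_tls = any(k.startswith(p + "tls") for k in last)
        for ep in router_eps:
            if ep not in eps:
                problems.append(f"router {r}: entrypoint {ep!r} is not defined")
            elif flags[f"entrypoints.{ep}.address"].endswith(":443") and not (label_tls or entrypoint_has_tls(flags, ep)):
                problems.append(f"router {r}: on {ep} (:443) without tls; it will serve plain HTTP")
        svc = last.get(p + "service", r)
        if not svc.endswith("@internal") and f"traefik.http.services.{svc}.loadbalancer.server.port" not in last:
            problems.append(f"router {r}: service {svc!r} has no loadbalancer.server.port")
    return problems


if __name__ == "__main__":
    for name, cmd, lbl in (("as in the gist", TRAEFIK_COMMAND, NGINX_LABELS), ("corrected", FIXED_COMMAND, FIXED_LABELS)):
        flags = parse_flags(cmd)
        print(name, lint_static(flags) + lint_labels(lbl, flags) or "OK")
```

Run it as-is and the gist's configuration reports three findings (the `http` entrypoint, the doubled `entrypoints` key, and the nginx router speaking plain HTTP on websecure) while the corrected lists come back clean; point `parse_flags` and `lint_labels` at the lists from your own compose files to check a new service before bringing it up.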