dev01d/.env

## .env
EMAIL=
DOMAIN0=
DOMAIN1=
API_EMAIL=
API_TOKEN=

## readme.md

      
    Raw
  

              readme.md
            
          
    System-wide Traefik Reverse Proxy

The idea here is to stand up the Traefik container separately to the rest of your docker-compose files so it can act as a system wide reverse proxy.
You need to create a proxy network before bringing up Traefik
docker network create proxy 
Edit the .env variables file then bring up the traefik instance with the normal docker compose up -d.
Then all you need to do is make sure other docker-compose files have the proxy network included and the labels for Traefik like in this example-docker-compose.yml file.
I usually keep these in different directories so they stay separated.
.
├── traefik
│   └── docker-compose.yml
└── example
    └── docker-compose.yml


## example-docker-compose.yml
version: '3'

networks:
  proxy:
    external: true
  internal:
    external: false

services:
  nginx:
    image: nginx
    networks:
      - proxy
      - internal # optional
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.nginx.rule=Host(`nginx.domain.com`)'
      - 'traefik.http.services.nginx.loadbalancer.server.port=80'
      # No SSL
      - 'traefik.http.routers.nginx.entrypoints=web'
      # SSL enabled
      - 'traefik.http.routers.nginx.entrypoints=websecure'

## traefik-docker-compose.yml
version: "3.3"

networks:
  proxy:
    external: true

services:
  traefik:
    image: "traefik:v2.5"
    container_name: traefik
    restart: always
    network_mode: proxy
    command:
      # - "--accesslog=true"
      - "--api.dashboard=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # - "--log.level=INFO"
      - "--ping"
      - "--ping.entryPoint=web"
      - "--providers.docker=true"
      - "--global.sendAnonymousUsage"
      - "--providers.docker.network=proxy"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--certificatesresolvers.sslresolver.acme.email=${EMAIL}"
      - "--certificatesresolvers.sslresolver.acme.storage=/letsencrypt/acme.json"
      # ? Prod http challenge
      - "--certificatesresolvers.sslresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=http"
      #? Cloudflare DNS Challenge
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge=true"
      # - "--certificatesresolvers.sslresolver.acme.dnschallenge.provider=cloudflare"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.delayBeforeCheck=0"
      # - "--certificatesResolvers.sslresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      #? Wildcard domain certs
      # - "--entrypoints.websecure.http.tls.certResolver=sslresolver"
      # - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN0}"
      # - "--entrypoints.websecure.http.tls.domains[1].main=${DOMAIN1}"
      # - "--entrypoints.websecure.http.tls.domains[1].sans=*.${DOMAIN1}"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/opt/traefik/letsencrypt:/letsencrypt"
    ports:
      - "80:80"
      - "443:443"
    environment:
      - "CLOUDFLARE_EMAIL=${API_EMAIL}"
      - "CLOUDFLARE_DNS_API_TOKEN=${API_TOKEN}"
    labels:
      #? Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`dash.${DOMAIN0}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      # echo $(htpasswd -nb admin 'Password!') | sed -e s/\\$/\\$\\$/g
      - "traefik.http.middlewares.auth.basicauth.users=admin:INSERT_PASSWORD_HERE"
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-For=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
	version: '3'

	networks:
	proxy:
	external: true
	internal:
	external: false

	services:
	nginx:
	image: nginx
	networks:
	- proxy
	- internal # optional
	labels:
	- 'traefik.enable=true'
	- 'traefik.http.routers.nginx.rule=Host(`nginx.domain.com`)'
	- 'traefik.http.services.nginx.loadbalancer.server.port=80'
	# No SSL
	- 'traefik.http.routers.nginx.entrypoints=web'
	# SSL enabled
	- 'traefik.http.routers.nginx.entrypoints=websecure'
	version: "3.3"

	networks:
	proxy:
	external: true

	services:
	traefik:
	image: "traefik:v2.5"
	container_name: traefik
	restart: always
	network_mode: proxy
	command:
	# - "--accesslog=true"
	- "--api.dashboard=true"
	- "--entrypoints.web.address=:80"
	- "--entrypoints.websecure.address=:443"
	- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
	- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
	# - "--log.level=INFO"
	- "--ping"
	- "--ping.entryPoint=web"
	- "--providers.docker=true"
	- "--global.sendAnonymousUsage"
	- "--providers.docker.network=proxy"
	- "--providers.docker.exposedbydefault=false"
	- "--providers.docker.endpoint=unix:///var/run/docker.sock"
	- "--certificatesresolvers.sslresolver.acme.email=${EMAIL}"
	- "--certificatesresolvers.sslresolver.acme.storage=/letsencrypt/acme.json"
	# ? Prod http challenge
	- "--certificatesresolvers.sslresolver.acme.httpchallenge=true"
	- "--certificatesresolvers.sslresolver.acme.httpchallenge.entrypoint=http"
	#? Cloudflare DNS Challenge
	# - "--certificatesresolvers.sslresolver.acme.dnschallenge=true"
	# - "--certificatesresolvers.sslresolver.acme.dnschallenge.provider=cloudflare"
	# - "--certificatesResolvers.sslresolver.acme.dnsChallenge.delayBeforeCheck=0"
	# - "--certificatesResolvers.sslresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
	#? Wildcard domain certs
	# - "--entrypoints.websecure.http.tls.certResolver=sslresolver"
	# - "--entrypoints.websecure.http.tls.domains[0].main=${DOMAIN0}"
	# - "--entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN0}"
	# - "--entrypoints.websecure.http.tls.domains[1].main=${DOMAIN1}"
	# - "--entrypoints.websecure.http.tls.domains[1].sans=*.${DOMAIN1}"
	volumes:
	- "/var/run/docker.sock:/var/run/docker.sock:ro"
	- "/opt/traefik/letsencrypt:/letsencrypt"
	ports:
	- "80:80"
	- "443:443"
	environment:
	- "CLOUDFLARE_EMAIL=${API_EMAIL}"
	- "CLOUDFLARE_DNS_API_TOKEN=${API_TOKEN}"
	labels:
	#? Dashboard
	- "traefik.enable=true"
	- "traefik.http.routers.traefik.rule=Host(`dash.${DOMAIN0}`) && (PathPrefix(`/api`) \|\| PathPrefix(`/dashboard`))"
	- "traefik.http.routers.traefik.entrypoints=websecure"
	- "traefik.http.routers.traefik.service=api@internal"
	- "traefik.http.routers.traefik.middlewares=auth"
	# echo $(htpasswd -nb admin 'Password!') \| sed -e s/\\$/\\$\\$/g
	- "traefik.http.middlewares.auth.basicauth.users=admin:INSERT_PASSWORD_HERE"
	- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
	- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-For=https"
	- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"