Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
a configuration to run a unifi cloud key behind traefik
version: "3.3"
services:
traefik:
image: traefik:v2.2.0
container_name: traefik
restart: unless-stopped
command:
- --log.level=DEBUG
- --api
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --providers.docker
- --providers.file=true
- --providers.file.filename=dynamic.toml
- "--certificatesresolvers.leresolver.acme.email=${EMAIL}"
- --certificatesresolvers.leresolver.acme.storage=acme.json
- --certificatesresolvers.leresolver.acme.dnschallenge=true
- --certificatesresolvers.leresolver.acme.dnschallenge.provider=cloudflare
# Needed because upstream controller does not have a valid cert
# Its bad to set this globally but I did not find another way so far.
- --serverstransport.insecureskipverify=true
environment:
- "CF_API_EMAIL=${CF_API_EMAIL}"
- "CF_API_KEY=${CF_API_KEY}"
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./acme.json:/acme.json
- ./dynamic.toml:/dynamic.toml
labels:
# wildcard setup
- "traefik.http.routers.traefik.tls.certresolver=leresolver"
- "traefik.http.routers.traefik.tls.domains[0].main=${DOMAINNAME}"
- "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAINNAME}"
# Dashboard (api@internal is the default service spawned by trafik for the dashboard)
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.entrypoints=websecure"
# global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
[http]
[http.routers]
[http.routers.router0]
entryPoints = ["websecure"]
rule = "Host(`controller.yourdomain.com`)"
service = "controller"
[http.routers.router0.tls]
certResolver = "leresolver"
[http.services]
[http.services.controller]
[[http.services.controller.loadBalancer.servers]]
url = "https://internal-controller-ip:8443"
@dmengelt

This comment has been minimized.

Copy link
Owner Author

@dmengelt dmengelt commented Apr 24, 2020

The goal was to access the unifi controller (cloud key) web interface over a domain with proper certificates (letsencrypt/cloudflare) in place. Of course only when connected to VPN (wireguard). The file configuration (dynamic.toml) is needed because it is not possible to declare a service pointing to a local IP in a compose file using docker labels.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.