Last active November 29, 2020 20:32
Gist: dmengelt/a58110634f2db77dd3496ec49c14a510
A configuration to run a UniFi Cloud Key behind Traefik
docker-compose.yml

```yaml
version: "3.3"

services:
  traefik:
    image: traefik:v2.2.0
    container_name: traefik
    restart: unless-stopped
    command:
      - --log.level=DEBUG
      - --api
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --providers.file=true
      - --providers.file.filename=dynamic.toml
      - --certificatesresolvers.leresolver.acme.email=${EMAIL}
      # storage path matches the acme.json bind mount below
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.dnschallenge=true
      - --certificatesresolvers.leresolver.acme.dnschallenge.provider=cloudflare
      # Needed because upstream controller does not have a valid cert
      # It's bad to set this globally but I did not find another way so far.
      - --serverstransport.insecureskipverify=true
    environment:
      # Credentials for the Cloudflare DNS challenge. Not in the original gist;
      # the variable name is the one lego's cloudflare provider reads.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json
      - ./dynamic.toml:/dynamic.toml
    labels:
      # wildcard setup
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAINNAME}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAINNAME}"
      # Dashboard (api@internal is the default service spawned by Traefik for the dashboard)
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
```
dynamic.toml

```toml
# Router and service for the controller. The table names (router and service
# both called "controller") are reconstructed from the flattened gist; the
# key/value lines are the original ones.
[http.routers.controller]
  entryPoints = ["websecure"]
  rule = "Host(``)"   # hostname left empty in the gist
  service = "controller"
  [http.routers.controller.tls]
    certResolver = "leresolver"

[http.services.controller.loadBalancer]
  [[http.services.controller.loadBalancer.servers]]
    url = "https://internal-controller-ip:8443"
```
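The compose file above carries two things a reviewer would flag: `serverstransport.insecureskipverify=true` is a static (global) option, so it turns off upstream certificate checks for every backend Traefik proxies to, not only the Cloud Key; and the dashboard router points at `api@internal` with no auth or IP allow-list middleware (the author relies on the VPN for that). The script below is an added audit example, not part of the gist, that parses Traefik v2 command-line flags and Docker labels into routers and middlewares and reports those conditions. The `COMMAND` and `LABELS` lists are copied from the compose file with `${DOMAINNAME}` replaced by a constructed `example.com`; `HARDENED_LABELS` is a constructed variant that adds a hypothetical `dash-auth` basicauth middleware with a placeholder hash. It also checks for `api.insecure=true` and for routers on the `web` entrypoint without a `redirectscheme` middleware, which goes beyond this particular gist.

```python
"""Audit Traefik v2 static flags and Docker labels for common exposure mistakes.

Added example. Inputs are constructed from the gist's compose file
(${DOMAINNAME} -> example.com) plus a hypothetical hardened label set.
"""
import re
from typing import Dict, List, Set, Tuple

COMMAND = [
    "--log.level=DEBUG",
    "--api",
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--providers.docker",
    "--providers.file=true",
    "--providers.file.filename=dynamic.toml",
    "--certificatesresolvers.leresolver.acme.dnschallenge=true",
    "--certificatesresolvers.leresolver.acme.dnschallenge.provider=cloudflare",
    "--serverstransport.insecureskipverify=true",
]

LABELS = [
    "traefik.http.routers.traefik.tls.certresolver=leresolver",
    "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)",
    "traefik.http.routers.traefik.service=api@internal",
    "traefik.http.routers.traefik.entrypoints=websecure",
    "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)",
    "traefik.http.routers.http-catchall.entrypoints=web",
    "traefik.http.routers.http-catchall.middlewares=redirect-to-https",
    "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https",
]

# Hypothetical hardened variant: the dashboard router gets a basicauth middleware.
# The htpasswd hash is a placeholder, not a real credential.
HARDENED_LABELS = LABELS + [
    "traefik.http.routers.traefik.middlewares=dash-auth",
    "traefik.http.middlewares.dash-auth.basicauth.users=admin:$apr1$PLACEHOLDER",
]

# Middleware types that gate who may reach a router.
AUTH_MIDDLEWARE_TYPES = {"basicauth", "digestauth", "forwardauth", "ipwhitelist"}

LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$")


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn ['--a.b=c', '--d'] into {'a.b': 'c', 'd': 'true'} (keys lower-cased)."""
    flags: Dict[str, str] = {}
    for item in command:
        key, _, value = item.lstrip("-").partition("=")
        flags[key.lower()] = value or "true"
    return flags


def parse_labels(labels: List[str]) -> Tuple[Dict[str, Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Group traefik.http.{routers,middlewares}.<name>.<field>=<value> labels by name."""
    routers: Dict[str, Dict[str, str]] = {}
    middlewares: Dict[str, Dict[str, str]] = {}
    for label in labels:
        key, _, value = label.partition("=")
        match = LABEL_RE.match(key)
        if not match:
            continue
        kind, name, field = match.groups()
        target = routers if kind == "routers" else middlewares
        target.setdefault(name, {})[field.lower()] = value
    return routers, middlewares


def split_list(value: str) -> List[str]:
    """Split a comma-separated label value and drop provider suffixes such as '@docker'."""
    return [part.strip().split("@")[0] for part in value.split(",") if part.strip()]


def middleware_types(fields: Dict[str, str]) -> Set[str]:
    """A middleware's type is the first component of its option keys ('redirectscheme.scheme')."""
    return {field.split(".")[0] for field in fields}


def audit(command: List[str], labels: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    flags = parse_flags(command)
    routers, middlewares = parse_labels(labels)

    if flags.get("serverstransport.insecureskipverify") == "true":
        findings.append("global: serversTransport.insecureSkipVerify=true turns off certificate "
                        "verification for every backend, not just the controller")
    if flags.get("api.insecure") == "true":
        findings.append("global: api.insecure=true publishes the dashboard on :8080 "
                        "with no router or middleware in front of it")

    for name, router in routers.items():
        # Collect the types of all middlewares attached to this router (labels only;
        # middlewares defined in the file provider are not seen here).
        types: Set[str] = set()
        for mw in split_list(router.get("middlewares", "")):
            types |= middleware_types(middlewares.get(mw, {}))
        if router.get("service") == "api@internal" and not types & AUTH_MIDDLEWARE_TYPES:
            findings.append(f"router {name}: dashboard (api@internal) has no auth or IP allow-list middleware")
        if "web" in split_list(router.get("entrypoints", "")) and "redirectscheme" not in types:
            findings.append(f"router {name}: serves plain HTTP on entrypoint 'web' without redirecting to HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit(COMMAND, LABELS):
        print(finding)
```

Run against the gist's own flags and labels it reports the global `insecureSkipVerify` and the unprotected dashboard router; with `HARDENED_LABELS` only the global finding remains, and dropping the `insecureskipverify` flag clears it. The checks are deliberately label-only: a router whose middleware lives in `dynamic.toml` would be reported as unprotected, which is the safer direction for an audit to err.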
dmengelt commented Apr 24, 2020

The goal was to access the UniFi controller (Cloud Key) web interface over a domain with proper certificates (Let's Encrypt/Cloudflare) in place. Of course only when connected to VPN (WireGuard). The file configuration (dynamic.toml) is needed because it is not possible to declare a service pointing to a local IP in a compose file using Docker labels.
