Last active
May 30, 2022 11:30
-
-
Save fogx/9819277b8bb4f4d79b7eb6a37cb464ac to your computer and use it in GitHub Desktop.
Broken Traefik - Cloudflare
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: "3" | |
| services: | |
| traefik: | |
| #https://www.smarthomebeginner.com/traefik-2-docker-tutorial/ | |
| image: traefik:latest | |
| container_name: traefik | |
| command: # CLI arguments | |
| - --global.sendAnonymousUsage=false | |
| - --api=true | |
| - --api.insecure=true | |
| ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ## | |
| - --entrypoints.http.address=:80 # <== Defining an entrypoint for port :80 | |
| - --entrypoints.https.address=:443 # <== Defining an entrypoint for https on port :443 | |
| - --entryPoints.traefik.address=:8080 | |
| # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ | |
| # - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22 | |
| ## providers | |
| - --providers.docker=true | |
| - --providers.docker.exposedByDefault=false | |
| - --providers.docker.network=traefik_proxy # Defines a default docker network to use for connections to all containers. | |
| - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory. | |
| - --providers.file.watch=true # Only works on top level files in the rules folder | |
| ## Certificate Settings (Let's Encrypt) - https://docs.traefik.io/https/acme/#configuration-examples ## | |
| # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing | |
| - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL | |
| - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json | |
| - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare | |
| ## logging | |
| - --log=true | |
| - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC #change to warn when done setting up | |
| - --accessLog=true | |
| - --accessLog.filePath=/traefik.log | |
| - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines | |
| - --accessLog.filters.statusCodes=400-499 | |
| labels: | |
| - "traefik.enable=true" | |
| # HTTP-to-HTTPS Redirect | |
| - "traefik.http.routers.http-catchall.entrypoints=http" | |
| - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" | |
| - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" | |
| - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" | |
| # HTTP Routers | |
| - "traefik.http.routers.traefik-rtr.entrypoints=https" | |
| - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)" | |
| - "traefik.http.routers.traefik-rtr.tls=true" | |
| - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs | |
| - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME" | |
| - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME" | |
| ## Services - API | |
| - "traefik.http.routers.traefik-rtr.service=api@internal" | |
| ## Middlewares | |
| - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" | |
| networks: | |
| - traefik_proxy | |
| - default | |
| security_opt: | |
| - no-new-privileges:true | |
| ports: | |
| - "80:80" # <== http | |
| - "443:443" # <== https | |
| - "8080:8080" # <== :8080 is where the dashboard runs on | |
| volumes: | |
| - /etc/localtime:/etc/localtime:ro | |
| - /etc/timezone:/etc/timezone:ro | |
| - /var/run/docker.sock:/var/run/docker.sock:ro | |
| - $DOCKERDIR/traefik/rules:/rules | |
| - $DOCKERDIR/traefik/acme/acme.json:/acme.json | |
| - $DOCKERDIR/traefik/traefik.log:/traefik.log | |
| - $DOCKERDIR/shared:/shared | |
| environment: | |
| - CF_API_EMAIL=$CLOUDFLARE_EMAIL | |
| - CF_API_KEY=$CLOUDFLARE_API_KEY | |
| restart: unless-stopped | |
| whoami: | |
| # A container that exposes an API to show its IP address | |
| image: containous/whoami | |
| networks: | |
| - traefik_proxy | |
| labels: | |
| - traefik.enable=true | |
| ## HTTP Routers | |
| # - "traefik.http.routers.whoami.entrypoints=http" | |
| - "traefik.http.routers.whoami.rule=HostHeader(`who.$DOMAINNAME`)" | |
| - traefik.http.routers.whoami.tls=true | |
| networks: | |
| traefik_proxy: | |
| external: | |
| name: traefik_proxy | |
| default: | |
| driver: bridge |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [http.middlewares.chain-basic-auth] | |
| [http.middlewares.chain-basic-auth.chain] | |
| middlewares = ["middlewares-basic-auth"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [http.middlewares] | |
| [http.middlewares.middlewares-basic-auth] | |
| [http.middlewares.middlewares-basic-auth.basicAuth] | |
| realm = "Traefik2 Basic Auth" | |
| usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment