@mlebkowski
Created April 10, 2024 07:40
Local HTTPS and load balancing for docker compose projects
# acme-route53.awscfg (AWS CLI credentials file format; fill in both values)
[default]
aws_access_key_id =
aws_secret_access_key =
# docker-compose.yml

## Requirements
# * Two environment variables: ACME_EMAIL (for the Let's Encrypt registration)
#   and DOMAIN_NAME, which will be the base host for your projects
# * An acme-route53.awscfg file containing AWS credentials. Just set up
#   a default profile according to the following format:
#   https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
#   The IAM user only needs permission to change records in the Route53
#   zone for DOMAIN_NAME; keep the file out of version control.
# * Create the ./traefik/acme directory (mkdir -p, not touch) to store
#   certificates there. Traefik creates acme.json inside it with mode 0600.

## Modus operandi
# * The `www` service uses Let's Encrypt to get a wildcard certificate for
#   your $DOMAIN_NAME. It then terminates TLS and forwards all traffic as
#   plain HTTP to the second service: `traefik`. This is why `www` binds both
#   ports 80 and 443, and `traefik` neither (it's not directly exposed).
# * Each docker compose service exposing a default port will be available at:
#   https://{service-name}.$DOMAIN_NAME
#   You can inspect it on the traefik dashboard at https://$DOMAIN_NAME
# * You can modify this default routing in `traefik.yml` using the
#   `defaultRule` config option. You can also configure each service
#   independently; please refer to the traefik docker documentation:
#   https://doc.traefik.io/traefik/providers/docker/#configuration-examples
# * It uses AWS Route53 for the Let's Encrypt DNS challenge, but obviously
#   you can configure any other provider
services:
  # terminates TLS and forwards all traffic to the traefik service
  www:
    image: traefik:v2.11
    command: >
      traefik
      --entryPoints.http.address=:80
      --entryPoints.https.address=:443
      --providers.file.filename=/etc/traefik/load-balancer.yml
      --certificatesResolvers.letsencrypt.acme.email=${ACME_EMAIL}
      --certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json
      --certificatesResolvers.letsencrypt.acme.dnsChallenge.provider=route53
      --certificatesResolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
    labels:
      # keep the inner traefik from creating a router for this container
      - traefik.enable=false
    environment:
      - DOMAIN_NAME=${DOMAIN_NAME}
      # the route53 DNS provider reads the AWS profile from the mounted secret
      - AWS_SHARED_CREDENTIALS_FILE=/run/secrets/acme_route53
    volumes:
      - ./traefik/load-balancer.yml:/etc/traefik/load-balancer.yml:ro
      # acme.json (account key and certificates) lives here; rw is required
      - ./traefik/acme/:/etc/traefik/acme:rw
    ports:
      - "443:443"
      - "80:80"
    secrets:
      - acme_route53

  traefik:
    image: traefik:v2.11
    environment:
      - DOMAIN_NAME=${DOMAIN_NAME}
    volumes:
      # access to the daemon socket is root-equivalent on the host, which is
      # why this service publishes no host ports and sits behind `www`
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
    labels:
      # dashboard at https://$DOMAIN_NAME; no auth is configured here, so add a
      # basicAuth middleware if the host is reachable beyond your machine
      - 'traefik.http.routers.api.service=api@internal'
      - "traefik.http.routers.api.rule=Host(`$DOMAIN_NAME`)"

secrets:
  acme_route53:
    file: ./acme-route53.awscfg
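The comment above says each service can also be configured independently instead of relying on `defaultRule`. As an added example (not part of the gist), this `compose.override.yml` placed next to the compose file above shows the three overrides you usually need: a custom host rule with a pinned upstream port, a basic-auth middleware put in front of both the service and the otherwise unauthenticated dashboard, and an explicit opt-out for a non-HTTP container. The images `ghcr.io/example/app` and `ghcr.io/example/worker`, the `admin` user and the `<hash-from-htpasswd>` placeholder are assumptions; generate the hash yourself with `htpasswd -nB admin`.

```yaml
# compose.override.yml (added example, not from the gist). docker compose
# merges it with docker-compose.yml, so `traefik` only needs the extra labels.
services:
  traefik:
    labels:
      # Dashboard credentials. Every `$` in the bcrypt hash is doubled so
      # docker compose does not try to interpolate it as a variable.
      - "traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$<hash-from-htpasswd>"
      # Attach the middleware to the `api` router defined in docker-compose.yml
      - "traefik.http.routers.api.middlewares=admin-auth"

  # Explicit routing instead of the defaultRule: two hostnames, a pinned
  # upstream port (needed when the image EXPOSEs several ports or none),
  # and the same basic auth in front of it.
  app:
    image: ghcr.io/example/app:1.0            # placeholder image
    labels:
      - "traefik.http.routers.app.rule=Host(`app.${DOMAIN_NAME}`) || Host(`api.${DOMAIN_NAME}`)"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
      - "traefik.http.routers.app.middlewares=admin-auth"

  # Not an HTTP service. exposedByDefault is true in traefik.yml, so opt out
  # explicitly or Traefik will create a router pointing at it anyway.
  worker:
    image: ghcr.io/example/worker:1.0         # placeholder image
    labels:
      - traefik.enable=false
```

Defining the middleware on the `traefik` container rather than on `app` keeps the dashboard router valid when `app` is stopped; a router that references a middleware which no longer exists is disabled by Traefik.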
# traefik/load-balancer.yml, but gists can't do subdirectories
http:
  routers:
    http-catchall:
      rule: PathPrefix(`/`)
      entryPoints:
        - http
      middlewares:
        - redirect-to-https
      service: secure
    https-catchall:
      rule: PathPrefix(`/`)
      entryPoints:
        - https
      service: secure
      tls:
        certResolver: letsencrypt
        domains:
          - main: '{{ env "DOMAIN_NAME" }}'
            sans:
              - '*.{{ env "DOMAIN_NAME" }}'
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false
  services:
    secure:
      loadBalancer:
        servers:
          - url: http://traefik
# traefik/traefik.yml, but gists can't do subdirectories
entryPoints:
  http:
    address: :80
    forwardedHeaders:
      # trust X-Forwarded-* from any client. Acceptable here only because this
      # entrypoint is reachable just from the compose network (via `www`); any
      # other container in the project could spoof these headers, so prefer
      # `trustedIPs` with the edge network's subnet if that matters to you.
      insecure: true
providers:
  providersThrottleDuration: 2s
  docker:
    defaultRule: >
      Host(`{{index .Labels "com.docker.compose.service"}}.{{ env "DOMAIN_NAME" }}`)
    watch: true
    # every container gets a router unless it carries traefik.enable=false
    exposedByDefault: true
api:
  dashboard: true