Traefik with file provider and with letsencrypt and custom tls certs
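# Providers :- discover the services that live on your infrastructure (their IP, health, ...)
# Entrypoints :- listen for incoming traffic (ports, ...)
# Routers :- analyse the requests (host, path, headers, SSL, ...). A router is in charge of connecting incoming requests to the services that can handle them.
# Services :- forward the request to your services (load balancing, ...). The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
# Middlewares :- may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)
#
# Swarm stack for a single Traefik v2.1 instance. Dynamic configuration (routers, middlewares,
# services, TLS) comes from proxy-config.toml via the file provider; no Docker socket is mounted.
version: "3.7"

networks:
  test-network:
    external: true
    name: test-network

services:
  traefik:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      placement:
        constraints:
          - node.hostname == gcloud1
          - node.role == manager
      # Only read by Traefik's docker/swarm provider; with the file provider below this label is inert.
      labels:
        - "traefik.enable=true"
    # Cert and key are delivered as swarm secrets; the TOML config references these paths.
    secrets:
      - source: custom_crt
        target: /run/secrets/server.crt
        mode: 0400  # leading-zero octal: YAML 1.1 loaders (Compose) read this as 0o400
      - source: custom_key
        target: /run/secrets/server.key
        mode: 0400
    hostname: traefik
    image: "traefik:v2.1"
    # user: "${UID}:1002"
    # Static configuration
    command:
      - --providers.file.filename=/etc/traefik/proxy-config.toml  # Using file for reading the config
      - --providers.file.watch=true
      - --entrypoints.web.address=:6060
      - --entrypoints.websecure.address=:443
      # - --api.insecure  # enabling dashboard on insecure connection
      - --api=true
      - --api.dashboard=true
      # api.debug and DEBUG logging are verbose; intended for bringing the stack up, not for steady state.
      - --api.debug=true
      - --log.level=DEBUG
      # lets encrypt : for production by default url is "https://acme-v02.api.letsencrypt.org/directory"
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.email=myemail@gmail.com
      # Absolute path inside the mounted volume, so issued certs survive container restarts.
      # The previous relative "acme.json" landed in the container's working dir, outside any volume.
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    volumes:
      - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
      # - /home/prayag/GoWorkspace/src/github.com/test/certs/:/etc/traefik/certs:ro <-- was giving permission error in logs hence I switched to docker secrets
      # A named volume is a directory: mount it as one (the old "letsencrypt:/letsencrypt/acme.json:wo"
      # targeted a file path and used ":wo", which is not a valid volume mode).
      - letsencrypt:/letsencrypt
    ports:
      - target: 6060
        published: 6060
        # protocol: tcp
        mode: host
      - target: 443
        published: 443
        # protocol: tcp
        mode: host
      # Traefik only listens on 8080 when --api.insecure is set (commented out above); the dashboard
      # is otherwise served through the `api` router on websecure.
      - target: 8080
        published: 8080
        # protocol: tcp
        mode: ingress  # traefik dashboard
    networks:
      - test-network

volumes:
  letsencrypt: {}

secrets:
  custom_crt:
    external: true
    name: server.crt
  custom_key:
    external: true
    name: server.key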
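# Dynamic configuration loaded by Traefik's file provider (see the compose stack).
# Values in ALL-CAPS or XXXX are placeholders to be replaced before use.

# ENTRYPOINT / ROUTER
[http.routers]

  # API endpoint: TLS with the custom cert, basic auth in front of the Go backend.
  [http.routers.myrouter]
    rule = "Host(`bchain.example.in`)"
    middlewares = ["auth"]
    service = "goserver"
    entryPoints = ["websecure"]
    # will route TLS requests (and ignore non tls requests)
    [http.routers.myrouter.tls]
      options = "myoptions"
      #certResolver = "myresolver" <--- using custom tls certs because its a REST API and client need to send its cert for authentication which is not possible with letsencrypt
      #[[http.routers.myrouter.tls.domains]]
      #  main = "bchain.example.in"

  # Dashboard / API over HTTPS, cert issued by the ACME resolver.
  [http.routers.api]
    rule = "Host(`traefik.example.in`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
    entryPoints = ["websecure"] # <-- changed to `websecure` for https else moved it back to `web`
    middlewares = ["auth"]
    service = "api@internal"
    # will route TLS requests (and ignore non tls requests)
    [http.routers.api.tls]
      certResolver = "myresolver"
      # https://docs.traefik.io/routing/routers/#domains
      [[http.routers.api.tls.domains]]
        main = "traefik.example.in"

  # redirecting http to https for dashboard
  [http.routers.api-http]
    entryPoints = ["web"]
    rule = "Host(`traefik.example.in`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
    # Middlewares run in list order. Listing "auth" before the redirect made the basic-auth
    # challenge happen on the plain-HTTP entrypoint, so credentials were sent before the redirect.
    # Redirect only; the HTTPS router (`api`) still enforces auth.
    middlewares = ["redirect-to-https"]
    service = "api@internal"

# MIDDLEWARES
[http.middlewares]

  [http.middlewares.auth.basicAuth]
    # htpasswd-style "user:hash" entries; XXXX is a placeholder for the hash.
    users = ["test:XXXX"]

  [http.middlewares.redirect-to-https.redirectScheme]
    scheme = "https"
    port = "443"
    permanent = true

# SERVICES
[http.services]

  [http.services.goserver.loadBalancer]
    # Plain HTTP to the backend on the private network; TLS is terminated by Traefik.
    [[http.services.goserver.loadBalancer.servers]]
      url = "http://INSTANCE_PRIVATE-IP:8001"

# CUSTOM TLS CERT
[tls]

  # Cert/key arrive as swarm secrets (see the compose stack).
  [[tls.certificates]]
    certFile = "/run/secrets/server.crt"
    keyFile = "/run/secrets/server.key"

  [tls.stores]
    [tls.stores.default]
      [tls.stores.default.defaultCertificate]
        certFile = "/run/secrets/server.crt"
        keyFile = "/run/secrets/server.key"

  [tls.options]
    [tls.options.myoptions]
      minVersion = "VersionTLS12"
      sniStrict = true
      # The myrouter comment above says clients authenticate with their own cert, but nothing
      # here requests one: Traefik terminates TLS, and the backend behind a plain http:// URL
      # never sees a client certificate. Mutual TLS requires a clientAuth block on this options
      # set, e.g. (CA path is a placeholder):
      # [tls.options.myoptions.clientAuth]
      #   caFiles = ["/run/secrets/CLIENT_CA_FILE"]
      #   clientAuthType = "RequireAndVerifyClientCert"

    #[tls.options.mintls13]
    #  minVersion = "VersionTLS13"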