Last active
January 5, 2024 16:04
-
-
Save renalpha/8a3c10a442277cce0a0a518bfcc93b4d to your computer and use it in GitHub Desktop.
Traefik
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3.7' | |
| services: | |
| nginx: | |
| image: 'nginx:latest' | |
| restart: unless-stopped | |
| tty: true | |
| volumes: | |
| - ./artifacts/vhost.conf:/etc/nginx/conf.d/default.conf | |
| - .:/var/www/ | |
| labels: | |
| - "traefik.enable=true" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.entrypoints=http" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.rule=Host(`${DOCKER_TRAEFIK_DOMAIN}`)" | |
| - "traefik.http.middlewares.${DOCKER_TRAEFIK_IDENTIFIER}-https-redirect.redirectscheme.scheme=https" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.middlewares=${DOCKER_TRAEFIK_IDENTIFIER}-https-redirect" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.entrypoints=https" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.rule=Host(`${DOCKER_TRAEFIK_DOMAIN}`)" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.tls=true" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.tls.certresolver=http" | |
| - "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.service=${DOCKER_TRAEFIK_IDENTIFIER}" | |
| - "traefik.http.services.${DOCKER_TRAEFIK_IDENTIFIER}.loadbalancer.server.port=80" | |
| - "traefik.docker.network=traefik" | |
| networks: | |
| - traefik | |
| - default | |
| php: | |
| build: ./artifacts/ | |
| expose: | |
| - 9000 | |
| volumes: | |
| - .:/var/www/ | |
| networks: | |
| - default | |
| networks: | |
| default: | |
| traefik: | |
| external: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http: | |
| middlewares: | |
| https-redirect: | |
| redirectScheme: | |
| scheme: https | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| traefik: | |
| image: "traefik:latest" | |
| restart: always | |
| ports: | |
| - "80:80" | |
| - "443:443" | |
| volumes: | |
| - /var/run/docker.sock:/var/run/docker.sock:ro | |
| - ./traefik.yml:/traefik.yml:ro | |
| - ./traefik-certs:/tools/certs | |
| - ./config.yml:/config.yml:ro | |
| labels: | |
| - "traefik.enable=true" | |
| - "traefik.http.routers.traefik.entrypoints=http" | |
| - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)" | |
| - "traefik.http.middlewares.traefik-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/" | |
| - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" | |
| - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" | |
| - "traefik.http.routers.traefik-secure.entrypoints=https" | |
| - "traefik.http.routers.traefik-secure.rule=Host(`traefik.localhost`)" | |
| - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" | |
| - "traefik.http.routers.traefik-secure.tls=true" | |
| - "traefik.http.routers.traefik-secure.tls.certresolver=http" | |
| - "traefik.http.routers.traefik-secure.service=api@internal" | |
| - "traefik.http.middlewares.RuleGrpMain.chain.middlewares=compress_all,ratelimit_all,retry_all,header_all,slash_step1,slash_step2" | |
| - "traefik.http.middlewares.compress_all.compress=true" | |
| - "traefik.http.services.traefik.loadbalancer.server.port=8080" | |
| - "traefik.http.routers.http-catchall.entrypoints=web" | |
| - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)" | |
| - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" | |
| - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" | |
| - "traefik.http.middlewares.header_all.headers.sslredirect=true" | |
| networks: | |
| - traefik | |
| networks: | |
| traefik: | |
| external: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM php:7.4-fpm | |
| RUN apt-get update && apt-get install -y libldb-dev libldap2-dev libzip-dev libpng-dev libjpeg62-turbo-dev libfreetype6-dev \ | |
| && docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \ | |
| && docker-php-ext-install -j$(nproc) zip pdo pdo_mysql gd ldap pcntl opcache |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| api: | |
| dashboard: true | |
| debug: true | |
| entryPoints: | |
| http: | |
| address: ":80" | |
| http: | |
| redirections: | |
| entryPoint: | |
| to: https | |
| https: | |
| address: ":443" | |
| providers: | |
| docker: | |
| endpoint: "unix:///var/run/docker.sock" | |
| exposedByDefault: false | |
| file: | |
| filename: /config.yml | |
| tls: | |
| certificates: | |
| - certFile: /tools/certs/cert.crt | |
| keyFile: /tools/certs/cert.key | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| index index.php index.html; | |
| error_log /var/log/nginx/error.log; | |
| access_log /var/log/nginx/access.log; | |
| root /var/www/public; | |
| sendfile off; | |
| error_log /dev/stdout info; | |
| access_log /var/log/nginx/access.log; | |
| location / { | |
| absolute_redirect off; | |
| try_files $uri $uri/ /index.php$is_args$args; | |
| } | |
| # TYPO3 11 Backend URL rewriting support | |
| location = /typo3 { | |
| rewrite ^ /typo3/; | |
| } | |
| location /typo3/ { | |
| absolute_redirect off; | |
| try_files $uri /typo3/index.php$is_args$args; | |
| } | |
| # pass the PHP scripts to FastCGI server listening on socket | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_pass php:9000; | |
| fastcgi_buffers 16 16k; | |
| fastcgi_buffer_size 32k; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_index index.php; | |
| include fastcgi_params; | |
| fastcgi_intercept_errors off; | |
| fastcgi_param TYPO3_CONTEXT Development/Dev; | |
| # fastcgi_read_timeout should match max_execution_time in php.ini | |
| fastcgi_read_timeout 10m; | |
| fastcgi_param SERVER_NAME $host; | |
| } | |
| # Expire rules for static content | |
| # Media: images, icons, video, audio, HTC | |
| location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { | |
| expires 1M; | |
| access_log off; | |
| add_header Cache-Control "public"; | |
| } | |
| # Prevent clients from accessing hidden files (starting with a dot) | |
| # This is particularly important if you store .htpasswd files in the site hierarchy | |
| # Access to `/.well-known/` is allowed. | |
| # https://www.mnot.net/blog/2010/04/07/well-known | |
| # https://tools.ietf.org/html/rfc5785 | |
| location ~* /\.(?!well-known\/) { | |
| deny all; | |
| } | |
| # Prevent clients from accessing to backup/config/source files | |
| location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { | |
| deny all; | |
| } | |
| location = /favicon.ico { | |
| log_not_found off; | |
| access_log off; | |
| } | |
| # TYPO3 - Block access to composer files | |
| location ~* composer\.(?:json|lock) { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to flexform files | |
| location ~* flexform[^.]*\.xml { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to language files | |
| location ~* locallang[^.]*\.(?:xml|xlf)$ { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to static typoscript files | |
| location ~* ext_conf_template\.txt|ext_typoscript_constants\.(?:txt|typoscript)|ext_typoscript_setup\.(?:txt|typoscript) { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to miscellaneous protected files | |
| location ~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql)$ { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to recycler and temporary directories | |
| location ~ _(?:recycler|temp)_/ { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to configuration files stored in fileadmin | |
| location ~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$ { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to libaries, source and temporary compiled data | |
| location ~ ^(?:vendor|typo3_src|typo3temp/var) { | |
| deny all; | |
| } | |
| # TYPO3 - Block access to protected extension directories | |
| location ~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ { | |
| deny all; | |
| } | |
| if (!-e $request_filename) { | |
| rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| index index.html index.php; | |
| error_log /var/log/nginx/error.log; | |
| access_log /var/log/nginx/access.log; | |
| root /var/www/public; | |
| location / { | |
| try_files $uri /index.php$is_args$args; | |
| # serve static files directly | |
| location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ { | |
| access_log off; | |
| expires max; | |
| log_not_found off; | |
| } | |
| # removes trailing slashes (prevents SEO duplicate content issues) | |
| if (!-d $request_filename) | |
| { | |
| rewrite ^/(.+)/$ /$1 permanent; | |
| } | |
| # enforce NO www | |
| if ($host ~* ^www\.(.*)) | |
| { | |
| set $host_without_www $1; | |
| rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent; | |
| } | |
| # unless the request is for a valid file (image, js, css, etc.), send to bootstrap | |
| if (!-e $request_filename) | |
| { | |
| rewrite ^/(.*)$ /index.php?$query_string last; | |
| break; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| fastcgi_pass php:9000; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| include fastcgi_params; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_param PATH_INFO $fastcgi_path_info; | |
| internal; | |
| } | |
| } | |
| } |
- updated default & typo3 nginx vhost configs.
- experienced issue with default, parsing the URL paths as request parameters.
Please note: typo3 configuration requires reverseProxy entries in Sys =>
'SYS' => [ 'devIPmask' => '*', 'sqlDebug' => true, 'displayErrors' => true, 'systemLogLevel' => 0, 'reverseProxyIP' => 'TRAEFIK IP ADRESS', 'reverseProxyHeaderMultiValue' => 'first', 'reverseProxySSL' => '*', 'trustedHostsPattern' => '.*', ],
Is that an alternative to Laravel Sail? Where to put all these files?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Takeout
Use takeout for running mariaDB etc.
https://github.com/tighten/takeout
Move files to the corresponding folders as described in the docker-compose.yml volumes entries
Run docker-compose.yml
The application docker-compose.yml can be placed in the application root. This will read the .env file
Traefik Docker ENV
DOCKER_TRAEFIK_IDENTIFIER=application
DOCKER_TRAEFIK_DOMAIN=application.test
Application URL
application.test
Traefik dashboard
traefik.localhost
user: test
pas: test
SSL
brew install mkcert
brew install nss
mkcert -cert-file cert.crt -key-file cert.key "domain.test" "*.domain.test" "etc.test"