Skip to content

Instantly share code, notes, and snippets.

@renalpha
Last active January 5, 2024 16:04
Show Gist options
  • Save renalpha/8a3c10a442277cce0a0a518bfcc93b4d to your computer and use it in GitHub Desktop.
Save renalpha/8a3c10a442277cce0a0a518bfcc93b4d to your computer and use it in GitHub Desktop.
Traefik
version: '3.7'
services:
nginx:
image: 'nginx:latest'
restart: unless-stopped
tty: true
volumes:
- ./artifacts/vhost.conf:/etc/nginx/conf.d/default.conf
- .:/var/www/
labels:
- "traefik.enable=true"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.entrypoints=http"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.rule=Host(`${DOCKER_TRAEFIK_DOMAIN}`)"
- "traefik.http.middlewares.${DOCKER_TRAEFIK_IDENTIFIER}-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}.middlewares=${DOCKER_TRAEFIK_IDENTIFIER}-https-redirect"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.entrypoints=https"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.rule=Host(`${DOCKER_TRAEFIK_DOMAIN}`)"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.tls=true"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.tls.certresolver=http"
- "traefik.http.routers.${DOCKER_TRAEFIK_IDENTIFIER}-secure.service=${DOCKER_TRAEFIK_IDENTIFIER}"
- "traefik.http.services.${DOCKER_TRAEFIK_IDENTIFIER}.loadbalancer.server.port=80"
- "traefik.docker.network=traefik"
networks:
- traefik
- default
php:
build: ./artifacts/
expose:
- 9000
volumes:
- .:/var/www/
networks:
- default
networks:
default:
traefik:
external: true
http:
middlewares:
https-redirect:
redirectScheme:
scheme: https
version: '3'
services:
traefik:
image: "traefik:latest"
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/traefik.yml:ro
- ./traefik-certs:/tools/certs
- ./config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.localhost`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=http"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.middlewares.RuleGrpMain.chain.middlewares=compress_all,ratelimit_all,retry_all,header_all,slash_step1,slash_step2"
- "traefik.http.middlewares.compress_all.compress=true"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.header_all.headers.sslredirect=true"
networks:
- traefik
networks:
traefik:
external: true
FROM php:7.4-fpm
RUN apt-get update && apt-get install -y libldb-dev libldap2-dev libzip-dev libpng-dev libjpeg62-turbo-dev libfreetype6-dev \
&& docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
&& docker-php-ext-install -j$(nproc) zip pdo pdo_mysql gd ldap pcntl opcache
api:
dashboard: true
debug: true
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /config.yml
tls:
certificates:
- certFile: /tools/certs/cert.crt
keyFile: /tools/certs/cert.key
server {
index index.php index.html;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/public;
sendfile off;
error_log /dev/stdout info;
access_log /var/log/nginx/access.log;
location / {
absolute_redirect off;
try_files $uri $uri/ /index.php$is_args$args;
}
# TYPO3 11 Backend URL rewriting support
location = /typo3 {
rewrite ^ /typo3/;
}
location /typo3/ {
absolute_redirect off;
try_files $uri /typo3/index.php$is_args$args;
}
# pass the PHP scripts to FastCGI server listening on socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php:9000;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_intercept_errors off;
fastcgi_param TYPO3_CONTEXT Development/Dev;
# fastcgi_read_timeout should match max_execution_time in php.ini
fastcgi_read_timeout 10m;
fastcgi_param SERVER_NAME $host;
}
# Expire rules for static content
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
# Access to `/.well-known/` is allowed.
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known\/) {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
# TYPO3 - Block access to composer files
location ~* composer\.(?:json|lock) {
deny all;
}
# TYPO3 - Block access to flexform files
location ~* flexform[^.]*\.xml {
deny all;
}
# TYPO3 - Block access to language files
location ~* locallang[^.]*\.(?:xml|xlf)$ {
deny all;
}
# TYPO3 - Block access to static typoscript files
location ~* ext_conf_template\.txt|ext_typoscript_constants\.(?:txt|typoscript)|ext_typoscript_setup\.(?:txt|typoscript) {
deny all;
}
# TYPO3 - Block access to miscellaneous protected files
location ~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql)$ {
deny all;
}
# TYPO3 - Block access to recycler and temporary directories
location ~ _(?:recycler|temp)_/ {
deny all;
}
# TYPO3 - Block access to configuration files stored in fileadmin
location ~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$ {
deny all;
}
# TYPO3 - Block access to libaries, source and temporary compiled data
location ~ ^(?:vendor|typo3_src|typo3temp/var) {
deny all;
}
# TYPO3 - Block access to protected extension directories
location ~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ {
deny all;
}
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
}
server {
index index.html index.php;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/public;
location / {
try_files $uri /index.php$is_args$args;
# serve static files directly
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
access_log off;
expires max;
log_not_found off;
}
# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename)
{
rewrite ^/(.+)/$ /$1 permanent;
}
# enforce NO www
if ($host ~* ^www\.(.*))
{
set $host_without_www $1;
rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent;
}
# unless the request is for a valid file (image, js, css, etc.), send to bootstrap
if (!-e $request_filename)
{
rewrite ^/(.*)$ /index.php?$query_string last;
break;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
internal;
}
}
}
@renalpha
Copy link
Author

renalpha commented Jan 14, 2021

Please note: typo3 configuration requires reverseProxy entries in Sys =>
'SYS' => [ 'devIPmask' => '*', 'sqlDebug' => true, 'displayErrors' => true, 'systemLogLevel' => 0, 'reverseProxyIP' => 'TRAEFIK IP ADRESS', 'reverseProxyHeaderMultiValue' => 'first', 'reverseProxySSL' => '*', 'trustedHostsPattern' => '.*', ],

@jartaud
Copy link

jartaud commented Apr 5, 2021

Is that an alternative to Laravel Sail? Where to put all these files?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment