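# Compose stack for the Traefik v3 edge proxy plus a docker-socket proxy.
# Traefik's static config comes from /config/traefik.yml (see `command`);
# dynamic config comes from the labels below and from the /rules directory.
name: traefik

###############################################################
# Networks
###############################################################
networks:
  # Private bridge shared only by traefik and socket-proxy, so the Docker API
  # proxy is not reachable from the application networks.
  socket_proxy:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-traefik_sx
  traefik-net:
    external: true
  mariadb-net:
    external: true

###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
  ## Cloudflare / Traefik
  cf_dns_api_token:
    file: ${SECRETSDIR}/cf_dns_api_token

###############################################################
services:
  traefik:
    image: traefik:v3.2.1  # traefik:v3.1.7 # traefik:3.1.2 # traefik:v3.1.7-nanoserver-ltsc2022
    hostname: traefik
    restart: unless-stopped
    env_file: .traefik.env
    security_opt:
      - no-new-privileges=true
    depends_on:
      - socket-proxy  # Comment out if not using socket-proxy
    networks:
      - traefik-net
      - socket_proxy
      # presumably needed for DB routers defined under /rules — confirm, and
      # drop it if nothing is routed to mariadb (least exposure).
      - mariadb-net
    command:
      - "--configFile=/config/traefik.yml"
    ports:
      - name: "web"
        target: 80  # container port
        host_ip: "0.0.0.0"  # host IP; 0.0.0.0 binds to all network interfaces
        published: "80"  # publicly exposed port, defined as a string
        protocol: tcp  # port protocol
        app_protocol: http  # application protocol (TCP/IP level 4 / OSI level 7) this port is used for
        mode: host  # how port is published in swarm setup
      - name: "websecure"
        target: 443
        host_ip: "0.0.0.0"
        published: "443"
        protocol: tcp
        app_protocol: http
        mode: host
      # - name: "traefik"  # dashboard port - use when not using labels below / reverse proxy for traefik itself
      #   target: 8080
      #   host_ip: 0.0.0.0
      #   published: "8080"
      #   protocol: tcp
      #   app_protocol: http
      #   mode: host
      # - target: 51820
      #   published: "51820"
      #   protocol: udp
      #   mode: host
      # - target: 32400
      #   published: "32400"
      #   protocol: tcp
      #   mode: host
      # - target: 1883
      #   published: "1883"
      #   protocol: tcp
      #   mode: host
      # - target: 8883
      #   published: "8883"
      #   protocol: tcp
      #   mode: host
      # - target: 19132
      #   published: "19132"
      #   protocol: udp
      #   mode: host
      # - target: 25565
      #   published: "25565"
      #   protocol: udp
      #   mode: host
      # - target: 25575
      #   published: "25575"
      #   protocol: tcp
      #   mode: host
      # - target: 8083
      #   published: "8083"
      #   protocol: tcp
      #   mode: host
      # - target: 8306
      #   published: "8306"
      #   protocol: tcp
      #   mode: host
      # - target: 9306
      #   published: "9306"
      #   protocol: tcp
      #   mode: host
    secrets:
      - cf_dns_api_token
    volumes:
      - $STACKSDIR/config:/config  # traefik.yml (static config)
      - $STACKSDIR/rules:/rules  # Dynamic File Provider directory
      - $STACKSDIR/users:/mnt/users  # basic-auth username and password hashes
      # acme.json (defined in traefik.yml) holds the certificate private keys;
      # keep it 0600 on the host.
      - $DATADIR/appdata:/data
      - $DATADIR/logs:/logs
    labels:
      - "traefik.enable=true"
      #
      # http routers
      # ------------
      # http://traefik-px.sthome.org/ping
      # ping-rtr has no middleware attached below, so /ping is unauthenticated
      # (intended for health checks only).
      - "traefik.http.routers.${APPLICATION_NAME}-ping-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-ping-rtr.rule=Host(`${WEBAPP_PING}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # NOTE(review): -rtr serves the dashboard (api@internal, see services
      # below) on the plain-HTTP `web` entrypoint behind basic-auth, so the
      # credentials cross the wire in clear unless traefik.yml (not shown)
      # redirects web -> websecure. Confirm that redirect exists; otherwise
      # drop this router or attach a redirectscheme middleware instead of auth.
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # https://appname.domainname/
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${WEBAPP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      # With the line below commented out, Traefik's default TLS options apply
      # to this router; re-enable it if /rules/tls-options.yml defines a
      # stricter profile (verify the file exists before enabling).
      # - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options.yml@file
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].main=${DOMAINNAME}"
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.domains[0].sans=*.${DOMAINNAME}"
      #
      # http basic-auth middlewares
      # ---------------------------
      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
      #
      # assign middlewares to routers
      # -----------------------------
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
      #
      # http services
      # -------------
      - "traefik.http.services.${APPLICATION_NAME}-ping-svc.loadbalancer.server.port=${PING_PORT}"
      # assign services to routers
      - "traefik.http.routers.${APPLICATION_NAME}-ping-rtr.service=${APPLICATION_NAME}-ping-svc"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal"

  ###############################################################
  # Filters Traefik's access to the Docker API; the allowed API sections are
  # set in .socket-proxy.env (not shown). That allow-list is the real control:
  # the `:ro` on the socket mount only makes the bind mount read-only, it does
  # not restrict which API calls the daemon accepts over the socket.
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0  #0.1.2
    hostname: traefik_socket-proxy
    restart: unless-stopped
    env_file: .socket-proxy.env
    security_opt:
      - no-new-privileges=true
    networks:
      - socket_proxy
    # NOTE(review): privileged is a very broad grant for a service whose only
    # job is to front docker.sock — confirm it is actually required in this
    # environment before keeping it.
    privileged: true  # true for VM. false for unprivileged LXC container.
    #depends_on:
    #  - traefik
    ports:
      # Loopback-only, but still reachable by every local user/process on the
      # host with whatever API scope .socket-proxy.env allows. traefik reaches
      # the proxy over the socket_proxy network, so this publish is only needed
      # if something on the host itself consumes the proxy — remove otherwise.
      - "127.0.0.1:2375:2375"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  ###############################################################
  # Example/test service, disabled. If re-enabled, note that `traefik` below
  # is not a network defined in this file (the proxy network is `traefik-net`).
  # whoami:
  #   image: traefik/whoami:latest
  #   container_name: whoami
  #   restart: unless-stopped
  #   security_opt:
  #     - no-new-privileges=true
  #   depends_on:
  #     - traefik
  #   networks:
  #     - traefik
  #   environment:
  #     - TZ
  #   labels:
  #     - "traefik.enable=true"
  #     ## HTTP Routers
  #     - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
  ###############################################################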