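name: traefik

###############################################################
# Networks
###############################################################
networks:
  # Private bridge shared only by traefik and socket-proxy, so the Docker API
  # proxy is not reachable from the general traefik-net.
  socket_proxy:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-traefik_sx"
  traefik-net:
    external: true
  mariadb-net:
    external: true

###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
  ## Cloudflare / Traefik
  # Mounted into the container under /run/secrets/cf_dns_api_token; keep the
  # token out of .traefik.env so it is not visible via `docker inspect`.
  cf_dns_api_token:
    file: ${SECRETSDIR}/cf_dns_api_token

###############################################################
services:
  traefik:
    image: traefik:v3.3.3 # v3.2.1 # v3.1.7 # 3.1.2 # v3.1.7-nanoserver-ltsc2022
    hostname: traefik
    restart: unless-stopped
    env_file: .traefik.env
    security_opt:
      - no-new-privileges=true
    depends_on:
      - socket-proxy # Comment out if not using socket-proxy
    networks:
      - traefik-net
      - socket_proxy
      - mariadb-net
    command:
      - "--configFile=/config/traefik.yml"
    # Long port syntax; every entry below binds on all host interfaces unless
    # host_ip is given. Entrypoints for these ports are presumably declared in
    # /config/traefik.yml (not visible here).
    ports:
      - target: 80 # Container Port
        host_ip: 0.0.0.0 # All interfaces, not a specific one
        published: "80" # STRING
        protocol: tcp # tcp or udp
        mode: host # or Ingress for load balancing
      - target: 443
        host_ip: 0.0.0.0
        published: "443"
        protocol: tcp
        mode: host
      - target: 51820 # wg-easy udp port
        published: "51820"
        protocol: udp
        mode: host
      - target: 32400 # plex remote access tcp port
        published: "32400"
        protocol: tcp
        mode: host
      - target: 1883 # mosquitto port
        published: "1883"
        protocol: tcp
        mode: host
      - target: 8883 # mosquitto secure port
        published: "8883"
        protocol: tcp
        mode: host
      - target: 9001 # mosquitto websocket port
        published: "9001"
        protocol: tcp
        mode: host
      - target: 19132 # minecraft-bedrock port
        published: "19132"
        protocol: udp
        mode: host
      - target: 25565 # minecraft-java port
        published: "25565"
        # NOTE(review): Minecraft Java Edition game traffic is TCP; udp on
        # 25565 only serves the optional query protocol — confirm intent
        # against the matching entrypoint in traefik.yml.
        protocol: udp
        mode: host
      - target: 25575 # minecraft-java rcon port
        published: "25575"
        protocol: tcp
        mode: host
      - target: 8083 # ping port
        published: "8083"
        protocol: tcp
        mode: host
      # NOTE(review): the two database ports below are published on all
      # interfaces. Confirm the TCP entrypoints behind them enforce TLS and/or
      # an IP allowlist, or add host_ip to pin them to a trusted interface.
      - target: 8306 # mariadb port
        published: "8306"
        protocol: tcp
        mode: host
      - target: 9306 # mysql port
        published: "9306"
        protocol: tcp
        mode: host
      - target: 2022 # sftp port1
        published: "2022"
        protocol: tcp
        mode: host
      - target: 2023 # sftp port2
        published: "2023"
        protocol: tcp
        mode: host
      - target: 2024 # sftp port3
        published: "2024"
        protocol: tcp
        mode: host
      - target: 2025 # sftp port4
        published: "2025"
        protocol: tcp
        mode: host
      - target: 2026 # sftp port5
        published: "2026"
        protocol: tcp
        mode: host
      - target: 2027 # sftp port6
        published: "2027"
        protocol: tcp
        mode: host
      - target: 2028 # sftp port7
        published: "2028"
        protocol: tcp
        mode: host
      - target: 2029 # sftp port8
        published: "2029"
        protocol: tcp
        mode: host
    secrets:
      - cf_dns_api_token
    volumes:
      # Static config, dynamic rules and the basic-auth users file are only
      # read by Traefik, so they are mounted read-only: a compromised proxy
      # process cannot rewrite its own routing rules or the password hashes.
      - "$STACKSDIR/config:/config:ro" # traefik.yml
      - "$STACKSDIR/rules:/rules:ro" # Dynamic File Provider directory
      - "$STACKSDIR/users:/mnt/users:ro" # basic-auth username and password hashes
      # /data must stay writable: the ACME resolver writes acme.json here.
      - "$DATADIR/appdata:/data" # acme.json defined in traefik.yaml
      - "$DATADIR/logs:/logs"
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      #
      # http basic-auth middlewares
      # ---------------------------
      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
      #
      # http routers
      # ------------
      # http
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      # NOTE(review): Traefik runs middlewares in listed order, so the
      # basic-auth challenge happens before the redirect chain. If
      # http-mw-rateLimit-secureHeaders-compress-redirect@file is an HTTPS
      # redirect, list it first (or drop the auth middleware on the web router)
      # so credentials are never requested over cleartext HTTP.
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress-redirect@file"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal"
      # https
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
      # attach middlewares to routers
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress@file"
      # tls
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # assign svc target to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal"

  ###############################################################
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
    hostname: traefik_socket-proxy
    restart: unless-stopped
    env_file: .socket-proxy.env
    security_opt:
      - no-new-privileges=true
    networks:
      - socket_proxy
    # NOTE(review): privileged grants every capability and device to a
    # container that already holds the Docker socket, i.e. host-root
    # equivalent. Confirm it is really required on this host; if the only
    # need is socket access, prefer privileged: false with group_add set to
    # the host's docker group id.
    privileged: true # true for VM. false for unprivileged LXC container.
    #depends_on:
    #  - traefik
    # NOTE(review): traefik reaches the proxy over the socket_proxy network,
    # so publishing 2375 exposes an unauthenticated Docker API to every
    # process on the host (loopback only). Remove unless needed for
    # host-side debugging.
    ports:
      - "127.0.0.1:2375:2375"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # the following bind is to persist the non-zero setting of backend docker-events.timeout server
      - type: bind
        source: "${DATADIR}/haproxy/haproxy.cfg.template"
        target: /usr/local/etc/haproxy/haproxy.cfg.template

  ###############################################################
  whoami:
    # NOTE(review): unpinned tag; pin to a specific version (or digest) so the
    # image cannot change underneath the stack between pulls.
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    depends_on:
      - traefik
    networks:
      - traefik-net
    environment:
      - TZ
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      # Plain-HTTP only, no auth: whoami echoes request headers back, so keep
      # it as a diagnostic endpoint and do not leave it published long-term.
      - "traefik.http.routers.whoami-rtr.entrypoints=web"
      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
###############################################################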