diff --git a/traefik/config.yml b/traefik-dashboard/config.yml
similarity index 97%
rename from traefik/config.yml
rename to traefik-dashboard/config.yml
index 1d0d414..97cf778 100644
--- a/traefik/config.yml
+++ b/traefik-dashboard/config.yml
@@ -42,6 +42,7 @@ http:
 default-whitelist:
 ipAllowList:
 sourceRange:
+ - "127.0.0.1/32"
 - "local ip subnet"
 secured:
diff --git a/traefik/docker-compose-dashboard.yml b/traefik-dashboard/docker-compose.yml
similarity index 97%
rename from traefik/docker-compose-dashboard.yml
rename to traefik-dashboard/docker-compose.yml
index 2b72ecb..eb97cdb 100644
--- a/traefik/docker-compose-dashboard.yml
+++ b/traefik-dashboard/docker-compose.yml
@@ -32,8 +32,11 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 ports:
 - 80:80
+ - 81:81
 - 443:443
 - 443:443/udp
+ - 444:444
+ - 444:444/udp
 networks:
 - frontend
diff --git a/traefik-dashboard/traefik.yml b/traefik-dashboard/traefik.yml
new file mode 100644
index 0000000..3ad62de
--- /dev/null
+++ b/traefik-dashboard/traefik.yml
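Review bot: Adding `127.0.0.1/32` to `sourceRange` only matches when Traefik itself sees loopback as the request's RemoteAddr; with the container's ports published by Docker, requests from the host typically arrive from the bridge gateway address (or the real client address when the userland proxy is disabled), so this entry may never match — check what address `access.log` records before relying on it. The neighbouring `"local ip subnet"` is not a valid CIDR and will keep the middleware from loading until it is replaced with a real range such as `"192.168.1.0/24"`. The `ipAllowList` sets no `ipStrategy`, so it judges on the transport address rather than `X-Forwarded-For`, which is the safe choice; keep it that way unless a trusted proxy sits in front. The enclosing `http.middlewares` map starts before this hunk.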
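Review bot: Ports 81 and 444 are published on every host interface with Compose's default binding, and the companion traefik.yml in this commit attaches no `default-whitelist@file` middleware to the `web-external`/`websecure-external` entry points, so anything reachable on those ports bypasses the allowlist that guards 80/443; if they are meant only for a tunnel or proxy on the host, bind them explicitly, e.g. `- "127.0.0.1:444:444"`. The `443:443/udp` and new `444:444/udp` mappings only serve a purpose when HTTP/3 is enabled on the entry point (`http3:` is absent from the traefik.yml added in this commit), so they currently open unused UDP ports. Quote the mappings (`"81:81"`, `"444:444"`) per Compose convention so YAML never retypes them. The `traefik` service definition starts before this hunk.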
@@ -0,0 +1,70 @@
+api:
+ dashboard: true
+ debug: true
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ middlewares:
+ - default-whitelist@file
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ":443"
+ http:
+ middlewares:
+ - default-whitelist@file
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: '*.local.domain.name'
+ web-external:
+ address: ":81"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure-external
+ scheme: https
+ websecure-external:
+ address: ":444"
+ http:
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: domain.name
+ sans:
+ - '*.domain.name'
+serversTransport:
+ insecureSkipVerify: true
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ file:
+ filename: /config.yml
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: email@domain.name
+ storage: acme.json
+ caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+ dnsChallenge:
+ provider: cloudflare
+ #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+ #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
+log:
+ level: "INFO"
+ filePath: "/var/log/traefik/traefik.log"
+ maxSize: 10
+ maxBackups: 5
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+ fields:
+ names:
+ StartUTC: drop
\ No newline at end of file
diff --git a/traefik/compose.yml b/traefik/compose.yml
deleted file mode 100644
index ecde5fd..0000000
--- a/traefik/compose.yml
+++ /dev/null
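Review bot: `serversTransport.insecureSkipVerify: true` disables certificate verification for every backend Traefik proxies to, so any host on the shared Docker network can impersonate an HTTPS upstream; the sibling change to traefik/traefik.yml in this commit already flips this to false, and this new file should match it (`insecureSkipVerify: false`) with a named `serversTransports` entry carrying `rootCAs` (or a scoped `insecureSkipVerify`) declared in the dynamic config for the few self-signed backends that need it. `api.debug: true` additionally exposes profiling and debug endpoints under `/debug/` on the API router, which has no place in a steady-state config; set it to `false` and enable it only while troubleshooting. The `web-external`/`websecure-external` entry points carry no `default-whitelist@file` middleware, so every router bound to them must enforce its own authentication or allowlist or it becomes reachable from the internet on 444 — worth a comment above `web-external:` saying exactly that. The file also lacks a trailing newline.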
@@ -1,59 +0,0 @@
-services:
- traefik:
- container_name: traefik
- image: docker.io/library/traefik:v3.5.0
- restart: unless-stopped
- security_opt:
- - no-new-privileges:true
- secrets:
- - cf_api_token
- command:
- - --log.level=DEBUG
- - --log.filepath=/var/log/traefik/traefik.log
- - --accesslog=true
- - --accesslog.format=json
- - --accesslog.filepath=/var/log/traefik/access.log
- - --api.dashboard=false
- - --providers.docker=true
- - --providers.docker.exposedbydefault=false
- - --providers.docker.network=frontend
- # Set up LetsEncrypt certificate resolver
- - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
- - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
- - --certificatesresolvers.letsencrypt.acme.dnschallenge.delayBeforeCheck=20
- - --certificatesresolvers.letsencrypt.acme.email=${CF_EMAIL}
- - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
- # staging environment of LE, remove for real certs
- # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- # Set up an insecure listener that redirects all traffic to TLS
- - --entrypoints.web.address=:80
- - --entrypoints.websecure.address=:443
- - --entrypoints.web.http.redirections.entrypoint.to=websecure
- - --entrypoints.web.http.redirections.entrypoint.scheme=https
- # Set up the TLS configuration for our websecure listener
- - --entrypoints.websecure.http.tls=true
- - --entrypoints.websecure.http.tls.certResolver=letsencrypt
- - --entrypoints.websecure.http.tls.domains[0].main=${DOMAIN}
- - --entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN}
- environment:
- - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
- volumes:
- - ${APPDATA_PATH}/traefik/letsencrypt/acme.json:/acme.json
- - ${APPDATA_PATH}/traefik/logs:/var/log/traefik
- - /etc/localtime:/etc/localtime:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
- ports:
- - 80:80
- - 443:443
- - 443:443/udp
- networks:
- - frontend
-
-networks:
- frontend:
- external: true
-
-secrets:
- cf_api_token:
- file: ${APPDATA_PATH}/traefik/secrets/cf_api_token
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
index 4d24402..9c8a4e7 100644
--- a/traefik/traefik.yml
+++ b/traefik/traefik.yml
@@ -18,15 +18,12 @@ entryPoints:
 - main: domain.name
 sans:
 - '*.domain.name'
- - '*.local.domain.name'
 serversTransport:
- insecureSkipVerify: true
+ insecureSkipVerify: false
 providers:
 docker:
 endpoint: "unix:///var/run/docker.sock"
 exposedByDefault: false
- file:
- filename: /config.yml
 certificatesResolvers:
 letsencrypt:
 acme:
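Review bot: Removing the `file` provider means any `@file` reference still made from this file — for instance a `default-whitelist@file` middleware on the entry points, whose block starts before this hunk and is not fully visible — will no longer resolve, and Traefik will likely reject the affected routers at load time; grep this file and the Docker labels for `@file` before merging. Flipping `insecureSkipVerify` to `false` is the right default, but backends that were reachable only because verification was off will now fail the TLS handshake, so add per-service `serversTransports` with `rootCAs` (or a scoped `insecureSkipVerify`) in the dynamic configuration rather than reverting the global setting. Dropping the `*.local.domain.name` SAN also shrinks the issued certificate, so any router still matching that host will fall back to Traefik's default self-signed certificate.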