Separate traefik dashboard and update traefik configs

2025-07-25 17:53:07 +05:30
parent b038e39f11
commit ee57c9f750
5 changed files with 75 additions and 63 deletions
--- a/traefik-dashboard/config.yml
+++ b/traefik-dashboard/config.yml
@@ -0,0 +1,52 @@
+http:
+ #region routers 
+  routers:
+    example:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`example.local.domain.name`)"
+      middlewares:
+        - default-headers
+        - https-redirectscheme
+      tls: {}
+      service: example
+#endregion
+
+#region services
+  services:
+    example:
+      loadBalancer:
+        servers:
+          - url: "http://ip:port/"
+        passHostHeader: true
+#endregion
+
+  middlewares:
+    https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    default-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      ipAllowList:
+        sourceRange:
+        - "127.0.0.1/32"
+        - "local ip subnet"
+
+    secured:
+      chain:
+        middlewares:
+        - default-whitelist
+        - default-headers
--- a/traefik-dashboard/docker-compose.yml
+++ b/traefik-dashboard/docker-compose.yml
@@ -0,0 +1,49 @@
+services:
+  traefik:
+    container_name: traefik
+    image: docker.io/library/traefik:v3.5.0
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    secrets:
+      - cf_api_token
+    env_file: .env
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.traefik.entrypoints=web
+      - traefik.http.routers.traefik.rule=Host(`traefik.local.${DOMAIN_NAME}`)
+      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}
+      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
+      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
+      - traefik.http.routers.traefik-secure.entrypoints=websecure
+      - traefik.http.routers.traefik-secure.rule=Host(`traefik.local.${DOMAIN_NAME}`)
+      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
+      - traefik.http.routers.traefik-secure.service=api@internal
+    environment:
+      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_api_token
+      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
+    volumes:
+      - ./data/traefik.yml:/traefik.yml:ro
+      - ./data/acme.json:/acme.json # chmod 600
+      - ./data/config.yml:/config.yml:ro
+      - ./logs:/var/log/traefik
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - 80:80
+      - 81:81
+      - 443:443
+      - 443:443/udp
+      - 444:444
+      - 444:444/udp
+    networks:
+      - frontend
+
+networks:
+  frontend:
+    external: true
+
+secrets:
+  cf_api_token:
+    file: ./cf_api_token.txt
--- a/traefik-dashboard/traefik.yml
+++ b/traefik-dashboard/traefik.yml
@@ -0,0 +1,70 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      middlewares:
+        - default-whitelist@file
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - default-whitelist@file
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: '*.local.domain.name'
+  web-external:
+    address: ":81"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure-external
+          scheme: https
+  websecure-external:
+    address: ":444"
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: domain.name
+            sans:
+              - '*.domain.name'
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: email@domain.name
+      storage: acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+  maxSize: 10
+  maxBackups: 5
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  fields:
+    names:
+      StartUTC: drop