Skip to content

Instantly share code, notes, and snippets.

@natcl

natcl/docker-compose.yaml

Last active May 21, 2024 04:37
Show Gist options
  • Save natcl/ed8253a34e7b87d879baabeba82cb846 to your computer and use it in GitHub Desktop.
Save natcl/ed8253a34e7b87d879baabeba82cb846 to your computer and use it in GitHub Desktop.
Download ZIP
traefik: node-red + mosquitto using letsencrypt
Raw
docker-compose.yaml
version: "3.3"
services:
traefik:
image: "traefik:v2.2"
container_name: "traefik"
command:
- "--api=true"
- "--api.dashboard=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
# Entrypoints
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.mqtt.address=:8883"
# Redirect http to https
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
# Let's encrypt configuration
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "[email protected]"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
- "8883:8883"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.zoo.ocean.mofa.studio`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls.certresolver=myresolver"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
whoami:
image: "containous/whoami"
container_name: "simple-service"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.zoo.ocean.mofa.studio`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls.certresolver=myresolver"
mqtt:
image: "eclipse-mosquitto"
container_name: "mosquitto"
expose:
- "8883"
- "9001"
volumes:
- "./mosquitto.conf:/mosquitto/config/mosquitto.conf"
labels:
- "traefik.enable=true"
- "traefik.http.routers.mqtt.rule=Host(`mqtt.zoo.ocean.mofa.studio`)"
- "traefik.http.routers.mqtt.entrypoints=websecure"
- "traefik.http.routers.mqtt.tls.certresolver=myresolver"
- "traefik.tcp.routers.mqtt.rule=HostSNI(`*`)"
- "traefik.tcp.routers.mqtt.tls.certresolver=myresolver"
- "traefik.tcp.services.mqtt.loadbalancer.server.port=8883"
- "traefik.tcp.routers.mqtt.entrypoints=mqtt"
- "traefik.http.services.mqtt.loadbalancer.server.port=9001"
nodered:
image: "nodered/node-red"
container_name: "nodered"
labels:
- "traefik.enable=true"
- "traefik.http.routers.nodered.rule=Host(`nodered.zoo.ocean.mofa.studio`)"
- "traefik.http.routers.nodered.entrypoints=websecure"
- "traefik.http.routers.nodered.tls.certresolver=myresolver"
- "traefik.http.services.nodered.loadbalancer.server.port=1880"
Raw
mosquitto.conf
port 8883
listener 9001
protocol websockets
@natcl
Copy link
Author

natcl commented May 19, 2022

I believe this could work but I doubt you'll be able to make it work using let's encrypt, you'll probably need you own certificates.

@panda1100
Copy link

Yes, without reverse proxy, client cert authentication works perfect with own ca. but behind traefik it doesn’t work,,
Thank you

@iboluda
Copy link

iboluda commented Oct 10, 2023

Hi, a doubt..in your docker-compose file why are you using the entrypoint for 8883 if you are using the websecure entrypoint in the mqtt section config?

@natcl
Copy link
Author

natcl commented Oct 10, 2023

@iboluda The 8883 entry point is for TCP connections while the 443 is for web sockets, does that answer your question ?

@iboluda
Copy link

iboluda commented Oct 10, 2023

Thanks for clarify me that point. Yes that answer my question

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment