
@piihuynh
Last active January 4, 2022 08:47

Revisions

  1. piihuynh revised this gist Jan 4, 2022. 1 changed file with 1 addition and 1 deletion.
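--- a/traefik-host.yml
+++ b/traefik-host.yml
@@ -1,4 +1,4 @@
-version: '3.3'
+version: '3.7'
 
 services:
 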
  2. piihuynh created this gist Nov 25, 2021.
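--- /dev/null
+++ b/traefik-host.yml
@@ -0,0 +1,102 @@
+version: '3.3'
+
+services:
+
+traefik:
+# Use the latest Traefik image
+image: traefik:v2.5
+ports:
+# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
+- target: 80
+published: 80
+mode: host
+# Listen on port 443, default for HTTPS
+- target: 443
+published: 443
+mode: host
+deploy:
+placement:
+constraints:
+# Make the traefik service run only on the node with this label
+# as the node with it has the volume for the certificates
+- node.labels.traefik-public.traefik-public-certificates == true
+labels:
+# Enable Traefik for this service, to make it available in the public network
+- traefik.enable=true
+# Use the traefik-public network (declared below)
+- traefik.docker.network=traefik-public
+# Use the custom label "traefik.constraint-label=traefik-public"
+# This public Traefik will only use services with this label
+# That way you can add other internal Traefik instances per stack if needed
+- traefik.constraint-label=traefik-public
+# admin-auth middleware with HTTP Basic auth
+# Using the environment variables USERNAME and HASHED_PASSWORD
+- traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
+# https-redirect middleware to redirect HTTP to HTTPS
+# It can be re-used by other stacks in other Docker Compose files
+- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
+- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
+# traefik-http set up only to use the middleware to redirect to https
+# Uses the environment variable DOMAIN
+- traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
+- traefik.http.routers.traefik-public-http.entrypoints=http
+- traefik.http.routers.traefik-public-http.middlewares=https-redirect
+# traefik-https the actual router using HTTPS
+# Uses the environment variable DOMAIN
+- traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
+- traefik.http.routers.traefik-public-https.entrypoints=https
+- traefik.http.routers.traefik-public-https.tls=true
+# Use the special Traefik service api@internal with the web UI/Dashboard
+- traefik.http.routers.traefik-public-https.service=api@internal
+# Use the "le" (Let's Encrypt) resolver created below
+- traefik.http.routers.traefik-public-https.tls.certresolver=le
+# Enable HTTP Basic auth, using the middleware created above
+- traefik.http.routers.traefik-public-https.middlewares=admin-auth
+# Define the port inside of the Docker service to use
+- traefik.http.services.traefik-public.loadbalancer.server.port=8080
+volumes:
+# Add Docker as a mounted volume, so that Traefik can read the labels of other services
+- /var/run/docker.sock:/var/run/docker.sock:ro
+# Mount the volume to store the certificates
+- traefik-public-certificates:/certificates
+command:
+# Enable Docker in Traefik, so that it reads labels from Docker services
+- --providers.docker
+# Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
+- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
+# Do not expose all Docker services, only the ones explicitly exposed
+- --providers.docker.exposedbydefault=false
+# Enable Docker Swarm mode
+- --providers.docker.swarmmode
+# Create an entrypoint "http" listening on address 80
+- --entrypoints.http.address=:80
+# Create an entrypoint "https" listening on address 443
+- --entrypoints.https.address=:443
+# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
+- --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
+# Store the Let's Encrypt certificates in the mounted volume
+- --certificatesresolvers.le.acme.storage=/certificates/acme.json
+# Use the TLS Challenge for Let's Encrypt
+- --certificatesresolvers.le.acme.tlschallenge=true
+# Enable the access log, with HTTP requests
+- --accesslog
+# Enable the Traefik log, for configurations and errors
+- --log
+# Enable the Dashboard and API
+- --api
+networks:
+# Use the public network created to be shared between Traefik and
+# any other service that needs to be publicly available with HTTPS
+- traefik-public
+
+volumes:
+# Create a volume to store the certificates, there is a constraint to make sure
+# Traefik is always deployed to the same Docker node with the same volume containing
+# the HTTPS certificates
+traefik-public-certificates:
+
+networks:
+# Use the previously created public network "traefik-public", shared with other
+# services that need to be publicly available via this Traefik
+traefik-public:
+external: true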
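Review bot: The `/var/run/docker.sock:/var/run/docker.sock:ro` entry under `volumes:` gives the internet-facing Traefik container the full Docker Engine API of a Swarm manager; the `:ro` flag only makes the socket file itself read-only and does not restrict which API calls can be issued, so the comment above it understates the trust being granted. Consider fronting the socket with a filtering proxy that exposes only the read endpoints Traefik's provider needs, and document the decision inline, e.g. `# Full Docker API access: :ro does not limit API calls; restrict via a socket proxy`. Separately, `image: traefik:v2.5` is a floating minor tag while its comment says "Use the latest Traefik image", so the two disagree; pinning a full patch tag or digest would make the stack reproducible and auditable. Also note that the basicauth value built from `${HASHED_PASSWORD}` is stored as a service label and is therefore readable by anyone who can inspect the service, so the hash algorithm chosen should be a strong one rather than a legacy fast hash.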