From 20af2f7ca459bf47b9ee15ffd6294173287f06ac Mon Sep 17 00:00:00 2001
From: djorgensen
Date: Thu, 15 Aug 2024 16:32:53 -0600
Subject: [PATCH] docker-compose-traefik.yml
---
 docker-compose-traefik.yml | 135 +++++++++++++++++++++++++++++++++++++
 1 file changed, 135 insertions(+)
 create mode 100644 docker-compose-traefik.yml
diff --git a/docker-compose-traefik.yml b/docker-compose-traefik.yml
new file mode 100644
index 0000000..b13cfc5
--- /dev/null
+++ b/docker-compose-traefik.yml
@@ -0,0 +1,135 @@
+version: "3.3"
+
+services:
+
+   traefik:
+ image: "traefik:v3.1"
+ container_name: "traefik"
+ command:
+ - "--core.defaultRuleSyntax=v2"
+ - "--log.level=DEBUG"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+ - "--certificatesresolvers.myresolver.acme.email=dj@d-jorgensen.com"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acmewildcard.json"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
+ - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
+ - "--providers.file.filename=/traefik-provider.toml"
+ - "--providers.file.watch=true"
+ labels:
+ #for proxy to jellyfin testing
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.tls.domains[0].main=djorgensen.com"
+ - "traefik.http.routers.traefik.tls.domains[0].sans=*.djorgensen.com"
+ - "traefik.http.routers.traefik.tls.certresolver=myresolver"
+ #HTTP
+ - "traefik.http.routers.jellyfin-web.entrypoints=web"
+ - "traefik.http.routers.jellyfin-web.rule=Host(`jellyfintest.djorgensen.com`)"
+ - "traefik.http.routers.jellyfin-web.middlewares=jellyfin-web-https-redirect"
+ - "traefik.http.middlewares.jellyfin-web-https-redirect.redirectscheme.scheme=https"
+ # Https
+ - "traefik.http.routers.jellyfin-web-secure.entrypoints=websecure"
+ - "traefik.http.routers.jellyfin-web-secure.rule=Host(`jellyfintest.djorgensen.com`)"
+ - "traefik.http.routers.jellyfin-web-secure.tls=true"
+ - "traefik.http.routers.jellyfin-web-secure.tls.certresolver=myresolver"
+ #Middleware
+ - 'traefik.http.routers.jellyfin-web-secure.middlewares=jellyfin-mw'
+ #### The customResponseHeaders option lists the Header names and values to apply to the response.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'
+ #### The sslRedirect is set to true, then only allow https requests.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect=true'
+ #### The sslHost option is the host name that is used to redirect http requests to https.
+ #### This is the exact URL that will be redirected to, so you can remove the :9999 port if using default SSL port
+ - 'traefik.http.middlewares.jellyfin-mw.headers.SSLHost=jellyfintest.djorgensen.com'
+ #### Set sslForceHost to true and set SSLHost to forced requests to use SSLHost even the ones that are already using SSL.
+ #### Note that this uses SSLHost verbatim, so add the port to SSLHost if you are using an alternate port.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost=true'
+ #### The stsSeconds is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000'
+ #### The stsIncludeSubdomains is set to true, the includeSubDomains directive will be
+ #### appended to the Strict-Transport-Security header.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true'
+ #### Set stsPreload to true to have the preload flag appended to the Strict-Transport-Security header.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true'
+ #### Set forceSTSHeader to true, to add the STS header even when the connection is HTTP.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true'
+ #### Set frameDeny to true to add the X-Frame-Options header with the value of DENY.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true'
+ #### Set contentTypeNosniff to true to add the X-Content-Type-Options header with the value nosniff.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true'
+ #### Set browserXssFilter to true to add the X-XSS-Protection header with the value 1; mode=block.
+ - 'traefik.http.middlewares.jellyfin-mw.headers.customresponseheaders.X-XSS-PROTECTION=0'
+ #### The customFrameOptionsValue allows the X-Frame-Options header value to be set with a custom value. This
+ #### overrides the FrameDeny option.
+ - "traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue='allow-from https://djorgensen.com'"
+ ## HTTP Service
+ # We define the port here as a port is required, but note that the service is pointing to the service defined in @file
+ - 'traefik.http.routers.jellyfin-web-secure.service=jellyfin-svc@file'
+ - 'traefik.http.services.jellyfin-svc@file.loadBalancer.server.port=8096'
+ - 'traefik.http.services.jellyfin-svc@file.loadBalancer.passHostHeader=true'
+ #for proxy to vault testing
+ #HTTP
+ - "traefik.http.routers.vault-web.entrypoints=web"
+ - "traefik.http.routers.vault-web.rule=Host(`vault.djorgensen.com`)"
+ - "traefik.http.routers.vault-web.middlewares=vault-web-https-redirect"
+ - "traefik.http.middlewares.vault-web-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.vault-web-secure.middlewares=vault-web-ipallowlist"
+ - "traefik.http.middlewares.vault-web-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24"
+ # Https
+ - "traefik.http.routers.vault-web-secure.entrypoints=websecure"
+ - "traefik.http.routers.vault-web-secure.rule=Host(`vault.djorgensen.com`)"
+ - "traefik.http.routers.vault-web-secure.tls=true"
+ - "traefik.http.routers.vault-web-secure.tls.certresolver=myresolver"
+ ## HTTP Service
+ # We define the port here as a port is required, but note that the service is pointing to the service defined in @file
+ - "traefik.http.routers.vault-web-secure.service=vault-svc@file"
+ - "traefik.http.services.vault-svc@file.loadBalancer.server.port=8000"
+ - "traefik.http.services.vault-svc@file.loadBalancer.passHostHeader=true"
+ - "traefik.http.services.vault-svc@file.loadbalancer.server.scheme=http"
+ ports:
+ - "80:80"
+ - "443:443"
+ - "8088:8080"
+ environment:
+ - CF_API_EMAIL=dj@d-jorgensen.com
+ - CF_DNS_API_TOKEN=Uh69ING68kV9hfQDAXXBUUyo1PJrI9PNcjWrOQNq
+ volumes:
+ - "/docker/letsencrypt:/letsencrypt"
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "/docker/traefik/traefik-provider.toml:/traefik-provider.toml"
+ networks:
+ - traefik_proxy
+
+ nginx:
+ image: "nginx"
+ container_name: "djorgensen.com"
+ restart: "always"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.port=80"
+ - "traefik.http.routers.nginx.rule=Host(`djorgensen.com`, `www.djorgensen.com`)"
+ - "traefik.http.routers.nginx.tls=true"
+ - "traefik.http.routers.nginx.tls.certresolver=myresolver"
+ - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
+ - "traefik.http.routers.http_catchall.entrypoints=web"
+ - "traefik.http.routers.http_catchall.middlewares=https_redirect"
+ - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
+ - "traefik.http.middlewares.non_www.redirectregex.regex=^https://(?:www\\.)?(.+)"
+ - "traefik.http.middlewares.non_www.redirectregex.replacement=https://$${1}"
+ - "traefik.http.middlewares.non_www.redirectregex.permanent=true"
+ - "traefik.http.routers.nginx.middlewares=https_redirect@docker, non_www@docker"
+ volumes:
+ - "/var/www/html:/usr/share/nginx/html"
+ networks:
+ - traefik_proxy
+
+networks:
+ traefik_proxy:
+ external: true
\ No newline at end of file
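Review bot: The `environment:` block commits a live Cloudflare DNS API token in plaintext (`CF_DNS_API_TOKEN=Uh69ING68kV9hfQDAXXBUUyo1PJrI9PNcjWrOQNq`); a dns-01 token must be able to edit records in the zone, so anyone with read access to this repository can repoint djorgensen.com or obtain the wildcard certificate for it. Treat the token as compromised, rotate it, and keep the new one out of the file — for example `CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_token` backed by a compose `secrets:` entry, or a git-ignored `.env` — and purge this commit from history, since rotation alone leaves the old value in the log. Separately, `--api.insecure=true` combined with `"8088:8080"` under `ports:` publishes the Traefik dashboard and API on every host interface with no authentication; either bind it to loopback (`"127.0.0.1:8088:8080"`) or drop `api.insecure` and route `api@internal` behind an `ipallowlist`/`basicauth` middleware like the one already defined for vault. Also note that `customFrameOptionsValue='allow-from https://djorgensen.com'` sends the single quotes as part of the header value and `allow-from` is ignored by current browsers, so the framing restriction it is meant to apply does not take effect; `contentSecurityPolicy=frame-ancestors https://djorgensen.com` is the supported way to express it.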