docker-compose-traefik.yml

docker-compose-traefik.yml

@@ -0,0 +1,135 @@
+version: "3.3"
+
+services:
+
+  traefik:
+    image: "traefik:v3.1"
+    container_name: "traefik"
+    command:
+      - "--core.defaultRuleSyntax=v2"
+      - "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.email=dj@d-jorgensen.com"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acmewildcard.json"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
+      - "--providers.file.filename=/traefik-provider.toml"
+      - "--providers.file.watch=true"
+    labels:
+      #for proxy to jellyfin testing
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.tls.domains[0].main=djorgensen.com"
+      - "traefik.http.routers.traefik.tls.domains[0].sans=*.djorgensen.com"
+      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
+        #HTTP
+      - "traefik.http.routers.jellyfin-web.entrypoints=web"
+      - "traefik.http.routers.jellyfin-web.rule=Host(`jellyfintest.djorgensen.com`)"
+      - "traefik.http.routers.jellyfin-web.middlewares=jellyfin-web-https-redirect"
+      - "traefik.http.middlewares.jellyfin-web-https-redirect.redirectscheme.scheme=https"
+      # Https
+      - "traefik.http.routers.jellyfin-web-secure.entrypoints=websecure"
+      - "traefik.http.routers.jellyfin-web-secure.rule=Host(`jellyfintest.djorgensen.com`)"
+      - "traefik.http.routers.jellyfin-web-secure.tls=true"
+      - "traefik.http.routers.jellyfin-web-secure.tls.certresolver=myresolver"
+      #Middleware
+      - 'traefik.http.routers.jellyfin-web-secure.middlewares=jellyfin-mw'
+      #### The customResponseHeaders option lists the Header names and values to apply to the response.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex'
+      #### The sslRedirect is set to true, then only allow https requests.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect=true'
+      #### The sslHost option is the host name that is used to redirect http requests to https.
+      #### This is the exact URL that will be redirected to, so you can remove the :9999 port if using default SSL port
+      - 'traefik.http.middlewares.jellyfin-mw.headers.SSLHost=jellyfintest.djorgensen.com'
+      #### Set sslForceHost to true and set SSLHost to forced requests to use SSLHost even the ones that are already using SSL.
+      #### Note that this uses SSLHost verbatim, so add the port to SSLHost if you are using an alternate port.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost=true'
+      #### The stsSeconds is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000'
+      #### The stsIncludeSubdomains is set to true, the includeSubDomains directive will be
+      #### appended to the Strict-Transport-Security header.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true'
+      #### Set stsPreload to true to have the preload flag appended to the Strict-Transport-Security header.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true'
+      #### Set forceSTSHeader to true, to add the STS header even when the connection is HTTP.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true'
+      #### Set frameDeny to true to add the X-Frame-Options header with the value of DENY.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true'
+      #### Set contentTypeNosniff to true to add the X-Content-Type-Options header with the value nosniff.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true'
+      #### Set browserXssFilter to true to add the X-XSS-Protection header with the value 1; mode=block.
+      - 'traefik.http.middlewares.jellyfin-mw.headers.customresponseheaders.X-XSS-PROTECTION=0'
+      #### The customFrameOptionsValue allows the X-Frame-Options header value to be set with a custom value. This
+            #### overrides the FrameDeny option.
+      - "traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue='allow-from https://djorgensen.com'"
+      ## HTTP Service
+      # We define the port here as a port is required, but note that the service is pointing to the service defined in @file
+      - 'traefik.http.routers.jellyfin-web-secure.service=jellyfin-svc@file'
+      - 'traefik.http.services.jellyfin-svc@file.loadBalancer.server.port=8096'
+      - 'traefik.http.services.jellyfin-svc@file.loadBalancer.passHostHeader=true'
+       #for proxy to vault testing
+        #HTTP
+      - "traefik.http.routers.vault-web.entrypoints=web"
+      - "traefik.http.routers.vault-web.rule=Host(`vault.djorgensen.com`)"
+      - "traefik.http.routers.vault-web.middlewares=vault-web-https-redirect"
+      - "traefik.http.middlewares.vault-web-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.vault-web-secure.middlewares=vault-web-ipallowlist"
+      - "traefik.http.middlewares.vault-web-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24"
+      # Https
+      - "traefik.http.routers.vault-web-secure.entrypoints=websecure"
+      - "traefik.http.routers.vault-web-secure.rule=Host(`vault.djorgensen.com`)"
+      - "traefik.http.routers.vault-web-secure.tls=true"
+      - "traefik.http.routers.vault-web-secure.tls.certresolver=myresolver"
+      ## HTTP Service
+      # We define the port here as a port is required, but note that the service is pointing to the service defined in @file
+      - "traefik.http.routers.vault-web-secure.service=vault-svc@file"
+      - "traefik.http.services.vault-svc@file.loadBalancer.server.port=8000"
+      - "traefik.http.services.vault-svc@file.loadBalancer.passHostHeader=true"
+      - "traefik.http.services.vault-svc@file.loadbalancer.server.scheme=http"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8088:8080"
+    environment:
+      - CF_API_EMAIL=dj@d-jorgensen.com
+      - CF_DNS_API_TOKEN=Uh69ING68kV9hfQDAXXBUUyo1PJrI9PNcjWrOQNq
+    volumes:
+      - "/docker/letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/docker/traefik/traefik-provider.toml:/traefik-provider.toml"
+    networks:
+      - traefik_proxy
+
+  nginx:
+    image: "nginx"
+    container_name: "djorgensen.com"
+    restart: "always"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.port=80"
+      - "traefik.http.routers.nginx.rule=Host(`djorgensen.com`, `www.djorgensen.com`)"
+      - "traefik.http.routers.nginx.tls=true"
+      - "traefik.http.routers.nginx.tls.certresolver=myresolver"
+      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
+      - "traefik.http.routers.http_catchall.entrypoints=web"
+      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
+      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
+      - "traefik.http.middlewares.non_www.redirectregex.regex=^https://(?:www\\.)?(.+)"
+      - "traefik.http.middlewares.non_www.redirectregex.replacement=https://$${1}"
+      - "traefik.http.middlewares.non_www.redirectregex.permanent=true"
+      - "traefik.http.routers.nginx.middlewares=https_redirect@docker, non_www@docker"
+    volumes:
+      - "/var/www/html:/usr/share/nginx/html"
+    networks:
+      - traefik_proxy
+
+networks:
+  traefik_proxy:
+    external: true