fosc
/
wiki
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

docs: update traefik

This commit is contained in:
Pablo Moyano 2019-12-28 17:37:39 +00:00 committed by FOSC
parent f613911819
commit 695f0876f0
1 changed files with 158 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

243
traefik.md
View File

@ -2,7 +2,7 @@
title: Traefik
description: Hypercharged reverse proxy with Docker autodiscovery and other goodies
published: true
date: 2019-07-01T15:21:53.482Z
date: 2019-12-28T17:37:38.426Z
tags:
---
@ -29,93 +29,166 @@ On NixOS:
};
```
# Configuration
`traefik.toml`
Using docker-compose:
```
logLevel = "INFO"
version: '3.7'
defaultEntryPoints = ["http", "https"]
[accessLog]
filePath = "/var/lib/traefik/access.log"
format = "json"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
sniStrict = true
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
[entryPoints.bitwarden]
address = ":3012"
[entryPoints.traefik]
address = ":8080"
# [entryPoints.traefik.auth]
# [entryPoints.traefik.auth.basic]
# users = [
# "Enter your magic apache htaccess basic auth string here"
# ]
[api]
dashboard = true
entryPoint = "traefik"
[file]
watch = true
filename = "/var/lib/traefik/rules.toml"
# Let's encrypt configuration
[acme]
email = "fosc@fosc.space"
storage = "/var/lib/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging = true
onDemand = false
onHostRule = true
[acme.tlsChallenge]
[docker]
services:
traefik:
image: traefik:latest
network_mode: host
volumes:
- ./config/:/etc/traefik/
- /var/run/docker.sock:/var/run/docker.sock
```
# Manual routes
`rules.toml`
```
[frontends]
[frontends.netdata]
backend = "b_netdata"
[frontends.netdata.routes.r1]
rule = "Host: netdata.fosc.space"
[frontends.transmission]
backend = "b_transmission"
[frontends.transmission.routes.r1]
rule = "Host: transmission.fosc.space"
[frontends.router]
backend = "b_router"
[frontends.router.routes.r1]
rule = "Host: router.fosc.space"
# Traefik Configuration
Paths vary between a docker-compose install or a NixOS install. The container wants its files placed at `/etc/traefik/` while a native install is most likely to prefer `/var/lib/traefik/`.
[backends]
[backends.b_netdata]
[backends.b_netdata.servers.localhost]
url = "http://fosc.lan:19999"
weight = 1
[backends.b_transmission]
[backends.b_transmission.servers.localhost]
url = "http://fosc.lan:9091"
[backends.b_router]
[backends.b_router.servers.router]
url = "http://openwrt.lan:19999"
Paths provided in this example use the `/etc/traefik/` route.
An `acme` folder needs to exist with `700` permissions, inside there should be an `acme.json` with 600 permissions. Without them, Let's Encrypt certificates will never work.
## Static configuration
Changing this requires a Traefik restart.
`/etc/traefik/traefik.yml`
```
api:
dashboard: true
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /etc/traefik/config.yml
watch: true
certificatesResolvers:
default:
acme:
email: example@changeme.com
storage: /etc/traefik/acme/acme.json
tlsChallenge: {}
log:
level: WARNING
filePath: /etc/traefik/debug.log
format: json
```
## Dynamic configuration
Traefik live reloads this file.
All http input is elevated to https using the "redirect" middleware. `traefik` and `netdata` routers listen on 443. `traefik` also runs the "auth" middleware to ask for password.
`/etc/traefik/config.yml`
```
http:
routers:
redirector:
rule: HostRegexp(`{any:.*}`)
entryPoints:
- "web"
service: dummy
middlewares:
- redirect
traefik:
rule: Host(`traefik.your.domain`)
entryPoints:
- "web-secure"
service: api@internal
middlewares:
- auth
tls:
certResolver: default
netdata:
rule: Host(`netdata.your.domain`)
entryPoints:
- "web-secure"
service: netdata
tls:
certResolver: default
services:
dummy:
loadBalancer:
servers:
- url: http://127.0.0.1
netdata:
loadBalancer:
servers:
- url: http://localhost:19999
middlewares:
redirect:
redirectScheme:
scheme: https
auth:
basicAuth:
users:
- 'test:$apr1$tyoqkxlc$BbG4rHVMcV7mSQWIgEZQT0' #test/test
tls:
options:
default:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
mintls13:
minVersion: VersionTLS13
```
# Configuring a docker-compose Service
This is the most usual configuration a service will need, which is self explanatory.
```
version: '3.7'
services:
whoami:
image: containous/whoami
labels:
- traefik.enable=true
- traefik.http.routers.whoami.entryPoints=web-secure
- traefik.http.routers.whoami.rule=Host(`whoami.your.domain`)
- traefik.http.routers.whoami.tls.certresolver=default
```
A more verbose one is needed when a specific port must be used or a middleware is needed, such as asking for basic authentication.
Here shown a Caddy download page that asks for the username and password defined in the dynamic configuration.
It also doesn't use Let's Encrypt and will serve Traefik's default certificate, as the machine this configuration is pulled from is running behind Cloudflare.
```
version: '3.7'
services:
private-caddy:
image: abiosoft/caddy:php
restart: unless-stopped
volumes:
- ./srv:/srv
labels:
- traefik.enable=true
- traefik.http.routers.private-caddy.entryPoints=web-secure
- traefik.http.routers.private-caddy.rule=Host(`private.your.domain`)
- traefik.http.routers.private-caddy.tls=true
- traefik.http.routers.private-caddy.middlewares=auth@file
- traefik.http.services.private-caddy.loadbalancer.server.port=2015
```