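version: '3.8'

# Traefik edge stack: reverse-proxy (TLS termination + ACME via Cloudflare DNS),
# a cloudflared tunnel, a fallback error-pages service and a Cloudflare DNS
# companion that creates CNAME records for Traefik-routed hosts.
#
# NOTE(review): router labels live under `deploy.labels` (Swarm style) while
# `container_name` / `restart` are plain-Compose options. Under a plain
# `docker compose up`, `deploy.labels` are not applied to the container, so the
# Docker provider never sees these routers — presumably this is deployed with
# `docker stack deploy`; confirm which runtime is used.

services:
  reverse-proxy:
    # NOTE(review): the tag is unpinned. Traefik v3 changed parts of the rule
    # syntax (e.g. HostRegexp) and some option names, so the labels below can
    # stop matching on an image refresh — pin a major version.
    image: traefik:latest
    command:
      - "--log"
      - "--log.level=debug"
      - "--log.format=json"
      # The API is served unauthenticated on :8080 (see `ports` below).
      - "--api.insecure=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/config"
      - "--providers.file.watch=true"
      # Allow self-signed certificates for target hosts - https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
      # This disables backend certificate validation for every upstream, not
      # just the self-signed ones; a per-service serversTransport is the
      # narrower alternative.
      - "--serversTransport.insecureSkipVerify=true"
      - "--metrics"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
      # :80 only redirects to HTTPS.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      # 0s disables the read/write timeouts (long-lived streams); idle still
      # closes after 5m.
      - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0s"
      - "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=0s"
      - "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=5m"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
      # Not published on the host; reachable only from the compose networks.
      - "--entrypoints.webinternal.address=:82"
      # ACME via Cloudflare DNS-01; `letsencrypt` is the only resolver defined,
      # every router's certresolver must reference this name.
      - "--certificatesresolvers.letsencrypt.acme.email=kasperj@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"
    environment:
      # The Cloudflare token is read from the environment / .env file rather
      # than written inline, so it never lands in version control. A token
      # that was previously committed here should be treated as exposed and
      # rotated. The scoped DNS token is the only credential the Cloudflare
      # DNS-01 provider needs; the global-API-key path would also require
      # CLOUDFLARE_EMAIL, which is not set here.
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
      - CLOUDFLARE_HTTP_TIMEOUT=${HTTP_TIMEOUT}
      - CLOUDFLARE_POLLING_INTERVAL=${POLLING_INTERVAL}
      - CLOUDFLARE_PROPAGATION_TIMEOUT=${PROPAGATION_TIMEOUT}
      - CLOUDFLARE_TTL=${TTL}
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=proxy
        # API over HTTPS on its own host name.
        - traefik.http.routers.api.rule=Host(`traefik-api.kaspers.us`)
        - traefik.http.routers.api.service=api@internal
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.tls=true
        - traefik.http.routers.api.tls.certresolver=letsencrypt
        - traefik.http.services.api.loadbalancer.server.port=8080
        # Dashboard router. NOTE(review): it is bound to the `web` entrypoint,
        # which redirects every request to websecure, so a TLS router here is
        # effectively unreachable as written — likely meant entrypoints=websecure.
        - traefik.http.routers.dashboard.rule=Host(`traefik.kaspers.us`)
        - traefik.http.routers.dashboard.entrypoints=web
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.routers.dashboard.tls=true
        # Must name the resolver declared in `command` (`letsencrypt`); an
        # undefined resolver name leaves this router without a certificate.
        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
    ports:
      # HTTP
      - target: 80
        published: 80
      # HTTPS
      - target: 443
        published: 443
      # Web UI (enabled by --api.insecure=true).
      # NOTE(review): this publishes the unauthenticated API/dashboard on the
      # host. cloudflare-companion polls it over the `internal` network, so
      # nothing in this file needs the host-published port; the api/dashboard
      # routers above already serve it over TLS.
      - target: 8080
        published: 8182
    networks:
      - proxy
      - internal
    volumes:
      # So that Traefik can listen to the Docker events (read-only is enough
      # for the provider). Mounted once — a duplicate mount of the same target
      # path is rejected by the engine.
      - /var/run/docker.sock:/var/run/docker.sock
      - /share/Media/container-station-data/traefik/acme:/etc/traefik/acme/
      - /share/Media/container-station-data/traefik/origcerts:/etc/traefik/certs/
      - /share/Media/container-station-data/traefik:/config
      - /share/Media/container-station-data/traefik/cloudflare:/cloudflare

  # traefik-forward-auth:
  #   image: thomseddon/traefik-forward-auth:2.1.0
  #   networks:
  #     - traefik
  #   environment:
  #     - PROVIDERS_GOOGLE_CLIENT_ID=${PROVIDERS_GOOGLE_CLIENT_ID}
  #     - PROVIDERS_GOOGLE_CLIENT_SECRET=${PROVIDERS_GOOGLE_CLIENT_SECRET}
  #     - SECRET=${SECRET}
  #     - AUTH_HOST=auth.${ROOT_DOMAIN}
  #     - COOKIE_DOMAIN=${ROOT_DOMAIN}
  #     - WHITELIST=${WHITELIST}
  #   deploy:
  #     labels:
  #       - traefik.enable=true
  #       - traefik.docker.network=traefik
  #       #
  #       - traefik.http.routers.auth.rule=Host(`auth.${ROOT_DOMAIN}`)
  #       - traefik.http.routers.auth.entrypoints=websecure
  #       - traefik.http.routers.auth.tls=true
  #       - traefik.http.routers.auth.tls.domains[0].main=${ROOT_DOMAIN}
  #       - traefik.http.routers.auth.tls.domains[0].sans=*.${ROOT_DOMAIN}
  #       - traefik.http.routers.auth.tls.certresolver=letsencrypt
  #       - traefik.http.routers.auth.service=auth@docker
  #       #
  #       - traefik.http.services.auth.loadbalancer.server.port=4181
  #       #
  #       - traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181
  #       - traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true
  #       - traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
  #       #
  #       - traefik.http.routers.auth.middlewares=forward-auth
  #       #
  #       - traefik.constraint=proxy-public

  tunnel:
    container_name: cloudflared-tunnel
    # NOTE(review): unpinned image tag; pin for reproducible deploys.
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    networks:
      - proxy
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}

  error-pages:
    image: tarampampam/error-pages:2.26.0
    environment:
      TEMPLATE_NAME: l7-dark
    networks:
      - proxy
    deploy:
      labels:
        - traefik.enable=true
        # The service only joins `proxy`; the provider must be told to use
        # that network (a `traefik` network is not defined in this file).
        - traefik.docker.network=proxy
        # use as "fallback" for any non-registered services (with priority below normal)
        - traefik.http.routers.error-pages.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.error-pages.priority=10
        # should say that all of your services work on https
        # Label values are passed verbatim: the value must be the bare `true`,
        # not a quoted string, or Traefik fails to parse the bool.
        - traefik.http.routers.error-pages.tls=true
        - traefik.http.routers.error-pages.entrypoints=websecure
        - traefik.http.routers.error-pages.middlewares=error-pages
        - traefik.http.services.error-pages.loadbalancer.server.port=8080
        # "errors" middleware settings
        - traefik.http.middlewares.error-pages.errors.status=400-599
        - traefik.http.middlewares.error-pages.errors.service=error-pages
        - traefik.http.middlewares.error-pages.errors.query=/{status}.html

  cloudflare-companion:
    # NOTE(review): unpinned image tag; pin for reproducible deploys.
    image: ghcr.io/tiredofit/docker-traefik-cloudflare-companion:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - TIMEZONE=America/New_York
      - LOG_TYPE=CONSOLE
      - LOG_LEVEL=INFO
      - TRAEFIK_VERSION=2
      - RC_TYPE=CNAME
      - TARGET_DOMAIN=8b520bb5-6093-4c17-a5b1-f8facb18db47.cfargotunnel.com
      - DOMAIN1_TARGET_DOMAIN=8b520bb5-6093-4c17-a5b1-f8facb18db47.cfargotunnel.com
      - REFRESH_ENTRIES=TRUE
      - TRAEFIK_DEFAULT_RULE=FALSE
      - TRAEFIK_ENABLE_LABEL_ONLY=TRUE
      - DEFAULT_MODE=SKIP
      - PURGE_ON_DELETE=TRUE
      - ENABLE_TRAEFIK_POLL=TRUE
      # Polls Traefik's insecure API over the shared `internal` network.
      - TRAEFIK_POLL_URL=http://reverse-proxy:8080/
      - TRAEFIK_FILTER_LABEL=traefik.constraint
      - TRAEFIK_FILTER=proxy-public
      - DOMAIN1=${ROOT_DOMAIN}
      - DOMAIN1_ZONE_ID=${ZONE_ID}
      - DOMAIN1_PROXIED=TRUE
      - TRAEFIK_EXCLUDED_HOST1=.*
      # Token supplied via the environment / .env file, never inline.
      - CF_TOKEN=${CF_TOKEN}
    restart: always
    networks:
      - internal

networks:
  proxy:
    external: true
  # Default-settings bridge shared by reverse-proxy and cloudflare-companion.
  internal: {}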