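# Traefik reverse proxy for a QNAP Container Station host, published through a
# Cloudflare Tunnel, with Cloudflare DNS-01 ACME certificates, an error-page
# fallback service and a companion that registers DNS records for routed hosts.
#
# All secrets (CLOUDFLARE_DNS_API_TOKEN, CF_TOKEN, TUNNEL_TOKEN,
# TRAEFIK_DASHBOARD_USERS) come from the compose environment / .env file and are
# never written into this file. The API token that used to be inlined here has
# to be treated as exposed and rotated in the Cloudflare dashboard.
version: '3.8'

services:
  reverse-proxy:
    # Pinned to the v2 line: the router rules below use v2 syntax
    # (HostRegexp(`{host:.+}`)) and cloudflare-companion is configured with
    # TRAEFIK_VERSION=2, so a floating `latest` tag would pull v3 and break routing.
    image: traefik:v2.11
    restart: unless-stopped
    command:
      - "--log"
      - "--log.level=debug"  # verbose; drop to info once the setup is stable
      - "--log.format=json"
      # Serves the API/dashboard on :8080 without authentication. That port is
      # not published on the host (see `ports`); it is only reachable on the
      # compose networks, where cloudflare-companion polls it.
      - "--api.insecure=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/config"
      - "--providers.file.watch=true"
      # Allow self-signed certificates for target hosts - https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
      # This disables backend certificate checks globally; a per-service
      # serversTransport limits it to the hosts that actually need it.
      - "--serversTransport.insecureSkipVerify=true"
      - "--metrics"
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0s"
      - "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=0s"
      - "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=5m"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
      - "--entrypoints.webinternal.address=:82"  # not published below; kept for file-provider routers
      - "--certificatesresolvers.letsencrypt.acme.email=kasperj@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/letsencrypt.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=300"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=8.8.8.8:53"
    environment:
      # Scoped API token for the DNS-01 challenge; compose fails to start when it
      # is unset instead of running with an empty credential.
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN:?required}
      # CLOUDFLARE_API_KEY (the legacy global key) is intentionally not set: as far
      # as I can tell the ACME client only uses it together with CLOUDFLARE_EMAIL,
      # and it previously just duplicated the token above.
      - CLOUDFLARE_HTTP_TIMEOUT=${HTTP_TIMEOUT}
      - CLOUDFLARE_POLLING_INTERVAL=${POLLING_INTERVAL}
      - CLOUDFLARE_PROPAGATION_TIMEOUT=${PROPAGATION_TIMEOUT}
      - CLOUDFLARE_TTL=${TTL}
    # Container labels rather than `deploy.labels`: without a swarm-mode provider
    # flag the Docker provider reads container labels, and plain `docker compose`
    # does not copy `deploy.labels` onto containers (re-check if this stack is
    # deployed with `docker stack deploy`).
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      # The API and dashboard are only served over TLS and behind basic auth.
      # TRAEFIK_DASHBOARD_USERS holds htpasswd-format entries; every `$` in the
      # hash must be written as `$$` in .env so compose does not interpolate it.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS:?required}"
      - traefik.http.routers.api.rule=Host(`traefik-api.kaspers.us`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.tls=true
      - traefik.http.routers.api.tls.certresolver=letsencrypt
      - traefik.http.routers.api.middlewares=dashboard-auth
      # api@internal has no backend server, so no loadbalancer.server.port is needed.
      - traefik.http.routers.dashboard.rule=Host(`traefik.kaspers.us`)
      - traefik.http.routers.dashboard.service=api@internal
      # websecure, not web: `web` only redirects to HTTPS, so a TLS router on it
      # never matched. The resolver is `letsencrypt` (no `myresolver` is defined).
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls=true
      - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
      - traefik.http.routers.dashboard.middlewares=dashboard-auth
    ports:
      # HTTP (redirected to HTTPS by the web entrypoint)
      - target: 80
        published: 80
      # HTTPS
      - target: 443
        published: 443
      # The :8080 API/dashboard is deliberately no longer published on the host
      # (it was reachable unauthenticated on :8182); use the `api` / `dashboard`
      # routers above instead.
    networks:
      - proxy
      - internal
    volumes:
      # So that Traefik can listen to the Docker events. The socket gives full
      # control of the host Docker daemon (`:ro` does not restrict the API); a
      # read-only socket proxy is the usual way to narrow that. Mounted once —
      # the former duplicate entry made the daemon reject the container.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /share/Media/container-station-data/traefik/acme:/etc/traefik/acme/
      - /share/Media/container-station-data/traefik/origcerts:/etc/traefik/certs/
      - /share/Media/container-station-data/traefik:/config
      - /share/Media/container-station-data/traefik/cloudflare:/cloudflare

  # traefik-forward-auth:
  #   image: thomseddon/traefik-forward-auth:2.1.0
  #   networks:
  #     - traefik
  #   environment:
  #     - PROVIDERS_GOOGLE_CLIENT_ID=${PROVIDERS_GOOGLE_CLIENT_ID}
  #     - PROVIDERS_GOOGLE_CLIENT_SECRET=${PROVIDERS_GOOGLE_CLIENT_SECRET}
  #     - SECRET=${SECRET}
  #     - AUTH_HOST=auth.${ROOT_DOMAIN}
  #     - COOKIE_DOMAIN=${ROOT_DOMAIN}
  #     - WHITELIST=${WHITELIST}
  #   deploy:
  #     labels:
  #       - traefik.enable=true
  #       - traefik.docker.network=traefik
  #
  #       - traefik.http.routers.auth.rule=Host(`auth.${ROOT_DOMAIN}`)
  #       - traefik.http.routers.auth.entrypoints=websecure
  #       - traefik.http.routers.auth.tls=true
  #       - traefik.http.routers.auth.tls.domains[0].main=${ROOT_DOMAIN}
  #       - traefik.http.routers.auth.tls.domains[0].sans=*.${ROOT_DOMAIN}
  #       - traefik.http.routers.auth.tls.certresolver=letsencrypt
  #       - traefik.http.routers.auth.service=auth@docker
  #
  #       - traefik.http.services.auth.loadbalancer.server.port=4181
  #
  #       - traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181
  #       - traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true
  #       - traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
  #
  #       - traefik.http.routers.auth.middlewares=forward-auth
  #
  #       - traefik.constraint=proxy-public

  tunnel:
    container_name: cloudflared-tunnel
    # Unpinned; pin to a release tag for reproducible deployments.
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    networks:
      - proxy
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN:?required}

  error-pages:
    image: tarampampam/error-pages:2.26.0
    environment:
      TEMPLATE_NAME: l7-dark
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # Must be a network shared with Traefik; `traefik` is not defined in this
      # file, so the router could never reach this container.
      - traefik.docker.network=proxy
      # use as "fallback" for any non-registered services (with priority below normal)
      - traefik.http.routers.error-pages.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.error-pages.priority=10
      # should say that all of your services work on https
      # (plain true: the former quoted 'true' is passed literally and is not a valid boolean)
      - traefik.http.routers.error-pages.tls=true
      - traefik.http.routers.error-pages.entrypoints=websecure
      - traefik.http.routers.error-pages.middlewares=error-pages
      - traefik.http.services.error-pages.loadbalancer.server.port=8080
      # "errors" middleware settings
      - traefik.http.middlewares.error-pages.errors.status=400-599
      - traefik.http.middlewares.error-pages.errors.service=error-pages
      - traefik.http.middlewares.error-pages.errors.query=/{status}.html

  cloudflare-companion:
    image: ghcr.io/tiredofit/docker-traefik-cloudflare-companion:latest
    restart: always
    volumes:
      # Same caveat as for reverse-proxy: this is full Docker daemon access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TIMEZONE=America/New_York
      - LOG_TYPE=CONSOLE
      - LOG_LEVEL=INFO
      - TRAEFIK_VERSION=2
      - RC_TYPE=CNAME
      - TARGET_DOMAIN=8b520bb5-6093-4c17-a5b1-f8facb18db47.cfargotunnel.com
      - DOMAIN1_TARGET_DOMAIN=8b520bb5-6093-4c17-a5b1-f8facb18db47.cfargotunnel.com
      - REFRESH_ENTRIES=TRUE
      - TRAEFIK_DEFAULT_RULE=FALSE
      - TRAEFIK_ENABLE_LABEL_ONLY=TRUE
      - DEFAULT_MODE=SKIP
      - PURGE_ON_DELETE=TRUE
      - ENABLE_TRAEFIK_POLL=TRUE
      # Relies on --api.insecure=true on the proxy; reachable over the shared `internal` network.
      - TRAEFIK_POLL_URL=http://reverse-proxy:8080/
      - TRAEFIK_FILTER_LABEL=traefik.constraint
      - TRAEFIK_FILTER=proxy-public
      - DOMAIN1=${ROOT_DOMAIN}
      - DOMAIN1_ZONE_ID=${ZONE_ID}
      - DOMAIN1_PROXIED=TRUE
      # Presumably meant to skip every host not matched by the label filter above — verify.
      - TRAEFIK_EXCLUDED_HOST1=.*
      - CF_TOKEN=${CF_TOKEN:?required}
    networks:
      - internal

networks:
  proxy:
    external: true
  internal: {}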