chore: use socket-proxy for traefik

2025-02-21 15:52:09 +00:00 · 2025-02-19 16:13:51 +01:00 · 2025-02-19 16:13:51 +01:00 · 70c24a7ece
commit 70c24a7ece
parent 7987eb8b13
3 changed files with 75 additions and 39 deletions
--- a/examples/traefik/docker-compose-command-config.yml
+++ b/examples/traefik/docker-compose-command-config.yml
@ -8,41 +8,42 @@ services:
    container_name: traefik
    restart: always
    command:
-      - --providers.docker=true # enable docker provider
-      - --providers.docker.network=proxy # define default network to monitor for docker provider
-      - --providers.docker.exposedbydefault=false # do not expose docker hosts per default
-      - --providers.file.watch=true # monitor file provider for changes
-      - --providers.file.filename=/etc/traefik/fileConfig.yml # location of the dynamic configuration
-      - --entrypoints.http.address=:80 # entrypoint for unencrypted http
-      - --entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
-      - --entrypoints.http.http.redirections.entryPoint.to=https # automatic redirect from http to https
-      - --entrypoints.http.http.redirections.entryPoint.scheme=https # automatic redirect from http to https
-      - --entrypoints.https.address=:443 # entrypoint for encrypted https
-      - --entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
-      - --entrypoints.https.http.middlewares=security-headers@file,rate-limit@file # define default middlewares for all proxy entries
-      - --api.dashboard=true # enable traefik api dashboard
-      - --api.insecure=true # expose traefik api dashboard on TCP/8080 without need for router
+      - "--providers.docker=true" # enable docker provider
+      - "--providers.docker.network=proxy" # define default network to monitor for docker provider
+      - "--providers.docker.endpoint=tcp://socket-proxy:2375" # define socket-proxy as docker socket
+      - "--providers.docker.exposedbydefault=false" # do not expose docker hosts per default
+      - "--providers.file.watch=true" # monitor file provider for changes
+      - "--providers.file.filename=/etc/traefik/fileConfig.yml" # location of the dynamic configuration
+      - "--entrypoints.http.address=:80" # entrypoint for unencrypted http
+      - "--entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted
+      - "--entrypoints.http.http.redirections.entryPoint.to=https" # automatic redirect from http to https
+      - "--entrypoints.http.http.redirections.entryPoint.scheme=https" # automatic redirect from http to https
+      - "--entrypoints.https.address=:443" # entrypoint for encrypted https
+      - "--entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted
+      - "--entrypoints.https.http.middlewares=security-headers@file,rate-limit@file" # define default middlewares for all proxy entries
+      - "--api.dashboard=true" # enable traefik api dashboard
+      - "--api.insecure=true" # expose traefik api dashboard on TCP/8080 without need for router
      ####################################################
      # !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!
-      - --entrypoints.https.http.tls.certresolver=myresolver # define default cert resolver
-      - --entrypoints.https.http.tls.domains[0].main=example.com # define main domain, change to your domain
-      - --entrypoints.https.http.tls.domains[0].sans=*.example.com # define sans domain, change to your domain
-      - --certificatesresolvers.myresolver.acme.email=myemail@domain.tld # define your email address
-      #- --certificatesresolvers.myresolver.acme.httpchallenge=true # use http challenge
-      #- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http # define entrypoint for http challenge
-      - --certificatesresolvers.myresolver.acme.dnschallenge=true # enable dns challenge to obtain wildcard certificates
-      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare # define provider for certificates
-      - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json # define acme path for certificate information
-      - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53 # define dns servers for your resolver, here cloudflare
+      - "--entrypoints.https.http.tls.certresolver=myresolver" # define default cert resolver
+      - "--entrypoints.https.http.tls.domains[0].main=example.com" # define main domain, change to your domain
+      - "--entrypoints.https.http.tls.domains[0].sans=*.example.com" # define sans domain, change to your domain
+      - "--certificatesresolvers.myresolver.acme.email=myemail@domain.tld" # define your email address
+      #- "--certificatesresolvers.myresolver.acme.httpchallenge=true" # use http challenge
+      #- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http" # define entrypoint for http challenge
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true" # enable dns challenge to obtain wildcard certificates
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare" # define provider for certificates
+      - "--certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json" # define acme path for certificate information
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" # define dns servers for your resolver, here cloudflare
      ####################################################
-      - --log.level=INFO # enable log level
-      - --accesslog=true # enable access logs
-      - --accesslog.filepath=/logs/traefik.log # define access log path
-      - --accesslog.format=json # set access log format to json instead clm
-      - --accesslog.bufferingsize=0 # set access log buffer size to 0
-      - --accesslog.filters.statuscodes=400-599 # only log http errors in logs; alternatively set 200-599 to include successful http requests
-      - --accesslog.fields.headers.defaultmode=drop # drop all headers
-      - --serversTransport.insecureSkipVerify=true # set insecureSkipVerify to true to allow self-signed certificates
+      - "--log.level=INFO" # enable log level
+      - "--accesslog=true" # enable access logs
+      - "--accesslog.filepath=/logs/traefik.log" # define access log path
+      - "--accesslog.format=json" # set access log format to json instead clm
+      - "--accesslog.bufferingsize=0" # set access log buffer size to 0
+      - "--accesslog.filters.statuscodes=400-599" # only log http errors in logs; alternatively set 200-599 to include successful http requests
+      - "--accesslog.fields.headers.defaultmode=drop" # drop all headers
+      - "--serversTransport.insecureSkipVerify=true" # set insecureSkipVerify to true to allow self-signed certificates
    labels:
      - traefik.enable=true # enable traefik
      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard
@ -67,7 +68,25 @@ services:
      - host.docker.internal:172.17.0.1 # define internal ip; helps traefik to resolve containers running in host network mode
    networks:
      - proxy # define traefik docker network
+      - docker-proxynet
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:1.26.2
+    container_name: socket-proxy
+    environment:
+      - CONTAINERS=1
+      - EVENTS=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - docker-proxynet
+    restart: always
+    read_only: true
+    tmpfs:
+      - /run

 networks:
  proxy:
    external: true
+  docker-proxynet:
+    internal: true
--- a/examples/traefik/docker-compose.yml
+++ b/examples/traefik/docker-compose.yml
@ -14,7 +14,7 @@ services:
      - 443 # https
      - 8080 # http api dashboard
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro # ro = read-only access to the docker.sock
+      #- /var/run/docker.sock:/var/run/docker.sock:ro # better use socket-proxy instead
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # put the provided traefik.yml and fileConfig.yml files at this location
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs
    environment:
@ -30,7 +30,25 @@ services:
      - host.docker.internal:172.17.0.1
    networks:
      - proxy
+      - docker-proxynet
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:1.26.2
+    container_name: socket-proxy
+    environment:
+      - CONTAINERS=1
+      - EVENTS=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - docker-proxynet
+    restart: always
+    read_only: true
+    tmpfs:
+      - /run

 networks:
  proxy:
    external: true
+  docker-proxynet:
+    internal: true
--- a/examples/traefik/traefik.yml
+++ b/examples/traefik/traefik.yml
@ -59,7 +59,7 @@ entryPoints:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
-        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/
+        # start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
@ -82,7 +82,7 @@ entryPoints:
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
-        # End of Cloudlare public IP list
+        # end of Cloudlare public IP list
    http:
      redirections:
        entryPoint:
@ -93,7 +93,7 @@ entryPoints:
  https:
    address: :443
    forwardedHeaders:
-      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
+      # reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    # enable HTTP3 QUIC via UDP/443
    #http3:
@ -122,9 +122,8 @@ providers:
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
-    network: proxy # Add Your Docker Network Name Here
-    #endpoint: "tcp://socket-proxy:2375"
-    # Default host rule to containername.domain.example
+    network: proxy # add Your Docker Network Name Here
+    endpoint: "tcp://socket-proxy:2375" # use socket-proxy for secure access to docker api
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)" # change 'example.com' to your proxy domain
    exposedByDefault: false