2025-02-25 09:28:44 +00:00
3 changed files with 3 additions and 107 deletions
--- a/examples/traefik/README.md
+++ b/examples/traefik/README.md
@ -8,21 +8,8 @@

 # Notes

-Spawning up a Traefik reverse proxy can be done in various ways. 
-
-There are options to outsource the Traefik configuration into static and dynamic YAML configuration files. Alternatively, the configuration parameters can be defined directly as command definitions, which are applied during runtime of the Traefik container. We've provided both options as Docker Compose examples.
-
-Please remember to configure logrotation on your Docker host server if you've enabled Traefik access logs. See `logrotate_example.txt` as example. The logs will increase in size and may cause disk space issues, if not handled properly.
-
-### Spawning up Traefik with outsourced configuration files
-
 1. Put the provided `traefik.yml` (static) and `fileConfig.yml` (dynamic) configuration files to your volume bind mount (here `/mnt/docker-volumes/traefik`). 
 2. Add your Cloudflare API token as environment variable to the `docker-compose.yml` file and define your Cloudflare email address in the `traefik.yml` file.
-3. Adjust the static and dynamic configuration files to your needs. Especially replace the `example.com` strings with your domain name in the `traefik.yml` static configuration file. Also adjust the authelia and basic auth definitions in the `fileConfig.yml` dynamic configuration file with secure values and your domain names.
+3. Adjust the static and dynamic configuration files to your needs. Especially replace the `example.com` strings with your domain name.

-### Spawning up Traefik with configuration command definitions
-
-1. Use the `docker-compose-command-config.yml` example as a reference point.
-2. Put the provided `fileConfig.yml` (dynamic) configuration file to your volume bind mount (here `/mnt/docker-volumes/traefik`).
-3. Add your Cloudflare API token as environment variable in the compose file. Define your Cloudflare email address in the command definitions of the compose file. May adjust to your preferred certresolver. The example given is for Cloudflare.
-4. Adjust the dynamic configuration file `fileConfig.yml` to your needs. Especially adjust the authelia and basic auth definitions with secure values and your domain names.
+Optionally configure logrotation on your Docker host server if you've enabled Traefik access logs. See `logrotate_example.txt` as example.
--- a/examples/traefik/docker-compose-command-config.yml
+++ b/examples/traefik/docker-compose-command-config.yml
@ -1,91 +0,0 @@
-# This docker compose example configures traefik by command definitions.
-# This makes the traefik.yml static configuration obsolete.
-# Note that we still reference a dynamic configuration for best practice
-
-version: '3.8'
-
-services:
-  traefik:
-    image: traefik:v2.9
-    container_name: traefik
-    command:
-      - --global.checkNewVersion=true # check for updates
-      - --global.sendAnonymousUsage=false # do not send anonymous statistics
-      - --providers.docker=true # enable docker provider
-      - --providers.docker.network=proxy # define default network to monitor for docker provider
-      - --providers.docker.exposedbydefault=false # do not expose docker hosts per default
-      - --providers.docker.swarmModeRefreshSeconds=15s # defeine swarm mode fresh seconds
-      - --providers.providersThrottleDuration=2s # define throttle duration
-      - --providers.file.watch=true # monitor file provider for changes
-      - --providers.file.filename=/etc/traefik/fileConfig.yml # location of the dynamic configuration
-      - --entrypoints.http.address=:80 # entrypoint for unencrypted http
-      - --entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
-      - --entrypoints.http.http.redirections.entryPoint.to=https # automatic redirect from http to https
-      - --entrypoints.http.http.redirections.entryPoint.scheme=https # automatic redirect from http to https
-      - --entrypoints.https.address=:443 # entrypoint for encrypted https
-      - --entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted
-      - --entrypoints.https.http.middlewares=security-headers@file,rate-limit@file # define default middlewares for all proxy entries
-      - --api.dashboard=true # enable traefik api dashboard
-      - --api.insecure=true # expose traefik api dashboard on TCP/8080 without need for router
-      ####################################################
-      # !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!
-      - --entrypoints.https.http.tls.certresolver=cloudflare # define default cert resolver
-      - --entrypoints.https.http.tls.domains[0].main=example.com # define main domain, change to your domain
-      - --entrypoints.https.http.tls.domains[0].sans=*.example.com # define sans domain, change to your domain
-      - --certificatesresolvers.cloudflare.acme.email=mycloudflareemail@domain.tld # define your cloudflare email address
-      - --certificatesresolvers.cloudflare.acme.dnschallenge=true # enable dns challenge to obtain wildcard certificates
-      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare # define provider for certificates
-      - --certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme.json # define acme path for certificate information
-      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53 # define cloudflare dns servers as the resolver
-      ####################################################
-      - --log.level=INFO # enable log level
-      - --accesslog=true # enable access logs
-      - --accesslog.filepath=/logs/traefik.log # define access log path
-      - --accesslog.format=json # set access log format to json instead clm
-      - --accesslog.bufferingsize=0 # set access log buffer size to 0
-      - --accesslog.filters.statuscodes=400-599 # only log http errors in logs; alternatively set 200-599 to include successful http requests
-      - --accesslog.fields.headers.defaultmode=drop # drop all headers
-      - --serversTransport.insecureSkipVerify=true # set insecureSkipVerify to true to allow self-signed certificates
-    labels:
-      - traefik.enable=true # enable traefik
-      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard
-      - traefik.http.routers.api.service=api@internal # enable traefik api dashboard
-      - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only    
-    ports:
-      - 80:80 # http
-      - 443:443 # https
-      - 127.0.0.1:8080:8080 # traefik api dashboard
-    networks:
-      - proxy # define traefik docker network
-    environment:
-      - TZ=Europe/Berlin # define timezone
-      - CF_DNS_API_TOKEN=<MY-CF-API-TOKEN> # define your cloudflare api token
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only
-      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # bind mount volume for persistent traefik data
-      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs # bind mount volume for persistent traefik logs
-    restart: always # always restart traefik
-    extra_hosts:
-      - host.docker.internal:172.17.0.1 # define internal ip; helps for proxying to home assistant
-
-  whoami:
-    image: traefik/whoami
-    networks:
-      - proxy
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
-      - traefik.http.services.whoami.loadbalancer.server.port=80
-      #- traefik.http.services.whoami.loadbalancer.server.scheme=https # optional, but sometines necessary when proxying to https services
-      #- traefik.http.services.whoami.loadbalancer.serverstransport=insecureTransport@file # optional, but sometines necessary when proxying to https services
-      #- traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads
-      #- traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads
-      #- traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads
-      #- traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads    
-      - traefik.docker.network=proxy
-      # Part for optional traefik middlewares
-      - traefik.http.routers.whoami.middlewares=local-ipwhitelist@file
-
-networks:
-  proxy:
-    external: true
--- a/examples/traefik/docker-compose.yml
+++ b/examples/traefik/docker-compose.yml
@ -6,7 +6,7 @@ services:
    ports:
      - 80:80 # HTTP
      - 443:443 # HTTPS
-      - 127.0.0.1:8080:8080 # MGMT WEB UI
+      - 8080:8080 # MGMT WEB UI
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # ro = read-only access to the docker.sock
      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # put the provided traefik.yml and fileConfig.yml files at this location