diff --git a/Traefikv3/.env b/Traefikv3/.env
new file mode 100644
index 0000000..1b9ee20
--- /dev/null
+++ b/Traefikv3/.env
@@ -0,0 +1 @@
+TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$2y$$05$$3A1ctqF6JF4F4Jk2UsMhnevo6DHogXKb5IrnJyz53F3xUqoWvVx.i
\ No newline at end of file
diff --git a/Traefikv3/cf-token b/Traefikv3/cf-token
new file mode 100644
index 0000000..f54b492
--- /dev/null
+++ b/Traefikv3/cf-token
@@ -0,0 +1 @@
+# replace this line entirely with your API token
\ No newline at end of file
diff --git a/Traefikv3/config/config.yaml b/Traefikv3/config/config.yaml
new file mode 100644
index 0000000..71f739b
--- /dev/null
+++ b/Traefikv3/config/config.yaml
@@ -0,0 +1,37 @@
+http:
+  middlewares:
+    default-security-headers:
+      headers:
+        browserXssFilter: true # X-XSS-Protection=1; mode=block
+        contentTypeNosniff: true # X-Content-Type-Options=nosniff
+        forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
+        frameDeny: false # X-Frame-Options=deny
+        referrerPolicy: "strict-origin-when-cross-origin"
+        stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
+        stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
+        stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
+        contentSecurityPolicy: "default-src 'self'"
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+    https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+  routers:
+    portainer:
+      entryPoints:
+        - "https"
+      rule: "Host(`portainer-demo.jimsgarage.co.uk`)"
+      middlewares:
+        - default-security-headers
+        - https-redirectscheme
+      tls: {}
+      service: portainer
+
+  services:
+    portainer:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.200.122:9443"
+        passHostHeader: true
\ No newline at end of file
diff --git a/Traefikv3/config/traefik.yaml b/Traefikv3/config/traefik.yaml
new file mode 100644
index 0000000..49cf37e
--- /dev/null
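Review bot: `.env` commits a real bcrypt hash for the `admin` dashboard user; a committed hash is offline-crackable and every clone of this template inherits the same credential until the user remembers to replace it. The same applies to `cf-token`, which will hold a live Cloudflare API token once the placeholder comment is replaced. Suggest committing `.env.example` and `cf-token.example` with placeholders such as `TRAEFIK_DASHBOARD_CREDENTIALS=admin:REPLACE_WITH_HTPASSWD_BCRYPT_HASH` and listing `.env` and `cf-token` in a `.gitignore` alongside them. The `$$` doubling is correct for compose interpolation and is worth a comment in the example file, since a single `$` would be expanded by compose and break the hash.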
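Review bot: `stsSeconds: 3153600` is roughly 36 days, while its own comment quotes 63072000 (2 years); a zero appears to be missing. With `stsPreload: true` on the same middleware, a max-age below one year (31536000) does not meet the HSTS preload list's minimum, so the preload directive is sent but cannot be honoured. Suggest `stsSeconds: 31536000 # 1 year (HSTS preload minimum)` or `63072000` to match the existing comment. The `frameDeny: false # X-Frame-Options=deny` comment likewise contradicts its value; either set `frameDeny: true` or reword the comment to say the header is intentionally not sent for Portainer.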
+++ b/Traefikv3/config/traefik.yaml
@@ -0,0 +1,49 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      # middlewares: # uncomment if using CrowdSec - see my video
+      #   - crowdsec-bouncer@file
+      redirections:
+        entrypoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+    # http:
+    #   middlewares: # uncomment if using CrowdSec - see my video
+    #     - crowdsec-bouncer@file
+  # tcp:
+  #   address: ":10000"
+  # apis:
+  #   address: ":33073"
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yaml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
+certificatesResolvers:
+  cloudflare:
+    acme:
+      # caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
+      email: your@email.com # Cloudflare email (or other provider)
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare # change as required
+        # disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+accessLog:
+  filePath: "/var/log/traefik/access.log"
diff --git a/Traefikv3/docker-compose.yaml b/Traefikv3/docker-compose.yaml
new file mode 100644
index 0000000..f0d5563
--- /dev/null
+++ b/Traefikv3/docker-compose.yaml
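Review bot: `serversTransport.insecureSkipVerify: true` disables upstream certificate verification for every backend Traefik proxies to, not only the self-signed Portainer endpoint in `config.yaml` that needs it, so any later HTTPS service added behind this proxy silently loses TLS validation. A narrower option is a named transport in the dynamic file config, `http.serversTransports.<name>.insecureSkipVerify: true`, referenced from that one service via `loadBalancer.serversTransport`, with the global default left strict; a comment on the global setting explaining why it is acceptable here would be the minimum. `api.debug: true` additionally enables the debugging and profiling endpoints on the dashboard router; it is worth a comment noting it should be off outside troubleshooting.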
@@ -0,0 +1,54 @@
+secrets:
+  cf-token:
+    file: ./cf-token
+services:
+  traefik:
+    image: traefik:latest # or traefik:v3.3 to pin a version
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true # helps to increase security
+    secrets:
+      - cf-token # the secret at the top of this file
+    env_file:
+      - .env # store other secrets e.g., dashboard password
+    networks:
+      proxy:
+    ports:
+      - 80:80
+      - 443:443
+      # - 10000:10000 # optional
+      # - 33073:33073 # optional
+    environment:
+      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
+      # - CF_API_EMAIL=your@email.com # Cloudflare email
+      # - CF_DNS_API_TOKEN=YOUR-TOKEN # Cloudflare API Token
+      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-token # see https://doc.traefik.io/traefik/https/acme/#providers
+      # token file is the proper way to do it
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /home/ubuntu/docker/traefik/traefik.yaml:/traefik.yaml:ro
+      - /home/ubuntu/docker/traefik/acme.json:/acme.json
+      - /home/ubuntu/docker/traefik/config.yaml:/config.yaml:ro
+      - /home/ubuntu/docker/traefik/logs:/var/log/traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`traefik-docker.jimsgarage.co.uk`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.jimsgarage.co.uk`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].main=jimsgarage.co.uk"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.jimsgarage.co.uk"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+
+networks:
+  proxy:
+    external: true # or comment this line to auto create the network
\ No newline at end of file
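Review bot: the `:ro` on the `/var/run/docker.sock` bind mount only makes the socket's filesystem entry read-only; the Docker API behind it stays fully usable, so a compromise of the Traefik container still yields host-level control through the daemon. The usual mitigation is a socket proxy that exposes only the read-only endpoints the Docker provider needs (container, network and event listing), with `providers.docker.endpoint` in `traefik.yaml` pointed at it; at minimum the inline comment should not leave the impression that `:ro` restricts the API. The `sslheader` middleware is defined by its `customrequestheaders` label but never referenced from either router's `middlewares` list, so it is dead configuration; either add it to `traefik-secure.middlewares` or drop the label. Quoting the port mappings as `"80:80"` and `"443:443"` would also match the project's own quoting of the label values and avoid YAML 1.1 sexagesimal surprises when ports below 60 are added later.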