diff --git a/docker/compose/networks/default.yaml b/docker/compose/networks/default.yaml
index 7961d45..44563a3 100644
--- a/docker/compose/networks/default.yaml
+++ b/docker/compose/networks/default.yaml
@@ -1,4 +1,4 @@
 networks:
 default:
-# name: default
+ name: default
 driver: bridge
diff --git a/docker/compose/networks/proxy.yaml b/docker/compose/networks/proxy.yaml
index b594ad0..1862ea2 100644
--- a/docker/compose/networks/proxy.yaml
+++ b/docker/compose/networks/proxy.yaml
@@ -1,4 +1,4 @@
 networks:
 proxy:
 name: proxy
- external: true
\ No newline at end of file
+ external: true
\ No newline at end of file
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index fa05376..832c575 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -28,10 +28,10 @@ networks:
 # Docker Compose v2.20 or greater required to use "include"
 include:
 ########################### SERVICES
- - compose/dc-traefik.yml
- - compose/dc-socket-proxy.yml
- - compose/dc-crowdsec.yml
- - compose/dc-traefik-bouncer.yml
+ - services/dc-traefik.yml
 - services/dc-socket-proxy.yml
 - services/dc-crowdsec.yml
 - services/dc-traefik-bouncer.yml
 # Portainer - WebUI for Containers
 # portainer:
diff --git a/docker/env/common.env b/docker/env/common.env
index 6797fca..a0f02e5 100644
--- a/docker/env/common.env
+++ b/docker/env/common.env
@@ -1,6 +1,8 @@
 ##### SYSTEM
 UID=1000
 GID=1000
+PUID=1000
+PGID=1000
 TZ=Europe/HelsinkI
 #USERDIR=/home/gurulandia
diff --git a/docker/services/dc-traefik.yml b/docker/services/dc-traefik.yml
index 83a3d19..6a9c192 100644
--- a/docker/services/dc-traefik.yml
+++ b/docker/services/dc-traefik.yml
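Review bot: `PUID=1000` and `PGID=1000` in the common.env hunk are a second, hand-maintained copy of the `UID`/`GID` values two lines above rather than being tied to them, so the two pairs can drift apart and images that honour PUID/PGID would then create files the UID/GID-based containers cannot read; at minimum add a comment such as `# PUID/PGID mirror UID/GID above (linuxserver-style images) - keep them in step`. While touching this block, the adjacent context line `TZ=Europe/HelsinkI` is not a valid IANA zone name (zoneinfo lookups are case-sensitive on Linux), so containers will silently fall back to UTC; it should read `TZ=Europe/Helsinki`. The other hunks on this line (uncommenting the default network name, a whitespace-only change in proxy.yaml, and the compose/ to services/ include rename) are mechanical.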
@@ -1,13 +1,15 @@
 ########################### SECRETS
 secrets:
- cloudflare_email:
- file: ${SECRETSDIR}/cloudflare_email
- cloudflare_api_key:
- file: ${SECRETSDIR}/cloudflare_api_key
+ #cloudflare_email:
+ # file: ${SECRETSDIR}/cloudflare_email
+ #cloudflare_api_key:
+ # file: ${SECRETSDIR}/cloudflare_api_key
+ basic_auth_credentials:
+ file: $DOCKERDIR/secrets/basic_auth_credentials
 cloudflare_api_token:
 file: ${SECRETSDIR}/cloudflare_dns_api_token
 services:
- # Traefik 2 - Reverse Proxy
+ # Traefik 3 - Reverse Proxy
 # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
 # touch $DOCKERDIR/traefik2/acme/acme.json
 # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
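Review bot: The new `basic_auth_credentials` secret is read from `$DOCKERDIR/secrets/basic_auth_credentials` while the neighbouring secrets use `${SECRETSDIR}/...`, so the htpasswd file lands outside whatever `SECRETSDIR` points to and is easy to miss when that directory is locked down or excluded from version control; use `file: ${SECRETSDIR}/basic_auth_credentials` for consistency. Because this file now holds password hashes it deserves the same `chmod 600` instruction the acme.json comment gives, and the hashes should be bcrypt (`htpasswd -B`) rather than the Apache MD5 default. The `cloudflare_email`/`cloudflare_api_key` entries are only commented out, and that global-API-key pair is the higher-privilege credential; deleting them outright would keep them from being re-enabled by accident now that the scoped `cloudflare_api_token` is the only path in use. The `touch`/`chmod` comments still point at `$DOCKERDIR/traefik2/acme/acme.json` whereas the mount later in this diff uses `${DOCKERDIR}/traefik/acme.json`.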
@@ -22,73 +24,97 @@ services: proxy: socket_proxy: ports: - - 80:80 - - 443:443 - - 465:465 - - 587:587 + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + #- target: 465 + # published: 465 + # protocol: tcp + # mode: host + - target: 587 + published: 587 + protocol: tcp + mode: host + #- 465:465 + #- 587:587 #env_file: #- path: ./traefik.env # required: true # default #- path: ./override.env # required: false environment: - - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email - - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key + #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email + #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token + - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials + - DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules. + - DOMAINNAME1 + - DOMAINNAME2 + - DOMAINNAME3 + #- CF_API_EMAIL + command: # CLI arguments - --global.checkNewVersion=true - --global.sendAnonymousUsage=false #true - - --entryPoints.http.address=:80 - - --entrypoints.http.http.redirections.entryPoint.to=https - - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file - - --entryPoints.https.address=:443 - - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS - - --entrypoints.mailsecure.address=:465 - - --entrypoints.maildefault.address=:587 -# - --entryPoints.traefik.address=:8080 -# - --entryPoints.ping.address=:8081 + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + - --entrypoints.traefik.address=:8080 + - --entrypoints.web.http.redirections.entrypoint.to=websecure + - --entrypoints.web.http.redirections.entrypoint.scheme=https + - --entrypoints.web.http.redirections.entrypoint.permanent=true - --api=true -# - --api.insecure=true) - --api.dashboard=true -# - --ping=true) -# - 
--pilot.token=$TRAEFIK_PILOT_TOKEN) - - --serversTransport.insecureSkipVerify=true + # - --serversTransport.insecureSkipVerify=true + # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/ + - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS - --log=true + - --log.filePath=/logs/traefik.log - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC - - --log.filePath= /var/log/traefik/traefik.log - --accessLog=true - - --accessLog.filePath=/var/log/traefik/access.log + - --accessLog.filePath=/logs/access.log - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines - - --accessLog.filters.statusCodes=400-499 + - --accessLog.filters.statusCodes=204-299,400-499,500-599 - --providers.docker=true - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security - # Automatically set Host rule for services -# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`) - --providers.docker.exposedByDefault=false -# - --providers.redis=true -# - --providers.redis.endpoints=redis:6379 - - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file - - --entrypoints.https.http.tls.options=tls-opts@file - # Add dns-cloudflare as default certresolver for all services. 
Also enables TLS and no need to specify on individual services - - --entrypoints.https.http.tls.certresolver=${CERTRESOLVER} - - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0 - - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0 - - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain - - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain - - --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2 - - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2 - - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain - - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain - - --providers.docker.network=proxy + - --entrypoints.websecure.http.tls=true + - --entrypoints.websecure.http.tls.options=tls-opts@file + # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services + - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER} + - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0 + - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0 + - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1 + - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1 + - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2 + - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2 + - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3 + - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3 - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory - --providers.file.watch=true # Only works on top level files in the rules folder -# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - 
uncomment when testing - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL} - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER} - - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1 + - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1} - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate +# - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing + + +# - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file + - --entrypoints.mailsecure.address=:465 + - --entrypoints.maildefault.address=:587 +# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file +# - --entryPoints.ping.address=:8081 +# - --api.insecure=true) +# - --ping=true) +# - --providers.redis=true +# - --providers.redis.endpoints=redis:6379 +# - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file # healthcheck: # test: ["CMD", "traefik", "healthcheck", "--ping"] # interval: 5s @@ -100,9 +126,10 @@ services: - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600 - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container secrets: - - cloudflare_email - - cloudflare_api_key + #- cloudflare_email + #- cloudflare_api_key - cloudflare_api_token + - basic_auth_credentials labels: traefik.enable: true traefik.http.routers.traefik.entrypoints: http
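Review bot: The CrowdSec bouncer is no longer attached to any entrypoint: the old `--entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file` and `--entrypoints.https.http.middlewares=...` lines are removed or left commented at the bottom of the command list, and nothing equivalent is set on the new `web`/`websecure` entrypoints, so every router is served without the bouncer even though docker-compose.yml still includes dc-crowdsec.yml and dc-traefik-bouncer.yml. Add `- --entrypoints.web.http.middlewares=middlewares-crowdsec-bouncer@file` and `- --entrypoints.websecure.http.middlewares=middlewares-crowdsec-bouncer@file` next to the other websecure options, or record in a comment that the bouncer is now deliberately applied per router. Related, `--log.filePath=/logs/traefik.log` and `--accessLog.filePath=/logs/access.log` now write to `/logs`, but the only log volume visible in this diff mounts `${DOCKERDIR}/traefik/logs` at `/var/log/traefik` "for crowdsec", so unless a `/logs` mount exists outside the hunk the access log CrowdSec parses will stay empty and the logs vanish on container recreate; keep the two paths in sync. The rename of the `http`/`https` entrypoints to `web`/`websecure` also invalidates every `entrypoints: https` router label in the other included service files, which this diff does not touch. The traefik service definition starts before this hunk and its volumes and labels continue after it.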
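Review bot: `traefik.http.routers.traefik.entrypoints: http` on the last line still names the `http` entrypoint, which the preceding hunk removed in favour of `web`/`websecure`, so Traefik will reject the dashboard router ("entryPoint http doesn't exist") and the dashboard becomes unreachable; change it to `traefik.http.routers.traefik.entrypoints: websecure` (the `web` entrypoint only redirects). The newly mounted `basic_auth_credentials` secret only protects the dashboard if a basicauth middleware reading `/run/secrets/basic_auth_credentials` is attached to this router; the router's middleware labels lie beyond the end of the hunk, so I cannot confirm that here. The `# cert location - you must touch this file and change permissions to 600` reminder is right, and the same should be said for the htpasswd file now that it is a mounted secret. The labels block continues past the end of this hunk.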