Modify

2025-03-04 21:00:45 +02:00
parent 030c5d2025
commit 352ddeb5fd
5 changed files with 83 additions and 54 deletions
--- a/docker/compose/networks/default.yaml
+++ b/docker/compose/networks/default.yaml
@@ -1,4 +1,4 @@
 networks:
  default:
-#    name: default
+    name: default
    driver: bridge
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -28,10 +28,10 @@ networks:
 # Docker Compose v2.20 or greater required to use "include"
 include:
 ########################### SERVICES
-  - compose/dc-traefik.yml
-  - compose/dc-socket-proxy.yml
-  - compose/dc-crowdsec.yml
-  - compose/dc-traefik-bouncer.yml
+  - services/dc-traefik.yml
+  - services/dc-socket-proxy.yml
+  - services/dc-crowdsec.yml
+  - services/dc-traefik-bouncer.yml

  # Portainer - WebUI for Containers
 # portainer:
--- a/docker/env/common.env
+++ b/docker/env/common.env
@@ -1,6 +1,8 @@
 ##### SYSTEM
 UID=1000
 GID=1000
+PUID=1000
+PGID=1000
 TZ=Europe/HelsinkI

 #USERDIR=/home/gurulandia
--- a/docker/services/dc-traefik.yml
+++ b/docker/services/dc-traefik.yml
@@ -1,13 +1,15 @@
 ########################### SECRETS
 secrets:
-  cloudflare_email:
-    file: ${SECRETSDIR}/cloudflare_email
-  cloudflare_api_key:
-    file: ${SECRETSDIR}/cloudflare_api_key
+  #cloudflare_email:
+  #  file: ${SECRETSDIR}/cloudflare_email
+  #cloudflare_api_key:
+  #  file: ${SECRETSDIR}/cloudflare_api_key
+  basic_auth_credentials:
+    file: $DOCKERDIR/secrets/basic_auth_credentials
  cloudflare_api_token:
    file: ${SECRETSDIR}/cloudflare_dns_api_token
 services:
-  # Traefik 2 - Reverse Proxy
+  # Traefik 3 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
@@ -22,73 +24,97 @@ services:
      proxy:
      socket_proxy:
    ports:
-      - 80:80
-      - 443:443
-      - 465:465
-      - 587:587
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
+      #- target: 465
+      #  published: 465
+      #  protocol: tcp
+      #  mode: host
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host
+      #- 465:465
+      #- 587:587
    #env_file:
    #- path: ./traefik.env
    #  required: true # default
    #- path: ./override.env
    #  required: false
    environment:
-      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
-      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      #- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+      #- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
+      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
+      - DOMAINNAME0 # Passing the domain name to traefik container to be able to use the variable in rules. 
+      - DOMAINNAME1
+      - DOMAINNAME2
+      - DOMAINNAME3
+      #- CF_API_EMAIL
+
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false #true
-      - --entryPoints.http.address=:80
-      - --entrypoints.http.http.redirections.entryPoint.to=https
-      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
-      - --entryPoints.https.address=:443
-      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
-      - --entrypoints.mailsecure.address=:465
-      - --entrypoints.maildefault.address=:587
-#      - --entryPoints.traefik.address=:8080
-#      - --entryPoints.ping.address=:8081
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.traefik.address=:8080
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --api=true
-#      - --api.insecure=true)
      - --api.dashboard=true
-#      - --ping=true)
-#      - --pilot.token=$TRAEFIK_PILOT_TOKEN)
-      - --serversTransport.insecureSkipVerify=true
+      # - --serversTransport.insecureSkipVerify=true
+      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
+      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
+      - --log.filePath=/logs/traefik.log
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
-      - --log.filePath= /var/log/traefik/traefik.log
      - --accessLog=true
-      - --accessLog.filePath=/var/log/traefik/access.log
+      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
-      - --accessLog.filters.statusCodes=400-499
+      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=${DOCKER_ENDPOINT} # Use Docker Socket Proxy instead for improved security
-      # Automatically set Host rule for services
-#      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
      - --providers.docker.exposedByDefault=false
-#      - --providers.redis=true
-#      - --providers.redis.endpoints=redis:6379
-      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file
-      - --entrypoints.https.http.tls.options=tls-opts@file
-      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
-      - --entrypoints.https.http.tls.certresolver=${CERTRESOLVER}
-      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
-      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
-      - --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
-      - --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
-      - --entrypoints.https.http.tls.domains[2].main=$DOMAINNAME2
-      - --entrypoints.https.http.tls.domains[2].sans=*.$DOMAINNAME2
-      - --entrypoints.https.http.tls.domains[3].main=$DOMAINNAME3 # Pulls main cert for second domain
-      - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
-
      - --providers.docker.network=proxy
+      - --entrypoints.websecure.http.tls=true
+      - --entrypoints.websecure.http.tls.options=tls-opts@file
+      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
+      - --entrypoints.websecure.http.tls.certresolver=${CERTRESOLVER}
+      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME0
+      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME0
+      - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME1
+      - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME1
+      - --entrypoints.websecure.http.tls.domains[2].main=$DOMAINNAME2
+      - --entrypoints.websecure.http.tls.domains[2].sans=*.$DOMAINNAME2
+      - --entrypoints.websecure.http.tls.domains[3].main=$DOMAINNAME3
+      - --entrypoints.websecure.http.tls.domains[3].sans=*.$DOMAINNAME3
      - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
-#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
      - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
-      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0} #,$RESOLVER1
+      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=${RESOLVER0},${RESOLVER1}
      - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
+#      - --certificatesResolvers.$CERTRESOLVER.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+
+
+#      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+      - --entrypoints.mailsecure.address=:465
+      - --entrypoints.maildefault.address=:587
+#      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
+#      - --entryPoints.ping.address=:8081
+#      - --api.insecure=true)
+#      - --ping=true)
+#      - --providers.redis=true
+#      - --providers.redis.endpoints=redis:6379
+#      - --entrypoints.https.http.middlewares=middlewares-crowdsec-bouncer@file      
 #    healthcheck:
 #      test: ["CMD", "traefik", "healthcheck", "--ping"]
 #      interval: 5s
@@ -100,9 +126,10 @@ services:
      - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
      - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
    secrets:
-      - cloudflare_email
-      - cloudflare_api_key
+      #- cloudflare_email
+      #- cloudflare_api_key
      - cloudflare_api_token
+      - basic_auth_credentials
    labels:
      traefik.enable: true
      traefik.http.routers.traefik.entrypoints: http