New Files for Traefik Reverse Proxy

docker/.env

@@ -9,36 +9,37 @@ TZ=Europe/HelsinkI
 DOCKERDIR=/gurulandia/data
 SECRETSDIR=/gurulandia/docker-shared/secrets
 
+##### ProxyName
+PROXYNAME=proxy
+
 ##### DOMAIN
 DOMAINNAME0=gurulandia.eu
-DOMAINNAME1=home.gurulandia.eu
+DOMAINNAME1=lab.gurulandia.eu
 DOMAINNAME2=gurulandia.fi
 DOMAINNAME3=home.gurulandia.fi
 
 ##### SUBNETS
-
-PROXY_SUBNET=192.168.91.0/24
-SOCKET_PROXY_SUBNET=192.168.92.0/24
+#PROXY_SUBNET=192.168.91.0/24
+#SOCKET_PROXY_SUBNET=192.168.92.0/24
 
 ##### GATEWAYS
-
-PROXY_GATEWAY=192.168.91.1
-SOCKET_PROXY_GATEWAY=192.168.92.1
+#PROXY_GATEWAY=192.168.91.1
+#SOCKET_PROXY_GATEWAY=192.168.92.1
 
 ##### Traefik Container
 TRAEFIK_CONTAINER_NAME=traefik
 TRAEFIK_IMAGE=traefik
-TRAEFIK_VERSION=v3.0.0-rc1 #latest
+TRAEFIK_VERSION=latest
 TRAEFIK_RESTART_POLICY=unless-stopped
-TRAEFIK_IP0=192.168.91.254
-TRAEFIK_IP1=192.168.92.252
+#TRAEFIK_IP0=192.168.91.254
+#TRAEFIK_IP1=192.168.92.252
 
 ##### socket-proxy Container
 SOCKET_PROXY_CONTAINER_NAME=socket-proxy
 SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
 SOCKET_PROXY_VERSION=latest
 SOCKET_PROXY_RESTART_POLICY=always
-SOCKET_PROXY_IP=192.168.92.254
+#SOCKET_PROXY_IP=192.168.92.254
 
 DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
 
@@ -64,14 +65,15 @@ CROWDSEC_VERSION=latest
 CROWDSEC_RESTART_POLICY=unless-stopped
 #CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
 CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"
-CROWDSEC_IP=192.168.92.253
+#CROWDSEC_IP=192.168.92.253
 
 ##### bouncer-traefik Container
 BT_CONTAINER_NAME=bouncer-traefik
 BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
 BT_VERSION=latest
 BT_RESTART_POLICY=unless-stopped
-BT_IP=192.168.92.251
+GIN_MODE=release
+#BT_IP=192.168.92.251
 
 ##### IP ADDRESSES
 

docker/.env.template

@@ -0,0 +1,27 @@
+COMPOSE_PROJECT_NAME=proxy
+
+##### SYSTEM
+PUID=1000
+PGID=1000
+TZ=Europe/HelsinkI
+
+#USERDIR=/home/gurulandia
+DOCKERDIR=/gurulandia/data
+SECRETSDIR=/gurulandia/docker-shared/secrets
+
+##### ProxyName
+PROXYNAME=proxy
+
+##### Traefik Container
+TRAEFIK_CONTAINER_NAME=traefik
+TRAEFIK_IMAGE=traefik
+TRAEFIK_VERSION=latest
+TRAEFIK_RESTART_POLICY=unless-stopped
+
+##### socket-proxy Container
+SOCKET_PROXY_CONTAINER_NAME=socket-proxy
+SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_RESTART_POLICY=always
+
+DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375

docker/compose/crowdsec.env

@@ -0,0 +1,2 @@
+#CROWDSEC_COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik"
+CROWDSEC_COLLECTIONS="crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux fulljackz/proxmox"

docker/compose/dc-crowdsec.yml

@@ -7,11 +7,10 @@ services:
       - no-new-privileges:true
     networks:
       - proxy
-      #proxy:
-      #  ipv4_address: ${CROWDSEC_IP} # You can specify a static IP
     environment:
       GID: "${GID-1000}"
-      COLLECTIONS: ${CROWDSEC_COLLECTIONS}
+    env_file:
+      - path: ./crowdsec.env
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - ${DOCKERDIR}/crowdsec/acquis.d:/etc/crowdsec/acquis.d

docker/compose/dc-socket-proxy.yml

@@ -4,11 +4,9 @@ services:
   socket-proxy:
     container_name: ${SOCKET_PROXY_CONTAINER_NAME}
     image: ${SOCKET_PROXY_IMAGE}:${SOCKET_PROXY_VERSION}
-#    image: ghcr.io/tecnativa/docker-socket-proxy:latest
     restart: ${SOCKET_PROXY_RESTART_POLICY}
     networks:
       socket_proxy:
-        ipv4_address: ${SOCKET_PROXY_IP} 
     privileged: true
     ports:
     #  - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
@@ -18,28 +16,3 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock"
     env_file:
     - path: ./socket-proxy.env
-    #environment:
-    #  - LOG_LEVEL=${LOG_LEVEL}
-    #  - EVENTS=${EVENTS}
-    #  - PING=${PING}
-    #  - VERSION=${VERSION}
-    #  - AUTH=${AUTH}
-    #  - SECRETS=${SECRETS}
-    #  - POST=${POST}
-    #  - BUILD=${BUILD}
-    #  - COMMIT=${COMMIT}
-    #  - CONFIGS=${CONFIGS}
-    #  - CONTAINERS=${CONTAINERS}
-    #  - DISTRIBUTION=${DISTRIBUTION}
-    #  - EXEC=${EXEC}
-    #  - IMAGES=${IMAGES}
-    #  - INFO=${INFO}
-    #  - NETWORKS=${NETWORKS}
-    #  - NODES=${NODES}
-    #  - PLUGINS=${PLUGINS}
-    #  - SERVICES=${SERVICES}
-    #  - SESSION=${SESSION}
-    #  - SWARM=${SWARM}
-    #  - SYSTEM=${SYSTEM}
-    #  - TASKS=${TASKS}
-    #  - VOLUMES=${VOLUMES}

docker/compose/dc-traefik-bouncer.yml

@@ -3,14 +3,9 @@ services:
     image: ${BT_IMAGE}:${BT_VERSION}
     container_name: ${BT_CONTAINER_NAME}
     restart: ${BT_RESTART_POLICY}
-    environment:
-      CROWDSEC_BOUNCER_API_KEY: uT3zy+bBevD4kQkEuxGEMrjWnW1yjHjqOw+8AbxPJIQ # docker exec -t crowdsec cscli bouncers add traefik-bouncer
-      CROWDSEC_AGENT_HOST: ${CROWDSEC_CONTAINER_NAME}:8080
+    env_file:
+    - path: ./traefik-bouncer.env
     networks:
       - proxy
-      #proxy:
-        #ipv4_address: ${BT_IP} 
-#    depends_on:
-#      - crowdsec
     security_opt:
       - no-new-privileges:true

docker/compose/dc-traefik.yml

@@ -1,3 +1,11 @@
+########################### SECRETS
+secrets:
+  cloudflare_email:
+    file: ${SECRETSDIR}/cloudflare_email
+  cloudflare_api_key:
+    file: ${SECRETSDIR}/cloudflare_api_key
+  cloudflare_api_token:
+    file: ${SECRETSDIR}/cloudflare_dns_api_token
 services:
   # Traefik 2 - Reverse Proxy
   # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
@@ -12,9 +20,7 @@ services:
       - no-new-privileges:true
     networks:
       proxy:
-        ipv4_address: ${TRAEFIK_IP0} # You can specify a static IP
       socket_proxy:
-        ipv4_address: ${TRAEFIK_IP1}
     ports:
       - 80:80
       - 443:443
@@ -23,15 +29,16 @@ services:
     #  required: true # default
     #- path: ./override.env
     #  required: false
-    #environment:
-    #  - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
-    #  - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
+    environment:
+      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
+      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
+      - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
     command: # CLI arguments
       - --global.checkNewVersion=true
       - --global.sendAnonymousUsage=false #true
       - --entryPoints.http.address=:80
       - --entrypoints.http.http.redirections.entryPoint.to=https
-      #- --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
+      - --entrypoints.http.http.middlewares=middlewares-crowdsec-bouncer@file
       - --entryPoints.https.address=:443
       - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
 #      - --entryPoints.traefik.address=:8080
@@ -43,7 +50,7 @@ services:
       #(- --pilot.token=$TRAEFIK_PILOT_TOKEN)
       - --serversTransport.insecureSkipVerify=true
       - --log=true
-      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+      - --log.level=DEBUG #INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
       - --log.filePath= /var/log/traefik/traefik.log
       - --accessLog=true
       - --accessLog.filePath=/var/log/traefik/access.log
@@ -70,9 +77,8 @@ services:
       - --entrypoints.https.http.tls.domains[3].sans=*.$DOMAINNAME3 # Pulls wildcard cert for second domain
       - --providers.docker.network=proxy
       - --providers.file.directory=/config # Load dynamic configuration from one or more .toml or .yml files in a directory
-     #(- --providers.file.filename=/path/to/file # Load dynamic configuration from a file)
       - --providers.file.watch=true # Only works on top level files in the rules folder
-      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
+      #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
       - --certificatesResolvers.$CERTRESOLVER.acme.email=${CF_API_EMAIL}
       - --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
       - --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=${DNS_PROVIDER}
@@ -88,18 +94,20 @@ services:
       - ${DOCKERDIR}/traefik/config:/config:ro # file provider directory
       - ${DOCKERDIR}/traefik/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
       - ${DOCKERDIR}/traefik/logs:/var/log/traefik # for crowdsec - make sure to touch file before starting container
-    #secrets:
-    #  - cloudflare_email
+    secrets:
+      - cloudflare_email
+      - cloudflare_api_key
+      - cloudflare_api_token
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.traefik.entrypoints=http"
-      - "traefik.http.routers.traefik.rule=Host(`test-proxy.${DOMAINNAME1}`)"
+      - "traefik.http.routers.traefik.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
       - "traefik.http.middlewares.traefik-auth.basicauth.users=${BASICAUTHUSER}"
       - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
       - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
       - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
       - "traefik.http.routers.traefik-secure.entrypoints=https"
-      - "traefik.http.routers.traefik-secure.rule=Host(`test-proxy.${DOMAINNAME1}`)"
+      - "traefik.http.routers.traefik-secure.rule=Host(`${PROXYNAME}.${DOMAINNAME1}`)"
       - "traefik.http.routers.traefik-secure.middlewares=chain-no-auth@file"
       #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
       - "traefik.http.routers.traefik-secure.service=api@internal"

docker/compose/traefik-bouncer.env

@@ -0,0 +1,3 @@
+CROWDSEC_BOUNCER_API_KEY: DCorbNfoRexKZR7QGyhdkiBgmvATNMKTZZh2fVpTvSo # docker exec -t crowdsec cscli bouncers add traefik-bouncer
+CROWDSEC_AGENT_HOST: ${CROWDSEC_CONTAINER_NAME}:8080
+GIN_MODE: release

docker/docker-compose.yml

@@ -1,29 +1,15 @@
 ########################### NETWORKS
 # There is no need to create any networks outside this docker-compose file.
-# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
-# Docker Compose version 3.5 or higher required to define networks this way.
 networks:
   proxy:
     name: proxy
     driver: bridge
-    ipam:
-      config:
-        - subnet: $PROXY_SUBNET
-          gateway: $PROXY_GATEWAY
   socket_proxy:
     name: socket_proxy
     driver: bridge
-    ipam:
-      config:
-        - subnet: $SOCKET_PROXY_SUBNET
-          gateway: $SOCKET_PROXY_GATEWAY
 
 ########################### SECRETS
 #secrets:
-#  cloudflare_email:
-#    file: ${SECRETSDIR}/cloudflare_email
-  #cloudflare_api_token:
-  #  file: ${SECRETSDIR}/cloudflare_api_token
   #authelia_jwt_secret:
   #  file: $SECRETSDIR/authelia_jwt_secret
   #authelia_session_secret:

docker/proxy/.env

@@ -0,0 +1,62 @@
+COMPOSE_PROJECT_NAME=proxy
+
+##### SYSTEM
+PUID=1000
+PGID=1000
+TZ=Europe/HelsinkI
+
+#USERDIR=/home/gurulandia
+DOCKERDIR=/gurulandia/data
+SECRETSDIR=/gurulandia/docker-shared/secrets
+
+##### ProxyName
+PROXYNAME=proxy
+
+##### DOMAIN
+DOMAINNAME0=gurulandia.eu
+DOMAINNAME1=lab.gurulandia.eu
+DOMAINNAME2=gurulandia.fi
+DOMAINNAME3=home.gurulandia.fi
+
+
+##### Traefik Container
+TRAEFIK_CONTAINER_NAME=traefik
+TRAEFIK_IMAGE=traefik
+TRAEFIK_VERSION=latest
+TRAEFIK_RESTART_POLICY=unless-stopped
+
+##### socket-proxy Container
+SOCKET_PROXY_CONTAINER_NAME=socket-proxy
+SOCKET_PROXY_IMAGE=ghcr.io/tecnativa/docker-socket-proxy
+SOCKET_PROXY_VERSION=latest
+SOCKET_PROXY_RESTART_POLICY=always
+
+DOCKER_ENDPOINT=tcp://${SOCKET_PROXY_CONTAINER_NAME}:2375
+
+BASICAUTHUSER=gurulandia:$$apr1$$kBqxEDFb$$aOgGWvLwFUDhSymDy430m.
+# create basic auth with: echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
+
+##### trustedIPs
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+
+##### Certificate
+CF_API_EMAIL=gurulandia@outlook.com
+
+CERTRESOLVER=dns-cloudflare
+DNS_PROVIDER=cloudflare
+RESOLVER0=1.1.1.1:53
+RESOLVER1=1.0.0.1:53
+
+##### Crowdsec Container
+CROWDSEC_CONTAINER_NAME=crowdsec
+CROWDSEC_IMAGE=crowdsecurity/crowdsec
+CROWDSEC_VERSION=latest
+CROWDSEC_RESTART_POLICY=unless-stopped
+
+##### bouncer-traefik Container
+BT_CONTAINER_NAME=bouncer-traefik
+BT_IMAGE=docker.io/fbonalair/traefik-crowdsec-bouncer
+BT_VERSION=latest
+BT_RESTART_POLICY=unless-stopped
+GIN_MODE=release

docker/proxy/docker-compose.yml

@@ -0,0 +1,17 @@
+########################### NETWORKS
+# There is no need to create any networks outside this docker-compose file.
+networks:
+  proxy:
+    name: proxy
+    driver: bridge
+  socket_proxy:
+    name: socket_proxy
+    driver: bridge
+
+# Docker Compose v2.20 or greater required to use "include"
+include:
+########################### SERVICES
+  - ../compose/dc-traefik.yml
+  - ../compose/dc-socket-proxy.yml
+  - ../compose/dc-crowdsec.yml
+  - ../compose/dc-traefik-bouncer.yml