traefik: ausbau nforwardauth + error-pages (#560)
Reviewed-on: #560 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
This commit is contained in:
parent
ef771f4bd0
commit
fe494f1819
7 changed files with 6 additions and 85 deletions
|
@ -19,15 +19,6 @@ services:
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: true
|
com.centurylinklabs.watchtower.enable: true
|
||||||
|
|
||||||
traefik.http.routers.homer.rule: Host(`www.mgrote.net`,`mgrote.net`)
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.homer.tls: true
|
|
||||||
traefik.http.routers.homer.tls.certresolver: resolver_letsencrypt
|
|
||||||
traefik.http.routers.homer.entrypoints: entry_https
|
|
||||||
traefik.http.services.homer.loadbalancer.server.port: 8080
|
|
||||||
|
|
||||||
traefik.http.routers.homer.middlewares: nforwardauth
|
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
traefik:
|
traefik:
|
||||||
|
|
|
@ -29,8 +29,6 @@ services:
|
||||||
traefik.http.routers.miniflux.entrypoints: entry_https
|
traefik.http.routers.miniflux.entrypoints: entry_https
|
||||||
traefik.http.services.miniflux.loadbalancer.server.port: 8080
|
traefik.http.services.miniflux.loadbalancer.server.port: 8080
|
||||||
|
|
||||||
traefik.http.routers.miniflux.middlewares: error-pages-middleware
|
|
||||||
|
|
||||||
com.centurylinklabs.watchtower.enable: true
|
com.centurylinklabs.watchtower.enable: true
|
||||||
com.centurylinklabs.watchtower.depends-on: mf-db
|
com.centurylinklabs.watchtower.depends-on: mf-db
|
||||||
|
|
||||||
|
|
|
@ -36,8 +36,6 @@ services:
|
||||||
traefik.http.routers.navidrome-mg.entrypoints: entry_https
|
traefik.http.routers.navidrome-mg.entrypoints: entry_https
|
||||||
traefik.http.services.navidrome-mg.loadbalancer.server.port: 4533
|
traefik.http.services.navidrome-mg.loadbalancer.server.port: 4533
|
||||||
|
|
||||||
traefik.http.routers.navidrome-mg.middlewares: error-pages-middleware
|
|
||||||
|
|
||||||
com.centurylinklabs.watchtower.enable: true
|
com.centurylinklabs.watchtower.enable: true
|
||||||
ports:
|
ports:
|
||||||
- "4533:4533"
|
- "4533:4533"
|
||||||
|
|
|
@ -28,7 +28,7 @@ services:
|
||||||
traefik.http.routers.registry.entrypoints: entry_https
|
traefik.http.routers.registry.entrypoints: entry_https
|
||||||
traefik.http.services.registry.loadbalancer.server.port: 5000
|
traefik.http.services.registry.loadbalancer.server.port: 5000
|
||||||
|
|
||||||
traefik.http.routers.registry.middlewares: error-pages-middleware,registry-ipwhitelist
|
traefik.http.routers.registry.middlewares: registry-ipwhitelist
|
||||||
|
|
||||||
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
|
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
|
||||||
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
|
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
|
||||||
|
|
|
@ -29,74 +29,6 @@ services:
|
||||||
# beim Einsatz von nforwardauth:
|
# beim Einsatz von nforwardauth:
|
||||||
# Beispiel: YYYYY
|
# Beispiel: YYYYY
|
||||||
|
|
||||||
# Middleware default
|
|
||||||
# enthält Rate-Limiting, Error-Pages und ZZZ?
|
|
||||||
|
|
||||||
|
|
||||||
######## error-pages ########
|
|
||||||
# https://github.com/tarampampam/error-pages/wiki/Traefik-(docker-compose)
|
|
||||||
error-pages:
|
|
||||||
container_name: "traefik-error-pages"
|
|
||||||
image: tarampampam/error-pages:2
|
|
||||||
restart: always
|
|
||||||
environment:
|
|
||||||
TEMPLATE_NAME: ghost
|
|
||||||
labels:
|
|
||||||
com.centurylinklabs.watchtower.depends-on: traefik
|
|
||||||
com.centurylinklabs.watchtower.enable: true
|
|
||||||
|
|
||||||
traefik.enable: true
|
|
||||||
# use as "fallback" for any NON-registered services (with priority below normal)
|
|
||||||
traefik.http.routers.error-pages-router.rule: HostRegexp(`{host:.+}`)
|
|
||||||
traefik.http.routers.error-pages-router.priority: 10
|
|
||||||
# should say that all of your services work on https
|
|
||||||
traefik.http.routers.error-pages-router.entrypoints: entry_https
|
|
||||||
traefik.http.routers.error-pages-router.middlewares: error-pages-middleware
|
|
||||||
# "errors" middleware settings
|
|
||||||
traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
|
|
||||||
traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
|
|
||||||
traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
|
|
||||||
# define service properties
|
|
||||||
traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
|
|
||||||
depends_on:
|
|
||||||
- traefik
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
|
|
||||||
######## nforwardauth ########
|
|
||||||
# https://github.com/NOSDuco/nforwardauth
|
|
||||||
nforwardauth:
|
|
||||||
container_name: "traefik-nforwardauth"
|
|
||||||
image: nosduco/nforwardauth:v1
|
|
||||||
restart: always
|
|
||||||
depends_on:
|
|
||||||
- traefik
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
volumes:
|
|
||||||
- ./passwd:/passwd:ro # Mount local passwd file at /passwd as ready only
|
|
||||||
environment:
|
|
||||||
TOKEN_SECRET: {{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') }} # Secret to use when signing auth token
|
|
||||||
AUTH_HOST: auth.mgrote.net
|
|
||||||
#COOKIE_DOMAIN: mgrote.net # Set domain for the cookies. This value will allow cookie and auth on *.yourdomain.com (including base domain)
|
|
||||||
PORT: 3000 # Set specific port to listen on
|
|
||||||
labels:
|
|
||||||
com.centurylinklabs.watchtower.depends-on: traefik
|
|
||||||
com.centurylinklabs.watchtower.enable: true
|
|
||||||
|
|
||||||
traefik.enable: true
|
|
||||||
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
|
|
||||||
|
|
||||||
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
|
|
||||||
|
|
||||||
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
|
|
||||||
traefik.http.routers.nforwardauth.tls: true
|
|
||||||
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
|
|
||||||
traefik.http.routers.nforwardauth.entrypoints: entry_https
|
|
||||||
|
|
||||||
# traefik.http.routers.nforwardauth.middlewares: error-pages-middleware
|
|
||||||
|
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
traefik:
|
traefik:
|
||||||
|
|
|
@ -25,8 +25,6 @@ http:
|
||||||
- entry_https
|
- entry_https
|
||||||
tls:
|
tls:
|
||||||
certresolver: resolver_letsencrypt
|
certresolver: resolver_letsencrypt
|
||||||
middlewares:
|
|
||||||
- error-pages-middleware@docker
|
|
||||||
router_gitea:
|
router_gitea:
|
||||||
rule: "Host(`git.mgrote.net`)"
|
rule: "Host(`git.mgrote.net`)"
|
||||||
service: "service_gitea"
|
service: "service_gitea"
|
||||||
|
|
|
@ -9,7 +9,11 @@ services:
|
||||||
- traefik
|
- traefik
|
||||||
labels:
|
labels:
|
||||||
traefik.http.routers.whoami.rule: Host(`whoami.mgrote.net`)
|
traefik.http.routers.whoami.rule: Host(`whoami.mgrote.net`)
|
||||||
traefik.http.routers.whoami.middlewares: nforwardauth
|
traefik.http.routers.whoami.middlewares: whoami-ipwhitelist
|
||||||
|
|
||||||
|
traefik.http.middlewares.whoami-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
|
||||||
|
|
||||||
|
traefik.http.middlewares.whoami-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.http.routers.whoami.tls: true
|
traefik.http.routers.whoami.tls: true
|
||||||
traefik.http.routers.whoami.tls.certresolver: resolver_letsencrypt
|
traefik.http.routers.whoami.tls.certresolver: resolver_letsencrypt
|
||||||
|
|
Loading…
Reference in a new issue