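---
# docker-compose stack: Traefik reverse proxy + error pages + forward-auth.
# This file is a Jinja2/Ansible template (see the keepass lookup below): it is
# rendered BEFORE it is parsed as YAML, so review the rendered output as well.
version: '3'

services:
  ######## traefik ########
  traefik:
    container_name: "traefik"
    # NOTE(review): watchtower (enabled below) pulls whatever "traefik:2.9"
    # currently points at. Pin an exact patch tag or an image digest if
    # unreviewed automatic upgrades of the edge proxy are a concern.
    image: traefik:2.9
    restart: always
    volumes:
      # The ":ro" flag only makes the socket file read-only; the Docker API
      # behind it still gives root-equivalent control of the host to anything
      # that gains code execution in this container. A docker-socket proxy
      # that exposes only the read endpoints Traefik needs limits the blast
      # radius.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./file-provider.yml:/etc/traefik/file-provider.yml
      # ACME account key and issued certificate private keys live here.
      - acme_data:/etc/traefik/acme
    networks:
      - traefik
    ports:
      - "80:80"      # HTTP
      # Traefik API/dashboard, published on ALL host interfaces.
      # NOTE(review): if traefik.yml sets `api.insecure: true` this is an
      # unauthenticated dashboard reachable from the network. Bind it to
      # "127.0.0.1:8081:8080" or publish it only through an authenticated
      # router (e.g. behind the nforwardauth middleware below) - confirm
      # against traefik.yml.
      - "8081:8080"  # Web-GUI
      - "443:443"    # HTTPS
      - "2222:2222"  # SSH (a TCP entrypoint for this is expected in traefik.yml)
    environment:
      TZ: Europe/Berlin
    labels:
      # Quoted: compose label values must be strings, and a bare `true` is
      # parsed as a YAML boolean (rejected by the v3 schema validator).
      com.centurylinklabs.watchtower.enable: "true"
    # TODO(original author): shared middlewares were meant to be defined here
    # and combined into a chain, e.g.
    #   traefik.http.middlewares.<name>.chain.middlewares: middleware1,middleware2,middleware3
    # CAVE: the order of middlewares inside a chain matters.
    # The intended "default" chain was rate limiting + error pages (+ something
    # still undecided); the usage examples were left as placeholders (XXXXX /
    # YYYYY, the latter for routers using nforwardauth). No chain exists yet -
    # routers below reference the individual middlewares directly.

  ######## error-pages ########
  # https://github.com/tarampampam/error-pages/wiki/Traefik-(docker-compose)
  error-pages:
    container_name: "traefik-error-pages"
    image: tarampampam/error-pages:2
    restart: always
    environment:
      TEMPLATE_NAME: ghost
    labels:
      com.centurylinklabs.watchtower.depends-on: traefik
      com.centurylinklabs.watchtower.enable: "true"
      traefik.enable: "true"
      # Catch-all "fallback" router for any host that no other router claims.
      # Priority is below the default so that every named router wins.
      traefik.http.routers.error-pages-router.rule: "HostRegexp(`{host:.+}`)"
      traefik.http.routers.error-pages-router.priority: 10
      # Only attached to the HTTPS entrypoint: all services are expected to be
      # served over HTTPS.
      # NOTE(review): no `tls` option is set on this router. In Traefik v2 a
      # router without TLS only matches plaintext requests, so this fallback
      # catches HTTPS requests only if traefik.yml enables TLS by default on
      # the entrypoint (entryPoints.entry_https.http.tls) - confirm.
      traefik.http.routers.error-pages-router.entrypoints: entry_https
      traefik.http.routers.error-pages-router.middlewares: error-pages-middleware
      # "errors" middleware: replace 4xx/5xx responses with the matching page
      # served by error-pages-service.
      traefik.http.middlewares.error-pages-middleware.errors.status: "400-599"
      traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
      traefik.http.middlewares.error-pages-middleware.errors.query: "/{status}.html"
      # service properties
      traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
    depends_on:
      - traefik
    networks:
      - traefik

  ######## nforwardauth ########
  # https://github.com/NOSDuco/nforwardauth
  nforwardauth:
    container_name: "traefik-nforwardauth"
    image: nosduco/nforwardauth:v1
    restart: always
    depends_on:
      - traefik
    networks:
      - traefik
    volumes:
      - ./passwd:/passwd:ro  # local passwd file (user database), mounted read-only
    environment:
      # Secret used to sign the auth token. Rendered through `to_json` so the
      # result is a correctly escaped YAML double-quoted string no matter which
      # characters the secret contains (a bare value that looks like a number or
      # boolean, or contains ": " / " #", would otherwise be mis-parsed).
      # NOTE(review): environment variables are readable via `docker inspect`
      # and by every process in the container; prefer a file-based secret if
      # the image supports one.
      TOKEN_SECRET: {{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') | to_json }}
      AUTH_HOST: auth.mgrote.net
      # COOKIE_DOMAIN: mgrote.net  # would allow cookie and auth on *.mgrote.net (including the base domain)
      PORT: "3000"  # port nforwardauth listens on
    labels:
      com.centurylinklabs.watchtower.depends-on: traefik
      com.centurylinklabs.watchtower.enable: "true"
      traefik.enable: "true"
      traefik.http.routers.nforwardauth.rule: "Host(`auth.mgrote.net`)"
      # forwardAuth middleware for other routers to reference. The hop to
      # nforwardauth stays on the internal docker network, hence plain http.
      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
      traefik.http.routers.nforwardauth.tls: "true"
      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.nforwardauth.entrypoints: entry_https
      # traefik.http.routers.nforwardauth.middlewares: error-pages-middleware

######## Networks ########
networks:
  traefik:
    external: true

######## Volumes ########
volumes:
  acme_data: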