Replace nginx reverse proxy by traefik

2025-12-25 13:46:59 +01:00 · 2018-04-25 15:26:28 +02:00 · 2018-04-25 15:26:28 +02:00 · cfaa48e02a
commit cfaa48e02a
parent fd30d66ffb
30 changed files with 271 additions and 161 deletions
--- a/roles/traefik-proxy-docker/files/traefik/data/traefik.toml
+++ b/roles/traefik-proxy-docker/files/traefik/data/traefik.toml
@ -0,0 +1,40 @@
+debug = false
+
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+  [entryPoints.https.tls]
+  [entryPoints.traefik]
+  address = ":8080"
+
+# Activate API and Dashboard
+[api]
+entryPoint = "traefik"
+dashboard = true
+
+[retry]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "banditlair.com"
+watch = true
+exposedbydefault = false
+
+[acme]
+email = "letsencrypt.account@banditlair.com"
+storage = "acme.json"
+entryPoint = "https"
+OnHostRule = true
+[acme.httpChallenge]
+entryPoint = "http"
+
+[[acme.domains]]
+main = "banditlair.com"
+sans = ["mail.banditlair.com"]
--- a/roles/traefik-proxy-docker/files/traefik/docker-compose.yml
+++ b/roles/traefik-proxy-docker/files/traefik/docker-compose.yml
@ -0,0 +1,49 @@
+version: '3'
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:1.6.0-rc6-alpine
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/etc/traefik
+      - ./certs/acme.json:/acme.json
+    labels:
+      - "traefik.backend=traefik"
+      - "traefik.docker.network=web"
+      - "traefik.frontend.rule=Host:traefik.banditlair.com"
+      - "traefik.enable=true"
+      - "traefik.port=8080"
+      - "traefik.default.protocol=http"
+      - "traefik.frontend.auth.basic=admin:${TRAEFIK_DASHBOARD_PASSWORD_HASH}"
+    networks:
+      - web
+    restart: always
+
+  # Watch acme.json and dump certificates to files
+  certdumper:
+    container_name: traefik_certdumper
+    image: alpine:latest
+    depends_on:
+      - traefik
+    restart: unless-stopped
+    volumes:
+      - ./certs:/traefik
+    command: >
+      ash -c " \
+        apk --no-cache add inotify-tools jq openssl util-linux bash && \
+        wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh && \
+        mkdir -p /traefik/ssl/ && \
+        while true; do \
+          inotifywait -e modify /traefik/acme.json && \
+            bash dumpcerts.sh /traefik/acme.json /traefik/ssl/ && \
+            ln -f /traefik/ssl/certs/* /traefik/ssl/ && \
+            ln -f /traefik/ssl/private/* /traefik/ssl/; \
+        done"
+
+networks:
+  web:
+    external: true