Enhance Traefik config for secure redirections
Enabled dashboard and debug API settings for easier monitoring and troubleshooting. Introduced HTTP to HTTPS redirection for improved security. Updated certificate resolver email and enabled Docker provider to ensure proper certificate acquisition. Adjusted TLS settings for better domain control and certificate management. These changes aim to enhance the security and manageability of the Traefik setup.
yousecjoe committed Oct 8, 2024
1 parent f037e54 commit f477a54
Showing 2 changed files with 32 additions and 39 deletions.
45 changes: 20 additions & 25 deletions src/docker/containers/traefik/data/traefik.yml
@@ -1,52 +1,47 @@
#api:
# dashboard: true
# insecure: true
# debug: true
api:
dashboard: true
insecure: true
debug: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https

websecure:
address: ":443"

certificatesResolvers:
myresolver:
acme:
email: "${EMAIL}"
email: "[email protected]"
storage: /letsencrypt/acme.json
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
httpChallenge:
# used during the challenge
entryPoint: web


http:
routers:
blog:
rule: "Host(`home.youngsecurity.net`) && Path(`/`)"
rule: "Host(`*.home.youngsecurity.net`) && Path(`/`)"
tls:
certResolver: myresolver
#entryPoints:
# web:
# address: ":80"
# http:
# redirections:
# entryPoint:
# to: websecure
# scheme: https
# websecure:
# address: ":443"


#serversTransport:
# insecureSkipVerify: true
#providers:
# docker:
# endpoint: "unix:///var/run/docker.sock"
# exposedByDefault: false
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
# file:
# filename: /config.yml
#certificatesResolvers:
# youngsecurity:
# acme:
# email: "${EMAIL}"
# storage: /letsencrypt/acme.json


# cloudflare:
# acme:
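Review bot: `insecure: true` in the new `api:` block (together with `debug: true`) serves the dashboard plus the `/api` and `/debug` endpoints without any authentication on Traefik's internal `traefik` entrypoint, and the compose file in this same commit still publishes that port as `"8080:8080"` on every host interface, which bypasses the `traefik-auth` basicauth middleware the labels attach to the `traefik-secure` router. Unless the host is unreachable from anything untrusted, set `insecure: false` (or drop the key) and reach the dashboard only through the authenticated router, or at minimum bind the mapping to loopback with `"127.0.0.1:8080:8080"`. The `blog` router rule `Host(`*.home.youngsecurity.net`)` also looks wrong: as far as I know Traefik's `Host` matcher compares literal hostnames, so a wildcard there matches nothing (`HostRegexp` is the matcher for patterns), the router declares no `service`, and since this file is mounted as the static configuration at `/etc/traefik/traefik.yml` I believe an `http:` routers section belongs in a dynamic (file-provider) config and is rejected here — confirm against the Traefik startup log. The literal address replacing `"${EMAIL}"` on the `email:` line also commits a personal e-mail to the repository. The hunk continues past the visible lines.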
26 changes: 12 additions & 14 deletions src/docker/containers/traefik/docker-compose.yml
Expand Up @@ -5,19 +5,18 @@ services:
container_name: traefik
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
#- "--api.insecure=true"
#- "--providers.docker=true"
#- "--providers.docker.exposedbydefault=false"
#- "--entryPoints.web.address=:80"
#- "--entryPoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
#- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
#- "--certificatesresolvers.myresolver.acme.email=${EMAIL}"
#- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80" # For HTTP (usually serves HTTP/1.1 traffic)
- "8080:8080" # Web UI
- "443:443"
- "443:443/tcp" # For HTTPS (HTTP/2 or fallback to HTTP/1.1 via TLS over TCP)
- "443:443/udp" # For HTTP/3 (which runs over QUIC using UDP)
restart: unless-stopped
Expand All @@ -36,12 +35,12 @@ services:
volumes:
#- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
#- ./data/traefik.yml:/etc/traefik/traefik.yml:ro
- ./data/traefik.yml:/etc/traefik/traefik.yml:ro
- ./data/letsencrypt:/letsencrypt
# - ./data/config.yml:/config.yml:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=web"
#- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_RULE}"
- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
Expand All @@ -51,11 +50,10 @@ services:
- "traefik.http.routers.traefik-secure.rule=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_RULE}"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
#- "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}"
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
#- "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
- "traefik.http.routers.traefik-secure.tls.certresolver=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_CERTRESOLVER}"
#- "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_MAIN}"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_TLS_DOMAINS_0_SANS}"
- "traefik.http.routers.traefik-secure.service=${TRAEFIK_HTTP_ROUTERS_TRAEFIK_SECURE_SERVICE}"

whoami:
Expand All @@ -65,7 +63,7 @@ services:
macvlan255:
labels:
- "traefik.enable=true"
#- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.home.youngsecurity.net`)"
- "traefik.http.routers.whoami.tls=true"
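Review bot: The whoami labels now set `traefik.http.routers.whoami.entrypoints` twice (`web` on the newly uncommented line, then `websecure`); Docker labels are a key/value map, so the compose loader keeps only one of the two — presumably the later `websecure` — and the `web` entry is silently lost. With the HTTP→HTTPS redirection this commit configures on the `web` entrypoint in traefik.yml, the single line `- "traefik.http.routers.whoami.entrypoints=websecure"` is enough; if both were intended, write one label `entrypoints=web,websecure`. The new `"443:443/udp"` mapping only matters if HTTP/3 is enabled on the `websecure` entrypoint, which the traefik.yml hunk does not do, so it appears to publish a UDP port nothing listens on. Commenting out `traefik.http.routers.traefik.entrypoints=web` leaves the `traefik` router with no explicit entrypoint, which in Traefik attaches it to every entrypoint including `websecure`; confirm that is intended alongside the `traefik-https-redirect` middleware. The `services:` block continues outside the visible hunks.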