Merge pull request #16 from codeagencybe/main

Fabio | Feature | Traefik reverse proxy
2025-11-04 15:19:22 +01:00 · 2024-01-20 05:16:28 -07:00
parent 7568dbc44f 5620db94a1
commit 2f1f6fc63b
5 changed files with 90 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -144,6 +144,7 @@ ODOO_PROFILES="odoo"
 POSTGRES_PROFILES="postgres"
 NGINX_PROFILES="nginx"
 NGINX_PROXY_PROFILES="proxy"
+TRAEFIK_PROFILES="traefik"
 ACME_COMPANION_PROFILES="acme"
 KEYDB_PROFILES="keydb"
 MINIO_PROFILES="minio"
@@ -156,6 +157,7 @@ KEYDB_TAG=latest
 MINIO_TAG=latest
 NGINX_TAG=1.25.3
 NGINX_PROXY_TAG=1.4.0
+TRAEFIK_TAG=2.11
 ACME_COMPANION_TAG=2.2.9
 PGADMIN_TAG=8.1

@@ -313,6 +315,40 @@ POSTGRES_USER=${POSTGRES_MAIN_USER}
 POSTGRES_PASSWORD=${POSTGRES_MAIN_PASSWORD}
 PGDATA=/var/lib/postgresql/data/${PROJECT_NAME}

+#---------------#
+#    Traefik    #
+#---------------#
+# Volumes
+ACME_JSON=/acme.json
+TRAEFIK_LOGS=/var/log/traefik
+
+# Command
+API_DASHBOARD=true
+API_INSECURE=true
+API_DEBUG=false
+ENTRYPOINTS_WEB_ADDRESS=:80
+ENTRYPOINTS_WEBSECURE_ADDRESS=:443
+TRAEFIK_LOG_LEVEL=INFO
+ACCESSLOG_FILEPATH=${TRAEFIK_LOGS}/access.log
+ACME_HTTPCHALLENGE=true
+ACME_HTTPCHALLENGE_ENTRYPOINT=web
+ACME_EMAIL=mail@example.com
+ACME_STORAGE=${ACME_JSON}
+# For prod use: https://acme-v02.api.letsencrypt.org/directory
+ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
+INSERCURE_SKIP_VERIFY=true
+
+# Labels
+TRAEFIK_ENABLE=true
+HTTP_CATCHALL_ENTRYPOINTS=web
+HTTP_CATCHALL_MIDDLEWARES=redirect-to-https
+MIDDLEWARES_REDIRECT_SCHEME=https
+
+TRAEFIK_DASHBOARD_DOMAIN=traefik.odoocker.test
+TRAEFIK_DASHBOARD_ENTRYPOINTS=websecure
+TRAEFIK_DASHBOARD_TLS_CERTRESOLVER=leresolver
+TRAEFIK_DASHBOARD_SERVICE=api@internal
+
 #-------------#
 #    Nginx    #
 #-------------#
--- a/docker-compose.override.local.yml
+++ b/docker-compose.override.local.yml
@@ -21,6 +21,12 @@ services:
      - 80:80
      - 443:443

+  traefik: 
+    restart: 'no'
+    ports:
+      - 80:80
+      - 443:443
+
  letsencrypt:
    restart: 'no'

--- a/docker-compose.override.production.yml
+++ b/docker-compose.override.production.yml
@@ -21,6 +21,24 @@ services:
      - 80:80
      - 443:443

+  traefik: 
+    restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+    command:
+      - --entrypoints.websecure.address=${ENTRYPOINTS_WEBSECURE_ADDRESS}
+      - --certificatesresolvers.leresolver.acme.httpchallenge=${ACME_HTTPCHALLENGE}
+      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=${ACME_HTTPCHALLENGE_ENTRYPOINT}
+      - --certificatesresolvers.leresolver.acme.email=${ACME_EMAIL}
+      - --certificatesresolvers.leresolver.acme.storage=${ACME_STORAGE}
+      - --certificatesresolvers.leresolver.acme.caserver=${ACME_CASERVER}
+    labels:
+      - traefik.http.routers.http-catchall.middlewares=${HTTP_CATCHALL_MIDDLEWARES}
+      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=${MIDDLEWARES_REDIRECT_SCHEME}
+      - traefik.http.routers.traefik-dashboard.entrypoints=${TRAEFIK_DASHBOARD_ENTRYPOINTS}
+      - traefik.http.routers.traefik-dashboard.tls.certresolver=${TRAEFIK_DASHBOARD_TLS_CERTRESOLVER}
+
  letsencrypt:
    restart: unless-stopped

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -117,6 +117,35 @@ services:
      - internal
    profiles: [$NGINX_PROXY_PROFILES]

+  traefik:
+    container_name: traefik
+    image: "traefik:${TRAEFIK_TAG}"
+    networks:
+      - internal
+    command:
+      - --api.dashboard=${API_DASHBOARD}
+      - --api.insecure=${API_INSECURE}
+      - --api.debug=${API_DEBUG}
+      - --entrypoints.web.address=${ENTRYPOINTS_WEB_ADDRESS}
+      - --providers.docker
+      - --log.level=${TRAEFIK_LOG_LEVEL}
+      - --accesslog.filepath=${ACCESSLOG_FILEPATH}
+      - --serversTransport.insecureSkipVerify=${INSERCURE_SKIP_VERIFY}
+    tty: true
+    volumes:
+      - ${DOCKER_SOCK}:${DOCKER_SOCK}:ro
+      - ./acme.json:${ACME_JSON}
+      - traefik_logs:${TRAEFIK_LOGS}
+    labels:
+      - traefik.enable=${TRAEFIK_ENABLE}
+      # Catch all HTTP trafic and redirect it to HTTPS
+      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
+      - traefik.http.routers.http-catchall.entrypoints=${HTTP_CATCHALL_ENTRYPOINTS}
+      # Traefik Dashboard route
+      - traefik.http.routers.traefik-dashboard.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)
+      - traefik.http.routers.traefik-dashboard.service=${TRAEFIK_DASHBOARD_SERVICE}
+    profiles: [$TRAEFIK_PROFILES]
+
  letsencrypt:
    image: nginxproxy/acme-companion:${ACME_COMPANION_TAG}
    depends_on:
@@ -216,6 +245,7 @@ volumes:
  vhost:
  certs:
  acme:
+  traefik_logs:

 networks:
  internal:
--- a/traefik/acme.json
+++ b/traefik/acme.json