⚡ mprove traefik

2024-06-29 18:45:38 +02:00 · 2023-10-04 07:19:03 +02:00 · 2023-10-04 07:19:03 +02:00 · f9974dbdb3
commit f9974dbdb3
parent e545efa02f
9 changed files with 144 additions and 52 deletions
--- a/traefik/README.md
+++ b/traefik/README.md
@ -1,13 +1,40 @@
 # Installation

+Prerequisites,
+
+```bash
+sudo apt install apache2-utils
+```
+
 ```
 git clone https://github.com/atareao/self-hosted.git
 cd self-hosted/traefik
+```
+
+Change `FQDN` for your server in `.env`,
+
+```bash
 cp sample.env .env
-cp sample.traefik.yml traefik.yml
-touch acme.json
-chmod 600 acme.json
-htpasswd -nb usuario contraseña >> users.txt
+```
+
+
+Generate credentials for your user,
+
+```bash
+htpasswd -nb usuario contraseña >> config/users.txt
+```
+
+
+Change the email for letsencrypt,
+
+```bash
+sed -i "s/tu@correo.es/<tu-correo>/g" config/traefik.yml
+```
+
+
+
+
+```bash
 docker network create proxy
 docker-compose up -d
 docker-compose logs -f
--- a/traefik/config/acme.json
+++ b/traefik/config/acme.json
--- a/traefik/config/dynamic.yml
+++ b/traefik/config/dynamic.yml
@ -0,0 +1,26 @@
+http:
+  middlewares:
+    myauth:
+      basicAuth:
+        users:
+          - "user:XXXXXXXXXXXXXXXXXXXXXX"
+#    torblock:
+#      plugin:
+#        torblock:
+#          enabled: true
+#    mygeoblock:
+#      plugin:
+#        GeoBlock:
+#          allowLocalRequests: true
+#          logLocalRequests: false
+#          logAllowedRequests: false
+#          logApiRequests: false
+#          api: "https://get.geojs.io/v1/ip/country/{ip}"
+#          apiTimeoutMs: 500
+#          cacheSize: 25
+#          forceMonthlyUpdate: true
+#          allowUnknownCountries: false
+#          unknownCountryApiResponse: "nil"
+#          countries:
+#            - ES
+#            - US
--- a/traefik/config/traefik.yml
+++ b/traefik/config/traefik.yml
@ -0,0 +1,71 @@
+api:
+  dashboard: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certresolver: letsencrypt
+      # middlewares:
+      #  - mygeoblock@file
+      #  - torblock@file
+
+serversTransport:
+  maxIdleConnsPerHost: 1
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: true
+    network: proxy
+  file:
+    filename: /dynamic.yml
+
+log:
+  level: INFO
+  filePath: "/var/log/traefik/traefik.log"
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  bufferingSize: 100
+  fields:
+    defaultMode: keep
+    names:
+      ClientUsername: keep
+    headers:
+      defaultMode: keep
+      names:
+        Content-Type: keep
+        X-Forwarded-For: keep
+  filters:
+    statusCodes:
+      - "300-302"
+      - "400-409"
+    retryAttempts: true
+    minDuration: "10ms"
+
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: tu@correo.es
+      storage: acme.json
+      httpChallenge:
+        entryPoint: web
+
+#experimental:
+#  plugins:
+#    GeoBlock:
+#      moduleName: "github.com/PascalMinder/geoblock"
+#      version: "v0.2.5"
+#    torblock:
+#      moduleName: "github.com/jpxd/torblock"
+#      version: "v0.1.1"
--- a/traefik/config/users.txt
+++ b/traefik/config/users.txt
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@ -1,9 +1,10 @@
-version: '3'
+version: "3.7"

 services:
  traefik:
-    image: traefik:v2.7.1
+    image: traefik:v2.10
    container_name: traefik
+    init: true
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
@ -12,22 +13,25 @@ services:
    ports:
      - 80:80
      - 443:443
+    environment:
+      - TZ=Europe/Madrid
    volumes:
-      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik.yml:/traefik.yml:ro
-      - ./users.txt:/users.txt:ro
-      - ./acme.json:/acme.json
+      - ./config/traefik.yml:/traefik.yml:ro
+      - ./config/dynamic.yml:/dynamic.yml:ro
+      - ./config/users.txt:/users.txt:ro
+      - ./config/acme.json:/acme.json
+      - logs:/var/log/traefik
    labels:
      - traefik.enable=true
-      - traefik.http.middlewares.basicauth.basicauth.usersfile=/users.txt
+      - traefik.http.services.traefik.loadbalancer.server.port=80
      - traefik.http.routers.traefik-secure.entrypoints=websecure
-      - traefik.http.routers.traefik-secure.rule=Host(`${HOSTNAME}`)
-      - traefik.http.routers.traefik-secure.middlewares=basicauth
-      - traefik.http.routers.traefik-secure.tls=true
-      - traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt
+      - traefik.http.routers.traefik-secure.rule=Host(`${FQDN}`)
+      - traefik.http.routers.traefik-secure.middlewares=myauth@file
      - traefik.http.routers.traefik-secure.service=api@internal

+volumes:
+  logs: {}

 networks:
  proxy:
--- a/traefik/sample.env
+++ b/traefik/sample.env
@ -1 +1 @@
-HOSTNAME=traefik.tuservidor.es
+FQDN=traefik.tuservidor.es
--- a/traefik/sample.traefik.yml
+++ b/traefik/sample.traefik.yml
@ -1,35 +0,0 @@
-api:
-  dashboard: true
-
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          permanent: true
-  websecure:
-    address: ":443"
-  git:
-    address: ":2222"
-
-serversTransport:
-  maxIdleConnsPerHost: 1
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-    network: proxy
-
-log:
-  level: INFO
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      email: tucorreo@electronico.es
-      storage: acme.json
-      httpChallenge:
-        entryPoint: web
--- a/traefik/sample.users.txt
+++ b/traefik/sample.users.txt
@ -1 +0,0 @@
-admin:$apr1$vDMyFYgA$PAoUx5F1Y5ZLdCGWLx62y/