From f9974dbdb30ba058c61a65c45bdaa141462ff225 Mon Sep 17 00:00:00 2001 From: Lorenzo Carbonell Date: Wed, 4 Oct 2023 07:19:03 +0200 Subject: [PATCH] :zap: mprove traefik --- traefik/README.md | 35 ++++++++++++++++--- traefik/config/acme.json | 0 traefik/config/dynamic.yml | 26 ++++++++++++++ traefik/config/traefik.yml | 71 ++++++++++++++++++++++++++++++++++++++ traefik/config/users.txt | 0 traefik/docker-compose.yml | 26 ++++++++------ traefik/sample.env | 2 +- traefik/sample.traefik.yml | 35 ------------------- traefik/sample.users.txt | 1 - 9 files changed, 144 insertions(+), 52 deletions(-) create mode 100644 traefik/config/acme.json create mode 100644 traefik/config/dynamic.yml create mode 100644 traefik/config/traefik.yml create mode 100644 traefik/config/users.txt delete mode 100644 traefik/sample.traefik.yml delete mode 100644 traefik/sample.users.txt diff --git a/traefik/README.md b/traefik/README.md index bbf0f57..9a5cbc0 100644 --- a/traefik/README.md +++ b/traefik/README.md @@ -1,13 +1,40 @@ # Installation +Prerequisites, + +```bash +sudo apt install apache2-utils +``` + ``` git clone https://github.com/atareao/self-hosted.git cd self-hosted/traefik +``` + +Change `FQDN` for your server in `.env`, + +```bash cp sample.env .env -cp sample.traefik.yml traefik.yml -touch acme.json -chmod 600 acme.json -htpasswd -nb usuario contraseƱa >> users.txt +``` + + +Generate credentials for your user, + +```bash +htpasswd -nb usuario contraseƱa >> config/users.txt +``` + + +Change the email for letsencrypt, + +```bash +sed -i "s/tu@correo.es//g" config/traefik.yml +``` + + + + +```bash docker network create proxy docker-compose up -d docker-compose logs -f diff --git a/traefik/config/acme.json b/traefik/config/acme.json new file mode 100644 index 0000000..e69de29 diff --git a/traefik/config/dynamic.yml b/traefik/config/dynamic.yml new file mode 100644 index 0000000..32c50d2 --- /dev/null +++ b/traefik/config/dynamic.yml 
@@ -0,0 +1,26 @@
+http:
+ middlewares:
+ myauth:
+ basicAuth:
+ users:
+ - "user:XXXXXXXXXXXXXXXXXXXXXX"
+# torblock:
+# plugin:
+# torblock:
+# enabled: true
+# mygeoblock:
+# plugin:
+# GeoBlock:
+# allowLocalRequests: true
+# logLocalRequests: false
+# logAllowedRequests: false
+# logApiRequests: false
+# api: "https://get.geojs.io/v1/ip/country/{ip}"
+# apiTimeoutMs: 500
+# cacheSize: 25
+# forceMonthlyUpdate: true
+# allowUnknownCountries: false
+# unknownCountryApiResponse: "nil"
+# countries:
+# - ES
+# - US
diff --git a/traefik/config/traefik.yml b/traefik/config/traefik.yml
new file mode 100644
index 0000000..51c0ac6
--- /dev/null
+++ b/traefik/config/traefik.yml
@@ -0,0 +1,71 @@
+api:
+ dashboard: true
+
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
+ websecure:
+ address: ":443"
+ http:
+ tls:
+ certresolver: letsencrypt
+ # middlewares:
+ # - mygeoblock@file
+ # - torblock@file
+
+serversTransport:
+ maxIdleConnsPerHost: 1
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: true
+ network: proxy
+ file:
+ filename: /dynamic.yml
+
+log:
+ level: INFO
+ filePath: "/var/log/traefik/traefik.log"
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+ bufferingSize: 100
+ fields:
+ defaultMode: keep
+ names:
+ ClientUsername: keep
+ headers:
+ defaultMode: keep
+ names:
+ Content-Type: keep
+ X-Forwarded-For: keep
+ filters:
+ statusCodes:
+ - "300-302"
+ - "400-409"
+ retryAttempts: true
+ minDuration: "10ms"
+
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: tu@correo.es
+ storage: acme.json
+ httpChallenge:
+ entryPoint: web
+
+#experimental:
+# plugins:
+# GeoBlock:
+# moduleName: "github.com/PascalMinder/geoblock"
+# version: "v0.2.5"
+# torblock:
+# moduleName: "github.com/jpxd/torblock"
+# version: "v0.1.1"
diff --git a/traefik/config/users.txt b/traefik/config/users.txt
new file mode 100644
index 0000000..e69de29
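Review bot: The `myauth` middleware defines its credentials as an inline `users` list holding the placeholder `"user:XXXXXXXXXXXXXXXXXXXXXX"`, so the credentials the README tells the operator to generate into `config/users.txt` (which the compose file mounts at `/users.txt`) are never consulted. The placeholder is not a valid htpasswd entry, so the dashboard router that references `myauth@file` presumably rejects every login as committed. Replace the list with the file reference the old compose label already used, `basicAuth:` / `  usersFile: /users.txt`, and drop the placeholder entry so no sample credential is shipped in the config.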
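Review bot: `exposedByDefault: true` under `providers.docker` makes Traefik publish a router for every container the mounted Docker socket can see, not only those carrying `traefik.enable=true`; the `sample.traefik.yml` this commit deletes had it set to `false`, and the compose file already opts the traefik container in explicitly, so the opt-in model keeps working with `exposedByDefault: false`. `storage: acme.json` is a relative path while the compose file mounts the file at `/acme.json`; it presumably resolves only because the image's working directory is `/`, so `storage: /acme.json` would be more robust. Separately, `email: tu@correo.es` is a placeholder and the README's `sed -i "s/tu@correo.es//g" config/traefik.yml` deletes it rather than replacing it, leaving `email:` empty; the sed expression needs a replacement value (constructed example: `s/tu@correo.es/admin@example.com/`).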
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml index f5fc661..d5a4d69 100644 --- a/traefik/docker-compose.yml +++ b/traefik/docker-compose.yml @@ -1,9 +1,10 @@ -version: '3' +version: "3.7" services: traefik: - image: traefik:v2.7.1 + image: traefik:v2.10 container_name: traefik + init: true restart: unless-stopped security_opt: - no-new-privileges:true @@ -12,22 +13,25 @@ services: ports: - 80:80 - 443:443 + environment: + - TZ=Europe/Madrid volumes: - - /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - - ./traefik.yml:/traefik.yml:ro - - ./users.txt:/users.txt:ro - - ./acme.json:/acme.json + - ./config/traefik.yml:/traefik.yml:ro + - ./config/dynamic.yml:/dynamic.yml:ro + - ./config/users.txt:/users.txt:ro + - ./config/acme.json:/acme.json + - logs:/var/log/traefik labels: - traefik.enable=true - - traefik.http.middlewares.basicauth.basicauth.usersfile=/users.txt + - traefik.http.services.traefik.loadbalancer.server.port=80 - traefik.http.routers.traefik-secure.entrypoints=websecure - - traefik.http.routers.traefik-secure.rule=Host(`${HOSTNAME}`) - - traefik.http.routers.traefik-secure.middlewares=basicauth - - traefik.http.routers.traefik-secure.tls=true - - traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt + - traefik.http.routers.traefik-secure.rule=Host(`${FQDN}`) + - traefik.http.routers.traefik-secure.middlewares=myauth@file - traefik.http.routers.traefik-secure.service=api@internal +volumes: + logs: {} networks: proxy: diff --git a/traefik/sample.env b/traefik/sample.env index 66ce801..a6ac54c 100644 --- a/traefik/sample.env +++ b/traefik/sample.env @@ -1 +1 @@ -HOSTNAME=traefik.tuservidor.es +FQDN=traefik.tuservidor.es diff --git a/traefik/sample.traefik.yml b/traefik/sample.traefik.yml deleted file mode 100644 index 63ba544..0000000 --- a/traefik/sample.traefik.yml +++ /dev/null 
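Review bot: `./config/acme.json:/acme.json` mounts a file this commit adds to the repository with mode 100644, while the README hunk removes the `touch acme.json` / `chmod 600 acme.json` steps; Traefik rejects an ACME storage file whose permissions are wider than 0600 (the provider logs an error that the permissions are too open), so the README needs `chmod 600 config/acme.json` before `docker-compose up`. Since the file will hold the ACME account key and certificate private keys once Traefik runs, it should be git-ignored rather than tracked. The `/var/run/docker.sock` mount is `:ro`, but read-only on the socket does not restrict the Docker API, which still gives the container full control of the host's containers; that is unchanged here, but worth a comment above the mount, e.g. `# ro does not limit the Docker API; consider a socket proxy`. The `networks` mapping continues past the end of the hunk.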
@@ -1,35 +0,0 @@
-api:
- dashboard: true
-
-entryPoints:
- web:
- address: ":80"
- http:
- redirections:
- entryPoint:
- to: websecure
- permanent: true
- websecure:
- address: ":443"
- git:
- address: ":2222"
-
-serversTransport:
- maxIdleConnsPerHost: 1
-
-providers:
- docker:
- endpoint: "unix:///var/run/docker.sock"
- exposedByDefault: false
- network: proxy
-
-log:
- level: INFO
-
-certificatesResolvers:
- letsencrypt:
- acme:
- email: tucorreo@electronico.es
- storage: acme.json
- httpChallenge:
- entryPoint: web
diff --git a/traefik/sample.users.txt b/traefik/sample.users.txt
deleted file mode 100644
index c4f4744..0000000
--- a/traefik/sample.users.txt
+++ /dev/null
@@ -1 +0,0 @@
-admin:$apr1$vDMyFYgA$PAoUx5F1Y5ZLdCGWLx62y/