Containerised Træfik deployment. Please submit Pull Requests to the GitLab repository. Mirror of

b-data/docker-deployment-traefik

Træfik

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

This project serves as a template to run Træfik v3.2 in a docker container using docker compose.

The goal is to set up a TLS termination proxy for all Docker containers providing web services on a single host.

Features:

  • Automatic creation/renewal of Let's Encrypt certificates (HTTP challenge).
  • Provision of the following basic Middlewares:
    • RedirectScheme: Redirect from HTTP to HTTPS
    • RateLimit: Limit to a fair amount of requests
      • average: 100 requests per second
      • burst: 50 requests (per second)
    • Headers: HTTP Strict Transport Security with long duration
  • Provision of three configurations (modern, intermediate [default], old) for TLS.
    → See Mozilla SSL Configuration Generator for more information.
  • Use of an .env file for variable substitution in the Compose file.

Prerequisites

For the HTTP challenge you require:

  • A publicly accessible host allowing connections on port 80 & 443.
  • A DNS record for the domain you want to expose pointing to this host.

Install

To install docker and docker compose, follow the instructions for your platform:

Usage

  1. Create an external docker network named "webproxy":

    docker network create webproxy
    
  2. Change file mode of config/acme:

    chmod go+w config/acme
    
  3. Make a copy of all sample.* files:

    for file in sample.*; do cp "$file" "${file#sample.}"; done;
    
  4. Update environment variables TF_ACME_EMAIL and TF_CERTRESOLVER_NAME1 in '.env':

    • Replace postmaster@mydomain.com with a valid email address of yours.
    • Replace mydomain-com with a suitable name to identify this certificate resolver's configuration.
      → Dots (.) in the name are not allowed!
  5. Start the container in detached mode:

    docker compose up -d
    

docker compose commands must be run in the root directory of the project, i.e. where 'docker-compose.yml' is located!
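
A pre-flight check for the '.env' edited in step 4, to be run before step 5. This is an added example, not part of the project; the script name check-env.sh and the functions env_value and check_env are introduced here, and the email test is a plausibility heuristic only.

```shell
#!/bin/sh
# Added example (not part of the project): pre-flight check of '.env'
# before 'docker compose up -d'. Usage: sh check-env.sh .env

# Print the value of KEY ($1) from a KEY=VALUE file ($2); the last
# assignment wins, trailing blanks and surrounding quotes are stripped.
env_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Report problems with the two variables from step 4; return 1 if any.
check_env() {
    file=$1
    rc=0
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file"
        return 1
    fi
    email=$(env_value TF_ACME_EMAIL "$file")
    name=$(env_value TF_CERTRESOLVER_NAME1 "$file")

    case $email in
        "") echo "FAIL: TF_ACME_EMAIL is not set"; rc=1 ;;
        postmaster@mydomain.com)
            echo "FAIL: TF_ACME_EMAIL still has the sample value"; rc=1 ;;
        *@*.*) ;;  # plausibility heuristic only, not full address validation
        *) echo "FAIL: TF_ACME_EMAIL does not look like an email address"; rc=1 ;;
    esac

    case $name in
        "") echo "FAIL: TF_CERTRESOLVER_NAME1 is not set"; rc=1 ;;
        *.*) echo "FAIL: TF_CERTRESOLVER_NAME1 contains a dot: $name"; rc=1 ;;
        mydomain-com)
            echo "WARN: TF_CERTRESOLVER_NAME1 still has the sample value" ;;
    esac
    return $rc
}

# Run the check only when a file name is given on the command line.
[ $# -eq 0 ] || check_env "$1"
```

The script exits non-zero on any FAIL line, so it can gate the start command: sh check-env.sh .env && docker compose up -d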

Test

  1. Uncomment lines 43 to 55 in 'docker-compose.yml' to enable service "whoami" and configure as follows:

    • Replace whoami.mydomain.com with the intended domain from Prerequisites.
    • Replace mydomain-com with the value set for TF_CERTRESOLVER_NAME1 in '.env'.
  2. Start the container in detached mode:

    docker compose up -d
    
  3. Wait a bit and visit http://whoami.mydomain.com to confirm everything went fine.

Debugging

Use docker logs to see the output of the container:

docker logs webproxy-traefik-1

Contributing

PRs accepted. Please submit to the GitLab repository.

This project follows the Contributor Covenant Code of Conduct.

Support

Community support: Open a new discussion here.

Commercial support: Contact b-data by email.

License

Copyright © 2019 b-data GmbH

Distributed under the terms of the MIT License.