Merge pull request #2613 from m-elewa/develop

Update Traefik image to v2.2
2020-06-06 16:59:16 +08:00 · 2020-06-06 16:59:16 +08:00 · 9df698e011
parent 5b0d264b6c b5419c352d
commit 9df698e011
7 changed files with 62 additions and 56 deletions
--- a/DOCUMENTATION/content/documentation/index.md
+++ b/DOCUMENTATION/content/documentation/index.md
@ -1425,30 +1425,13 @@ GRAYLOG_SHA256_PASSWORD=b1cb6e31e172577918c9e7806c572b5ed8477d3f57aa737bee4b5b1d
 <a name="Use-Traefik"></a>
 ## Use Traefik

-To use Traefik you need to do some changes in `traefik/trafik.toml` and `docker-compose.yml`.
+To use Traefik you need to do some changes in `.env` and `docker-compose.yml`.

-1 - Open `traefik.toml` and change the `e-mail` property in `acme` section.
+1 - Open `.env` and change `ACME_DOMAIN` to your domain and `ACME_EMAIL` to your email.

-2 - Change your domain in `acme.domains`. For example: `main = "example.org"`
+2 - You need to change the `docker-compose.yml` file to match the Traefik needs. If you want to use Traefik, you must not expose the ports of each container to the internet, but specify some labels.

-2.1 - If you have subdomains, you must add them to `sans` property in `acme.domains` section.
-
-```bash
-[[acme.domais]]
-  main = "example.org"
-  sans = ["monitor.example.org", "pma.example.org"]
-```
-
-3 - If you need to add basic authentication (https://docs.traefik.io/configuration/entrypoints/#basic-authentication), you just need to add the following text after `[entryPoints.https.tls]`:
-
-```bash
-[entryPoints.https.auth.basic]
-  users = ["user:password"]
-```
-
-4 - You need to change the `docker-compose.yml` file to match the Traefik needs. If you want to use Traefik, you must not expose the ports of each container to the internet, but specify some labels.
-
-4.1 For example, let's try with NGINX. You must have:
+2.1 For example, let's try with NGINX. You must have:

 ```bash
 nginx:
@ -1468,9 +1451,25 @@ nginx:
    - frontend
    - backend
  labels:
-    - traefik.backend=nginx
-    - traefik.frontend.rule=Host:example.org
-    - traefik.port=80
+    - "traefik.enable=true"
+    - "traefik.http.services.nginx.loadbalancer.server.port=80"
+    # https router
+    - "traefik.http.routers.https.rule=Host(`${ACME_DOMAIN}`, `www.${ACME_DOMAIN}`)"
+    - "traefik.http.routers.https.entrypoints=https"
+    - "traefik.http.routers.https.middlewares=www-redirectregex"
+    - "traefik.http.routers.https.service=nginx"
+    - "traefik.http.routers.https.tls.certresolver=letsencrypt"
+    # http router
+    - "traefik.http.routers.http.rule=Host(`${ACME_DOMAIN}`, `www.${ACME_DOMAIN}`)"
+    - "traefik.http.routers.http.entrypoints=http"
+    - "traefik.http.routers.http.middlewares=http-redirectscheme"
+    - "traefik.http.routers.http.service=nginx"
+    # middlewares
+    - "traefik.http.middlewares.www-redirectregex.redirectregex.permanent=true"
+    - "traefik.http.middlewares.www-redirectregex.redirectregex.regex=^https://www.(.*)"
+    - "traefik.http.middlewares.www-redirectregex.redirectregex.replacement=https://$$1"
+    - "traefik.http.middlewares.http-redirectscheme.redirectscheme.permanent=true"
+    - "traefik.http.middlewares.http-redirectscheme.redirectscheme.scheme=https"
 ```

 instead of
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1618,19 +1618,38 @@ services:
    traefik:
      build:
        context: ./traefik
-      command: --docker
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
+        - ./traefik/data:/data
+      command:
+        - "--api"
+        - "--providers.docker.exposedbydefault=false"
+        - "--accesslog.filepath=/data/access.log"
+        # entrypoints
+        - "--entrypoints.http.address=:${TRAEFIK_HOST_HTTP_PORT}"
+        - "--entrypoints.http.http.redirections.entrypoint.to=https"
+        - "--entrypoints.https.address=:${TRAEFIK_HOST_HTTPS_PORT}"
+        - "--entrypoints.traefik.address=:${TRAEFIK_DASHBOARD_PORT}"
+        # certificatesresolvers
+        - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
+        - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"
+        - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http"
      ports:
-        - "${TRAEFIK_HOST_HTTP_PORT}:80"
-        - "${TRAEFIK_HOST_HTTPS_PORT}:443"
+        - "${TRAEFIK_HOST_HTTP_PORT}:${TRAEFIK_HOST_HTTP_PORT}"
+        - "${TRAEFIK_HOST_HTTPS_PORT}:${TRAEFIK_HOST_HTTPS_PORT}"
+        - "${TRAEFIK_DASHBOARD_PORT}:${TRAEFIK_DASHBOARD_PORT}"
      networks:
        - frontend
        - backend
      labels:
-        - traefik.backend=traefik
-        - traefik.frontend.rule=Host:monitor.localhost
-        - traefik.port=8080
+        - "traefik.enable=true"
+        - "traefik.http.routers.traefik.rule=Host(`${ACME_DOMAIN}`)"
+        - "traefik.http.routers.traefik.entrypoints=traefik"
+        - "traefik.http.routers.traefik.service=api@internal"
+        - "traefik.http.routers.traefik.middlewares=access-auth"
+        - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+        - "traefik.http.middlewares.access-auth.basicauth.realm=Login Required"
+        - "traefik.http.middlewares.access-auth.basicauth.users=${TRAEFIK_DASHBOARD_USER}"

 ### MOSQUITTO Broker #########################################
    mosquitto:
--- a/5
+++ b/5
@ -762,6 +762,11 @@ MAILU_WEBDAV=radicale

 TRAEFIK_HOST_HTTP_PORT=80
 TRAEFIK_HOST_HTTPS_PORT=443
+TRAEFIK_DASHBOARD_PORT=8888
+# basic authentication for traefik dashboard username: admin password:admin
+TRAEFIK_DASHBOARD_USER=admin:$2y$10$lXaL3lj6raFic6rFqr2.lOBoCudAIhB6zyoqObNg290UFppiUzTTi
+ACME_DOMAIN=example.org
+ACME_EMAIL=email@example.org


 ### MOSQUITTO #################################################
--- a/traefik/Dockerfile
+++ b/traefik/Dockerfile
@ -1,7 +1,11 @@
-FROM traefik:1.7.5-alpine
+FROM traefik:v2.2

 LABEL maintainer="Luis Coutinho <luis@luiscoutinho.pt>"

-COPY traefik.toml acme.json /
+WORKDIR /data

-RUN chmod 600 /acme.json
+RUN touch acme.json
+
+RUN chmod 600 acme.json
+
+VOLUME /data
--- a/traefik/acme.json
+++ b/traefik/acme.json
--- a/traefik/data/.gitignore
+++ b/traefik/data/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/traefik/traefik.toml
+++ b/traefik/traefik.toml
@ -1,23 +0,0 @@
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-      entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-
-[web]
-address = ":8080"
-[acme]
-email = "email@example.org"
-storage = "acme.json"
-entryPoint = "https"
-onHostRule = true
-  [acme.httpChallenge]
-    entryPoint = "http"
-
-[[acme.domais]]
-  main = "localhost"