
Traefik

Reverse proxy principale. Gestisce routing HTTPS, certificati wildcard via Cloudflare DNS challenge, e file provider per label-proxy.

Gira su core (192.168.2.110).

Docker Compose

# Traefik as the edge reverse proxy: entrypoints on 80/443, HTTP->HTTPS
# redirect, Docker + file providers, ACME DNS-01 through Cloudflare.
# Every ${...} value is filled in by Compose interpolation (shell or .env);
# keep whatever file holds those values out of version control.
services:
  traefik:
    # `v3.1` is a moving tag that follows 3.1.x patch releases, so a re-pull
    # can change the binary. Pin a full version or an image digest if updates
    # must be deliberate.
    image: traefik:v3.1
    container_name: traefik
    restart: unless-stopped
    command:
      # Two entrypoints: plain HTTP on :80 and TLS on :443.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

      # Everything arriving on `web` gets a permanent redirect to `websecure`,
      # so routers (including the dashboard) are only served over TLS.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true

      # Dashboard/API enabled, but not in insecure mode: it is reachable only
      # through the `api` router declared in the labels below, behind its
      # middleware chain.
      - --api.dashboard=true
      - --api.insecure=false

      # Docker provider is opt-in per container (exposedbydefault=false):
      # only containers labelled traefik.enable=true get routed.
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # File provider hot-reloads anything dropped in this directory. Whoever
      # can write to the host side of that mount can define routers and
      # services, so restrict write access to it.
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true

      # ACME resolver named `cloudflare`, using the DNS-01 challenge.
      - --certificatesresolvers.cloudflare.acme.email=${CF_EMAIL}
      # acme.json holds the ACME account key and certificate private keys.
      # Traefik expects it to be mode 600; treat the backing host directory
      # as secret material (backups included).
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      # Resolvers Traefik queries to confirm the challenge TXT record has
      # propagated before asking the CA to validate.
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53

      # No log file path is set, so logs and access logs go to the
      # container's stdout/stderr.
      - --log.level=INFO
      - --accesslog=true

    # Published without a bind address, i.e. on all host interfaces.
    ports:
      - "80:80"
      - "443:443"

    # Credentials for the Cloudflare DNS provider. The same token is passed
    # as both the zone-read and the DNS-edit token, so it must carry both
    # permissions; scope it to the single zone that needs certificates.
    # Values set here are visible to anyone who can `docker inspect` the
    # container.
    # NOTE(review): CF_API_EMAIL is normally paired with a global API key;
    # with token auth it is presumably unused. Confirm and drop if so.
    environment:
      - CF_API_EMAIL=${CF_EMAIL}
      - CF_ZONE_API_TOKEN=${CF_DNS_API_TOKEN}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}

    volumes:
      # `:ro` only makes the socket file's mount read-only; the Docker API
      # behind it still accepts every call. A compromise of Traefik therefore
      # means control of the Docker daemon on this host. A socket proxy that
      # exposes only the read endpoints Traefik needs narrows this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Dynamic configuration is read-only from inside the container.
      - /home/matteo/docker/volumes/traefik/dynamic:/etc/traefik/dynamic:ro
      # Writable: Traefik creates and updates acme.json here.
      - /home/matteo/docker/volumes/traefik/letsencrypt:/letsencrypt

    # Extra /etc/hosts entries inside the container: `host` resolves to the
    # Docker host (host-gateway), `montecalvo` to a fixed LAN address.
    extra_hosts:
      - "host:host-gateway"
      - "montecalvo:192.168.2.101"

    labels:
      - traefik.enable=true

      # Dashboard router: matches ${TRAEFIK_DOMAIN} on the TLS entrypoint,
      # gets its certificate from the `cloudflare` resolver and forwards to
      # Traefik's built-in api@internal service.
      - traefik.http.routers.api.rule=Host(`${TRAEFIK_DOMAIN}`)
      - traefik.http.routers.api.entrypoints=websecure
      - traefik.http.routers.api.tls.certresolver=cloudflare
      - traefik.http.routers.api.service=api@internal

      # Basic auth is the only control in front of the dashboard. The value
      # is `user:hash` in htpasswd format; such hashes contain `$`, which
      # Compose treats as interpolation syntax.
      # NOTE(review): confirm the hash stored in .env reaches Traefik
      # unchanged (e.g. single-quoted there). If the dashboard is meant for
      # the LAN only, an ipAllowList middleware can be chained with `auth`.
      - traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASS_HASH}
      - traefik.http.routers.api.middlewares=auth

      # lp.* labels are not Traefik options; presumably they are consumed by
      # label-proxy (named in the page intro). Their semantics are not shown
      # on this page.
      - lp.flame.enable=true
      - lp.flame.redirect=true
      - lp.flame.description=system
      - lp.flame.icon=layers
      - lp.nat.enable=true
      - lp.nat.entries=https,http
      - lp.nat.https.port=443
      - lp.nat.https.description=traefik
      - lp.nat.http.port=80

Da completare

Descrizione dettagliata della configurazione in fase di stesura.