From 0f1ad28426d693d87befde35c61fcd9be5485fc7 Mon Sep 17 00:00:00 2001 From: Aetherinox Date: Sun, 1 Dec 2024 04:21:42 -0700 Subject: [PATCH] docs: add traefik instructions for dynamic and static config --- README.md | 115 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 111 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4a9669cc..ae0a5de5 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,11 @@ Makes use of the generous work over at [https://github.com/dtankdempse/thetvapp- - [Install](#install) - [Docker Compose](#docker-compose) - [Traefik](#traefik) + - [Dynamic.yml](#dynamicyml) + - [Static.yml](#staticyml) + - [certificatesResolvers](#certificatesresolvers) + - [entryPoints (Normal)](#entrypoints-normal) + - [entryPoints (Cloudflare)](#entrypoints-cloudflare) - [Env Variables \& Volumes](#env-variables--volumes) - [Environment Variables](#environment-variables) - [Volumes](#volumes) @@ -121,7 +126,10 @@ services: ### Traefik You can put this container behind Traefik if you want to use a reverse proxy and let Traefik handle the SSL certificate. -Open the Traefik dynamic file and add the following: +
+ +#### Dynamic.yml +Open the Traefik dynamic file which is usually named `dynamic.yml`. We need to add a new `middleware`, `router`, and `service` to our Traefik dynamic file so that it knows about our new TheTVApp container and where it is. ```yml http: @@ -159,6 +167,15 @@ http: - url: "https://thetvapp:443" ``` +
+ +#### Static.yml +These entries will go in your Traefik `static.yml` file. Any changes made to this file requires that you reset Traefik afterward. + +
+ +##### certificatesResolvers + Open your Traefik `static.yml` file and add your `certResolver` from above. We are going to use Cloudflare in this exmaple, you can use whatever from the list at: - https://doc.traefik.io/traefik/https/acme/#providers @@ -183,17 +200,17 @@ certificatesResolvers:
-Once you pick the DNS / SSL provider you want to use, you need to see if that provider has any special environment variables that must be set. The [Providers Page](https://doc.traefik.io/traefik/https/acme/#providers) lists all providers and also what env variables need set for each one. +Once you pick the DNS / SSL provider you want to use from the code above, you need to see if that provider has any special environment variables that must be set. The [Providers Page](https://doc.traefik.io/traefik/https/acme/#providers) lists all providers and also what env variables need set for each one.
-In our example using Cloudflare, we must set: +In our example, since we are using Cloudflare for `dnsChallenge` -> `provider`, we must set: - `CF_API_EMAIL` - `CF_API_KEY`
-In docker, create a `.env` environment file in the same folder where your thetvapp `docker-compose.yml` file is located, and add the following: +Create a `.env` environment file in the same folder where your Traefik `docker-compose.yml` file is located, and add the following: ```yml CF_API_EMAIL=yourcloudflare@email.com @@ -202,6 +219,96 @@ CF_API_KEY=Your-Cloudflare-API-Key
+Save the `.env` file and exit. + +
+ +##### entryPoints (Normal) +Finally, inside the Traefik `static.yml`, we need to make sure we have our `entryPoints` configured. Add the following to the Traefik `static.yml` file only if you **DON'T** have entry points set yet: + +```yml +entryPoints: + http: + address: :80 + http: + redirections: + entryPoint: + to: https + scheme: https + + https: + address: :443 + http3: {} + http: + tls: + options: default + certResolver: cloudflare + domains: + - main: domain.com + sans: + - '*.domain.com' +``` + +
+ +##### entryPoints (Cloudflare) +If your website is behind Cloudflare's proxy service, you need to modify your `entryPoints` above so that you can automatically allow Cloudflare's IP addresses through. This means your entry points will look a bit different. + +
+ +In the example below, we will add `forwardedHeaders` -> `trustedIPs` and add all of Cloudflare's IPs to the list which are available here: +- https://www.cloudflare.com/ips/ + +```yml + http: + address: :80 + forwardedHeaders: + trustedIPs: &trustedIps + - 103.21.244.0/22 + - 103.22.200.0/22 + - 103.31.4.0/22 + - 104.16.0.0/13 + - 104.24.0.0/14 + - 108.162.192.0/18 + - 131.0.72.0/22 + - 141.101.64.0/18 + - 162.158.0.0/15 + - 172.64.0.0/13 + - 173.245.48.0/20 + - 188.114.96.0/20 + - 190.93.240.0/20 + - 197.234.240.0/22 + - 198.41.128.0/17 + - 2400:cb00::/32 + - 2606:4700::/32 + - 2803:f800::/32 + - 2405:b500::/32 + - 2405:8100::/32 + - 2a06:98c0::/29 + - 2c0f:f248::/32 + http: + redirections: + entryPoint: + to: https + scheme: https + + https: + address: :443 + http3: {} + forwardedHeaders: + trustedIPs: *trustedIps + http: + tls: + options: default + certResolver: cloudflare + domains: + - main: domain.com + sans: + - '*.domain.com' +``` + +
+ Save the files and then give Traefik and your TheTvApp containers a restart.
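Review bot: in the `@@ -121,7 +126,10 @@` hunk, the new `#### Dynamic.yml` text tells the reader to edit a file "usually named `dynamic.yml`" but never says how Traefik is made to load it. A dynamic configuration file is only read when the static configuration enables the file provider, e.g. `providers: file: filename: /path/to/dynamic.yml` (optionally with `watch: true` so edits are picked up without a restart). Since the patch adds a `Static.yml` section anyway, include that snippet there or in this section; without it the added `middleware`, `router` and `service` entries are never applied.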
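Review bot: in the `@@ -159,6 +167,15 @@` hunk, "Any changes made to this file requires that you reset Traefik afterward" should read "require that you restart Traefik afterward" (subject-verb agreement, and "restart" is the operation meant). It would also help to say why: Traefik reads the static configuration only at startup, whereas the dynamic file can be watched and reloaded live, which is the distinction this new `Static.yml` section depends on.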
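Review bot: in the `@@ -183,17 +200,17 @@` hunk, the `CF_API_EMAIL` / `CF_API_KEY` pair is the Cloudflare Global API Key, which grants full control of the whole account. The Cloudflare ACME provider also accepts a scoped API token through `CF_DNS_API_TOKEN` (optionally with `CF_ZONE_API_TOKEN`), which can be limited to `Zone:DNS:Edit` and `Zone:Zone:Read` on the one zone being validated; the docs should recommend that form and mention the Global Key only as a fallback. Moving the `.env` file next to the Traefik `docker-compose.yml` (the rewritten "Create a `.env` environment file ..." line) is the right fix, but a `.env` in that folder is only used by Compose for variable substitution; the values reach the Traefik container only if the compose file passes them, e.g. `environment: - CF_API_EMAIL=${CF_API_EMAIL}` or `env_file: - .env`. Show that, and note that the `.env` file now holds a credential and must stay out of version control.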
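Review bot: in the `@@ -202,6 +219,96 @@` hunk, the `entryPoints (Cloudflare)` text says `forwardedHeaders` -> `trustedIPs` is there "so that you can automatically allow Cloudflare's IP addresses through", which is not what the setting does. `forwardedHeaders.trustedIPs` only tells Traefik whose `X-Forwarded-*` headers to believe, so logs and IP-based middlewares see the real client address instead of Cloudflare's edge address; it does not allow or deny anything, and the origin remains reachable by anyone who connects to it directly. If the intent is to restrict the origin to Cloudflare, say so and point at an IP allow-list middleware or host firewall built from the same ranges, and warn that the pasted list is a snapshot that will drift from https://www.cloudflare.com/ips/. Two smaller points in the same hunk: the second YAML block starts at `  http:` with no `entryPoints:` parent key, so it cannot be pasted as shown; and `http3: {}` needs UDP 443 published alongside TCP 443 in the compose file (and, on Traefik v2, `experimental: http3: true` in the static configuration), neither of which this patch mentions.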