diff --git a/examples/traefik/dynamic.yml b/examples/traefik/dynamic.yml
new file mode 100644
index 00000000..2c4f939c
--- /dev/null
+++ b/examples/traefik/dynamic.yml
@@ -0,0 +1,357 @@
+# #
+# @module Traefik
+# @type Traefik dynamic file
+# @desc applying changes does not require you to restart traefik when editing this file
+# #
+
+# #
+# TCP
+# #
+
+tcp:
+ routers:
+
+ # #
+ # TCP › Services
+ # #
+
+ services:
+
+ # #
+ # TCP › Middleware
+ # #
+
+ middlewares:
+ tcp-MaxAllowedConn:
+ inFlightConn:
+ amount: 10
+
+# #
+# http › Middleware
+# #
+
+http:
+ middlewares:
+
+ # #
+ # http › Middlewares › Plugin › API Token
+ #
+ # This Traefik middleware allows you to secure certain routes behind a request header API token. Users who have not successfully
+ # authenticated will be greeted with a 403 Forbidden Error. Also displays information about each connection including IP address
+ # and URL that the user is trying to access.
+ #
+ # To access the sites protected behind this plugin, install the plugin within Firefox:
+ # https://addons.mozilla.org/en-US/firefox/addon/modify-header-value/
+ #
+ # Add a new header targeting your domain
+ # Header Name X-AUTH-TOKEN
+ # Header Value XXX
+ #
+ # @url https://plugins.traefik.io/plugins/66f6ac697dd5a6c3095befd3/api-key-and-token-middleware
+ # https://github.com/Aetherinox/traefik-api-token-middleware
+ # #
+
+ api:
+ plugin:
+ traefik-api-token-middleware:
+ authenticationHeader: true
+ authenticationheaderName: X-AUTH-TOKEN
+ bearerHeader: true
+ bearerHeaderName: Authorization
+ removeHeadersOnSuccess: true
+ removeTokenNameOnFailure: true
+ tokens:
+ - TokenName
+ whitelistIPs:
+ - "127.0.0.1"
+ agentAllow:
+ - 'Google'
+
+ # #
+ # http › Middlewares › Plugin › API
+ #
+ # Displays information in console about a connecting client
+ # #
+
+ whois:
+ plugin:
+ traefik-whois-middleware:
+ debugLogs: true
+
+ # #
+ # http › Middlewares › Authentik
+ # #
+
+ authentik:
+ forwardauth:
+ address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
+
+ # #
+ # http › Middlewares › Redirect www
+ #
+ # http://www.my-site.org => https://my-site.org
+ # - "traefik.http.routers.my-site.middlewares=redirect-www@file"
+ # #
+
+ redirect-www:
+ redirectRegex:
+ regex: "^https?://www\\.(.+)"
+ replacement: "https://${1}"
+ permanent: true
+
+ # #
+ # http › Middlewares › Https-Forward
+ #
+ # usage:
+ # - traefik.http.routers.vscode-http.middlewares=default-headers@file
+ # #
+
+ https-forward:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+
+ # #
+ # http › Middlewares › Redirect http to https
+ # #
+
+ https-redirect:
+ redirectScheme:
+ scheme: "https"
+ permanent: true
+
+ # #
+ # http › Middlewares › Error page handling
+ #
+ # all error pages from 400 - 599 will redirect to catchall
+ # #
+
+ error-page:
+ errors:
+ status:
+ - "400-599"
+ service: catchall@file
+ query: "/index.html"
+
+ # #
+ # http › Middleware › Redirect invalid subdomains to 404
+ # #
+
+ router-error:
+ redirectRegex:
+ regex: ".*"
+ replacement: https://domain.lan/404.html
+ permanent: false
+
+ # #
+ # http › Routers
+ # #
+
+ routers:
+
+ catchall:
+ entryPoints: http,https
+ rule: HostRegexp(`^.+.domain.lan$`)
+ service: catchall@file
+ tls:
+ certResolver: cloudflare
+ priority: 1
+ middlewares:
+ - router-error
+
+ # #
+ # @container Traefik
+ # @url https://hub.docker.com/_/traefik
+ # https://github.com/traefik/traefik
+ # https://doc.traefik.io/traefik/providers/docker/
+ # @api https://traefik.domain.com/api/http/routers
+ #
+ # Requires chmod 600:
+ # - /ssl/cloudflare/acme.json
+ # - /ssl/letsencrypt/acme.json
+ #
+ # #
+
+ traefik:
+ service: api@internal
+ rule: "Host(`traefik.domain.lan`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
+ entryPoints:
+ - "traefik"
+ middlewares:
+ - redirect-www@file
+ tls:
+ certResolver: cloudflare
+ domains:
+ - main: "domain.lan"
+ sans:
+ - "*.domain.lan"
+
+ traefik-http:
+ service: "traefik"
+ rule: "Host(`traefik.localhost`) || Host(`traefik.domain.lan`)"
+ entryPoints:
+ - http
+ middlewares:
+ - https-redirect@file
+
+ traefik-https:
+ service: "traefik"
+ rule: "Host(`traefik.localhost`) || Host(`traefik.domain.lan`)"
+ entryPoints:
+ - https
+ middlewares:
+ - redirect-www@file
+ tls:
+ certResolver: cloudflare
+ domains:
+ - main: "domain.lan"
+ sans:
+ - "*.domain.lan"
+
+ # #
+ # @container Plex
+ # @desc All-in-one multimedia server which allows you to host your own streaming service for videos
+ # music, and photo collections, for any device.
+ # @url: https://github.com/plexinc/pms-docker
+ # https://github.com/linuxserver/docker-plex
+ # https://github.com/linuxserver/docker-documentation
+ # https://docs.linuxserver.io/images/docker-plex/
+ # #
+
+ plex-http:
+ service: "plex"
+ rule: "Host(`plex.localhost`) || Host(`plex.domain.lan`)"
+ entryPoints:
+ - http
+ middlewares:
+ - https-redirect@file
+
+ plex-https:
+ service: "plex"
+ rule: "Host(`plex.localhost`) || Host(`plex.domain.lan`)"
+ entryPoints:
+ - https
+ middlewares:
+ - redirect-www@file
+ tls:
+ certResolver: cloudflare
+ domains:
+ - main: "domain.lan"
+ sans:
+ - "*.domain.lan"
+
+ # #
+ # @container Jellyfin
+ # @desc Jellyfin is a Free Software Media System that puts you in control of managing and streaming your media.
+ # It is an alternative to the proprietary Emby and Plex, to provide media from a dedicated server to
+ # end-user devices via multiple apps. Jellyfin is descended from Emby's 3.5.2 release and ported to the
+ # .NET Core framework to enable full cross-platform support. There are no strings attached, no premium
+ # licenses or features, and no hidden agendas: just a team who want to build something better and work
+ # together to achieve it. We welcome anyone who is interested in joining us in our quest!
+ #
+ # @url: https://github.com/jellyfin/jellyfin
+ # https://hub.docker.com/r/jellyfin/jellyfin
+ #
+ # https://github.com/linuxserver/docker-jellyfin
+ # https://hub.docker.com/r/linuxserver/jellyfin
+ #
+ # https://jellyfin.org/
+ # https://jellyfin.org/docs/
+ # #
+
+ jellyfin-http:
+ service: "jellyfin"
+ rule: "Host(`jelly.localhost`) || Host(`jelly.domain.lan`)"
+ entryPoints:
+ - http
+ middlewares:
+ - https-redirect@file
+
+ jellyfin-https:
+ service: "jellyfin"
+ rule: "Host(`jelly.localhost`) || Host(`jelly.domain.lan`)"
+ entryPoints:
+ - https
+ middlewares:
+ - redirect-www@file
+ tls:
+ certResolver: cloudflare
+ domains:
+ - main: "domain.lan"
+ sans:
+ - "*.domain.lan"
+
+ # #
+ # @container TVApp2
+ # @desc utomatic M3U playlist and XML guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+ # @url https://github.com/TheBinaryNinja/tvapp2
+ #
+ # remove / comment out the authentik line if you do not plan to use authentik:
+ # - authentik@file
+ # #
+
+ tvapp2-http:
+ service: "tvapp2"
+ rule: "Host(`tvapp2.localhost`) || Host(`tvapp2.domain.lan`)"
+ entryPoints:
+ - http
+ middlewares:
+ - https-redirect@file
+
+ tvapp2-https:
+ service: "tvapp2"
+ rule: "Host(`tvapp2.localhost`) || Host(`tvapp2.domain.lan`)"
+ entryPoints:
+ - https
+ middlewares:
+ - redirect-www@file
+ - authentik@file
+ tls:
+ certResolver: cloudflare
+ domains:
+ - main: "domain.lan"
+ sans:
+ - "*.domain.lan"
+
+ # #
+ # http › Services
+ # #
+
+ services:
+ catchall:
+ loadBalancer:
+ servers:
+ - url: "https://nginx:443"
+
+ traefik:
+ loadBalancer:
+ servers:
+ - url: "http://traefik:8080"
+
+ jellyfin:
+ loadBalancer:
+ servers:
+ - url: "http://jellyfin:8096"
+
+ plex:
+ loadBalancer:
+ servers:
+ - url: "http://plex:32400"
+
+ tvapp2:
+ loadBalancer:
+ servers:
+ - url: "http://tvapp2:4124"
diff --git a/examples/traefik/traefik.yml b/examples/traefik/traefik.yml
new file mode 100644
index 00000000..bfcddbb9
--- /dev/null
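Review bot: The `traefik` router (`service: api@internal`) and the `traefik-https` router (`service: "traefik"`, which the services section maps to `http://traefik:8080`) carry only `redirect-www@file` in their middleware lists, so nothing in this file authenticates access to the dashboard and API even though an `api` token middleware and an `authentik` forwardAuth middleware are defined a few stanzas earlier. Unless these routers are meant to be reachable only from a closed network, I would add one of them to both routers, e.g. `middlewares:` / `- redirect-www@file` / `- api@file`, and replace the placeholder `tokens: - TokenName` with a clearly marked value to be supplied out of band so the example is not deployed with a guessable token. Separately, `authenticationheaderName` (lower-case h) is cased differently from `bearerHeaderName` in the same plugin block; if the plugin expects `authenticationHeaderName`, the key is silently ignored and the plugin's default header name applies, which is worth confirming against the plugin's documentation. The `catchall` router also writes `entryPoints: http,https` as a single plain scalar where every other router uses a list; using the list form here avoids depending on the provider splitting the string.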
+++ b/examples/traefik/traefik.yml 
@@ -0,0 +1,211 @@
+# #
+# @module: Traefik
+# @type: Traefik static file
+# @desc: traefik must be restarted with any values of this file are changed.
+# #
+
+# #
+# Global
+# #
+
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+# #
+# Logs
+#
+# filePath must match volume mounted in docker-compose.yml
+# #
+
+log:
+ level: DEBUG
+ format: "common"
+
+# #
+# Access Logs
+#
+# filePath must match volume mounted in docker-compose.yml
+# #
+
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+
+# #
+# Api
+# #
+
+api:
+ dashboard: true
+ insecure: true
+ debug: true
+
+# #
+# Ping
+# #
+
+ping:
+ entryPoint: "ping"
+
+# #
+# Entry Points
+# #
+
+entryPoints:
+
+ # #
+ # Port > Ping
+ # #
+
+ ping:
+ address: :8082
+
+ # #
+ # Port > Traefik Dashboard
+ # #
+
+ traefik:
+ address: :8080
+
+ # #
+ # Port > HTTP
+ #
+ # *trustedIps : List of Cloudflare Trusted IP's above for HTTPS requests
+ # #
+
+ http:
+ address: :80
+ forwardedHeaders:
+ trustedIPs: &trustedIps
+ # Cloudlare Public IP List > Start > for HTTP requests, remove this if you don't use it; https://cloudflare.com/de-de/ips/
+ - 103.21.244.0/22
+ - 103.22.200.0/22
+ - 103.31.4.0/22
+ - 104.16.0.0/13
+ - 104.24.0.0/14
+ - 108.162.192.0/18
+ - 131.0.72.0/22
+ - 141.101.64.0/18
+ - 162.158.0.0/15
+ - 172.64.0.0/13
+ - 173.245.48.0/20
+ - 188.114.96.0/20
+ - 190.93.240.0/20
+ - 197.234.240.0/22
+ - 198.41.128.0/17
+ - 2400:cb00::/32
+ - 2606:4700::/32
+ - 2803:f800::/32
+ - 2405:b500::/32
+ - 2405:8100::/32
+ - 2a06:98c0::/29
+ - 2c0f:f248::/32
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+
+ # #
+ # Port > HTTPS
+ #
+ # *trustedIps : List of Cloudflare Trusted IP's above for HTTPS requests
+ # http->tls : Generate wildcard domain certificate
+ # #
+
+ https:
+ address: :443
+ http3: {}
+ forwardedHeaders:
+ trustedIPs: *trustedIps
+
+# #
+# Server Transport
+# #
+
+serversTransport:
+ insecureSkipVerify: true
+
+# #
+# Providers
+#
+# file:
+# filename: must match volume mounted in docker-compose.yml
+#
+
+# docker:
+# exposedByDefault = true
+# all docker-compose.yml files will automatically create a new traefik provider.
+#
+# this means if you are using file provider in dynamic file, each container
+# will show up twice. x1 @docker and x1 @file
+#
+# if exposedByDefault = false, you must manually add `trafik.enable=true` to each container in the docker-compose.yml
+# #
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ network: traefik
+ watch: true
+ file:
+ filename: "/etc/traefik/dynamic.yml"
+ watch: true
+
+# #
+# Metrics
+# #
+
+metrics:
+ prometheus:
+ addServicesLabels: true
+ buckets:
+ - 0.1
+ - 0.3
+ - 1.2
+ - 5.0
+
+# #
+# Plugins
+# #
+
+experimental:
+ plugins:
+ traefik-api-token-middleware:
+ moduleName: "github.com/Aetherinox/traefik-api-token-middleware"
+ version: "v0.1.2"
+ traefik-whois-middleware:
+ moduleName: "github.com/Aetherinox/traefik-whois-middleware"
+ version: "v0.1.0"
+ traefik-get-real-ip:
+ moduleName: "github.com/Paxxs/traefik-get-real-ip"
+ version: "v1.0.3"
+
+# #
+# Certificate Resolvers
+#
+# httpChallenge port 80
+# the challenge consist to expose a token on an HTTP endpoint.
+#
+# tlsChallenge port 443
+# the challenge consist to expose a temporary certificates on an HTTPS endpoint.
+#
+# dnsChallenge the challenge consist to expose a TXT record on a DNS.
+# DNS challenge is the only challenge that allows to get a wildcard certificate (ex: *.example.com) but it's the slowest.
+#
+# storage this is the path within the container, NOT the host path.
+# #
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: user@email.com
+ storage: /cloudflare/acme.json
+ keyType: EC256
+ preferredChain: 'ISRG Root X1'
+ dnsChallenge:
+ provider: cloudflare
+ delayBeforeCheck: 5
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
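Review bot: `api: insecure: true` together with `debug: true` serves the dashboard and the whole `/api` tree on the `traefik` entry point at `:8080` with no TLS and no middleware, and the dynamic file added in the same commit routes that same `http://traefik:8080` service behind an `https` router, so the API is not confined to the docker network. The conventional setting is `insecure: false` with the dashboard reached only through the `api@internal` router, which should then carry an authentication middleware, and `debug: false` outside active troubleshooting. `serversTransport: insecureSkipVerify: true` is a global switch that disables certificate verification for every backend Traefik dials, including the `https://nginx:443` catchall service; if only one backend uses a self-signed certificate, a dynamic-config `serversTransports` entry scoped to that service keeps verification on everywhere else. `log: level: DEBUG` is also more than an example meant to be copied should ship with; `INFO` is the usual starting point.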