backup, other

2025-12-19 18:48:21 +00:00 · 2020-12-14 00:41:34 +00:00
parent 5368aa005a
commit 51627aa442
9 changed files with 371 additions and 106 deletions
--- a/apps/reverse-proxy-sso/traefik.md
+++ b/apps/reverse-proxy-sso/traefik.md
@@ -3,17 +3,21 @@ This is one of the best reverse-proxy solutions for self-hosting.
 Very easy to run & maintain (once you pass the setup).<br>

 Traefik can detect docker services and use docker labels to automatically create routes.
-However, I prefer to keep my docker-compose files clean and explicitly set routers & services myself, so this solution does that exactly.<br>
+However, I prefer to keep my docker-compose files clean and explicitly set routers & services myself, so this solution does exactly that.<br>

 Traefik can also be set-up to automatically provide Let's Encrypt certs for your services.
 However, there are some services that need cert files (AdGuard Home, Mailcow), and because I want to have a single wildcard certificate for my whole domain (and all subdomains) I prefer to generate it manually (i.e. scripts in cron) and just reference it whenever it's required - so this setup reflects that.

 ## General overview
-Traefik has 2 types of config: static (requires restart of the container) and dynamic (refreshes live).
-Dynamic config can be provided as a folder, where all `yml` files are parsed and configuration from them is applied to the running server.
-You can create multiple files and split the dynamic config to your preference. I prefer to keep the 2 main layers (routers & services) separate, as it's easy for me to structure the files and it's clear to see what services are defined and the ports that they use. The down-side is that adding/removing a service requires editing 2 files.<br>
-Another approach would be to use 1 yaml file per service (with route & service definition). It would be clearer from the Filesystem (ls -al) to see what services are configured, but e.g. checking all ports would require viewing all config files.<br>
-For that reason it's also good to keep a note somewhere with a table of service-port mapping.
+Traefik has 2 types of config:
+- static - requires restart of the container
+- dynamic - refreshes live.
+
+Dynamic config can be provided as a folder, where all `toml`/`yml` files are parsed and configuration from them is applied to the running server.<br>
+
+You can create multiple files and split the dynamic config to your preference. I prefer to keep 1 main file (for tls/cert settings and global middlewares), and then add 1 config file per service (with route & service definition).<br>
+
+It's also good to keep a note with a table of service-port mapping (to quickly see which ports are used by which service).

 <br>

@@ -70,114 +74,111 @@ providers:

 ## Dynamic config

-### config/middlewares.yml
-```yml
-http:
-  middlewares:
-    authelia:
-      forwardAuth:
-        address: http://<SERVER IP>:9091/api/verify?rd=https://login.example.com/
-        trustForwardHeader: true
+### config/_main.toml
+```toml
+[[tls.certificates]]
+certFile = "/certs-com/fullchain.cer"
+keyFile = "/certs-com/example.com.key"
+stores = [ "default" ]

-    redirect-to-https:
-      redirectScheme:
-        scheme: https
-        permanent: true
+[[tls.certificates]]
+certFile = "/certs-org/fullchain.cer"
+keyFile = "/certs-org/example.org.key"
+stores = [ "default" ]

-    security-headers:
-      headers:
-        referrerPolicy: "same-origin"
-        contentTypeNosniff: true
-        frameDeny: false
-        forceSTSHeader: true
-        stsIncludeSubdomains: true
-        stsPreload: true
-        stsSeconds: 15552000
+[tls.stores.default.defaultCertificate]
+certFile = "/certs-com/fullchain.cer"
+keyFile = "/certs-com/example.com.key"

-    nextcloud-redirectregex:
-      redirectRegex:
-        permanent: true
-        regex: 'https://(.*)/.well-known/(card|cal)dav'
-        replacement: 'https://${1}/remote.php/dav/'
+[http.middlewares.redirect-to-https.redirectScheme]
+scheme = "https"
+permanent = true

-    some-redirect:
-      redirectRegex:
-        regex: "https://subdomain1.example.com/"
-        replacement: "https://subdomain2.example.com?query=123"
-        permanent: true
+[http.middlewares.security-headers.headers]
+referrerPolicy = "same-origin"
+contentTypeNosniff = true
+frameDeny = false
+forceSTSHeader = true
+stsIncludeSubdomains = true
+stsPreload = true
+stsSeconds = 15_552_000

-```
+[[http.services.noop.loadBalancer.servers]]
+url = "http://192.168.0.1:666"  # this is a fake url

-### config/tls.yml
-```yml
-tls:
-  certificates:
-    - certFile: /example1-com/fullchain.cer
-      keyFile: /example1-com/example1.com.key
-      stores:
-        - default
-    - certFile: /example2-com/fullchain.cer
-      keyFile: /example2-com/example2.com.key
-      stores:
-        - default
-
-  stores:
-    default:
-      defaultCertificate:
-        certFile: /example1-com/fullchain.cer
-        keyFile: /example1-com/example1.com.key
-```
-
-### config/routers.yml
-```yml
-http:
-  routers:
-    authelia:
-      rule: "Host(`login.example.com`)"
-      service: authelia
-      tls: {}
-      middlewares:
-        - security-headers
-
-    nextcloud:
-      rule: "Host(`cloud.example.com`)"
-      service: nextcloud
-      tls: {}
-      middlewares:
-        - security-headers
-        - nextcloud-redirectregex
-
-    sonarr:
-      rule: "Host(`sonarr.example.com`)"
-      service: sonarr
-      tls: {}
-      middlewares:
-        - security-headers
-        - authelia
+[http.routers.http-catchall]
+rule = "HostRegexp(`{host:(www\\.)?.+}`)"
+entryPoints = [ "http" ]
+middlewares = [ "redirect-to-https" ]
+service = "noop"
 ```


-### config/services.yml
-```yml
-http:
-  services:
+### config/service-authelia.toml
+```toml
+[http.middlewares.authelia.forwardAuth]
+address = "http://<SERVER IP>:9091/api/verify?rd=https://login.example.com/"
+trustForwardHeader = true

-    authelia:
-      loadBalancer:
-        servers:
-          - url: "http://<SERVER IP>:9091"
+[[http.services.authelia.loadBalancer.servers]]
+url = "http://<SERVER IP>:9091"

-    nextcloud:
-      loadBalancer:
-        servers:
-          - url: "http://<SERVER IP>:3100"
-
-    sonarr:
-      loadBalancer:
-        servers:
-          - url: "http://<SERVER IP>:8989/"
+[http.routers.authelia]
+rule ="Host(`login.example.com`)"
+service = "authelia"
+tls = { }
+middlewares = [ "security-headers" ]
 ```

+### config/service-nextcloud.toml
+```toml
+[http.middlewares.nextcloud-redirectregex.redirectRegex]
+permanent = true
+regex = "https://(.*)/.well-known/(card|cal)dav"
+replacement = "https://${1}/remote.php/dav/"
+
+[[http.services.nextcloud.loadBalancer.servers]]
+url = "http://<SERVER IP:3000"
+
+[http.routers.nextcloud]
+rule = "Host(`cloud.example.com`)"
+service = "nextcloud"
+tls = { }
+middlewares = [ "security-headers", "nextcloud-redirectregex" ]
+```
+
+### config/service-sonarr.toml
+```toml
+[[http.services.sonarr.loadBalancer.servers]]
+url = "http://<SERVER IP>:8989/"
+
+[http.routers.sonarr]
+rule = "Host(`sonarr.example.com`)"
+service = "sonarr"
+tls = { }
+middlewares = [ "security-headers", "authelia" ]
+```
+
+### config/service-traefik.toml
+```toml
+[[http.services.traefik.loadBalancer.servers]]
+url = "http://<SERVER IP>:3080"
+
+[http.routers.traefik]
+rule = "Host(`traefik.example.com`) && PathPrefix(`/dashboard`)"
+service = "traefik"
+tls = { }
+middlewares = [ "security-headers", "authelia" ]
+
+[http.routers.traefik_api]
+rule = "Host(`traefik.example.com`)"
+service = "api@internal"
+tls = { }
+middlewares = [ "security-headers", "authelia" ]
+```
+
+
+
 ## Useful links
 - [Traefik 2 + Docker — a Simple Step by Step Guide](https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5#37d9)
 - [Traefik 2 + Docker — an Advanced Guide](https://medium.com/@containeroo/traefik-2-0-docker-an-advanced-guide-d098b9e9be96)