traefik.yml
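# Traefik global configuration
# checkNewVersion: periodic check for new Traefik releases.
# sendAnonymousUsage: anonymous usage statistics are disabled.
global:
  checkNewVersion: true
  sendAnonymousUsage: false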
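# Enable traefik ui dashboard
# NOTE(review): `insecure: true` serves the API and dashboard without
# authentication on Traefik's internal `traefik` entry point (port 8080 by
# default). Keep that port unpublished or reachable only from a trusted
# network. The hardened alternative is `insecure: false` plus a router to
# `api@internal` that is protected by an authentication middleware.
api:
  dashboard: true
  insecure: true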
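# Log level INFO|DEBUG|ERROR
# This is Traefik's own process log; request logging is configured separately
# under `accessLog`.
log:
  level: INFO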
# crowdsec bouncer
#experimental:
#  plugins:
#    bouncer:
#      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
#      version: v1.4.2

#metrics:
#  influxDB2:
#    address: http://influxdb2:8086
#    token: my-secure-token-secret  # placeholder value; replace before enabling
#    org: influx-org
#    bucket: influx-bucket
#    addEntryPointsLabels: true
#    addRoutersLabels: true
#    addServicesLabels: true
#    pushInterval: 60s
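# Configuring Multiple Filters
# Access log written as JSON to /logs/traefik.log. Only responses whose status
# falls in one of the listed ranges are recorded, so 1xx and 3xx responses
# (including the HTTP->HTTPS redirects) do not appear in this file.
accessLog:
  filePath: "/logs/traefik.log"
  format: json
  filters:
    statusCodes:
      - "200-299"  # log successful http requests
      - "400-599"  # log failed http requests
    #retryAttempts: true
    #minDuration: "10ms"
  # collect logs as in-memory buffer before writing into log file
  # (0 = no buffering, each line is written immediately)
  bufferingSize: 0
  fields:
    headers:
      # Dropping headers by default keeps credentials such as Authorization
      # and Cookie values out of the log file.
      defaultMode: drop  # drop all headers per default
      names:
        User-Agent: keep  # log user agent strings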
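# The setting below is to allow insecure backend connections.
# NOTE(review): this disables TLS certificate verification for every HTTPS
# backend, so the proxy cannot tell a genuine backend from an impersonated
# one. Prefer trusting the backends' CA via `rootCAs`, or limit the exception
# to the individual services that need it with a dedicated serversTransport
# in the dynamic configuration.
# NOTE(review): Traefik documents this static option as `serversTransport`
# (plural). Confirm the key below is spelled as intended.
serverTransport:
  insecureSkipVerify: true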
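# Traefik entrypoints (network ports) configuration
# NOTE(review): `forwardedHeaders.trustedIPs` decides which peers may supply
# X-Forwarded-* headers (and therefore the client IP seen by rate limiting and
# logging). The Cloudflare list below is a static copy and needs refreshing
# when Cloudflare changes its ranges. It does not stop clients from reaching
# ports 80/443 directly; restrict those ports to the same ranges at the
# firewall if all traffic is meant to pass through Cloudflare.
entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # start of Cloudflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 108.162.192.0/18
        - 131.0.72.0/22
        - 141.101.64.0/18
        - 162.158.0.0/15
        - 172.64.0.0/13
        - 173.245.48.0/20
        - 188.114.96.0/20
        - 190.93.240.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # end of Cloudflare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # reuse list of Cloudflare Trusted IP's above for HTTPS requests
      trustedIPs: *trustedIps
    # enable HTTP3 QUIC via UDP/443
    #http3:
    #  advertisedPort: '443'
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: myresolver
        domains:
          - main: example.com  # change this to your proxy domain
            sans:
              - '*.example.com'  # change this to your proxy domain
      # Middlewares applied to every router on this entry point. They are
      # defined by the file provider, not in this file; if a referenced
      # middleware is missing there, affected routers will not be served.
      middlewares:
        - security-headers@file  # reference to a dynamic middleware for setting http security headers per default
        - rate-limit@file  # reference to a dynamic middleware for enabling rate limiting per default
        #- crowdsec@file # reference to a dynamic middleware for enabling crowdsec bouncer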
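# Configuration providers: a watched file for static routes/middlewares and
# the Docker API for container discovery.
providers:
  providersThrottleDuration: 2s
  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxy  # add Your Docker Network Name Here
    # NOTE(review): this endpoint is plain TCP with no TLS or authentication,
    # so the protection comes entirely from the socket proxy. Keep
    # `socket-proxy` on an internal-only network, never publish port 2375, and
    # allow only the read-only Docker API sections Traefik needs.
    endpoint: "tcp://socket-proxy:2375"  # use socket-proxy for secure access to docker api
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"  # change 'example.com' to your proxy domain
    # Containers are only routed when they opt in with `traefik.enable=true`.
    exposedByDefault: false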
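# Use letsencrypt to generate ssl certificates
# NOTE(review): `acme.json` stores the ACME account key and the private keys
# of issued certificates. Traefik expects it to be mode 600; keep it out of
# version control and backups that are less protected than the host.
certificatesResolvers:
  myresolver:
    acme:
      storage: /etc/traefik/acme.json
      #httpChallenge: # acme http challenge; requires port 80 and proper dns entries
      #  entryPoint: http # specify the entry point for the HTTP challenge (adjust if needed)
      # The DNS provider credential is not set in this file; supply it through
      # the container environment or a secret (e.g. `CF_DNS_API_TOKEN`) and
      # scope the token to DNS edits on the proxied zone only.
      dnsChallenge:  # acme dns challenge; requires api token of dns provider
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the right dns servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"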