# GB Traefik Setup

This repository contains the configuration files and setup instructions for deploying [Traefik](https://traefik.io/), a modern reverse proxy and load balancer.

Configuration files is customized for Gbanyan personal usage. 

## Prerequisites

- Docker installed on your system
- Docker Compose (if using `docker-compose.yml`)

## Getting Started

1. Clone this repository:
    ```bash
    git clone https://gitea.gbanyan.net/gbanyan/GB-Traefik.git
    cd GB-Traefik
    ```

2. Update the `traefik.yml` and `docker-compose.yml` files as needed for your environment.

3. Start Traefik:
    ```bash
    docker compose up -d
    ```

4. Access the Traefik dashboard (if enabled) at `http://<your-domain-or-ip>:8080`.

## Configuration

- **.env**: Cloudflare E-mail and API Token for SSL DNS Challenge
- **Traefik Configuration**: Modify `traefik.yml`, `dynamic.yml` to customize Traefik's behavior.
- **Docker Compose**: Use `docker-compose.yml` to define services and networks.


## Detail: 

My traefik is split into internal and external entrypoint. 

Internal entrypoint is for private and secure service without exposing. 

Each entrypoint is binded to different ip address for isolation. 

Then, other docker service is attached to different entrypoint guided by label in docker compose

```yaml
label: 
    - "traefik.http.routers.service-name.entrypoints=websecure"
```

Besides the entrypoint setup, I add cloudflare proxy (for exposing real ip to access.log for crowdsec to read), crowdsec-firewall-bouncer, compression with brotli middlrewares method in traefik.yml and dynamic.yml

Adding middlewares is also guided by labels: 

```yaml
label: 
    - "traefik.http.routers.service-name.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
```

The order of middlewares is meaningful. 

Traefik has ability to apply SSL certs automatically. 
Just offer the required DNS API authentication (Like cloudflare). 

Please refer the traefik documentation. 

The following is an example of a docker service I hosted in its docker-compose.yaml: 

```yaml
labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ghost.entrypoints=websecure"
      - "traefik.http.routers.ghost.rule=Host(`blog.gbanyan.net`)"
      - "traefik.http.services.ghost.loadbalancer.server.port=2368"
      - "traefik.http.routers.ghost.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ghost.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.docker.network=traefik_default"
```

I mount the access.log for crowdsec firewall to read. 

PS: Because I access my traefik dashboard through my local network. I commented out the authetication method for dashboard.