79 lines
2.5 KiB
Markdown
79 lines
2.5 KiB
Markdown
# GB Traefik Setup
|
|
|
|
This repository contains the configuration files and setup instructions for deploying [Traefik](https://traefik.io/), a modern reverse proxy and load balancer.
|
|
|
|
Configuration files is customized for Gbanyan personal usage.
|
|
|
|
## Prerequisites
|
|
|
|
- Docker installed on your system
|
|
- Docker Compose (if using `docker-compose.yml`)
|
|
|
|
## Getting Started
|
|
|
|
1. Clone this repository:
|
|
```bash
|
|
git clone https://gitea.gbanyan.net/gbanyan/GB-Traefik.git
|
|
cd GB-Traefik
|
|
```
|
|
|
|
2. Update the `traefik.yml` and `docker-compose.yml` files as needed for your environment.
|
|
|
|
3. Start Traefik:
|
|
```bash
|
|
docker compose up -d
|
|
```
|
|
|
|
4. Access the Traefik dashboard (if enabled) at `http://<your-domain-or-ip>:8080`.
|
|
|
|
## Configuration
|
|
|
|
- **.env**: Cloudflare E-mail and API Token for SSL DNS Challenge
|
|
- **Traefik Configuration**: Modify `traefik.yml`, `dynamic.yml` to customize Traefik's behavior.
|
|
- **Docker Compose**: Use `docker-compose.yml` to define services and networks.
|
|
|
|
|
|
## Detail:
|
|
|
|
My traefik is split into internal and external entrypoint.
|
|
|
|
Internal entrypoint is for private and secure service without exposing.
|
|
|
|
Each entrypoint is bind to different ip address for isolation.
|
|
|
|
Then, other docker service is attached to different entrypoin guided by label in docker compose
|
|
|
|
```yaml
|
|
label:
|
|
- "traefik.http.routers.service-name.entrypoints=websecure"
|
|
```
|
|
|
|
Besides the entrypoint setup, I add cloudflare proxy, crowdsec-bouncer, compression with brotli middlrewares method in traefik.yml and dynamic.yml
|
|
|
|
Adding middlewares is also guided by labels:
|
|
|
|
```yaml
|
|
label:
|
|
- "traefik.http.routers.service-name.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
|
|
```
|
|
|
|
The order of middlewares is meaningful.
|
|
|
|
Traefik has ability to auto apply SSL certs.
|
|
Just offer the required DNS API authentication (Like cloudflare).
|
|
|
|
Please refer the traefik documentation.
|
|
|
|
The following is an example of a docker service I hosted in its docker-compose.yaml:
|
|
|
|
```yaml
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.ghost.entrypoints=websecure"
|
|
- "traefik.http.routers.ghost.rule=Host(`blog.gbanyan.net`)"
|
|
- "traefik.http.services.ghost.loadbalancer.server.port=2368"
|
|
- "traefik.http.routers.ghost.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.ghost.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
|
|
- "com.centurylinklabs.watchtower.enable=true"
|
|
- "traefik.docker.network=traefik_default"
|
|
``` |