gbanyan/GB-Traefik
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
GB-Traefik/README.md
Gbanyan f88169f1b2 Readme typo fix
2025-04-16 16:08:16 +08:00

2.6 KiB
Raw Blame History

GB Traefik Setup

This repository contains the configuration files and setup instructions for deploying Traefik, a modern reverse proxy and load balancer.

Configuration files is customized for Gbanyan personal usage.

Prerequisites

  • Docker installed on your system
  • Docker Compose (if using docker-compose.yml)

Getting Started

  1. Clone this repository:

    git clone https://gitea.gbanyan.net/gbanyan/GB-Traefik.git
cd GB-Traefik

  2. Update the traefik.yml and docker-compose.yml files as needed for your environment.

  3. Start Traefik:

    docker compose up -d

  4. Access the Traefik dashboard (if enabled) at http://<your-domain-or-ip>:8080.

Configuration

  • .env: Cloudflare E-mail and API Token for SSL DNS Challenge
  • Traefik Configuration: Modify traefik.yml, dynamic.yml to customize Traefik's behavior.
  • Docker Compose: Use docker-compose.yml to define services and networks.

Detail:

My traefik is split into internal and external entrypoint.

Internal entrypoint is for private and secure service without exposing.

Each entrypoint is binded to different ip address for isolation.

Then, other docker service is attached to different entrypoint guided by label in docker compose

label: 
    - "traefik.http.routers.service-name.entrypoints=websecure"

Besides the entrypoint setup, I add cloudflare proxy (for exposing real ip to access.log for crowdsec to read), crowdsec-firewall-bouncer, compression with brotli middlrewares method in traefik.yml and dynamic.yml

Adding middlewares is also guided by labels:

label: 
    - "traefik.http.routers.service-name.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"

The order of middlewares is meaningful.

Traefik has ability to apply SSL certs automatically. Just offer the required DNS API authentication (Like cloudflare).

Please refer the traefik documentation.

The following is an example of a docker service I hosted in its docker-compose.yaml:

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ghost.entrypoints=websecure"
      - "traefik.http.routers.ghost.rule=Host(`blog.gbanyan.net`)"
      - "traefik.http.services.ghost.loadbalancer.server.port=2368"
      - "traefik.http.routers.ghost.tls.certresolver=letsencrypt"
      - "traefik.http.routers.ghost.middlewares=cloudflarewarp@file,crowdsec@file,compress-middleware@file"
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.docker.network=traefik_default"

I mount the access.log for crowdsec firewall to read.