-
Notifications
You must be signed in to change notification settings - Fork 1
/
docker-compose.yml
executable file
·115 lines (110 loc) · 5.31 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
version: '3.8'
services:
traefik:
image: traefik:v2.9
container_name: traefik
command:
- --global.checkNewVersion=true # check for updates
- --global.sendAnonymousUsage=false # do not send anonymous statistics
- --providers.docker=true # enable docker provider
- --providers.docker.network=proxy # define default network to monitor for docker provider
- --providers.docker.exposedbydefault=false # do not expose docker hosts per default
- --providers.docker.swarmModeRefreshSeconds=15s # defeine swarm mode fresh seconds
- --providers.providersThrottleDuration=2s # define throttle duration
- --providers.file.watch=true # monitor file provider for changes
- --providers.file.filename=/etc/traefik/fileConfig.yml # location of the dynamic configuration
- --entrypoints.http.address=:80 # entrypoint for unencrypted http
- --entrypoints.http.http.redirections.entryPoint.to=https # automatic redirect from http to https
- --entrypoints.http.http.redirections.entryPoint.scheme=https # automatic redirect from http to https
- --entrypoints.https.address=:443 # entrypoint for encrypted https
- --entrypoints.https.http.middlewares=security-headers@file,rate-limit@file # define default middlewares for all proxy entries
- --api.dashboard=true # enable traefik api dashboard
- --api.insecure=true # expose traefik api dashboard on TCP/8080 without need for router
####################################################
# !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!!
- --entrypoints.https.http.tls.certresolver=myresolver # define default cert resolver
- [email protected] # define your email address
- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http
- --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json # define acme path for certificate information
####################################################
- --log.level=INFO # enable log level
- --accesslog=true # enable access logs
- --accesslog.filepath=/logs/traefik.log # define access log path
- --accesslog.format=json # set access log format to json instead clm
- --accesslog.bufferingsize=0 # set access log buffer size to 0
- --accesslog.filters.statuscodes=400-599 # only log http errors in logs; alternatively set 200-599 to include successful http requests
- --accesslog.fields.headers.defaultmode=drop # drop all headers
- --serversTransport.insecureSkipVerify=true # set insecureSkipVerify to true to allow self-signed certificates
labels:
- traefik.enable=true # enable traefik
- traefik.http.routers.api.rule=Host(`traefik.fictive.local`) # replace with your domain name
- traefik.http.routers.api.service=api@internal # enable traefik api dashboard
- traefik.http.routers.api.middlewares=local-ipwhitelist@file # restrict dashboard access to private class subnets only
ports:
- 80:80 # http
- 443:443 # https
networks:
- proxy # define traefik docker network
environment:
- TZ=Europe/Berlin # define timezone
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only
- ./traefik:/etc/traefik/ # bind mount volume for persistent traefik data
- ./traefik/logs:/logs # bind mount volume for persistent traefik logs
restart: always # always restart traefik
extra_hosts:
- host.docker.internal:172.17.0.1 # define internal ip; helps traefik to resolve containers running in host network mode
juice-shop:
image: bkimminich/juice-shop:latest
container_name: juice-shop
expose:
- 3000
networks:
- proxy
depends_on:
- traefik
- authelia
labels:
- traefik.enable=true
- traefik.http.routers.juiceshop.rule=Host(`juice.fictive.local`) # replace with your domain name
- traefik.http.services.juiceshop.loadbalancer.server.port=3000
- traefik.docker.network=proxy
- traefik.http.routers.juiceshop.middlewares=authelia@docker
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- ./authelia/config:/config
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.authelia.rule=Host(`auth.fictive.local`) # replace with your domain name
- traefik.http.routers.authelia.entrypoints=https
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.fictive.local # replace with your domain name
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
expose:
- 9091
restart: unless-stopped
depends_on:
- traefik
- redis
environment:
- TZ=Europe/Berlin
redis:
image: redis:alpine
container_name: authelia-redis
command: redis-server --requirepass SuperSecureRedisAuthPassword # also reflect this in the authelia config file
volumes:
- ./authelia/redis:/data
networks:
- proxy
expose:
- 6379
restart: unless-stopped
environment:
- TZ=Europe/Berlin
networks:
proxy:
external: true