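# docker-compose.yaml - Traefik - START
#
# Runs Traefik as the edge reverse proxy. Its own dashboard and Prometheus
# metrics are published over HTTPS behind basic auth. All tunables come from
# the Compose environment (.env): COMPOSE_PROJECT_NAME, LETSENCRYPT_EMAIL,
# TIMEZONE, DASHBOARD_USER, DASHBOARD_PASSWORD_HASH, RATE_LIMIT_*,
# IN_FLIGHT_LIMIT, HOSTRULE, PROXY_NETWORK.
services:
  traefik:
    # Pinned to a release tag instead of latest. Tags are mutable; pinning by
    # image digest as well makes the deployment reproducible.
    image: traefik:v3.6
    container_name: '${COMPOSE_PROJECT_NAME}'
    restart: unless-stopped
    # Hardening: processes in the container cannot gain additional privileges
    # through setuid/setgid binaries.
    security_opt:
      - 'no-new-privileges:true'
    command:
      - "--certificatesresolvers.letsEncrypt.acme.email=${LETSENCRYPT_EMAIL}"
    environment:
      - 'TZ=${TIMEZONE}'
    labels:
      - 'traefik.enable=true'
      # ========================================
      # Middlewares (driven by environment variables)
      # ========================================
      # Dashboard authentication.
      # DASHBOARD_PASSWORD_HASH must be an htpasswd-style hash (bcrypt
      # preferred), never a plaintext password. Such hashes contain '$':
      # single-quote the value in .env so Compose does not interpolate it.
      - 'traefik.http.middlewares.dashboard-auth-env.basicauth.users=${DASHBOARD_USER}:${DASHBOARD_PASSWORD_HASH}'
      - 'traefik.http.middlewares.dashboard-auth-env.basicauth.realm=Traefik Dashboard'
      # Rate limiting (configurable via .env)
      - 'traefik.http.middlewares.rate-limit-env.ratelimit.average=${RATE_LIMIT_AVERAGE}'
      - 'traefik.http.middlewares.rate-limit-env.ratelimit.burst=${RATE_LIMIT_BURST}'
      - 'traefik.http.middlewares.rate-limit-env.ratelimit.period=${RATE_LIMIT_PERIOD}'
      # In-flight request limiting (configurable via .env).
      # NOTE(review): not attached to any router in this file; presumably
      # referenced by other services as in-flight-limit-env@docker - confirm.
      - 'traefik.http.middlewares.in-flight-limit-env.inflightreq.amount=${IN_FLIGHT_LIMIT}'
      # ========================================
      # Dashboard router (HTTP -> HTTPS redirect)
      # ========================================
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard-http.rule=${HOSTRULE}'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard-http.entrypoints=web-http'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard-http.middlewares=redirect-to-https@file'
      # ========================================
      # Dashboard router (HTTPS)
      # ========================================
      # api@internal exposes the full routing configuration. It is reachable
      # on the public HTTPS entrypoint, guarded by basic auth and rate
      # limiting; an additional source-IP allow list is worth considering.
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.rule=${HOSTRULE} && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.entrypoints=websecure-https'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.service=api@internal'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.tls.certresolver=letsEncrypt'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.tls.options=modern@file'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-dashboard.middlewares=dashboard-auth-env,rate-limit-env'
      # ========================================
      # Prometheus metrics router (HTTPS)
      # ========================================
      # NOTE(review): protected by basic auth only; unlike the dashboard
      # router, rate-limit-env is not attached here - confirm this is intended.
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.rule=${HOSTRULE} && Path(`/metrics`)'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.entrypoints=websecure-https'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.service=prometheus@internal'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.tls.certresolver=letsEncrypt'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.tls.options=modern@file'
      - 'traefik.http.routers.${COMPOSE_PROJECT_NAME}-metrics.middlewares=dashboard-auth-env'
    networks:
      # Service-level entries refer to the keys of the top-level `networks`
      # mapping, not to the external network's name. Using the key keeps the
      # file valid when PROXY_NETWORK is set to anything other than
      # "traefik_proxy_network".
      - traefik_proxy_network
      - default
    # Note: if Mailcow is used, it must also join traefik_proxy_network so
    # that the mailcow-acme-challenge router works.
    ports:
      - target: 80
        published: 80
        protocol: tcp # HTTP, only used for the redirect to HTTPS
        mode: host
      - target: 443
        published: 443
        protocol: tcp # HTTPS (HTTP/2 etc.) on port 443 (TCP)
        mode: host
      - target: 443
        published: 443
        protocol: udp # additionally HTTP/3 on port 443 (UDP/QUIC)
        mode: host
    volumes:
      - './configs/traefik.yaml:/etc/traefik/traefik.yaml:ro'
      - './configs/traefik-dynamic.yaml:/etc/traefik/traefik-dynamic.yaml:ro'
      - './logs:/var/log:rw'
      - 'letsencrypt-data:/letsencrypt:rw'
      - '/etc/localtime:/etc/localtime:ro'
      # The :ro flag only protects the socket file itself; the Docker API
      # behind it stays fully usable, so control of this container amounts to
      # control of the Docker daemon on the host. A socket proxy that exposes
      # only the read-only endpoints Traefik needs reduces that exposure.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'

networks:
  default:
    driver: bridge
  traefik_proxy_network:
    # Pre-existing network shared with the proxied stacks; it must be created
    # before `docker compose up`.
    external: true
    name: '${PROXY_NETWORK}'

volumes:
  letsencrypt-data:
    # Bind-mounts <working directory>/volumes as a named volume.
    # ${PWD} is taken from the invoking shell, so the stack has to be started
    # from this directory (and PWD must be set, e.g. under systemd or sudo).
    # Presumably holds the ACME storage with certificate private keys - keep
    # the host directory readable by root only and out of version control.
    driver: local
    driver_opts:
      type: none
      o: bind
      device: '${PWD}/volumes'
# docker-compose.yaml - Traefik - END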