{{tag>Brouillon Proxy Docker}}
= Traefik - un reverse proxy pour Docker
Voir aussi :
* https://www.grottedubarbu.fr/kubernetes-portainer-traefik/
* https://www.grottedubarbu.fr/securiser-socket-docker/
''traefik.yml''
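---
# Traefik static configuration (traefik.yml), mounted read-only into the
# container by docker-compose.yml. Routing/TLS details live in
# dynamic_conf.yml, loaded through the file provider below.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

serversTransport:
  # Disables certificate verification for every backend Traefik forwards to.
  # The services in this stack appear to be plain HTTP, so it has no effect
  # on them; before adding an HTTPS backend, prefer trusting the local CA
  # through rootCAs and setting this back to false.
  insecureSkipVerify: true
  # rootCAs:
  #   - certs/inter-chain.pem

providers:
  file:
    filename: dynamic_conf.yml
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Only containers labelled traefik.enable=true get routers.
    exposedByDefault: false

log:
  # level: DEBUG
  level: INFO

api:
  # The dashboard is reachable only through the s-dashboard router declared
  # in docker-compose.yml (api@internal behind the basicauth middleware).
  # Keep `insecure` commented out: it would also expose the API/dashboard
  # without authentication on a dedicated entrypoint (port 8080 by default).
  dashboard: true
  # debug: true
  # insecure: true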
''dynamic_conf.yml''
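---
# Traefik dynamic configuration (dynamic_conf.yml): certificates and TLS
# options, reloaded on change by the file provider declared in traefik.yml.
tls:
  certificates:
    # Paths are relative to Traefik's working directory in the container;
    # docker-compose.yml mounts ./certs there as /certs (read-only).
    - certFile: certs/registry.docker.local.crt
      keyFile: certs/registry.docker.local.key
    - certFile: certs/wildcard.docker.local.crt
      keyFile: certs/wildcard.docker.local.key
      stores:
        - default

  stores:
    default:
      # Presented when no certificate matches the requested SNI name.
      defaultCertificate:
        certFile: certs/wildcard.docker.local.crt
        keyFile: certs/wildcard.docker.local.key

  options:
    default:
      # Refuse TLS 1.0/1.1 clients; raise to VersionTLS13 once every client
      # in use supports it.
      minVersion: VersionTLS12
      # Reject handshakes whose SNI matches no known hostname instead of
      # falling back to the default certificate.
      sniStrict: true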
''docker-compose.yml''
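---
version: '3.7'

services:
  traefik:
    # Untagged image resolves to "latest": pin a major version (for example
    # traefik:v2.<minor>) so an upgrade cannot silently change label or
    # configuration semantics.
    image: traefik
    # restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Access to the Docker socket is root-equivalent on the host. The :ro
      # flag only blocks filesystem operations on the socket node, not API
      # calls made through it; a socket proxy (see the securiser-socket-docker
      # link above) is the real mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $PWD/traefik.yml:/traefik.yml:ro
      - $PWD/dynamic_conf.yml:/dynamic_conf.yml:ro
      - $PWD/certs:/certs:ro
    # environment:
    #   PUID: ${PUID}
    #   PGID: ${PGID}
    #   TZ: ${TZ}
    labels:
      - traefik.enable=true
      # HTTP router: its only job is the redirect to HTTPS.
      - traefik.http.routers.dashboard.entrypoints=web
      - traefik.http.routers.dashboard.rule=Host(`traefik.docker.local`)
      - traefik.http.routers.dashboard.middlewares=https-redirect@docker
      # `traefik.port` is a Traefik v1 label; v2 does not know it (it may be
      # reported as "field not found" and the container skipped). The v2 form
      # is traefik.http.services.<name>.loadbalancer.server.port, which the
      # dashboard router does not need since it targets api@internal.
      # - traefik.http.services.s-dashboard.loadbalancer.server.port=8080
      # HTTPS router: dashboard behind basic auth.
      - traefik.http.routers.s-dashboard.entrypoints=websecure
      - traefik.http.routers.s-dashboard.rule=Host(`traefik.docker.local`)
      - traefik.http.routers.s-dashboard.service=api@internal
      - traefik.http.routers.s-dashboard.middlewares=auth@docker
      - traefik.http.routers.s-dashboard.tls=true
      # Credentials of the `auth` middleware, also used by registry-ui below.
      # Generated with: mkpasswd -m md5 | sed -e 's/\$/$$/g'
      # (every $ is doubled so compose does not interpolate it). MD5-crypt is
      # weak; prefer a bcrypt hash, e.g. `htpasswd -nB jean`, escaped the same way.
      - traefik.http.middlewares.auth.basicauth.users=jean:$$1$$qvbVKuOn$$qKZpjcMQuMFWNgC9vtycL1
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true

  # hello:
  #   image: osones/helloworld
  #   labels:
  #     - traefik.enable=true
  #     - traefik.http.routers.hw.entrypoints=web
  #     - traefik.http.routers.hw.rule=Host(`hw.docker.local`)
  #     - traefik.http.routers.s-hw.entrypoints=websecure
  #     - traefik.http.routers.s-hw.rule=Host(`hw.docker.local`)
  #     - traefik.http.routers.s-hw.tls=true
  #     - traefik.http.routers.hw.middlewares=https-redirect@docker
  #     - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
  #     - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
  #     # - "traefik.port=80"
  #     # - "traefik.backend=hello"

  redis:
    # Only reachable on the compose network (no ports published); used as the
    # registry's blob-descriptor cache.
    image: redis
    # restart: unless-stopped
    restart: always

  registry:
    image: registry:2
    depends_on:
      - redis
    # The original listing declared `environment:` twice; most parsers keep
    # only the last key, so the first (empty) one was dropped.
    environment:
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
      - REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR=redis
      - REGISTRY_REDIS_ADDR=redis:6379
    volumes:
      - $PWD/data:/data
    labels:
      - traefik.enable=true
      # v2 replacement for the v1 label `traefik.port=5000`.
      - traefik.http.services.s-registry.loadbalancer.server.port=5000
      - traefik.http.routers.s-registry.rule=Host(`registry.docker.local`)
      - traefik.http.routers.s-registry.entrypoints=websecure
      - traefik.http.routers.s-registry.tls=true
      # As written, anyone who can reach websecure may pull from and push to
      # this registry. Uncomment to require the same credentials as the
      # dashboard (clients then need `docker login registry.docker.local`);
      # registry-ui is unaffected because it talks to registry:5000 directly.
      # - traefik.http.routers.s-registry.middlewares=auth@docker

  registry-ui:
    image: konradkleine/docker-registry-frontend:v2
    # restart: unless-stopped
    depends_on:
      - registry
    environment:
      # The registry is reached directly over the compose network, not
      # through Traefik. Values are quoted so they stay strings.
      ENV_DOCKER_REGISTRY_HOST: 'registry'
      ENV_DOCKER_REGISTRY_PORT: '5000'
      # ENV_DOCKER_REGISTRY_USE_SSL: 1
      ENV_DEFAULT_REPOSITORIES_PER_PAGE: '50'
    labels:
      - traefik.enable=true
      # v2 replacement for the v1 label `traefik.port=80`.
      - traefik.http.services.s-registry-ui.loadbalancer.server.port=80
      - traefik.http.routers.s-registry-ui.rule=Host(`registry-ui.docker.local`)
      - traefik.http.routers.s-registry-ui.entrypoints=websecure
      - traefik.http.routers.s-registry-ui.tls=true
      # Reuses the `auth` middleware declared once on the traefik service,
      # so the password hash is maintained in a single place.
      - traefik.http.routers.s-registry-ui.middlewares=auth@docker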
Exemple de génération de certificats auto-signés. Notez que Traefik est aussi capable d'utiliser **Let's Encrypt**.
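# -p keeps the command idempotent when certs/ already exists.
mkdir -p certs
# Self-signed wildcard certificate for the *.docker.local hosts routed above.
# -subj avoids the interactive prompt; -addext (OpenSSL >= 1.1.1) adds a
# subjectAltName, which current browsers and Docker clients require
# (the CN alone is no longer honoured).
openssl req -newkey rsa:4096 -nodes -sha256 \
  -subj "/CN=*.docker.local" \
  -addext "subjectAltName=DNS:*.docker.local,DNS:docker.local" \
  -keyout certs/wildcard.docker.local.key \
  -x509 -days 365 -out certs/wildcard.docker.local.crt
# dynamic_conf.yml also references certs/registry.docker.local.{crt,key}:
# generate that pair the same way with CN/SAN registry.docker.local, or
# remove the entry (the wildcard certificate already covers that host).
docker-compose up -d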