[traefik] simpify traefik config

Author: bensonfx

Diff for: traefik/conf/bensonfx.yml

@@ -1,9 +1,35 @@
+http:
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: false
+        port: 5443
+    content-compress:
+      compress: {}
+
+  services:
+    # tricks https://github.com/containous/traefik/issues/4863#issuecomment-491093096
+    dummy:
+      loadBalancer:
+        servers:
+          - url: "" # or url: "localhost"
+
+  routers:
+    https-redirect:
+      entryPoints:
+        - http
+      rule: "HostRegexp(`{any:.*}`)"
+      service: "dummy"
+      middlewares:
+        - "https-redirect"
+
 tls:
-  certificates:
-    - certFile: /data/ssl/example.com.crt
-      keyFile: /data/ssl/example.com.key
-      stores:
-        - default
+  # certificates:
+  #   - certFile: /data/ssl/example.com.crt
+  #     keyFile: /data/ssl/example.com.key
+  #     stores:
+  #       - default
   options:
     default:
       minVersion: VersionTLS12
@@ -24,3 +50,4 @@ tls:
         - TLS_RSA_WITH_AES_256_GCM_SHA384
         - TLS_RSA_WITH_AES_128_CBC_SHA
         - TLS_RSA_WITH_AES_256_CBC_SHA
+

Diff for: traefik/conf/tls.yml renamed to traefik/conf/default.yml

@@ -0,0 +1,29 @@
+http:
+  services:
+    dsphoto:
+      loadBalancer:
+        servers:
+          - url: "http://photo.example.com"
+      nas:
+        loadBalancer:
+          servers:
+            - url: "http://nas.example.com:5000"
+  routers:
+    dsphoto:
+      entryPoints:
+        - https
+      service: dsphoto
+      rule: "Host(`photo.example.com`)"
+      tls: {}
+    nas:
+      entryPoints:
+        - https
+      service: nas
+      rule: "Host(`www.example.com`)"
+      tls:
+        certResolver: le
+        domains:
+          - main: "*.example.com"
+            sans:
+              - "example.com"
+              - "*.example.com"

Diff for: traefik/conf/nas.yml

@@ -3,29 +3,77 @@ services:
   traefik:
     container_name: traefik-v2
     image: traefik:v2.3
-    command: traefik --configFile /etc/traefik.yml
     restart: unless-stopped
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider localhost:8080/ping || exit 1"]
-    command: traefik --configFile /etc/traefik.yml
+    command:
+      - "--global.sendanonymoususage=false"
+      - "--global.checknewversion=false"
+      - "--api.dashboard=true"
+      # - "--api.debug=true"
+      - "--ping=true"
+      - "--entrypoints.http.address=:80"
+      - "--entrypoints.https.address=:443"
+      - "--entryPoints.web.forwardedHeaders.trustedIPs=172.18.0.0/24,192.168.31.0/24"
+      - "--log.level=WARN"
+      - "--log.filePath=/logs/traefik.log"
+      - "--log.format=json"
+      - "--accesslog.filepath=/logs/access.log"
+      - "--accesslog.format=json"
+      - "--providers.docker=true"
+      - "--providers.docker.watch=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.useBindPortIP=false"
+      - "--providers.docker.network=traefik"
+      - "--providers.docker.swarmMode=false"
+      - "--providers.file=true"
+      - "--providers.file.directory=/etc/traefik/conf"
+      - "--providers.file.debugloggeneratedtemplate=true"
+      - "[email protected]"
+      - "--certificatesresolvers.le.acme.storage=/data/ssl/acme.json"
+      - "--certificatesresolvers.le.acme.keytype=EC256"
+      - "--certificatesresolvers.le.acme.dnschallenge=true"
+      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
+      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=15"
+      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
     environment:
       TZ: "Asia/Shanghai"
       CF_API_EMAIL: ${CF_API_EMAIL}
       CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
       CF_ZONE_API_TOKEN: ${CF_ZONE_API_TOKEN}
     volumes:
       - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik.yml:/etc/traefik.yml:ro
       - ./conf:/etc/traefik/conf:ro
       - ./ssl:/data/ssl
       - ./logs:/logs
     ports:
-    - "80:80"
-    - "443:443"
+      - "80:80"
+      - "443:443"
     labels:
-    - "traefik.docker.network=traefik"
-    - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.traefik.service=api@internal"
+      # 默认请求转发 https 端口
+      - "traefik.http.routers.traefik-dash-default.middlewares=https-redirect@file"
+      - "traefik.http.routers.traefik-dash-default.entrypoints=http"
+      - "traefik.http.routers.traefik-dash-default.rule=Host(`admin.example.com`)"
+      - "traefik.http.routers.traefik-dash.service=dashboard@internal"
+      # 处理网页
+      - "traefik.http.middlewares.basic-auth.basicauth.users=$AUTH_USER_LIST"
+      - "traefik.http.routers.traefik-dash-web.middlewares=basic-auth"
+      - "traefik.http.routers.traefik-dash-web.entrypoints=https"
+      - "traefik.http.routers.traefik-dash-web.rule=Host(`admin.example.com`) && PathPrefix(`/`)"
+      - "traefik.http.routers.traefik-dash-web.tls=true"
+      - "traefik.http.routers.traefik-dash-web.service=dashboard@internal"
+      # 处理接口
+      - "traefik.http.routers.traefik-dash-api.entrypoints=https"
+      - "traefik.http.routers.traefik-dash-api.rule=Host(`admin.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+      - "traefik.http.routers.traefik-dash-api.tls=true"
+      - "traefik.http.routers.traefik-dash-api.service=api@internal"
     networks:
     - "traefik"
   # ldap: