Traefik

The Cloud Native Application Proxy

🏠 Home: https://traefik.io/
📜 Source: https://github.com/traefik/traefik
Comparison with nginx: https://blog.lrvt.de/nginx-proxy-manager-versus-traefik/
Customizing error pages in Traefik: https://www.imandrea.me/blog/traefik-custom-404/

# Compose project name; the services below are created under this project.
name: traefik
# Two services: the Traefik proxy itself and a logrotate sidecar for its logs.
services:
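  # Reverse proxy published on 80/443. It watches Docker events through the
  # mounted socket and reads its file-based configuration from ./traefik.
  traefik:
    image: traefik:v3.4.1
    container_name: traefik
    restart: unless-stopped
    # Hardening: processes in the container cannot gain extra privileges
    # through setuid/setgid binaries.
    security_opt:
      - "no-new-privileges:true"
    environment:
      TZ: "${TIMEZONE}"
      MYDOMAIN: "${MYDOMAIN}"
      MAIN_NODE_IP: "${MAIN_NODE_IP}"
      # NOTE(review): the two secrets below are passed as plain environment
      # variables, so they are readable with `docker inspect` and by anything
      # that has Docker API access. Keep the .env file out of version control
      # and restrict its permissions; consider Compose secrets if the
      # consumers accept file-based credentials.
      CLOUDFLARE_DNS_API_TOKEN: "${CLOUDFLARE_DNS_API_TOKEN}"
      # Generate key within the crowdsec container: cscli bouncers add traefik-bouncer
      CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_API_KEY}"
      # Used in static configuration (traefik.yml)
      # NOTE(review): Traefik documents its static-configuration sources
      # (file, CLI arguments, environment) as mutually exclusive. Confirm the
      # TRAEFIK_* values below actually take effect alongside traefik.yml.
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_MAIN: "${MYDOMAIN}"
      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_0_SANS: "*.${MYDOMAIN}"
      TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: "${ADMIN_EMAIL}"
    volumes:
      # So that Traefik can listen to the Docker events.
      # The `:ro` flag only makes the bind mount of the socket file read-only.
      # A process that can open the socket can still send any Docker API
      # request, which is equivalent to root on the host.
      # TODO To improve the security use a docker socket proxy that exposes
      # only the read-only endpoints Traefik needs.
      # kics-scan ignore-line
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # File-based configuration (traefik.yml and anything it references).
      # NOTE(review): mounted read-write; consider `:ro` if nothing in the
      # container writes under /etc/traefik.
      - "./traefik:/etc/traefik/"
      # Log directory, shared with the logrotate service.
      - "${DOCKER_VOLUMES}/traefik/logs:/logs"
      # ACME storage: holds certificate private keys, so keep the host
      # directory readable by root only.
      - "${DOCKER_VOLUMES}/traefik/letsencrypt:/letsencrypt"
    ports:
      # Quoted so that no YAML parser can read HOST:CONTAINER as a number.
      - "80:80" # HTTP
      - "443:443/tcp" # HTTPS
      - "443:443/udp" # HTTP/3 - QUIC
    networks:
      - proxy
    extra_hosts:
      # Lets the container reach services on the Docker host by name.
      - "host.docker.internal:host-gateway"
    labels:
      traefik.enable: "true"
      # Dashboard/API router. api@internal exposes the full Traefik API, and
      # the only access control visible here is the localaccess@file
      # middleware, which is defined in the file provider and not shown.
      # NOTE(review): no entrypoint is pinned, so this router attaches to the
      # default entrypoints. Confirm the static configuration redirects :80 to
      # HTTPS, or restrict this router to the TLS entrypoint.
      traefik.http.routers.api.rule: 'Host(`traefik.${MYDOMAIN}`)' # Define the subdomain for the traefik dashboard
      traefik.http.routers.api.service: "api@internal" # Enable Traefik API
      traefik.http.routers.api.middlewares: "localaccess@file"
      # Homepage dashboard metadata; the widget queries the Traefik API URL.
      homepage.group: "Infra"
      homepage.name: "Traefik"
      homepage.icon: "traefik.png"
      homepage.href: "https://traefik.${MYDOMAIN}/"
      homepage.description: "The Cloud Native Application Proxy"
      homepage.widget.type: "traefik"
      homepage.widget.url: "https://traefik.${MYDOMAIN}/"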

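  # Sidecar that rotates the Traefik logs in the shared /logs volume.
  # Access Logs: https://doc.traefik.io/traefik/observability/access-logs/
  logrotate:
    build:
      # Inline image: Alpine plus logrotate, with the repo's logrotate.conf
      # baked in. The chmod/chown steps matter because logrotate skips
      # configuration files that are writable by group/others or not owned by
      # root.
      # The CMD forces one rotation (-f) and then sleeps for a day. When the
      # sleep ends the container exits and `restart: unless-stopped` starts it
      # again, so a rotation also happens on every container restart. If
      # logrotate fails, `&&` skips the sleep and the container exits at once.
      # NOTE(review): Traefik keeps its log files open. Confirm that
      # logrotate.conf uses copytruncate or that Traefik is signalled (USR1)
      # to reopen them, otherwise it keeps writing to the rotated file.
      dockerfile_inline: |
        FROM alpine:3.21
        RUN apk add --no-cache logrotate
        COPY traefik/logrotate.conf /etc/logrotate.conf
        RUN chmod 644 /etc/logrotate.conf
        RUN chown root:root /etc/logrotate.conf
        CMD ["sh", "-c", "logrotate -f /etc/logrotate.conf && sleep 86400"]
    container_name: logrotate
    restart: unless-stopped
    volumes:
      # Same host directory that the traefik service mounts at /logs.
      - "${DOCKER_VOLUMES}/traefik/logs:/logs"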

networks:
  # Pre-existing network that Compose does not create (external: true); it
  # must exist before `docker compose up`.
  # Presumably shared with the services Traefik proxies. Any container
  # attached to it can reach Traefik and its peers directly, so attach only
  # what needs to be proxied.
  proxy:
    external: true