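services:
  traefik:
    # NOTE(review): `latest` is a mutable tag, so every pull may silently change
    # the proxy version. Pin to a specific release (traefik:<version>) so that
    # upgrades are deliberate and the deployment is reproducible.
    image: traefik:latest
    # Names the container 'traefik' for easier identification.
    container_name: traefik
    # Ensures the container restarts automatically unless it is explicitly stopped.
    restart: unless-stopped
    security_opt:
      # Enforces no privilege escalation inside the container.
      - no-new-privileges:true
    networks:
      # Traefik is attached to the same user-defined network as the services it
      # routes to (see `traefik.docker.network` on the scicommons service).
      - docker_network
    ports:
      # Host port 80 (HTTP) -> container port 80; host 443 (HTTPS) -> container 443.
      # Quoted so the YAML parser never reinterprets a `host:container` pair as a number.
      - "80:80"
      - "443:443"
    environment:
      # Cloudflare DNS API token used by the ACME DNS-01 challenge (certresolver
      # "cloudflare" below). The value comes from the shell / .env, not from this file.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      # Alternative: authenticate with a Cloudflare Global API key. In that case the
      # account e-mail is required as well. Prefer the scoped DNS token above; a
      # global key grants far more than DNS edit rights.
      # - CF_API_EMAIL=${CF_API_EMAIL}
      # - CF_API_KEY=${CF_API_KEY}
    volumes:
      # Mounts the host's time configuration so the container clock matches the host.
      - /etc/localtime:/etc/localtime:ro
      # Docker socket: lets Traefik discover containers and read their labels.
      # A read-only bind mount still grants full Docker API access (equivalent to
      # root on the host), so this mount belongs on the proxy only.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Static Traefik configuration (entrypoints, providers, certificate resolvers).
      - /home/ubuntu/traefik/traefik.yml:/traefik.yml:ro
      # ACME storage: holds account key, private keys and issued certificates.
      # Must be writable by Traefik and should be mode 0600 on the host.
      - /home/ubuntu/traefik/acme.json:/acme.json
    labels:
      # Enables Traefik for this container.
      - 'traefik.enable=true'
      # HTTP router for the dashboard: bound to the 'http' entrypoint.
      # NOTE(review): no `rule` is set, so Traefik falls back to its default rule
      # (derived from the container name); state the host explicitly if the
      # dashboard is meant to be reachable.
      - 'traefik.http.routers.traefik.entrypoints=http'
      # Middleware that redirects HTTP traffic to HTTPS.
      - 'traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https'
      # Middleware that sets X-Forwarded-Proto=https on forwarded requests.
      # NOTE(review): defined but not attached to any router in this file.
      - 'traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https'
      # Applies the HTTPS redirection middleware to the HTTP dashboard router.
      - 'traefik.http.routers.traefik.middlewares=traefik-https-redirect'
      # HTTPS router for the dashboard: bound to the 'https' entrypoint.
      - 'traefik.http.routers.traefik-secure.entrypoints=https'
      # Enables TLS for the secure dashboard router.
      - 'traefik.http.routers.traefik-secure.tls=true'
      # Uses the 'cloudflare' certificate resolver (DNS-01) to obtain certificates.
      - 'traefik.http.routers.traefik-secure.tls.certresolver=cloudflare'
      # Main domain the certificate is requested for (scicommons.org). The
      # scicommons-secure router below relies on this certificate being present.
      - 'traefik.http.routers.traefik-secure.tls.domains[0].main=scicommons.org'
      # Routes the secure dashboard router to Traefik's internal API/dashboard.
      # NOTE(review): api@internal is exposed here without an authentication
      # middleware (basicauth / forwardauth). Attach one to `traefik-secure`
      # before enabling the dashboard, or drop this router entirely.
      - 'traefik.http.routers.traefik-secure.service=api@internal'

  scicommons:
    # Names the container 'scicommons' for easier identification.
    container_name: scicommons
    # NOTE(review): `main` is a moving branch tag; pin to an immutable tag or
    # digest so a rebuilt image cannot be rolled out implicitly.
    image: ghcr.io/m2b3/scicommons-frontend:main
    security_opt:
      # Same hardening as the proxy: no privilege escalation inside the container.
      - no-new-privileges:true
    volumes:
      # Mounts the host's time configuration so the container clock matches the host.
      - /etc/localtime:/etc/localtime:ro
      # The Docker socket is intentionally NOT mounted here. Traefik discovers this
      # container through the socket mounted in its own service; exposing the
      # socket to the web-facing frontend would hand it Docker API (host root)
      # access for no functional gain.
    labels:
      # Enables Traefik for this container.
      - 'traefik.enable=true'
      # HTTP router for the frontend: bound to the 'http' entrypoint.
      - 'traefik.http.routers.scicommons.entrypoints=http'
      # Only requests for host `scicommons.org` are routed to this container.
      - 'traefik.http.routers.scicommons.rule=Host(`scicommons.org`)'
      # Middleware that redirects HTTP traffic to HTTPS for this service.
      - 'traefik.http.middlewares.scicommons-https-redirect.redirectscheme.scheme=https'
      # Applies the HTTPS redirection middleware to the HTTP frontend router.
      - 'traefik.http.routers.scicommons.middlewares=scicommons-https-redirect'
      # HTTPS router for the frontend: bound to the 'https' entrypoint.
      - 'traefik.http.routers.scicommons-secure.entrypoints=https'
      # Routing rule for secure HTTPS requests to `scicommons.org`.
      - 'traefik.http.routers.scicommons-secure.rule=Host(`scicommons.org`)'
      # Enables TLS for the secure frontend router.
      # NOTE(review): no certresolver is set on this router; it is served with the
      # certificate obtained by the traefik-secure router above. Consider setting
      # the resolver here as well so the frontend does not depend on the
      # dashboard router's configuration.
      - 'traefik.http.routers.scicommons-secure.tls=true'
      # Backend service for the secure router.
      - 'traefik.http.routers.scicommons-secure.service=scicommons'
      # Port inside the container where the frontend listens.
      - 'traefik.http.services.scicommons.loadbalancer.server.port=3000'
      # Network Traefik must use to reach this container. This must name a network
      # both containers are attached to; the original value ('proxy') did not
      # exist in this file, so 'docker_network' is used.
      - 'traefik.docker.network=docker_network'
    # Automatically restarts the container if it crashes or stops.
    restart: always
    # The frontend is reached only through Traefik (TLS termination and
    # HTTP->HTTPS redirect above). Publishing 3000 on the host would bypass
    # both, so the port is exposed on the internal network only.
    expose:
      - "3000"
    networks:
      # Connects the container to the shared 'docker_network' network.
      - docker_network

networks:
  docker_network:
    # User-defined bridge network that lets the proxy and the frontend talk to
    # each other while remaining isolated from the default bridge.
    driver: bridge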