Docker: add a Traefik based docker-compose example

Example uses Traefik as reverse-proxy with SSL encryption. For demonstration purpose multiple entrypoints (toplevel/subdomain) are used.
userid0x0 · Apr 17, 2023 · 9c90312 · 9c90312
1 parent dfe9e69
commit 9c90312
Show file tree

Hide file tree

Showing 5 changed files with 161 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 data
-.DS_Store
+.vscode
+compose/traefik/certs
+compose/traefik/mkcert
 /*.svn
diff --git a/compose/traefik/README.md b/compose/traefik/README.md
@@ -0,0 +1,47 @@
+
+# Example
+Use Traefik as a reverse-proxy in conjunction with svn-docker. The example handles the following domains:
+- `https://localhost`
+- `http://insecure.localhost` Port 80
+- `https://secure.localhost` Port 443 with SSL
+- `http[s]://svn.localhost` automatic https redirection
+
+Note: You may require a local DNS / patch of `/etc/hosts` to get the subdomains working.
+## Create certificate
+This example uses [mkcert](https://github.com/FiloSottile/mkcert) to generate wildcard certificate for `*.localhost`.
+For private use you may use this approach to create a certificate for your local router environment e.g. `*.host.localdomain`
+```
+$ wget -O mkcert https://dl.filippo.io/mkcert/latest?for=linux/amd64
+$ chmod +x mkcert
+$ mkdir certs
+$ ./mkcert -cert-file certs/_wildcard.localhost.pem -key-file certs/_wildcard.localhost-key.pem "*.localhost" localhost 127.0.0.1 ::1
+```
+the output might look as follows
+```
+Created a new local CA
+Note: the local CA is not installed in the system trust store.
+Note: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store.
+Run "mkcert -install" for certificates to be trusted automatically
+
+Created a new certificate valid for the following names
+ - "*.localhost"
+   Warning: many browsers don't support second-level wildcards like "*.localhost"
+ - "localhost"
+ - "127.0.0.1"
+ - "::1"
+
+Reminder: X.509 wildcards only go one level deep, so this won't match a.b.localhost
+
+The certificate is at "certs/_wildcard.localhost.pem" and the key at "certs/_wildcard.localhost-key.pem"
+
+It will expire on ...
+```
+You may run `./mkcert -CAROOT` to see where the RootCA is stored e.g. to move it to other devices. For more information check the mkcert project page.
+
+The generated files are used by `providers/tls.yml`.
+
+## Startup
+```
+$ docker network create traefik_default
+$ docker compose up
+```
diff --git a/compose/traefik/docker-compose.yml b/compose/traefik/docker-compose.yml
@@ -0,0 +1,98 @@
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.9
+    container_name: reverse_proxy
+    restart: unless-stopped
+    command:
+      - '--global.sendAnonymousUsage=false'
+      # Providers:
+      # Docker (controlled by labels)
+      - '--providers.docker'
+      - '--providers.docker.exposedbydefault=false'
+      - '--providers.docker.network=traefik_default'
+      # File (watch folder `/providers`)
+      - '--providers.file'
+      - '--providers.file.directory=/providers'
+      - '--providers.file.watch=true'
+      # create entrypoints: epWeb + epWebsecure
+      - '--entrypoints.epWeb.address=:80'
+      - '--entrypoints.epWebsecure.address=:443'
+      - '--api.insecure=true'
+    ports:
+      - 80:80
+      - 443:443
+      - 8080:8080
+    volumes:
+      - ./providers/:/providers
+      - ./certs/:/certs
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    healthcheck:
+      test: ['CMD', 'traefik', 'healthcheck', '--ping']
+      interval: 10s
+      timeout: 10s
+      retries: 5
+    networks:
+      - traefik_default
+
+  whoami:
+    image: traefik/whoami:latest
+    container_name: whoami
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      # Routers are https only (tls=true)
+      # Routers 1: by path
+      - traefik.http.routers.rWhoamiPath.rule=Path(`/admin/whoami`)
+      - traefik.http.routers.rWhoamiPath.entrypoints=epWebsecure
+      - traefik.http.routers.rWhoamiPath.tls=true
+      - traefik.http.routers.rWhoamiPath.middlewares=mwWhoamiRemovePath
+      # Routers 2: by host
+      - traefik.http.routers.rWhoamiSubdomain.rule=Host(`whoami.localhost`)
+      - traefik.http.routers.rWhoamiSubdomain.entrypoints=epWebsecure
+      - traefik.http.routers.rWhoamiSubdomain.tls=true
+      # middlewares
+      ## remove-path: strip prefix /admin/whoami
+      - traefik.http.middlewares.mwWhoamiRemovePath.stripprefix.prefixes=/admin/whoami
+    networks:
+      - traefik_default
+
+  svn:
+    image: userid0x0/svn-docker:latest
+    container_name: subversion
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      # Router
+      # Router 1: by path - https only
+      - traefik.http.routers.rSvnPathHttps.rule=Host(`localhost`)&&PathPrefix(`/svn`,`/svnadmin`,`/repos-web`,`/websvn`)
+      - traefik.http.routers.rSvnPathHttps.entrypoints=epWebsecure
+      - traefik.http.routers.rSvnPathHttps.tls=true
+      # Router 2: https subdomain only
+      - traefik.http.routers.rSvnSubdomainSecure.rule=Host(`secure.localhost`)
+      - traefik.http.routers.rSvnSubdomainSecure.entrypoints=epWebsecure
+      - traefik.http.routers.rSvnSubdomainSecure.tls=true
+      # Router 3: http subdomain only
+      - traefik.http.routers.rSvnSubdomainInsecure.rule=Host(`insecure.localhost`)
+      - traefik.http.routers.rSvnSubdomainInsecure.entrypoints=epWeb
+      # Router 4: http/https subdomain
+      - traefik.http.routers.rSvnSubdomainRedirectHttp.rule=Host(`svn.localhost`)
+      - traefik.http.routers.rSvnSubdomainRedirectHttp.entrypoints=epWeb
+      - traefik.http.routers.rSvnSubdomainRedirectHttp.middlewares=mwHttpToHttps@file
+      - traefik.http.routers.rSvnSubdomainRedirectHttps.rule=Host(`svn.localhost`)
+      - traefik.http.routers.rSvnSubdomainRedirectHttps.entrypoints=epWebsecure
+      - traefik.http.routers.rSvnSubdomainRedirectHttps.tls=true
+    volumes:
+      - svn_data:/data
+    networks:
+      - traefik_default
+
+networks:
+  # traefik_default is the default name for a traefik network - specify this explicitly here
+  # external means it needs to exist before `docker compose up`
+  traefik_default:
+    external: true
+
+volumes:
+  svn_data:
diff --git a/compose/traefik/providers/middlewares.yml b/compose/traefik/providers/middlewares.yml
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    mwHttpToHttps:
+      redirectScheme:
+        scheme: https
+        permanent: true
diff --git a/compose/traefik/providers/tls.yml b/compose/traefik/providers/tls.yml
@@ -0,0 +1,7 @@
+# default certificate
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certs/_wildcard.localhost.pem
+        keyFile: /certs/_wildcard.localhost-key.pem