diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..11ddde7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,5 @@
+FROM traefik:camembert
+ADD traefik.toml .
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 443
diff --git a/LICENSE b/LICENSE
index a06a5bd..2808ada 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,21 +1 @@
-MIT License
-
-Copyright (c) 2016 docker-compose-examples
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Public Domain (CC0)
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2a8d983
--- /dev/null
+++ b/README.md
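Review bot: In the Dockerfile hunk, `FROM traefik:camembert` selects the base image by a mutable release tag, so a later rebuild can pull content other than what was reviewed; pinning the digest, `FROM traefik:camembert@sha256:<digest-of-the-reviewed-image>` (placeholder), makes the build reproducible. `ADD traefik.toml .` copies a plain local file, for which `COPY` is the explicit instruction. The relative destination also depends on the base image's working directory being a place Traefik searches for its configuration; an absolute target such as `COPY traefik.toml /etc/traefik/traefik.toml` would remove that dependency, assuming this release reads that path.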
@@ -0,0 +1,66 @@
+## Motivation
+
+Docker-compose setup for starting [Træfik](https://traefik.io/) as reverse-proxy, loadbalancer and SSL server with lets-encrypt certificates.
+
+## Usage
+
+Put the files of this gist into a directory called `reverse-proxy` and run `docker-compose -d up` to startup the service.
+After that, you can "up" `docker-compose.yml`-files like:
+
+```yaml
+version: '2'
+
+services:
+ microbot:
+ image: dontrebootme/microbot
+ labels:
+ - "traefik.enable=true"
+ - "traefik.backend=microbot"
+ - "traefik.frontend.rule=Host:microbot.example.com"
+ - "traefik.docker.network=reverseproxy_default"
+ networks:
+ - "reverseproxy_default"
+ restart: always
+networks:
+ reverseproxy_default:
+ external:
+ name: reverseproxy_default
+```
+and they will be served through the Træfik proxy.
+
+* Træfik will forward requests to `https://microbot.example.com` to the backend.
+* Træfik will order SSL certificates through [letsencrypt.org](https://letsencrypt.org/)
+* Træfik will balance the requests between multiple backends with the same name, which means
+ additional instance created by `docker-compose scale microbot=3` will automatically be used when
+ available.
+* Requests to `http://microbot.example.com` will be redirected to **https**
+
+# Some details
+
+* The label `traefik.frontend.rule=Host:microbot.example.com` is used by Træfik to determine which container to use for which domain.
+* The option `exposedbydefault = false` tells Træfik to only include containers with the label `traefik.enable=true`.
+* Since the gist-files are inside the directory `reverse-proxy`, docker-compose will create a network `reverseproxy_default` for the container. The part
+
+```yaml
+ networks:
+ - "reverseproxy_default"
+```
+
+and
+
+```yaml
+networks:
+ reverseproxy_default:
+ external:
+ name: reverseproxy_default
+```
+of the microbot-file make sure that microbot is in the same network as Træfik.
+
+If microbot were present in two networks, the label `traefik.docker.network=reverseproxy_default` will tell Træfik which IP to use to connect to the service.
+
+# LICENSING
+
+All files are mostly derived from each sofware's documentation.
+Treat this example as public domain (CC0). It took a while to get it
+running, but the amount of work was not high enough to put it under any license.
+
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..9501b3d
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '2'
+
+services:
+ traefik:
+ build: .
+ # command: --logLevel=DEBUG
+ ports:
+ - "80:80"
+ - "443:443"
+ - "127.0.0.1:8080:8080"
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ - default
+ cap_drop:
+ - all
+ cap_add:
+ - net_bind_service#
diff --git a/traefik.toml b/traefik.toml
new file mode 100644
index 0000000..0d58932
--- /dev/null
+++ b/traefik.toml
@@ -0,0 +1,37 @@
+# defaultEntryPoints must be at the top because it should not be in any table below
+defaultEntryPoints = ["http", "https"]
+
+[web]
+# Port for the status page
+address = ":8080"
+
+# Entrypoints, http and https
+[entryPoints]
+
+# http should be redirected to https
+[entryPoints.http]
+address = ":80"
+[entryPoints.http.redirect]
+entryPoint = "https"
+
+# https is the default
+[entryPoints.https]
+address = ":443"
+
+[entryPoints.https.tls]
+
+# Enable ACME (Let's Encrypt): automatic SSL
+[acme]
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+email = "letsencrypt@example.com"
+storage = "acme.json" # or "traefik/acme/account" if using KV store
+entryPoint = "https"
+onDemand = false
+OnHostRule = true
+
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "example.com"
+watch = true
+exposedbydefault = false
\ No newline at end of file
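Review bot: In docker-compose.yml, the `/var/run/docker.sock:/var/run/docker.sock` entry under `volumes:` gives the container that serves the published ports 80 and 443 full access to the Docker API, which is equivalent to root on the host if the proxy is compromised. `cap_drop: all` does not restrict what can be requested through that socket. Consider routing Traefik through a filtering socket proxy that allows only the read-only endpoints it needs, and add a comment such as `# Docker API access is root-equivalent; required for container discovery` above the mount. Separately, the last line reads `- net_bind_service#`; unless the `#` is a rendering artifact, YAML treats it as part of the value, so it should be `- net_bind_service`.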
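Review bot: In traefik.toml, the `[web]` section serves the status page and API on `:8080` with no authentication configured. The compose file publishes that port on 127.0.0.1 only, but every backend container attached to the proxy's network can still reach it directly. Setting `readOnly = true` under `[web]` (if this release supports it), or dropping the section when the status page is not needed, would narrow that exposure. Also, `storage = "acme.json"` is a relative path with no volume behind it in the compose file, so the ACME account key and certificates appear to be lost on every container recreation and requested again, which can run into Let's Encrypt rate limits. A dedicated volume for that file with restrictive permissions would keep the keys persistent and private.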