Hello,
I set up a simple website container and somehow got it working.
docker-compose.yml - simplewebsite
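# docker-compose.yml for the static site: nginx serves ./website and is published
# only through Traefik over the shared `proxy` network.
# Compose v2 ignores the top-level `version` key (it only warns); kept for older tooling.
version: '3.8'
services:
  simplewebsite:
    image: nginx:alpine
    container_name: simple-website
    # Deliberately unpublished: Traefik reaches nginx on the proxy network, so the
    # site is never bound to a host port and bypassing the proxy is not possible.
    #ports:
    # - "8080:80"
    volumes:
      # Read-only bind mount: a compromised nginx cannot alter the site files.
      - ./website:/usr/share/nginx/html:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.simplewebsite.rule=Host(`ws.local.hgraesslin.de`) || Host(`ws.hgraesslin.de`)"
      - "traefik.http.routers.simplewebsite.entrypoints=https"
      - "traefik.http.routers.simplewebsite.tls=true"
      # Without a certresolver the router is served with Traefik's default
      # self-signed certificate; `ionos` is the resolver declared in traefik.yaml.
      - "traefik.http.routers.simplewebsite.tls.certresolver=ionos"
      # The header middlewares in config.yaml are not attached to this router. They can
      # be added with "traefik.http.routers.simplewebsite.middlewares=default-security-headers@file"
      # once the CSP (default-src 'self') has been checked against the site's assets.
      - "traefik.http.services.simplewebsite.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
    networks:
      proxy:
networks:
  proxy:
    external: true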
docker-compose.yml - traefik
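# docker-compose.yml for the Traefik reverse proxy.
services:
  traefik:
    # `latest` is an unpinned tag: every pull may change the proxy version. Pin a
    # release (traefik:v<MAJOR.MINOR.PATCH>) so upgrades are deliberate and reviewable.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      # Processes in the container cannot gain privileges via setuid binaries.
      - no-new-privileges:true
    env_file:
      # Holds the secrets (dashboard password, IONOS_API_KEY); keep this file out of
      # version control. Compose also reads it for the ${...} substitutions below.
      - .env
    networks:
      proxy:
    ports:
      # Quoted so the host:container pairs stay strings (YAML 1.1 parses some
      # digit:digit values as base-60 integers).
      - "80:80"
      - "443:443"
    environment:
      # Already injected by env_file above (assuming the same .env), so this line is
      # redundant. No middleware on this page consumes it: the dashboard is served by
      # --api.insecure without authentication (see `command`).
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      # Was a literal value in this file; read from .env so the compose file carries
      # no secret. The ionos DNS provider reads this variable for the ACME challenge.
      - IONOS_API_KEY=${IONOS_API_KEY}
    command:
      # These flags duplicate entries in the mounted traefik.yaml. Keep one static
      # configuration source; confirm which one wins in your Traefik version.
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Serves API and dashboard on the `traefik` entrypoint (:8080) with no
      # authentication. Not in `ports`, so it is reachable only from the host and from
      # containers on the proxy network. To secure it: drop this flag and route the
      # `api@internal` service through a router with a basicAuth middleware whose users
      # come from TRAEFIK_DASHBOARD_CREDENTIALS.
      - "--api.insecure=true"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # A read-only socket mount still lets the container drive the Docker daemon
      # (root-equivalent on the host). A socket proxy exposing only the endpoints
      # Traefik needs limits the blast radius if the proxy is compromised.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/admin/docker/traefik/traefik.yaml:/traefik.yaml:ro
      # Traefik rejects the ACME store if its permissions are more open than 0600.
      - /home/admin/docker/traefik/certs/acme.json:/acme.json
      - /home/admin/docker/traefik/config.yaml:/config.yaml:ro
      # traefik.yaml writes logs under /var/log/traefik/, but nothing is mounted there:
      # make sure the directory exists in the container, or bind-mount it so the log
      # and access files survive container recreation.
networks:
  proxy:
    external: true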
traefik.yaml
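---
# Traefik static configuration (mounted read-only at /traefik.yaml).
# Overlaps with the `command:` flags in docker-compose.yml; keep a single source.
api:
  dashboard: true
  # Exposes the runtime debug endpoints; not needed once the setup works.
  debug: true

entryPoints:
  http:
    address: ":80"
    http:
      # Every plain-HTTP request is redirected to https here, which makes the
      # https-redirectscheme middleware in config.yaml redundant for these routers.
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
  # No matching `ports:` entries in docker-compose.yml, so these are only reachable
  # from the proxy network; confirm they are still needed.
  spice:
    address: ":3128"
  spice-tls:
    address: ":61000"
  ping:
    address: ":8082"

serversTransport:
  # Global default: TLS certificates of every HTTPS backend go unverified. The only
  # backend on this page (nginx) is plain HTTP on port 80, and config.yaml already
  # defines an opt-in `insecure-skip-verify` transport; unless other backends depend
  # on this default, set it to false and attach that transport per service.
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with traefik.enable=true.
    exposedByDefault: false
  file:
    filename: "/config.yaml"
    watch: true

certificatesResolvers:
  # A router obtains a certificate from this resolver only when it sets
  # tls.certresolver=ionos, or when the https entrypoint sets http.tls.certResolver;
  # check the router labels, otherwise Traefik serves its default certificate.
  ionos:
    acme:
      email: hansjoerg.graesslin@gmail.com
      # Absolute path so the store matches the /acme.json bind mount regardless of
      # the process working directory.
      storage: "/acme.json"
      dnsChallenge:
        # The ionos provider reads IONOS_API_KEY from the environment.
        provider: ionos
        delayBeforeCheck: 0
        resolvers:
          - "ns1092.ui-dns.de"
          - "ns1092.ui-dns.com"
          - "ns1092.ui-dns.org"
          - "ns1092.ui-dns.biz"

ping:
  entryPoint: "ping"

log:
  # DEBUG is very verbose and records request details on disk; lower it to INFO or
  # WARN once the setup works.
  level: "DEBUG"
  filePath: "/var/log/traefik/traefik.json"
  format: json

accessLog:
  filePath: "/var/log/traefik/access.json"
  format: json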
config.yaml
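---
# Traefik dynamic configuration (file provider, mounted at /config.yaml, watched).
# Nothing on this page references these middlewares or the transport; a router attaches
# them via "...middlewares=<name>@file" and a service via "...serverstransport=<name>@file".
http:
  middlewares:
    default-headers:
      headers:
        frameDeny: true
        # Sets the legacy X-XSS-Protection header to "1; mode=block"; modern browsers
        # ignore it, and default-security-headers below disables it instead.
        browserXssFilter: true

    default-security-headers:
      headers:
        # Quoted: the header value is text, and a bare 0 is a YAML integer.
        customBrowserXSSValue: "0"
        contentTypeNosniff: true
        forceSTSHeader: true
        # Contradicts default-headers (frameDeny: true); attach only one of the two.
        frameDeny: false
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true
        stsPreload: true
        # Two years.
        stsSeconds: 63072000
        # Blocks inline scripts/styles and any third-party asset; verify the site still
        # renders before attaching this middleware to a router.
        contentSecurityPolicy: "default-src 'self'"
        customRequestHeaders:
          # Forces the proto header towards the backend even for requests that arrived
          # over plain HTTP; harmless while the http entrypoint redirects everything.
          X-Forwarded-Proto: https

    # Redundant with the entrypoint-level redirection in traefik.yaml.
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

  serversTransports:
    # Opt-in transport for backends with self-signed certificates; reference it per
    # service rather than skipping verification globally in traefik.yaml.
    insecure-skip-verify:
      insecureSkipVerify: true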
As I understand it, Traefik uses Let's Encrypt with a DNS challenge against IONOS, and can therefore issue valid certificates.
- Is my assumption correct?
- Is my configuration correct?
- What do I need to do to make Traefik itself secure as well? I tried with labels.
Thx in Advance