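version: '3'

services:
  # Edge reverse proxy. Static configuration is passed entirely as command
  # flags; dynamic configuration comes from the Docker labels on this service
  # plus the file provider at /etc/traefik/traefik-dynamic.yml.
  traefik:
    image: traefik:v2.9
    restart: always
    volumes:
      - /srv/traefik/config/:/etc/traefik:z
      # ACME account and issued certificates (including private keys).
      # Traefik expects this file to be mode 600 on the host.
      - /srv/traefik/acme.json:/acme.json:z
      # A read-only mount still exposes the full Docker API to this container
      # (root-equivalent control of the host if the container is compromised);
      # a restricted socket proxy limited to read-only container queries would
      # narrow that blast radius.
      - /var/run/docker.sock:/var/run/docker.sock:z,ro
    ports:
      # Quoted so the mappings are always read as strings (YAML 1.1 parsers
      # read some NN:NN values as sexagesimal integers).
      - "80:80"
      - "443:443"
    networks:
      - proxy
    command:
      # entrypoints redirect to https on http and default certResolver is letsencrypt prod
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.transport.respondingTimeouts.readTimeout=42"
      - "--entryPoints.http.transport.respondingTimeouts.writeTimeout=42"
      - "--entryPoints.http.transport.respondingTimeouts.idleTimeout=10"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.http.http.redirections.entryPoint.permanent=true"
      - "--entryPoints.https.address=:443"
      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=42"
      # writeTimeout=0 means no write timeout on https (long responses are allowed);
      # slow-client exhaustion on this entrypoint is bounded only by idleTimeout.
      - "--entryPoints.https.transport.respondingTimeouts.writeTimeout=0"
      - "--entryPoints.https.transport.respondingTimeouts.idleTimeout=180"
      # global static config
      - "--global.checkNewVersion=false"
      - "--global.sendAnonymousUsage=false"
      - "--pilot.dashboard=false"
      # traefik log to stdout. Only ERROR-level log lines are emitted and no
      # access log is enabled, so 401/429 responses from the metrics routers
      # below are not visible in the log stream; "--accesslog=true" would add them.
      - "--log.level=ERROR"
      - "--log.format=json"
      # enable prometheus metrics (served only via the manual "prometheus" router below)
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.manualrouting=true"
      - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addrouterslabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
      # disabled traefik api
      #- "--api.dashboard=true"
      # docker provider: containers are only routed when they opt in with traefik.enable=true
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=proxy"
      # dynamic yaml file provider
      - "--providers.file.filename=/etc/traefik/traefik-dynamic.yml"
      - "--providers.file.watch=true"
      # cert dns acme cloudflare (uncomment the staging caserver when testing
      # to avoid Let's Encrypt production rate limits)
      #- "--certificatesResolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesResolvers.le.acme.storage=/acme.json"
      - "--certificatesResolvers.le.acme.keyType=EC384"
      - "--certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0"
    labels:
      - traefik.enable=true
      # all wildcards domain certs for the instance
      - traefik.http.routers.traefik.tls.domains[0].main=paulgo.io
      - traefik.http.routers.traefik.tls.domains[0].sans=*.paulgo.io
      - traefik.http.routers.traefik.tls.domains[1].main=paulgo.net
      - traefik.http.routers.traefik.tls.domains[1].sans=*.paulgo.net
      - traefik.http.routers.traefik.tls.domains[2].main=paulgo.dev
      - traefik.http.routers.traefik.tls.domains[2].sans=*.paulgo.dev
      - traefik.http.routers.traefik.tls.domains[3].main=staging.paulgo.io
      - traefik.http.routers.traefik.tls.domains[3].sans=*.staging.paulgo.io
      # block hostname with internal-secure chain and noop service
      # (catch-all for the bare hostname: GET/HEAD hit noop@internal, other methods get no router)
      - traefik.http.routers.traefik.rule=Host(`${HOSTNAME}`)&&Method(`GET`,`HEAD`)
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.service=noop@internal
      - traefik.http.routers.traefik.middlewares=internal-secure
      # manual router for node exporter metrics; node-service is defined in the
      # file provider because the node container runs with network_mode: host
      - traefik.http.routers.node.rule=Host(`${HOSTNAME}`)&&Path(`/node/metrics`)&&Method(`GET`,`HEAD`)
      - traefik.http.routers.node.entrypoints=https
      - traefik.http.routers.node.tls=true
      - traefik.http.routers.node.service=node-service@file
      - traefik.http.routers.node.middlewares=internal-secure,auth-metrics,metrics-path
      - traefik.http.middlewares.metrics-path.replacepath.path=/metrics
      # manual router for traefik prometheus metrics
      - traefik.http.routers.prometheus.rule=Host(`${HOSTNAME}`)&&Path(`/traefik/metrics`)&&Method(`GET`,`HEAD`)
      - traefik.http.routers.prometheus.entrypoints=https
      - traefik.http.routers.prometheus.tls=true
      - traefik.http.routers.prometheus.service=prometheus@internal
      - traefik.http.routers.prometheus.middlewares=internal-secure,auth-metrics,metrics-path
      # default middleware chains for external and internal
      # (only the internal chain is rate limited; external-secure is not)
      - traefik.http.middlewares.internal-secure.chain.middlewares=secure-headers,rate-limit,gzip-compress
      - traefik.http.middlewares.external-secure.chain.middlewares=secure-headers,gzip-compress
      # internal middlewares basic auth, ipwhitelist and ratelimiting
      # PROMETHEUS_AUTH holds htpasswd-style "user:hash" entries and is substituted
      # by Compose at load time; keep it out of this file (env file / secret store).
      - traefik.http.middlewares.auth-metrics.basicauth.users=${PROMETHEUS_AUTH}
      - traefik.http.middlewares.rate-limit.ratelimit.average=100
      - traefik.http.middlewares.rate-limit.ratelimit.burst=50
      # secure headers basic params, hsts 2 years all domains, remove x-powered-by
      - traefik.http.middlewares.secure-headers.headers.customFrameOptionsValue=SAMEORIGIN
      - traefik.http.middlewares.secure-headers.headers.browserXssFilter=true
      - traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.secure-headers.headers.referrerPolicy=no-referrer
      - traefik.http.middlewares.secure-headers.headers.stsPreload=true
      - traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.secure-headers.headers.stsSeconds=63113904
      - traefik.http.middlewares.secure-headers.headers.forceSTSHeader=true
      # an empty value removes the header from responses
      - traefik.http.middlewares.secure-headers.headers.customResponseHeaders.X-Powered-By=
      # default add gzip compression
      - traefik.http.middlewares.gzip-compress.compress=true
    environment:
      # {EMAIL} / {KEY1} are literal placeholders to edit before use — Compose
      # only interpolates ${VAR} syntax, so they are passed verbatim otherwise.
      # Prefer sourcing the real values from an untracked env file via ${...}
      # so the credential never lands in this file. CF_API_KEY is the account-
      # wide global key; a zone-scoped API token (CF_DNS_API_TOKEN) limits what
      # a leaked credential can do.
      - CF_API_EMAIL={EMAIL}
      - CF_API_KEY={KEY1}

  # Host metrics exporter. Runs in the host PID and network namespaces with
  # the host root filesystem mounted read-only, as node-exporter requires.
  node:
    # Unpinned tag; pin a version (or digest) for reproducible, auditable upgrades.
    image: quay.io/prometheus/node-exporter:latest
    restart: always
    command:
      - "--path.rootfs=/host"
    volumes:
      - /:/host:ro,rslave,z
    pid: host
    network_mode: host
    # labels defined in traefik dynamic config

networks:
  proxy:
    external: true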