Simplify Traefik 2 HTTP+HTTPS label creation #116
The path matching is hard because, for example, a rule such as `/example` must also match `/example/*`, but it must not match `/example*`; and Traefik 1 has no *OR* rules. Well, there was some problem with the way these matches worked. This should fix #116. BTW I updated the MQT repo.
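To make the matching requirement above concrete, here is an added Python example (not code from this issue, from doodba, or from Traefik) with a small evaluator for rules written in the `Host(`...`) && PathPrefix(`...`)` form that the Traefik 2 labels later in this thread use, plus a `segment_prefix_match` helper that implements exactly the semantics stated above: `/example` matches `/example` and `/example/*` but not `/example*`. The matcher names follow Traefik's rule syntax, but the implementation is a simplified reconstruction written for this illustration and is an assumption, not Traefik's own matcher code.

```python
import re
from typing import Callable, List

Matcher = Callable[[str, str], bool]  # (request host, request path) -> bool

# Simplified matchers modelled on the Traefik v2 rule names used in this thread.
# Added illustration: these are assumptions about the semantics, not Traefik's code.
def host_matcher(value: str) -> Matcher:
    # Host() compares case-insensitively and ignores any port in the request host.
    return lambda host, path: host.split(":")[0].lower() == value.lower()

def path_matcher(value: str) -> Matcher:
    # Path() is an exact match.
    return lambda host, path: path == value

def path_prefix_matcher(value: str) -> Matcher:
    # Plain string prefix: PathPrefix(`/longpolling`) also matches /longpollingfoo.
    # That is why the labels in this thread write PathPrefix(`/longpolling/`).
    return lambda host, path: path.startswith(value)

MATCHERS = {"Host": host_matcher, "Path": path_matcher, "PathPrefix": path_prefix_matcher}

def segment_prefix_match(prefix: str, path: str) -> bool:
    """Boundary-aware prefix match as described in the comment above:
    "/example" matches "/example" and "/example/anything" but not "/examples"."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")

# One token is either Name(`arg`) or one of the operators && / ||.
TOKEN = re.compile(r"\s*(?:(\w+)\(`([^`]*)`\)|(&&|\|\|))\s*")

def parse_rule(rule: str) -> List[List[Matcher]]:
    """Parse a rule into OR-groups of AND-ed matchers (&& binds tighter than ||).
    Parentheses are not supported; none of the labels in this thread use them."""
    groups: List[List[Matcher]] = []
    current: List[Matcher] = []
    pos = 0
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule near {rule[pos:]!r}")
        pos = m.end()
        name, arg, op = m.groups()
        if op == "||":
            groups.append(current)
            current = []
        elif op == "&&":
            continue
        else:
            if name not in MATCHERS:
                raise ValueError(f"unknown matcher {name}")
            current.append(MATCHERS[name](arg))
    groups.append(current)
    return [g for g in groups if g]

def rule_matches(rule: str, host: str, path: str) -> bool:
    """True when some OR-group has every matcher accepting (host, path)."""
    return any(all(m(host, path) for m in group) for group in parse_rule(rule))

if __name__ == "__main__":
    rule = "Host(`host`) && PathPrefix(`/longpolling/`)"
    for path in ("/longpolling/poll", "/longpollingfoo", "/web"):
        print(rule, "host", path, rule_matches(rule, "host", path))
    print("segment match /example vs /examples:", segment_prefix_match("/example", "/examples"))
```

Running it shows the difference between a raw `PathPrefix` and the boundary-aware variant: `PathPrefix(`/longpolling`)` without the trailing slash would send `/longpollingfoo` to the longpolling service, while `segment_prefix_match("/example", "/examples")` is false.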
@yajo I have investigated and it isn't too hard. Given a static traefik2 config of

```yaml
global:
  sendAnonymousUsage: false
providers:
  docker:
    endpoint: "http://dockersocket:2375"
    watch: true
    exposedByDefault: false
    network: traefik_shared
  file:
    filename: /etc/traefik/config.yml
    watch: true
# Uncomment for DEBUG logs
# log:
#   level: DEBUG
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    http:
      tls: "true"
    address: ":443"
api:
  dashboard: true
certificatesResolvers:
  le:
    acme:
      email: "${TRAEFIK_LE_EMAIL}"
      storage: "acme.json"
      # CA server to use.
      # UnComment the line to use Let's Encrypt's staging server
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}
```

and dynamic config of

```yaml
tls:
  certificates:
    - certFile: "/etc/certs/_wildcard.docker.localhost.pem"
      keyFile: "/etc/certs/_wildcard.docker.localhost-key.pem"
http:
  middlewares:
    buffering:
      buffering:
        retryExpression: "IsNetworkError() && Attempts() < 5"
    compress:
      compress: "true"
    secure:
      headers:
        forceSTSHeader: "true"
        sslRedirect: "true"
    nocrawlers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "noindex, nofollow"
    doodba:
      chain:
        middlewares:
          - buffering
          - compress
          - secure
    localhost-only:
      ipWhitelist:
        sourceRange:
          - "127.0.0.1/32"
          - "10.11.0.0/16" # change to your docker subnet
    prod-headers:
      headers:
        customResponseHeaders:
          # In environment with versioned static files, switch commented
          # Cache-Control: "private,max-age=31536000"
          Cache-Control: "private,no-cache"
    test-headers:
      headers:
        customResponseHeaders:
          Cache-Control: "private,no-cache"
```

and a proxy compose file of

```yaml
version: "3.8"
services:
  proxy:
    image: traefik:2.5
    networks:
      shared:
      private:
      public:
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - dockersocket
    restart: unless-stopped
    privileged: true
    tty: true
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./config.yml:/etc/traefik/config.yml:ro
      - ./certs:/etc/certs:rw,Z
      - acme:/etc/traefik/acme:rw,Z
    #
    # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
    # To create user:password pair, it's possible to use this command:
    # echo $(htpasswd -nB traefik-admin) | sed -e s/\\$/\\$\\$/g
    #
    # Also note that dollar signs should NOT be doubled when they are not evaluated (e.g. Ansible docker_container module).
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=shared"
      - "traefik.http.routers.api.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
      - "traefik.http.middlewares.auth.basicauth.users=traefik-admin:$$2y$$05$$QlADBhbHhqXOOc0zk22f8OODruYQr.MyazlLRuazh1EScqhKMqKCy"
      - "traefik.http.routers.api.tls.certResolver=le"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
  dockersocket:
    image: tecnativa/docker-socket-proxy
    privileged: true
    networks:
      private:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      CONTAINERS: 1
      NETWORKS: 1
      SERVICES: 1
      SWARM: 1
      TASKS: 1
    restart: unless-stopped
networks:
  shared:
    internal: true
    driver_opts:
      encrypted: 1
  private:
    internal: true
    driver_opts:
      encrypted: 1
  public:
volumes:
  acme:
```

The following labels work great (taken from a test.override file).

```yaml
version: "3.8"
services:
  odoo:
    environment:
      DOODBA_ENVIRONMENT: "${DOODBA_ENVIRONMENT-test}"
      # To install demo data export DOODBA_WITHOUT_DEMO=false
      WITHOUT_DEMO: "${DOODBA_WITHOUT_DEMO-all}"
      SMTP_PORT: "1025"
    restart: unless-stopped
    networks:
      traefik_shared:
      default:
      whitelist_shared:
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_shared"
      - "traefik.http.services.host-odoo-12-0-test-main.loadbalancer.server.port=8069"
      - "traefik.http.services.host-odoo-12-0-test-longpolling.loadbalancer.server.port=8072"
      - "traefik.http.routers.host-odoo-12-0-test-main.rule=Host(`host`)"
      - "traefik.http.routers.host-odoo-12-0-test-main.tls.certResolver=le"
      - "traefik.http.routers.host-odoo-12-0-test-main.entrypoints=https"
      - "traefik.http.routers.host-odoo-12-0-test-main.service=host-odoo-12-0-test-main"
      - "traefik.http.routers.host-odoo-12-0-test-main.middlewares=doodba@file,nocrawlers@file,test-headers@file"
      - "traefik.http.routers.host-odoo-12-0-test-longpolling.rule=Host(`host`) && PathPrefix(`/longpolling/`)"
      - "traefik.http.routers.host-odoo-12-0-test-longpolling.entrypoints=https"
      - "traefik.http.routers.host-odoo-12-0-test-longpolling.service=host-odoo-12-0-test-longpolling"
      - "traefik.http.routers.host-odoo-12-0-test-longpolling.middlewares=secure@file"
    command:
      - odoo
      - --workers=2
      - --max-cron-threads=1
```

We've also found that, by converting to 3.8 and getting rid of the extends, just using a compose override, we can use traefik in development as well. The real benefit here is that with a self-signed Root CA and wildcard cert there is no more port mapping/exposition. wdb/pgweb/mailhog/odoo are all just endpoints on, for example, odoo14.docker.localhost, and aside from using those certs instead of letsencrypt and an IP whitelist middleware, dev and test are practically identical.
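Because a router that points at a misspelled service or at a middleware missing its `@file` suffix only shows up as a runtime error in Traefik's log (or as a 404), here is an added Python example (not code from this issue, from doodba, or from Traefik) that parses `traefik.http.*` labels like the ones above into routers, services and middlewares and cross-checks them against the middleware names declared in the dynamic `config.yml`. The label set below is copied from the odoo service in this comment as constructed sample input; the "broken" set is constructed to show what a finding looks like. The parsing rules are my simplification of Traefik's label format (one `routers|services|middlewares.<name>.<key>=<value>` per label) and the default of a router with no `service` key using the single defined service is an assumption.

```python
import re
from typing import Dict, Iterable, List

# traefik.http.<kind>.<name>.<key>=<value>; other traefik.* labels are ignored.
LABEL = re.compile(r"^traefik\.http\.(routers|services|middlewares)\.([^.]+)\.([^=]+)=(.*)$")

# Constructed sample: the labels from the odoo service in the comment above.
ODOO_LABELS = [
    "traefik.enable=true",
    "traefik.docker.network=traefik_shared",
    "traefik.http.services.host-odoo-12-0-test-main.loadbalancer.server.port=8069",
    "traefik.http.services.host-odoo-12-0-test-longpolling.loadbalancer.server.port=8072",
    "traefik.http.routers.host-odoo-12-0-test-main.rule=Host(`host`)",
    "traefik.http.routers.host-odoo-12-0-test-main.tls.certResolver=le",
    "traefik.http.routers.host-odoo-12-0-test-main.entrypoints=https",
    "traefik.http.routers.host-odoo-12-0-test-main.service=host-odoo-12-0-test-main",
    "traefik.http.routers.host-odoo-12-0-test-main.middlewares=doodba@file,nocrawlers@file,test-headers@file",
    "traefik.http.routers.host-odoo-12-0-test-longpolling.rule=Host(`host`) && PathPrefix(`/longpolling/`)",
    "traefik.http.routers.host-odoo-12-0-test-longpolling.entrypoints=https",
    "traefik.http.routers.host-odoo-12-0-test-longpolling.service=host-odoo-12-0-test-longpolling",
    "traefik.http.routers.host-odoo-12-0-test-longpolling.middlewares=secure@file",
]

# Middleware names declared under http.middlewares in the dynamic config.yml above.
FILE_MIDDLEWARES = {"buffering", "compress", "secure", "nocrawlers", "doodba",
                    "localhost-only", "prod-headers", "test-headers"}

# Constructed broken sample: service name typo and a middleware without @file.
BROKEN_LABELS = [
    "traefik.http.services.app.loadbalancer.server.port=8069",
    "traefik.http.routers.app.rule=Host(`host`)",
    "traefik.http.routers.app.entrypoints=https",
    "traefik.http.routers.app.service=ap",
    "traefik.http.routers.app.middlewares=doodba,nocrawlers@file",
]

def parse_labels(labels: Iterable[str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group labels into {kind: {name: {key: value}}}."""
    tree: Dict[str, Dict[str, Dict[str, str]]] = {"routers": {}, "services": {}, "middlewares": {}}
    for label in labels:
        m = LABEL.match(label.strip())
        if m:
            kind, name, key, value = m.groups()
            tree[kind].setdefault(name, {})[key] = value
    return tree

def check_labels(labels: Iterable[str], file_middlewares: Iterable[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means every reference resolves."""
    tree = parse_labels(labels)
    file_mw = set(file_middlewares)
    findings: List[str] = []
    for name, svc in tree["services"].items():
        if "loadbalancer.server.port" not in svc:
            findings.append(f"service {name}: missing loadbalancer.server.port")
    for name, router in tree["routers"].items():
        if "rule" not in router:
            findings.append(f"router {name}: missing rule")
        if "entrypoints" not in router:
            findings.append(f"router {name}: no entrypoints, router would bind to every entrypoint")
        service = router.get("service")
        if service is None:
            # Assumption: Traefik falls back to the single service the container defines.
            if len(tree["services"]) != 1:
                findings.append(f"router {name}: no service and {len(tree['services'])} services defined")
        elif "@" in service:
            if not service.endswith("@internal"):
                findings.append(f"router {name}: service {service} comes from another provider, not checked")
        elif service not in tree["services"]:
            findings.append(f"router {name}: service {service} is not defined by these labels")
        for mw in filter(None, (p.strip() for p in router.get("middlewares", "").split(","))):
            if mw.endswith("@file"):
                if mw[: -len("@file")] not in file_mw:
                    findings.append(f"router {name}: middleware {mw} not found in the file provider")
            elif "@" in mw:
                findings.append(f"router {name}: middleware {mw} comes from another provider, not checked")
            elif mw not in tree["middlewares"]:
                findings.append(f"router {name}: middleware {mw} neither defined by labels nor suffixed @file")
    return findings

if __name__ == "__main__":
    print("odoo labels:", check_labels(ODOO_LABELS, FILE_MIDDLEWARES) or "ok")
    for finding in check_labels(BROKEN_LABELS, FILE_MIDDLEWARES):
        print("broken labels:", finding)
```

The check is deliberately limited to what the labels themselves say; it does not know about Traefik's own defaults beyond the single-service fallback noted in the code, so treat a finding as something to look at, not as proof the deployment is wrong.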
gdgellatly Excellent contribution, I will start to try this, thank you so much. Do you have a course or ebook to get more expert on these traefik configurations?
@carlosecv not really. To be honest it is pretty easy and the traefik docs are really good. This is a very basic config snippet really just for doodba, I cut out the other stuff. It's basically the equivalent of the original scaffolding v1 config except I moved the middlewares into traefik's dynamic config, because I wanted to not repeat them for every instance, enabled the api dashboard to make troubleshooting easy and used a static config file rather than command line args.
Hmm interesting, never heard of the
According to traefik/traefik#7235 (comment) it should be much easier than what we have here. Gotta investigate that and fix it.