gdgellatly
commented
2 years ago @Yajo I have investigated and it isn't too hard.
Given a static traefik2 config of
global:
sendAnonymousUsage: false
providers:
docker:
endpoint: "http://dockersocket:2375"
watch: true
exposedByDefault: false
network: traefik_shared
file:
filename: /etc/traefik/config.yml
watch: true
# Uncomment for DEBUG logs
# log:
# level: DEBUG
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
http:
tls: "true"
address: ":443"
api:
dashboard: true
certificatesResolvers:
le:
acme:
email: "${TRAEFIK_LE_EMAIL}"
storage: "acme.json"
# CA server to use.
# UnComment the line to use Let's Encrypt's staging server
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
tlsChallenge: {}
and dynamic config of
tls:
certificates:
- certFile: "/etc/certs/_wildcard.docker.localhost.pem"
keyFile: "/etc/certs/_wildcard.docker.localhost-key.pem"
http:
middlewares:
buffering:
buffering:
retryExpression: IsNetworkError() && Attempts() < 5
compress:
compress: "true"
secure:
headers:
forceSTSHeader: "true"
sslRedirect: "true"
nocrawlers:
headers:
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
doodba:
chain:
middlewares:
- buffering
- compress
- secure
localhost-only:
ipWhitelist:
sourceRange:
- "127.0.0.1/32"
- "10.11.0.0/16" # change to your docker subnet
prod-headers:
headers:
customresponseHeaders:
# In environment with versioned static files, switch commented
# Cache-Control: "private,max-age=31536000"
Cache-Control: "private,no-cache"
test-headers:
headers:
customresponseHeaders:
Cache-Control: "private,no-cache"and a proxy compose file of
version: "3.8"
services:
proxy:
image: traefik:2.5
networks:
shared:
private:
public:
ports:
- "80:80"
- "443:443"
depends_on:
- dockersocket
restart: unless-stopped
privileged: true
tty: true
volumes:
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./config.yml:/etc/traefik/config.yml:ro
- ./certs:/etc/certs:rw,Z
- acme:/etc/traefik/acme:rw,Z
#
# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nB traefik-admin) | sed -e s/\\$/\\$\\$/g
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
labels:
- "traefik.enable=true"
- "traefik.docker.network=shared"
- "traefik.http.routers.api.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
- "traefik.http.middlewares.auth.basicauth.users=traefik-admin:$$2y$$05$$QlADBhbHhqXOOc0zk22f8OODruYQr.MyazlLRuazh1EScqhKMqKCy"
- "traefik.http.routers.api.tls.certResolver=le"
- "traefik.http.routers.api.entrypoints=https"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
dockersocket:
image: tecnativa/docker-socket-proxy
privileged: true
networks:
private:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
CONTAINERS: 1
NETWORKS: 1
SERVICES: 1
SWARM: 1
TASKS: 1
restart: unless-stopped
networks:
shared:
internal: true
driver_opts:
encrypted: 1
private:
internal: true
driver_opts:
encrypted: 1
public:
volumes:
acme:The following labels work great (taken from a test.override file).
version: "3.8"
services:
odoo:
environment:
DOODBA_ENVIRONMENT: "${DOODBA_ENVIRONMENT-test}"
# To install demo data export DOODBA_WITHOUT_DEMO=false
WITHOUT_DEMO: "${DOODBA_WITHOUT_DEMO-all}"
SMTP_PORT: "1025"
restart: unless-stopped
networks:
traefik_shared:
default:
whitelist_shared:
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_shared"
- "traefik.http.services.host-odoo-12-0-test-main.loadbalancer.server.port=8069"
- "traefik.http.services.host-odoo-12-0-test-longpolling.loadbalancer.server.port=8072"
- "traefik.http.routers.host-odoo-12-0-test-main.rule=Host(`host`)"
- "traefik.http.routers.host-odoo-12-0-test-main.tls.certResolver=le"
- "traefik.http.routers.host-odoo-12-0-test-main.entrypoints=https"
- "traefik.http.routers.host-odoo-12-0-test-main.service=host-odoo-12-0-test-main"
- "traefik.http.routers.host-odoo-12-0-test-main.middlewares=doodba@file,nocrawlers@file,test-headers@file"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.rule=Host(`host`) && PathPrefix(`/longpolling/`)"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.entrypoints=https"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.service=host-odoo-12-0-test-longpolling"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.middlewares=secure@file"
command:
- odoo
- --workers=2
- --max-cron-threads=1We've also found with converting to 3.8 and getting rid of the extends just using a compose override that we can use traefik in development as well. The real benefit here is with a self signed Root CA and Wildcard cert there is no more port mapping/exposition. wdb/pgweb/mailhog/odoo are all just endpoints on for example odoo14.docker.localhost and aside from using those certs instead of letsencrypt, an IP Whitelist middleware, dev and test are practically identical.
carlosecv
yajo
According to https://github.com/traefik/traefik/issues/7235#issuecomment-690059948 it should be much easier that what we have here. Gotta investigate that and fix it.