Open yajo opened 4 years ago
@Yajo I have investigated and it isn't too hard.
Given a static traefik2 config of
global:
sendAnonymousUsage: false
providers:
docker:
endpoint: "http://dockersocket:2375"
watch: true
exposedByDefault: false
network: traefik_shared
file:
filename: /etc/traefik/config.yml
watch: true
# Uncomment for DEBUG logs
# log:
# level: DEBUG
entryPoints:
http:
address: ":80"
http:
redirections:
entryPoint:
to: https
scheme: https
https:
http:
tls: "true"
address: ":443"
api:
dashboard: true
certificatesResolvers:
le:
acme:
email: "${TRAEFIK_LE_EMAIL}"
storage: "acme.json"
# CA server to use.
# UnComment the line to use Let's Encrypt's staging server
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
tlsChallenge: {}
and dynamic config of
tls:
certificates:
- certFile: "/etc/certs/_wildcard.docker.localhost.pem"
keyFile: "/etc/certs/_wildcard.docker.localhost-key.pem"
http:
middlewares:
buffering:
buffering:
retryExpression: IsNetworkError() && Attempts() < 5
compress:
compress: "true"
secure:
headers:
forceSTSHeader: "true"
sslRedirect: "true"
nocrawlers:
headers:
customResponseHeaders:
X-Robots-Tag: "noindex, nofollow"
doodba:
chain:
middlewares:
- buffering
- compress
- secure
localhost-only:
ipWhitelist:
sourceRange:
- "127.0.0.1/32"
- "10.11.0.0/16" # change to your docker subnet
prod-headers:
headers:
customresponseHeaders:
# In environment with versioned static files, switch commented
# Cache-Control: "private,max-age=31536000"
Cache-Control: "private,no-cache"
test-headers:
headers:
customresponseHeaders:
Cache-Control: "private,no-cache"
and a proxy compose file of
version: "3.8"
services:
proxy:
image: traefik:2.5
networks:
shared:
private:
public:
ports:
- "80:80"
- "443:443"
depends_on:
- dockersocket
restart: unless-stopped
privileged: true
tty: true
volumes:
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./config.yml:/etc/traefik/config.yml:ro
- ./certs:/etc/certs:rw,Z
- acme:/etc/traefik/acme:rw,Z
#
# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nB traefik-admin) | sed -e s/\\$/\\$\\$/g
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
labels:
- "traefik.enable=true"
- "traefik.docker.network=shared"
- "traefik.http.routers.api.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
- "traefik.http.middlewares.auth.basicauth.users=traefik-admin:$$2y$$05$$QlADBhbHhqXOOc0zk22f8OODruYQr.MyazlLRuazh1EScqhKMqKCy"
- "traefik.http.routers.api.tls.certResolver=le"
- "traefik.http.routers.api.entrypoints=https"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
dockersocket:
image: tecnativa/docker-socket-proxy
privileged: true
networks:
private:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
CONTAINERS: 1
NETWORKS: 1
SERVICES: 1
SWARM: 1
TASKS: 1
restart: unless-stopped
networks:
shared:
internal: true
driver_opts:
encrypted: 1
private:
internal: true
driver_opts:
encrypted: 1
public:
volumes:
acme:
The following labels work great (taken from a test.override file).
version: "3.8"
services:
odoo:
environment:
DOODBA_ENVIRONMENT: "${DOODBA_ENVIRONMENT-test}"
# To install demo data export DOODBA_WITHOUT_DEMO=false
WITHOUT_DEMO: "${DOODBA_WITHOUT_DEMO-all}"
SMTP_PORT: "1025"
restart: unless-stopped
networks:
traefik_shared:
default:
whitelist_shared:
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_shared"
- "traefik.http.services.host-odoo-12-0-test-main.loadbalancer.server.port=8069"
- "traefik.http.services.host-odoo-12-0-test-longpolling.loadbalancer.server.port=8072"
- "traefik.http.routers.host-odoo-12-0-test-main.rule=Host(`host`)"
- "traefik.http.routers.host-odoo-12-0-test-main.tls.certResolver=le"
- "traefik.http.routers.host-odoo-12-0-test-main.entrypoints=https"
- "traefik.http.routers.host-odoo-12-0-test-main.service=host-odoo-12-0-test-main"
- "traefik.http.routers.host-odoo-12-0-test-main.middlewares=doodba@file,nocrawlers@file,test-headers@file"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.rule=Host(`host`) && PathPrefix(`/longpolling/`)"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.entrypoints=https"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.service=host-odoo-12-0-test-longpolling"
- "traefik.http.routers.host-odoo-12-0-test-longpolling.middlewares=secure@file"
command:
- odoo
- --workers=2
- --max-cron-threads=1
We've also found with converting to 3.8 and getting rid of the extends just using a compose override that we can use traefik in development as well. The real benefit here is with a self signed Root CA and Wildcard cert there is no more port mapping/exposition. wdb/pgweb/mailhog/odoo are all just endpoints on for example odoo14.docker.localhost and aside from using those certs instead of letsencrypt, an IP Whitelist middleware, dev and test are practically identical.
gdgellatly Excelent contribution, i will start to try this, thank you so much, do you have a Course or Eboock to get more expert on this traefik configurations?
@carlosecv not really. To be honest it is pretty easy and the traefik docs are really good. This is a very basic config snippet really just for doodba, I cut out the other stuff. It's basically the equivelant of the original scaffolding v1 config except I moved the middlewares into traefik's dynamic config, because I wanted to not repeat them for every instance, enabled the api dashboard to make troubleshooting easy and used a static config file rather than command line args.
Hmm interesting, never heard of the chain
middleware.
According to https://github.com/traefik/traefik/issues/7235#issuecomment-690059948 it should be much easier that what we have here. Gotta investigate that and fix it.