Web Service Proxy (Traefik)
A simple, efficient reverse proxy that handles SSL/TLS certificates via Let's Encrypt for all of your services. Traefik reads its configuration from labels on containers, which makes a more dynamic setup of services possible.
Inspiration / Sources
Docker (AND OTHER!) Integration(s)
Traefik supports Docker "out of the box" as well as a number of similar setups (Docker Swarm, Kubernetes/k8s). This should help with remixes for users running clusters of small ARM boards.
Adjust firewall to allow web services on internal network(s)
firewall-cmd --permanent --zone=internal --add-service http --add-service https
firewall-cmd --permanent --zone=trusted --add-service http --add-service https
firewall-cmd --reload
Adjust firewall to allow web services on external network(s)
You can skip this if you won't be using web services from the internet.
firewall-cmd --permanent --zone=public --add-service http --add-service https
firewall-cmd --reload
Install / Update / Run Script
Set up a generic script that auto-updates Traefik and launches it. Run this script only at first launch and/or when you're looking for updates.
mkdir -p /var/traefik/acme
touch /var/traefik/acme/acme.json
chmod 600 /var/traefik/acme/acme.json
cat > /root/traefik.sh << 'EOF'
#!/bin/bash
# The heredoc delimiter is quoted, so nothing is expanded while this file is
# written out; every variable below is evaluated when the script runs.
ARCH="$(arch)"
if [ "$ARCH" = "aarch64" ]
then
    ARCH="arm64v8"
else
    ARCH="arm32v7"
fi
# Values to adjust before the first run (placeholders as shipped)
ACME_EMAIL="user@domain.tld"
ACME_DNS_PROVIDER="--acme.dnschallenge.provider=cloudflare"
CF_API_EMAIL="user@domain.tld"
CF_API_KEY=big_string
docker pull registry.lollipopcloud.solutions/$ARCH/traefik:latest
# The stop/rm pair needs the container to be named "traefik" (see --name below);
# on the very first run there is nothing to stop, so errors are silenced.
docker stop traefik 2>/dev/null
docker rm traefik 2>/dev/null
##########
# change ACME_DNS_PROVIDER to match one from https://docs.traefik.io/configuration/acme/#provider if using DNS ACME challenges
# add -e options for each variable for your chosen dns provider
# don't include CF_API vars in portainer template
# need to create /var/traefik/acme/acme.json with 600 perms ahead of container run
# change --logLevel=DEBUG via -e? if so: set to ERROR by default
# label docs for templates: https://docs.traefik.io/configuration/backends/docker/#labels-overriding-default-behavior
##########
# Mounting docker.sock hands the container full control of the Docker daemon
# (root-equivalent on the host), so only run an image you trust here.
# --api enables the dashboard on port 8080 inside the container; it is
# deliberately not published, only 80 and 443 are.
docker run -d --restart unless-stopped --name traefik \
    -p 80:80 -p 443:443 \
    -e TZ=UTC \
    -e DEBUG=1 \
    -e ACME_EMAIL="$ACME_EMAIL" \
    -e ACME_DNS_PROVIDER="$ACME_DNS_PROVIDER" \
    -e CF_API_EMAIL="$CF_API_EMAIL" \
    -e CF_API_KEY="$CF_API_KEY" \
    -v /var/traefik:/etc/traefik \
    -v /var/run/docker.sock:/var/run/docker.sock \
    registry.lollipopcloud.solutions/$ARCH/traefik:latest \
    --api --docker --logLevel=DEBUG --defaultentrypoints=http,https \
    --entrypoints="Name:http address::80 Redirect.EntryPoint:https" \
    --entrypoints="Name:https address::443 TLS" \
    --acme=true --acme.acmelogging=true --acme.storage=/etc/traefik/acme/acme.json \
    --acme.tlsconfig=true --acme.entrypoint=https \
    --acme.httpchallenge.entrypoint=http --acme.email="$ACME_EMAIL" \
    --acme.onhostrule=true --acme.httpchallenge=true $ACME_DNS_PROVIDER
EOF
chmod a+x /root/traefik.sh
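A pre-flight check to run before the launch script, added here as an example; it is not part of the original page or the Lollipop Cloud project. It enforces the 600 permission the notes require on acme.json (the file holds the Let's Encrypt account key and certificate private keys) and refuses to proceed while the placeholder e-mail or API key from the script is still in place. The function names and the placeholder values it matches against are assumptions taken from the script above.

```bash
#!/bin/bash
# Pre-flight checks for the Traefik launch script (added example, not project code).
# Assumed: the ACME store lives at /var/traefik/acme/acme.json and the placeholders
# are the ones from the script above ("user@domain.tld", "big_string").

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_acme_store FILE -> 0 if FILE is a regular file with mode 600, else 1
check_acme_store() {
    local f="$1" mode
    [ -f "$f" ] || { echo "missing ACME store: $f" >&2; return 1; }
    mode="$(file_mode "$f")"
    # Private keys live in this file; only the owner may read or write it.
    [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600" >&2; return 1; }
    return 0
}

# check_placeholders EMAIL KEY -> 0 unless a shipped placeholder was left in place
check_placeholders() {
    local email="$1" key="$2"
    case "$email" in
        ""|"user@domain.tld") echo "ACME_EMAIL is still the placeholder" >&2; return 1 ;;
    esac
    case "$key" in
        ""|big_string) echo "CF_API_KEY is still the placeholder" >&2; return 1 ;;
    esac
    return 0
}

# preflight STORE EMAIL KEY -> 0 only when every check passes
preflight() {
    check_acme_store "$1" && check_placeholders "$2" "$3"
}

# Typical use at the top of /root/traefik.sh, after the variables are set:
# preflight /var/traefik/acme/acme.json "$ACME_EMAIL" "$CF_API_KEY" || exit 1
```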
Run Traefik
Simply execute /root/traefik.sh to update/run.
Configuration (Optional)
See https://docs.traefik.io/ for additional details. You shouldn't need any additional configuration; most of Traefik is configured via the command-line flags in the script above.
Traefik is very powerful and flexible, though. If you're looking for more advanced options, the documentation is a great start. Be warned: it's very technical and dense.