cleanup repo

2025-11-23 08:54:27 +01:00 · 2023-02-23 22:33:13 +01:00
parent 4e9a51c207
commit 153ba415ba
182 changed files with 84 additions and 84 deletions
--- a/examples/traefik/README.md
+++ b/examples/traefik/README.md
@@ -0,0 +1,6 @@
+# References
+
+- https://github.com/traefik/traefik
+- https://blog.lrvt.de/nginx-proxy-manager-versus-traefik/
+- https://blog.lrvt.de/configuring-fail2ban-with-traefik/
+- https://github.com/l4rm4nd/F2BFilters
--- a/examples/traefik/docker-compose.yml
+++ b/examples/traefik/docker-compose.yml
@@ -0,0 +1,31 @@
+version: '3'
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:2.9
+    ports:
+      - 80:80 # HTTP
+      - 443:443 # HTTPS
+      - 8080:8080 # MGMT WEB UI
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro # ro = read-only access to the docker.sock
+      - /mnt/docker-volumes/traefik:/etc/traefik/
+      - /mnt/docker-volumes/traefik/logs:/logs
+    networks:
+      - proxy
+    environment:
+      - TZ=Europe/Berlin
+      - CF_DNS_API_TOKEN=MyCloudflareApiToken # change this
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.api.rule=Host(`traefik.example.com`) # Define the subdomain for the traefik dashboard.
+      - traefik.http.routers.api.service=api@internal # Enable Traefik API.
+      - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only
+      #- traefik.http.middlewares.basic-auth-global.basicauth.users=admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0 # protect the traefik dashboard by basic auth (pw=password)
+    restart: always
+    extra_hosts:
+      - host.docker.internal:172.17.0.1
+
+networks:
+  proxy:
+    external: true
--- a/examples/traefik/fileConfig.yml
+++ b/examples/traefik/fileConfig.yml
@@ -0,0 +1,105 @@
+http:
+
+  ## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
+  #routers:
+  #  homeassistant:
+  #    entryPoints:
+  #      - https
+  #      - http
+  #    rule: 'Host(`ha.example.com`)'
+  #    service: homeassistant
+  #    middlewares:
+  #      - "local-ipwhitelist@file"
+
+  #  pve:
+  #    entryPoints:
+  #      - https
+  #      - http
+  #    rule: 'Host(`pve.example.com`)'
+  #    service: pve
+  #    middlewares:
+  #      - "local-ipwhitelist@file"
+
+  ## SERVICES EXAMPLE ##
+  #services:
+  #  homeassistant:
+  #    loadBalancer:
+  #      serversTransport: insecureTransport
+  #      servers:
+  #        - url: http://192.168.1.10:8123
+
+  #  pve:
+  #    loadBalancer:
+  #      serversTransport: insecureTransport
+  #      servers:
+  #        - url: https://192.168.1.20:8006
+
+  # allow self-signed certificates for proxied web services
+  serversTransports:
+    insecureTransport:
+      insecureSkipVerify: true
+
+  ## MIDDLEWARES ##
+  middlewares:
+    # Only Allow Local networks
+    local-ipwhitelist:
+      ipWhiteList:
+        sourceRange: 
+          - 127.0.0.1/32 # localhost
+          - 10.0.0.0/8 # private class A
+          - 172.16.0.0/12 # private class B
+          - 192.168.0.0/16 # private class C
+
+    # Security headers
+    security-headers:
+      headers:
+        customResponseHeaders: # field names are case-insensitive
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          Server: "" # prevent version disclosure
+          X-Powered-By: "" # prevent version disclosure
+          X-Forwarded-Proto: "https"
+          #Permissions-Policy: "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), gyroscope=(self), microphone=(self)"
+          #Cross-Origin-Embedder-Policy: "unsafe-none"
+          #Cross-Origin-Opener-Policy: "same-origin"
+          #Cross-Origin-Resource-Policy: "same-site"
+        sslProxyHeaders:
+          X-Forwarded-Proto: "https"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        contentTypeNosniff: true # X-Content-Type-Options
+        customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options
+        browserXssFilter: false # X-XSS-Protection; deprecated
+        referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
+        forceSTSHeader: true # HTTP-Strict-Transport-Security (HSTS)
+        stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
+        stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
+        stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
+        #contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)
+        
+    # rate limiting
+    rate-limit:
+      rateLimit:
+        average: 100
+        period: 1
+        burst: 100
+
+    # basic auth popup
+    basic-auth:
+      basicAuth:
+        # https://hostingcanada.org/htpasswd-generator/
+        users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password
+
+# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
--- a/examples/traefik/logrotate_example.txt
+++ b/examples/traefik/logrotate_example.txt
@@ -0,0 +1,14 @@
+# place this example code at /etc/logrotate.d/traefik on your docker host server
+# please adjust the custom file path below, where your traefik logs are stored
+# please adjust the below traefik container name to send the USR1 signal for log rotation
+
+compress
+/mnt/docker-volumes/traefik/logs/*.log {
+  size 20M
+  daily
+  rotate 14
+  missingok
+  notifempty postrotate
+  docker kill --signal="USR1" traefik # adjust this line to your traefik container name
+  endscript
+}
--- a/examples/traefik/traefik.yml
+++ b/examples/traefik/traefik.yml
@@ -0,0 +1,120 @@
+# Traefik global configuration
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+# Enable traefik ui dashboard
+api:
+  dashboard: true
+  insecure: true
+
+# Log level INFO|DEBUG|ERROR
+log:
+  level: INFO
+
+# Configuring Multiple Filters
+accessLog:
+  filePath: "/logs/traefik.log"
+  format: json
+  filters:
+    statusCodes:
+    #  - "200" # log successful http requests
+      - "400-599" # log failed http requests
+    #retryAttempts: true
+    #minDuration: "10ms"
+  # collect logs as in-memory buffer before writing into log file
+  bufferingSize: 0
+  fields:
+    headers:
+      defaultMode: drop # drop all headers per default
+      names:
+          User-Agent: keep # log user agent strings
+
+# The setting below is to allow insecure backend connections.  
+serverTransport:
+  insecureSkipVerify: true
+
+# Traefik entrypoints (network ports) configuration
+entryPoints:
+  # Not used in apps, but redirect everything from HTTP to HTTPS
+  http:
+    address: :80
+    forwardedHeaders:
+      trustedIPs: &trustedIps
+        # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/
+        - 103.21.244.0/22
+        - 103.22.200.0/22
+        - 103.31.4.0/22
+        - 104.16.0.0/13
+        - 104.24.0.0/14
+        - 108.162.192.0/18
+        - 131.0.72.0/22
+        - 141.101.64.0/18
+        - 162.158.0.0/15
+        - 172.64.0.0/13
+        - 173.245.48.0/20
+        - 188.114.96.0/20
+        - 190.93.240.0/20
+        - 197.234.240.0/22
+        - 198.41.128.0/17
+        - 2400:cb00::/32
+        - 2606:4700::/32
+        - 2803:f800::/32
+        - 2405:b500::/32
+        - 2405:8100::/32
+        - 2a06:98c0::/29
+        - 2c0f:f248::/32
+        # End of Cloudlare public IP list
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+
+  # HTTPS endpoint, with domain wildcard
+  https:
+    address: :443
+    forwardedHeaders:
+      # Reuse list of Cloudflare Trusted IP's above for HTTPS requests
+      trustedIPs: *trustedIps
+    http:
+      tls:
+        # Generate a wildcard domain certificate
+        certResolver: letsencrypt
+        domains:
+          - main: example.com # change this to your proxy domain
+            sans:
+              - '*.example.com' # change this to your proxy domain
+      middlewares:
+        - security-headers@file # reference to a dynamic middleware for setting http security headers per default
+        - rate-limit@file # reference to a dynamic middleware for enabling rate limiting per default
+
+providers:
+  providersThrottleDuration: 2s
+
+  # File provider for connecting things that are outside of docker / defining middleware
+  file:
+    filename: /etc/traefik/fileConfig.yml
+    watch: true
+
+  # Docker provider for connecting all apps that are inside of the docker network
+  docker:
+    watch: true
+    network: proxy # Add Your Docker Network Name Here
+    # Default host rule to containername.domain.example
+    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)" # change 'example.com' to your proxy domain
+    swarmModeRefreshSeconds: 15s
+    exposedByDefault: false
+
+# Use letsencrypt to generate ssl certificates
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: <CF-EMAIL-ADDRESS>  # change to your provider account email address. The API token is defined in the docker-compose.yml as environment variable
+      storage: /etc/traefik/acme.json
+      dnsChallenge:
+        provider: cloudflare
+        # Used to make sure the dns challenge is propagated to the rights dns servers
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"