Deflector5098 / compose.yml

services: traefik: image: traefik:v3.5.4 container_name: traefik init: true restart: unless-stopped security_opt: - no-new-privileges:true networks: proxy: {} # ipv4_address: 172.29.0.33 monitoring: {} ports: - 80:80 - 443:443 - 2222:2222 - 2022:2022 - 64738:64738 - 64738:64738/udp #- 25:25 #- 465:465 #- 993:993 #- 22067:22067 environment: - TZ=Europe/Madrid - CF_API_EMAIL=${CF_API_EMAIL} - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} volumes: - /etc/localtime:/etc/localtime:ro - ./traefik.yml:/traefik.yml:ro - ./conf:/conf:ro - geoblock:/plugins-local/src/github.com/PascalMinder/geoblock/ - /var/run/docker.sock:/var/run/docker.sock:ro - traefik_logs:/var/log/traefik - acme:/etc/certs healthcheck: test: [ "CMD", "traefik", "healthcheck", "--ping" ] start_period: 10s timeout: 5s retries: 3 labels: - traefik.enable=true - traefik.http.services.traefik.loadbalancer.server.port=80 - traefik.http.routers.traefik.entrypoints=https - traefik.http.routers.traefik.rule=Host(`traefik.tuservidor.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) - traefik.http.routers.traefik.service=api@internal - traefik.http.routers.traefik.middlewares=oidc-auth@file #- traefik.http.routers.traefik.middlewares=error-pages-middleware@docker #- traefik.http.routers.traefik.middlewares=oidc-auth@file,error-pages-middleware@docker - traefik.http.routers.traefik-callback.entrypoints=https - traefik.http.routers.traefik-callback.rule=HostRegexp(`.+`) && (PathPrefix(`/oidc/callback`) || PathPrefix(`/logout`)) - traefik.http.routers.traefik-callback.middlewares=oidc-auth@file - traefik.http.routers.traefik-callback.service=noop@internal - traefik.http.routers.traefik-internal.entrypoints=https - traefik.http.routers.traefik-internal.rule=Host(`traefik`) - traefik.http.routers.traefik-internal.service=api@internal - traefik.http.routers.traefik-ping-web.entrypoints=ping - traefik.http.routers.traefik-ping-web.rule=PathPrefix(`/ping`) - traefik.http.routers.traefik-ping-web.service=ping@internal - com.centurylinklabs.watchtower.monitor-only="true" error-pages: image: tarampampam/error-pages:3 container_name: error-pages init: true restart: unless-stopped environment: TEMPLATE_NAME: hacker-terminal depends_on: - traefik labels: traefik.enable: true # use as "fallback" for any NON-registered services (with priority below normal) traefik.http.routers.error-pages-router.rule: HostRegexp(`.+`) traefik.http.routers.error-pages-router.priority: 10 # should say that all of your services work on https traefik.http.routers.error-pages-router.entrypoints: https traefik.http.routers.error-pages-router.middlewares: error-pages-middleware # "errors" middleware settings traefik.http.middlewares.error-pages-middleware.errors.status: 400-599 traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html # define service properties traefik.http.services.error-pages-service.loadbalancer.server.port: 8080 networks: - proxy certdumper: image: ghcr.io/kereis/traefik-certs-dumper:latest container_name: traefik-certs-dumper restart: unless-stopped init: true environment: OVERRIDE_UID: 10000 OVERRIDE_GID: 10000 volumes: - /etc/localtime:/etc/localtime:ro - acme:/traefik:ro - certs:/output:rw logbackend: image: ghcr.io/hhftechnology/traefik-log-dashboard-backend:latest container_name: logbackend restart: unless-stopped init: true networks: - internal volumes: - traefik_logs:/logs:ro # Mount the Traefik logs directory environment: - NODE_ENV=production - TRAEFIK_LOG_FILE=/logs/access.log # Path inside the container - PORT=3001 logfrontend: image: ghcr.io/hhftechnology/traefik-log-dashboard-frontend:latest container_name: logfrontend restart: unless-stopped environment: - BACKEND_SERVICE=logbackend - BACKEND_PORT=3001 depends_on: - logbackend networks: - proxy - internal labels: traefik.enable: true traefik.http.routers.logfrontend.rule: Host(`logs.tuservidor.es`) traefik.http.routers.logfrontend.entrypoints: https traefik.http.services.logfrontend.loadbalancer.server.port: 80 traefik.http.routers.logfrontend.middlewares: oidc-auth@file volumes: geoblock: {} le: {} acme: external: true certs: external: true traefik_logs: external: true networks: internal: proxy: external: true monitoring: external: true

http: middlewares: crowdsec-bouncer: forwardauth: address: http://bouncer-traefik:8080/api/v1/forwardAuth trustForwardHeader: true shuul-auth: forwardAuth: address: http://shuul:3000/api/v1/shuul default: chain: middlewares: - default-security-headers - gzip gzip: compress: {} default-security-headers: headers: browserXssFilter: true # X-XSS-Protection=1; mode=block contentTypeNosniff: true # X-Content-Type-Options=nosniff forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP #frameDeny: true # X-Frame-Options=deny referrerPolicy: "strict-origin-when-cross-origin" sslRedirect: true # Allow only https requests stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header stsPreload: true # Add preload flag appended to the Strict-Transport-Security header stsSeconds: 63072000 secure-headers: headers: # Connection: "keep-alive, Upgrade" # X-Forwarded-Proto: "https, http, ws, wss" # Upgrade: "WebSocket" STSSeconds: "31536000" STSIncludeSubdomains: "true" STSPreload: "true" customRequestHeaders: Connection: "keep-alive, Upgrade" X-Forwarded-Host: "" X-Forwarded-Proto: "https, http, ws, wss" customResponseHeaders: Connection: "keep-alive, Upgrade" X-Forwarded-Host: "" X-Forwarded-Proto: "https, http, ws, wss" Upgrade: "WebSocket" frameDeny: true contentTypeNosniff: true browserXssFilter: true #referrerPolicy: "same-origin" my-geoblock: plugin: geoblock: silentStartUp: false allowLocalRequests: true logLocalRequests: false logAllowedRequests: false logApiRequests: true api: "https://get.geojs.io/v1/ip/country/{ip}" apiTimeoutMs: 750 # optional cacheSize: 15 forceMonthlyUpdate: true allowUnknownCountries: false unknownCountryApiResponse: "nil" blackListMode: false countries: - ES my-torblock: plugin: torblock: enabled: true my-traefik-real-ip: plugin: traefik-real-ip: excludednets: - "1.1.1.1/24" oidc-auth: plugin: traefik-oidc-auth: Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Provider: ClientId: XXXXXXXx-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX ClientSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX Url: https://pocketid.tuservidor.es/ TokenValidation: IdToken Scopes: - openid - profile - email my-sablier: plugin: sablier: group: default dynamic: displayName: Servidor Linux refreshFrequency: 5s showDetails: "true" theme: hacker-terminal sablierUrl: http://sablier:10000 sessionDuration: 1m htransformation: plugin: htransformation: Rules: - Rule: Name: 'X-Client-Port Set' Header: 'X-Client-Port' Value: '^X-Forwarded-Port' HeaderPrefix: "^" Type: 'Set' my-fail2ban: plugin: fail2ban: loglevel: "INFO" denylist: ip: - 192.168.0.0/24 rules: urlregexps: - regexp: "/whoami" mode: allow - regexp: "/do-not-access" mode: block - regexp: "/no" mode: block - regexp: "/yes" mode: allow bantime: "3h" findtime: "10m" maxretry: 4 enabled: true statuscode: "400,401,403-499" allowlist: ip: - ::1 - 127.0.0.1

api: dashboard: true debug: true ping: {} metrics: prometheus: addEntryPointsLabels: true addRoutersLabels: true addServicesLabels: true buckets: - 0.1 - 0.3 - 1.2 - 5.0 entryPoints: http: address: ":80" http: redirections: entryPoint: to: https scheme: https permanent: true https: address: ":443" http: tls: certResolver: myresolver # domains: # - main: "tuservidor.es" # sans: # - "*.tuservidor.es" middlewares: - default@file - my-torblock@file - shuul-auth@file #- my-geoblock@file #- my-fail2ban@file #- error-pages@file #- my-fail2ban@file #- crowdsec-bouncer@file ping: address: ":8082" git: address: ":2222" sftpgo: address: ":2022" mumble_tcp: address: ":64738" mumble_udp: address: ":64738/udp" #relay: # address: ":22067" #smtp: # address: ":25" # proxyProtocol: # trustedIPs: # - 172.29.0.8 # - 172.29.0.41 #smtps: # address: ":465" # proxyProtocol: # trustedIPs: # - 172.29.0.8 # - 172.29.0.41 #imaps: # address: ":993" # proxyProtocol: # trustedIPs: # - 172.29.0.8 # - 172.29.0.41 serversTransports: proxyProtocolTransport: insecureSkipVerify: false proxyProtocol: version: 3 providers: docker: endpoint: "unix:///var/run/docker.sock" exposedByDefault: false defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.tuservidor.es`)" network: proxy file: directory: /conf watch: true log: level: INFO format: json accessLog: format: json fields: defaultMode: keep names: ClientUsername: keep headers: defaultMode: keep names: Content-Type: keep X-Forwarded-For: keep filters: statusCodes: - "300-302" - "400-409" retryAttempts: true minDuration: "10ms" certificatesResolvers: myresolver: acme: keyType: EC256 email: pepe@tuservidor.es storage: /etc/certs/acme.json httpChallenge: entryPoint: http cloudflare: acme: keyType: EC256 email: lorenzo.carbonell.cerezo@gmailcom caServer: https://acme-v02.api.letsencrypt.org/directory # production (default) #caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging storage: /etc/certs/cloudflare.json dnsChallenge: provider: cloudflare delayBeforeCheck: 10 #Optional to wait x second before checking with the DNS Server tls: options: default: minVersion: VersionTLS12 experimental: plugins: geoblock: moduleName: "github.com/PascalMinder/geoblock" version: "v0.3.2" fail2ban: moduleName: "github.com/tomMoulard/fail2ban" version: "v0.8.3" torblock: moduleName: "github.com/jpxd/torblock" version: "v0.1.1" traefik-real-ip: moduleName: "github.com/soulbalz/traefik-real-ip" version: "v1.0.3" sablier: moduleName: "github.com/sablierapp/sablier" version: "v1.8.5" traefik-oidc-auth: moduleName: "github.com/sevensolutions/traefik-oidc-auth" version: "v0.11.0" htransformation: moduleName: "github.com/tomMoulard/htransformation" version: "v0.3.3"