Deflector5098 revised this gist 1 week ago. Go to revision
3 files changed, 440 insertions
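--- a/compose.yml
+++ b/compose.yml
@@ -0,0 +1,147 @@
+services:
+traefik:
+image: traefik:v3.5.4
+container_name: traefik
+init: true
+restart: unless-stopped
+security_opt:
+- no-new-privileges:true
+networks:
+proxy: {}
+# ipv4_address: 172.29.0.33
+monitoring: {}
+ports:
+- 80:80
+- 443:443
+- 2222:2222
+- 2022:2022
+- 64738:64738
+- 64738:64738/udp
+#- 25:25
+#- 465:465
+#- 993:993
+#- 22067:22067
+environment:
+- TZ=Europe/Madrid
+- CF_API_EMAIL=${CF_API_EMAIL}
+- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- ./traefik.yml:/traefik.yml:ro
+- ./conf:/conf:ro
+- geoblock:/plugins-local/src/github.com/PascalMinder/geoblock/
+- /var/run/docker.sock:/var/run/docker.sock:ro
+- traefik_logs:/var/log/traefik
+- acme:/etc/certs
+healthcheck:
+test: [ "CMD", "traefik", "healthcheck", "--ping" ]
+start_period: 10s
+timeout: 5s
+retries: 3
+labels:
+- traefik.enable=true
+- traefik.http.services.traefik.loadbalancer.server.port=80
+- traefik.http.routers.traefik.entrypoints=https
+- traefik.http.routers.traefik.rule=Host(`traefik.tuservidor.es`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+- traefik.http.routers.traefik.service=api@internal
+- traefik.http.routers.traefik.middlewares=oidc-auth@file
+#- traefik.http.routers.traefik.middlewares=error-pages-middleware@docker
+#- traefik.http.routers.traefik.middlewares=oidc-auth@file,error-pages-middleware@docker
+- traefik.http.routers.traefik-callback.entrypoints=https
+- traefik.http.routers.traefik-callback.rule=HostRegexp(`.+`) && (PathPrefix(`/oidc/callback`) || PathPrefix(`/logout`))
+- traefik.http.routers.traefik-callback.middlewares=oidc-auth@file
+- traefik.http.routers.traefik-callback.service=noop@internal
+- traefik.http.routers.traefik-internal.entrypoints=https
+- traefik.http.routers.traefik-internal.rule=Host(`traefik`)
+- traefik.http.routers.traefik-internal.service=api@internal
+- traefik.http.routers.traefik-ping-web.entrypoints=ping
+- traefik.http.routers.traefik-ping-web.rule=PathPrefix(`/ping`)
+- traefik.http.routers.traefik-ping-web.service=ping@internal
+- com.centurylinklabs.watchtower.monitor-only="true"
+
+error-pages:
+image: tarampampam/error-pages:3
+container_name: error-pages
+init: true
+restart: unless-stopped
+environment:
+TEMPLATE_NAME: hacker-terminal
+depends_on:
+- traefik
+labels:
+traefik.enable: true
+# use as "fallback" for any NON-registered services (with priority below normal)
+traefik.http.routers.error-pages-router.rule: HostRegexp(`.+`)
+traefik.http.routers.error-pages-router.priority: 10
+# should say that all of your services work on https
+traefik.http.routers.error-pages-router.entrypoints: https
+traefik.http.routers.error-pages-router.middlewares: error-pages-middleware
+# "errors" middleware settings
+traefik.http.middlewares.error-pages-middleware.errors.status: 400-599
+traefik.http.middlewares.error-pages-middleware.errors.service: error-pages-service
+traefik.http.middlewares.error-pages-middleware.errors.query: /{status}.html
+# define service properties
+traefik.http.services.error-pages-service.loadbalancer.server.port: 8080
+networks:
+- proxy
+certdumper:
+image: ghcr.io/kereis/traefik-certs-dumper:latest
+container_name: traefik-certs-dumper
+restart: unless-stopped
+init: true
+environment:
+OVERRIDE_UID: 10000
+OVERRIDE_GID: 10000
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- acme:/traefik:ro
+- certs:/output:rw
+logbackend:
+image: ghcr.io/hhftechnology/traefik-log-dashboard-backend:latest
+container_name: logbackend
+restart: unless-stopped
+init: true
+networks:
+- internal
+volumes:
+- traefik_logs:/logs:ro # Mount the Traefik logs directory
+environment:
+- NODE_ENV=production
+- TRAEFIK_LOG_FILE=/logs/access.log # Path inside the container
+- PORT=3001
+
+logfrontend:
+image: ghcr.io/hhftechnology/traefik-log-dashboard-frontend:latest
+container_name: logfrontend
+restart: unless-stopped
+environment:
+- BACKEND_SERVICE=logbackend
+- BACKEND_PORT=3001
+depends_on:
+- logbackend
+networks:
+- proxy
+- internal
+labels:
+traefik.enable: true
+traefik.http.routers.logfrontend.rule: Host(`logs.tuservidor.es`)
+traefik.http.routers.logfrontend.entrypoints: https
+traefik.http.services.logfrontend.loadbalancer.server.port: 80
+traefik.http.routers.logfrontend.middlewares: oidc-auth@file
+
+volumes:
+geoblock: {}
+le: {}
+acme:
+external: true
+certs:
+external: true
+traefik_logs:
+external: true
+
+networks:
+internal:
+proxy:
+external: true
+monitoring:
+external: true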
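Review bot: The `traefik-internal` router publishes `api@internal` on the public `https` entrypoint with the rule Host(`traefik`) and no middleware, so a client that sends `Host: traefik` over port 443 reaches the dashboard and API without the `oidc-auth@file` gate the sibling `traefik` router carries; only the entrypoint-level `shuul-auth@file` forwardAuth from traefik.yml sits in front of it, and whether that denies such a request is not visible here. Either drop that router, add `- traefik.http.routers.traefik-internal.middlewares=oidc-auth@file`, or bind it to an entrypoint that is not published under `ports:`. This matters because the same container mounts `/var/run/docker.sock` (the `:ro` flag only affects the socket node, not what the Docker API will do), so a reachable API plus `api.debug: true` is a short path from Traefik to the host; fronting the socket with a read-only socket proxy would bound that. Separately, `certdumper`, `logbackend` and `logfrontend` run `:latest` next to a pinned `traefik:v3.5.4`, which undercuts the intent of the `monitor-only` watchtower label.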
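--- a/dynamic.yaml
+++ b/dynamic.yaml
@@ -0,0 +1,134 @@
+http:
+middlewares:
+crowdsec-bouncer:
+forwardauth:
+address: http://bouncer-traefik:8080/api/v1/forwardAuth
+trustForwardHeader: true
+shuul-auth:
+forwardAuth:
+address: http://shuul:3000/api/v1/shuul
+default:
+chain:
+middlewares:
+- default-security-headers
+- gzip
+gzip:
+compress: {}
+default-security-headers:
+headers:
+browserXssFilter: true # X-XSS-Protection=1; mode=block
+contentTypeNosniff: true # X-Content-Type-Options=nosniff
+forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
+#frameDeny: true # X-Frame-Options=deny
+referrerPolicy: "strict-origin-when-cross-origin"
+sslRedirect: true # Allow only https requests
+stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
+stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
+stsSeconds: 63072000
+secure-headers:
+headers:
+# Connection: "keep-alive, Upgrade"
+# X-Forwarded-Proto: "https, http, ws, wss"
+# Upgrade: "WebSocket"
+STSSeconds: "31536000"
+STSIncludeSubdomains: "true"
+STSPreload: "true"
+customRequestHeaders:
+Connection: "keep-alive, Upgrade"
+X-Forwarded-Host: ""
+X-Forwarded-Proto: "https, http, ws, wss"
+customResponseHeaders:
+Connection: "keep-alive, Upgrade"
+X-Forwarded-Host: ""
+X-Forwarded-Proto: "https, http, ws, wss"
+Upgrade: "WebSocket"
+frameDeny: true
+contentTypeNosniff: true
+browserXssFilter: true
+#referrerPolicy: "same-origin"
+my-geoblock:
+plugin:
+geoblock:
+silentStartUp: false
+allowLocalRequests: true
+logLocalRequests: false
+logAllowedRequests: false
+logApiRequests: true
+api: "https://get.geojs.io/v1/ip/country/{ip}"
+apiTimeoutMs: 750 # optional
+cacheSize: 15
+forceMonthlyUpdate: true
+allowUnknownCountries: false
+unknownCountryApiResponse: "nil"
+blackListMode: false
+countries:
+- ES
+my-torblock:
+plugin:
+torblock:
+enabled: true
+my-traefik-real-ip:
+plugin:
+traefik-real-ip:
+excludednets:
+- "1.1.1.1/24"
+oidc-auth:
+plugin:
+traefik-oidc-auth:
+Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+Provider:
+ClientId: XXXXXXXx-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX
+ClientSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+Url: https://pocketid.tuservidor.es/
+TokenValidation: IdToken
+Scopes:
+- openid
+- profile
+
+my-sablier:
+plugin:
+sablier:
+group: default
+dynamic:
+displayName: Servidor Linux
+refreshFrequency: 5s
+showDetails: "true"
+theme: hacker-terminal
+sablierUrl: http://sablier:10000
+sessionDuration: 1m
+htransformation:
+plugin:
+htransformation:
+Rules:
+- Rule:
+Name: 'X-Client-Port Set'
+Header: 'X-Client-Port'
+Value: '^X-Forwarded-Port'
+HeaderPrefix: "^"
+Type: 'Set'
+my-fail2ban:
+plugin:
+fail2ban:
+loglevel: "INFO"
+denylist:
+ip:
+- 192.168.0.0/24
+rules:
+urlregexps:
+- regexp: "/whoami"
+mode: allow
+- regexp: "/do-not-access"
+mode: block
+- regexp: "/no"
+mode: block
+- regexp: "/yes"
+mode: allow
+bantime: "3h"
+findtime: "10m"
+maxretry: 4
+enabled: true
+statuscode: "400,401,403-499"
+allowlist:
+ip:
+- ::1
+- 127.0.0.1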
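Review bot: `default-security-headers` sets `sslRedirect: true`, which the Traefik v3 migration notes list as removed from the headers middleware; if v3.5.4 rejects the unknown field, that middleware and the `default` chain every https router inherits fail to build, so check the Traefik log for a decode error on this file and drop the line (the `http` entrypoint redirection in traefik.yml already covers it). `secure-headers` also forces `X-Forwarded-Proto` to the literal `"https, http, ws, wss"` and blanks `X-Forwarded-Host` on both request and response, which a backend that uses the proto header for secure cookies or redirect URLs will read as neither `http` nor `https`; remove those `customRequestHeaders`/`customResponseHeaders` entries and let Traefik set the forwarded headers itself. The `oidc-auth` block holds `Secret`, `ClientId` and `ClientSecret` inline (placeholders here) in a file that is published as a gist and mounted read-only; keep the real values out of this file, for example via the file provider's Go templating `ClientSecret: '{{ env "OIDC_CLIENT_SECRET" }}'` with the variable passed to the traefik service. `excludednets: "1.1.1.1/24"` in `my-traefik-real-ip` has host bits set and presumably means `1.1.1.0/24`; no router visible here applies that middleware, so this is low priority.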
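--- a/traefik.yml
+++ b/traefik.yml
@@ -0,0 +1,159 @@
+api:
+dashboard: true
+debug: true
+ping: {}
+metrics:
+prometheus:
+addEntryPointsLabels: true
+addRoutersLabels: true
+addServicesLabels: true
+buckets:
+- 0.1
+- 0.3
+- 1.2
+- 5.0
+
+entryPoints:
+http:
+address: ":80"
+http:
+redirections:
+entryPoint:
+to: https
+scheme: https
+permanent: true
+https:
+address: ":443"
+http:
+tls:
+certResolver: myresolver
+# domains:
+# - main: "tuservidor.es"
+# sans:
+# - "*.tuservidor.es"
+middlewares:
+- default@file
+- my-torblock@file
+- shuul-auth@file
+#- my-geoblock@file
+#- my-fail2ban@file
+#- error-pages@file
+#- my-fail2ban@file
+#- crowdsec-bouncer@file
+ping:
+address: ":8082"
+git:
+address: ":2222"
+sftpgo:
+address: ":2022"
+mumble_tcp:
+address: ":64738"
+mumble_udp:
+address: ":64738/udp"
+#relay:
+# address: ":22067"
+#smtp:
+# address: ":25"
+# proxyProtocol:
+# trustedIPs:
+# - 172.29.0.8
+# - 172.29.0.41
+#smtps:
+# address: ":465"
+# proxyProtocol:
+# trustedIPs:
+# - 172.29.0.8
+# - 172.29.0.41
+#imaps:
+# address: ":993"
+# proxyProtocol:
+# trustedIPs:
+# - 172.29.0.8
+# - 172.29.0.41
+
+
+serversTransports:
+proxyProtocolTransport:
+insecureSkipVerify: false
+proxyProtocol:
+version: 3
+
+providers:
+docker:
+endpoint: "unix:///var/run/docker.sock"
+exposedByDefault: false
+defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.tuservidor.es`)"
+network: proxy
+file:
+directory: /conf
+watch: true
+
+log:
+level: INFO
+format: json
+accessLog:
+format: json
+fields:
+defaultMode: keep
+names:
+ClientUsername: keep
+headers:
+defaultMode: keep
+names:
+Content-Type: keep
+X-Forwarded-For: keep
+filters:
+statusCodes:
+- "300-302"
+- "400-409"
+retryAttempts: true
+minDuration: "10ms"
+
+
+certificatesResolvers:
+myresolver:
+acme:
+keyType: EC256
+email: pepe@tuservidor.es
+storage: /etc/certs/acme.json
+httpChallenge:
+entryPoint: http
+cloudflare:
+acme:
+keyType: EC256
+email: lorenzo.carbonell.cerezo@gmailcom
+caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
+#caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
+storage: /etc/certs/cloudflare.json
+dnsChallenge:
+provider: cloudflare
+delayBeforeCheck: 10 #Optional to wait x second before checking with the DNS Server
+
+tls:
+options:
+default:
+minVersion: VersionTLS12
+
+experimental:
+plugins:
+geoblock:
+moduleName: "github.com/PascalMinder/geoblock"
+version: "v0.3.2"
+fail2ban:
+moduleName: "github.com/tomMoulard/fail2ban"
+version: "v0.8.3"
+torblock:
+moduleName: "github.com/jpxd/torblock"
+version: "v0.1.1"
+traefik-real-ip:
+moduleName: "github.com/soulbalz/traefik-real-ip"
+version: "v1.0.3"
+sablier:
+moduleName: "github.com/sablierapp/sablier"
+version: "v1.8.5"
+traefik-oidc-auth:
+moduleName: "github.com/sevensolutions/traefik-oidc-auth"
+version: "v0.11.0"
+htransformation:
+moduleName: "github.com/tomMoulard/htransformation"
+version: "v0.3.3"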
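Review bot: `accessLog.headers.defaultMode: keep` writes every request header — `Cookie`, `Authorization`, and the session cookie `oidc-auth` issues — into `/var/log/traefik/access.log`, which the `traefik_logs` volume then exposes to `logbackend` and the `logfrontend` web UI; set `defaultMode: drop` and list only the headers you need, or at minimum add `Authorization: redact` and `Cookie: redact` under `headers.names`. `serversTransports.proxyProtocolTransport.proxyProtocol.version: 3` is not a PROXY protocol version (only 1 and 2 exist) and will be rejected when the static configuration loads. The `cloudflare` resolver's `email: lorenzo.carbonell.cerezo@gmailcom` is missing the dot before `com`; Let's Encrypt rejects an invalid contact address, so account registration will fail the first time that resolver is used (nothing visible here references it yet). `api.debug: true` also exposes `/debug/vars` and pprof handlers on `api@internal`, which the routers in compose.yml front; leave it off in production.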