first commit

traefik/data/plugins.yaml

@@ -0,0 +1,51 @@
+http:
+    middlewares:
+        fail2ban:
+            plugin:
+                fail2ban:
+                    logLevel: "INFO"
+                    blacklist:
+                        ip:
+                            - 192.168.0.0/24
+                    rules:
+                        bantime: 3h
+                        enabled: "true"
+                        findtime: 10m
+                        logencoding: UTF-8
+                        maxretry: "4"
+                        ports:
+                        - 0:3305
+                        - 3307:8000
+                    whitelist:
+                        ip:
+                            - ::1
+                            - 127.0.0.1
+                            - 49.177.39.82
+                            - 2001:8003:797c:a100:455f:513:d0f:767f
+        geoblock:
+            plugin:
+                GeoBlock:
+                  allowLocalRequests: true
+                  logLocalRequests: false
+                  logAllowedRequests: false
+                  logApiRequests: true
+                  api: "https://get.geojs.io/v1/ip/country/{ip}"
+                  apiTimeoutMs: 750                                 # optional
+                  cacheSize: 15
+                  forceMonthlyUpdate: true
+                  allowUnknownCountries: false
+                  unknownCountryApiResponse: "nil"
+                  countries:
+                  - AU
+        secHeaders:
+            headers:
+                browserXssFilter: true
+                contentTypeNosniff: true
+                frameDeny: true
+#                sslRedirect: true
+        #HSTS Configuration
+                stsIncludeSubdomains: true
+                stsPreload: true
+                stsSeconds: 15552000
+                forceSTSHeader: true
+                customFrameOptionsValue: "SAMEORIGIN"

traefik/docker-compose.yml

@@ -0,0 +1,93 @@
+version: '3'
+
+services:
+  reverse-proxy:
+    restart: always
+    # The official v2 Traefik docker image
+    image: traefik:latest
+    read_only: true
+    hostname: traefik.lan.ddnsgeek.com
+#    build:
+#      context: .
+#      dockerfile: traefik.Dockerfile
+    depends_on:
+      - error-pages
+    # Enables the web UI and tells Traefik to listen to docker
+    command: 
+      - "--log.level=INFO"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myresolver.acme.email=wayne.bennett@live.com"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      - "--ping=true"
+      - "--api=true"
+      - "--api.dashboard=true"
+      - "--providers.file.filename=/plugins.yaml"
+    ports:
+      # The HTTP port
+      - "192.168.2.249:80:80"
+      - "192.168.2.249:443:443"
+      # The Web UI (enabled by --api.insecure=true)
+#      - "8080:8080"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./data/letsencrypt:/letsencrypt:rw
+      - ./data/plugins.yaml:/plugins.yaml:ro
+    deploy:
+#      resources:
+#        limits:
+#          cpus: '0.05'
+#          memory: 200m
+      restart_policy:
+        condition: on-failure
+        max_attempts: 5
+    healthcheck:
+      test: traefik healthcheck --ping 
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.lan.ddnsgeek.com`)"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=auth, error-pages-middleware"
+      - "traefik.http.middlewares.auth.basicauth.users=beatzaplenty:$$apr1$$rQ8iCgI4$$Y/u2AttE3tb1sIQwrIGU0."
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
+      - "traefik.http.routers.traefik.tls=true"
+      - "io.portainer.accesscontrol.public"
+
+  error-pages:
+    image: tarampampam/error-pages:latest # Using the latest tag is highly discouraged. Please, use tags in X.Y.Z format
+    read_only: true
+    environment:
+      TEMPLATE_NAME: app-down # set the error pages template
+    hostname: error-pages
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      # use as "fallback" for any NON-registered services (with priority below normal)
+      - "traefik.http.routers.error-pages-router.rule=HostRegexp(`{host:.+}`)"
+      # should say that all of your services work on https
+      - "traefik.http.routers.error-pages-router.entrypoints=web"
+      - "traefik.http.routers.error-pages-router.middlewares=error-pages-middleware"
+      # "errors" middleware settings
+      - "traefik.http.middlewares.error-pages-middleware.errors.status=400-599"
+      - "traefik.http.middlewares.error-pages-middleware.errors.service=error-pages-service"
+      - "traefik.http.middlewares.error-pages-middleware.errors.query=/{status}.html"
+      # define service properties
+      - "traefik.http.services.error-pages-service.loadbalancer.server.port=8080"
+      - "io.portainer.accesscontrol.public"
+    deploy:
+#      resources:
+#        limits:
+#          cpus: '0.05'
+#          memory: 100m
+      restart_policy:
+        condition: on-failure
+        max_attempts: 5
+

traefik/traefik.Dockerfile

@@ -0,0 +1,12 @@
+FROM traefik:latest
+
+# Create unprivileged user.
+RUN adduser -h /nonexistent -s /sbin/nologin -DH -g Traefik traefik
+
+# Initialize directories and permissions.
+RUN mkdir -p /data
+RUN chown -R traefik:traefik /data
+
+# Run as unprivileged user.
+USER traefik:traefik
+