modified: docker-compose.yml

modified:   traefik/dynamic.yml
	modified:   traefik/traefik.yml
This commit is contained in:
git
2026-04-14 11:35:05 +10:00
parent 9061a0c95c
commit eaa27462a1
3 changed files with 35 additions and 1 deletions
+9 -1
View File
@@ -19,6 +19,10 @@ services:
- ${PROJECT_ROOT}/traefik/letsencrypt:/letsencrypt
- ${PROJECT_ROOT}/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
- ${PROJECT_ROOT}/traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
- ${PROJECT_ROOT}/traefik/certs:/etc/traefik/certs:ro
healthcheck:
test: traefik healthcheck --ping
networks:
- proxy
@@ -45,7 +49,7 @@ services:
- traefik.http.routers.kuma.entrypoints=websecure
- traefik.http.routers.kuma.tls=true
- traefik.http.routers.kuma.tls.certresolver=le
- traefik.http.routers.kuma.tls.options=mtls-private-admin@file
# Service -> container port
- traefik.http.services.kuma.loadbalancer.server.port=3001
# - traefik.http.routers.kuma.middlewares=default-chain@file
@@ -177,3 +181,7 @@ services:
networks:
proxy:
name: proxy
driver: bridge
ipam:
config:
- subnet: 172.21.0.0/16
+9
View File
@@ -25,3 +25,12 @@ http:
middlewares:
- secHeaders
- crowdsec
tls:
options:
mtls-private-admin:
minVersion: VersionTLS12
sniStrict: true
clientAuth:
caFiles:
- /etc/traefik/certs/ca/clients-ca.crt
clientAuthType: RequireAndVerifyClientCert
+17
View File
@@ -13,6 +13,17 @@ accessLog:
entryPoints:
web:
address: ":80"
forwardedHeaders:
# Trust forwarding headers only from upstream proxies/LBs under our control.
# Network assumptions for this stack:
# - 127.0.0.1/32: local host-side reverse-proxy hops
# - 192.168.2.0/24: LAN edge proxies
# - 172.21.0.0/16: pinned Docker subnet for the traefik bridge network
insecure: false
trustedIPs:
- "127.0.0.1/32"
- "192.168.0.0/24"
- "172.21.0.0/16"
http:
redirections:
entryPoint:
@@ -21,6 +32,12 @@ entryPoints:
websecure:
address: ":443"
forwardedHeaders:
insecure: false
trustedIPs:
- "127.0.0.1/32"
- "192.168.0.0/24"
- "172.21.0.0/16"
http:
middlewares:
- default-chain@file