Differences

This shows you the differences between two versions of the page.

--- docker_notes:docker-reverse-proxy [2024-06-04 Tue wk23 13:06] – [Generate and Install Godaddy DNS Challenge Data] baumkp
+++ docker_notes:docker-reverse-proxy [2025-01-07 Tue wk02 09:00] (current) – [Cloudsec] baumkp
@@ Line 1: / Line 1: @@
 {{tag>linux docker traefik "reverse proxy" proxy openssl ssl certificate portainer cloudsec}}
-======Reverse Proxy Server======
+======Reverse Proxy Server - Traefik======
-I seem to have gotten the Traefik reverse proxy working according to Techno Tim [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] ([[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl|github reference_files for traefik-portainer-ssl]])
+I seem to have gotten the Traefik reverse proxy working according to Techno Tim [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] ([[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl|github reference_files for traefik-portainer-ssl]]).  Also see [[https://www.youtube.com/watch?v=IBlZgrwc1T8&t=990s|Jim's Garage Your Traefik Isn't Secure]] ([[https://github.com/JamesTurland/JimsGarage/tree/main/Traefik-Secure|JimsGarage/Traefik-Secure/]]
 Below is a basic description of the process that aligns with my configuration files. I do this for 2 reasons, both allowing me independence.
@@ Line 64: / Line 64: @@
 =====Traefik Routes Config=====
+====Using labels in docker config files====
+[[https://doc.traefik.io/traefik/routing/providers/docker/|Traefik & Docker]]
+===Typical labels in Docker Compose===
+<code yml>labels:
+      # Enable Traefik for this service
+      - "traefik.enable=true"
+      # Tell Traefik to specifically use the network "proxy", specifically declared
+      - "traefik.docker.network=proxy"
+      # Make Traefik use this domain in HTTP
+      - "traefik.http.routers.container_name.entrypoints=http"
+      - "traefik.http.routers.container_name.rule=Host(`linkwarden.local.kptree.net`)"
+      - "traefik.http.middlewares.container_name-https-redirect.redirectscheme.scheme=https"
+      # Middleware to redirect HTTP to HTTPS
+      - "traefik.http.routers.container_name.middlewares=linkwarden-https-redirect"
+      # Make Traefik use this domain in HTTPS
+      - "traefik.http.routers.container_name-secure.entrypoints=https"
+      - "traefik.http.routers.container_name-secure.rule=Host(`linkwarden.local.kptree.net`)"
+      - "traefik.http.routers.container_name-secure.tls=true"
+      # Specify the specific resolver to use
+      #- "traefik.http.routers.container_name-secure.tls.certresolver=hurricane"
+      - "traefik.http.routers.container_name-secure.service=linkwarden"
+      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
+      # Define the port inside of the Docker service to use
+      - "traefik.http.services.container_name.loadbalancer.server.port=3000" # make sure the loadbalancer is the last line!! </code>
+When the docker compose ''loadbalancer.server.port'' label is used an external port does not needed to be defined as Traefik can directly access the defined ''docker.network''.  This simplifies the need to share host ports!
+  *Traefik:
+     *[[https://community.traefik.io/t/understanding-difference-between-labels-in-a-container-vs-defining-in-the-config-yml/16246|Understanding difference between labels in a container vs defining in the config.yml]]
+     *[[https://doc.traefik.io/traefik/providers/docker/|Traefik & Docker]]
+     *[[https://docs.docker.com/engine/manage-resources/labels/|Docker object labels]]
+     *[[https://doc.traefik.io/traefik/v3.2/reference/dynamic-configuration/docker/|Docker Configuration Reference]]
+     *[[https://doc.traefik.io/traefik/middlewares/http/headers/|Headers]]
+     *[[https://doc.traefik.io/traefik/middlewares/overview/|Middlewares]]
+     *[[https://doc.traefik.io/traefik/middlewares/http/redirectscheme/|RedirectScheme]]
+     *[[https://community.traefik.io/t/how-to-configure-traefik-2-with-tls-traefik-2-tls-101/3928|How to configure Traefik 2 with TLS - Traefik 2 & TLS 101]]
+  *[[https://requestly.com/blog/what-are-x-forwarded-headers-and-why-it-is-used/|What are X-forwarded Headers, and why it is used?]]
+  *[[https://www.geeksforgeeks.org/http-headers-x-forwarded-proto/|HTTP headers | X-Forwarded-Proto]]
+====Using config.yml====
 <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data
 nvim config.yml</code>
@@ Line 79: / Line 121: @@
 │   └── traefik.log       | This is the main traefik log file (permanent, but does not show up on the Docker error log)
 └── docker-compose.yml</code>
+  *Traefik:
+    *[[https://doc.traefik.io/traefik/v3.2/reference/dynamic-configuration/file/|File Configuration Reference]]
 =====whitelisting=====
 The Traefik middleware ipWhitelist only allows the define ip address(es) to be forwarded.  All other address will have 403 forbidden returned.
@@ Line 124: / Line 169: @@
     * Nginxproxymanager.com [[https://nginxproxymanager.com/advanced-config/#best-practice-use-a-docker-network|Best Practice: Use a Docker network]]
-====ssl certificates====
+====ssl certificates / openssl====
   *''openssl x509 -in (path to certificate and certificate filename) -text -noout''
   *''openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates''
@@ Line 185: / Line 230: @@
-<- docker_notes:init|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next ->
+<- docker_notes:init|Back ^ docker_notes:index|Start page ^ docker_notes:security|Next ->