
Home Network – Reverse Proxy

The gateway to many of the services running in my infrastructure is my reverse proxy. For years I ran an Nginx setup, but I have recently switched to the same proxy I generally use in production systems: Traefik Proxy.

This is partly because I need a simple reference system that I can use to bootstrap production systems, and partly because its configuration is much less complex for new people to understand. However, as this is my home system, I am happy to take on riskier configurations to understand their impact and push the envelope of my understanding. For this reason, the docker-compose file below uses the latest tag instead of a specific version.

To start with, I create a directory structure like this:
traefik
├── config
│ ├── certs
│ ├── dynamic
│ │ └── dynamic_conf.yml
│ └── traefik.yml
└── docker-compose.yml

docker-compose.yml
version: '3.7'

services:
  traefik:
    image: traefik:latest
    command:
      - "--configFile=/traefik.yml"
    restart: always
    # ports: # not required in network mode: host
    #   - "80:80"
    #   - "443:443"
    #   - "81:81"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ubuntu/traefik/config/traefik.yml:/traefik.yml:ro
      - /home/ubuntu/traefik/config/dynamic:/dynamic:ro
      - /home/ubuntu/traefik/config/certs:/certs:rw
    network_mode: host
traefik.yml
entryPoints:
  traefik:
    address: ":81"
  web:
    address: ":80"
  websecure:
    address: ":443"


providers:
  file:
    directory: "/dynamic"
    watch: true

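api:
  dashboard: true
  # insecure mode serves the API and dashboard on the "traefik" entry point (:81) without authentication
  insecure: true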

certificatesResolvers:
  resolver:
    acme:
      email: "<email.domain>"
      storage: "certs/acme.json"
      httpChallenge:
        entryPoint: web
dynamic_conf.yml
http:
  routers:
    home-assistant:
      rule: "Host(`ha`)"
      service: home-assistant
      entrypoints:
        - websecure
      tls:
        certResolver: resolver

  services:
    home-assistant:
      loadBalancer:
        servers:
          - url: "http://192.168.21.29:8123"

  serversTransports:
    default:
      # skips TLS certificate verification for backends that use this transport
      insecureSkipVerify: true
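For a system that is not a deliberate test bed, the riskier choices above (the latest tag, the unauthenticated dashboard on :81, the unused Docker socket mount) can be tightened as follows. This is an added example, not the author's configuration; the image tag, the dashboard hostname and the basic-auth entry are placeholders, and each document shows only the keys that change.

```yaml
# docker-compose.yml (changed keys only)
services:
  traefik:
    # Pin a release you have tested instead of tracking "latest"
    image: "traefik:<pinned-version>"   # placeholder
    command:
      - "--configFile=/traefik.yml"
    restart: always
    volumes:
      # docker.sock mount dropped: traefik.yml only enables the file provider
      - /home/ubuntu/traefik/config/traefik.yml:/traefik.yml:ro
      - /home/ubuntu/traefik/config/dynamic:/dynamic:ro
      - /home/ubuntu/traefik/config/certs:/certs:rw
    network_mode: host
---
# traefik.yml (changed keys only)
entryPoints:
  # the "traefik" entry point on :81 is removed; it only existed for insecure mode
  web:
    address: ":80"
  websecure:
    address: ":443"
api:
  dashboard: true   # "insecure" is left at its default (false)
---
# dynamic_conf.yml (additions): dashboard served over TLS behind basic auth
http:
  routers:
    dashboard:
      rule: "Host(`traefik.home.example`)"   # assumed hostname, replace with your own
      service: api@internal                  # Traefik's built-in API/dashboard service
      entryPoints:
        - websecure
      middlewares:
        - dashboard-auth
      tls:
        certResolver: resolver
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "<user>:<htpasswd-hash>"   # placeholder, generate with htpasswd
```

With network_mode: host, every entry point listens directly on the host's interfaces, so removing the :81 entry point also removes that listener from the LAN.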