Umstieg - Traefik V2 auf V3

[csaeum]

Ich bin durch Youtube auf dieses Forum gestossen auf der Suche nach Lösung zu Traefik:

Dabei dann auch über diesen Link: https://www.benjaminrancourt.ca/a-co...configuration/

Ich arbeite schon mit Docker und Traefik seit gut 3 Jahren und habe mir eine gute Config über Stunden zusammenerarbeitet.

Aber heute bin ich auf einen Fehler gestossen und dachte das ich in dem Zusammenhang auf die V3 umsteige oder Versuche umzusteigen:

Docker-Compose.yml von Traefik:

Code:

volumes:
  letsencrypt-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/letsencrypt

# https://www.benjaminrancourt.ca/a-complete-traefik-configuration/
services:
  traefik:
    image: "traefik:v3.0"
    container_name: ${COMPOSE_PROJECT_NAME}
    command:
      - "--providers.file.filename=/traefik.yml"
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.entrypoints: "websecure-https"
      traefik.http.routers.traefik.middlewares: "traefikAuth@file,default@file"
      traefik.http.routers.traefik.rule: "${HOSTRULE}"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.tls: "true"
      traefik.http.routers.traefik.tls.certresolver: "letsEncrypt"
      traefik.http.routers.traefik.tls.options: "modern@file"

    networks:
      - "${PROXY_NETWORK}"
      - "default"
    ports:
      # To be able to listen on port 80 (http)
      - mode: host
        published: 80
        target: 80
      # To be able to listen on port 443 (https)
      - mode: host
        published: 443
        target: 443
    restart: ${RESTART}
    volumes:
      - ./configs/traefik/config.yml:/etc/traefik/config.yml:ro
      - ./configs/traefik/traefik.yml:/traefik.yml:ro
      # Set the container timezone by sharing the read-only localtime
      - /etc/localtime:/etc/localtime:ro
      - letsencrypt-data:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

networks:
  traefik_proxy:
    external: true
    name: ${PROXY_NETWORK}
  default:
    driver: bridge

Traefik.yml

Code:

api:
  dashboard: true # Enable the dashboard

certificatesResolvers:
  letsEncrypt:
    acme:
      tlschallenge: true
      email: "webmaster@domain.de"
      storage: "/letsencrypt/Traefik.json"

entryPoints:
  web-http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  websecure-https:
    address: ":443"
    http:
      tls:
        certResolver: letsEncrypt

log:
  level: DEBUG

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"   # Listen to the UNIX Docker socket
    exposedByDefault: false                   # Only expose container that are explicitly enabled (using label traefik.enabled)
    network: "traefik_proxy"                  # Default network to use for connections to all containers.
  file:
    filename: "/etc/traefik/config.yml"       # Link to the dynamic configuration
    watch: true                               # Watch for modifications
  providersThrottleDuration: 10               # Configuration reload frequency

Config.yml

Code:

http:
  middlewares:
    # A basic authentification middleware, to protect the Traefik dashboard to anyone except myself
    # Use with traefik.http.routers.myRouter.middlewares: "traefikAuth@file"
    # Password generieren: echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
    # Passwort beachten - $ muss mit einen 2ten $ versehen werden
    traefikAuth:
      basicAuth:
        users:
          - "test:$$apr1$$pm8qg13l$$Nt2/Q0cgKS2pSLQwSPC6w0"


    # Recommended default middleware for most of the services
    # Use with traefik.http.routers.myRouter.middlewares: "default@file"
    # Equivalent of traefik.http.routers.myRouter.middlewares: "default-security-headers@file,error-pages@file,gzip@file"
    default:
      chain:
        middlewares:
          - default-security-headers
          - error-pages
          - gzip

    # Add automatically some security headers
    # Use with traefik.http.routers.myRouter.middlewares: "default-security-headers@file"
    default-security-headers:
      headers:
        browserXssFilter: true                            # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: true                                   # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        sslRedirect: true                                 # Allow only https requests
        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 63072000                              # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)

    # Serve the error pages when the status is included inside the following ranges
    # Use with traefik.http.routers.myRouter.middlewares: "error-pages@file"
    error-pages:
      errors:
        query: "erreur{status}/"
        service: traefik-error-pages
        status:
          - "403-404"
          - "500"
          - "503"

    # Enables the GZIP compression (https://docs.traefik.io/middlewares/compress/)
    #   if the response body is larger than 1400 bytes
    #   if the Accept-Encoding request header contains gzip
    #   if the response is not already compressed (Content-Encoding is not set)
    # Use with traefik.http.routers.myRouter.middlewares: "gzip@file"
    gzip:
      compress: {}

  services:
    # Error pages
    traefik-error-pages:
      loadBalancer:
        servers:
          - url: "https://www.usherbrooke.ca/error-pages/"


# See https://doc.traefik.io/traefik/https/tls/
tls:
  options:
    # To use with the label "traefik.http.routers.myrouter.tls.options=modern@file"
    modern:
      minVersion: "VersionTLS13"                          # Minimum TLS Version
      sniStrict: true                                     # Strict SNI Checking
    
    # To use with the label "traefik.http.routers.myrouter.tls.options=intermediate@file"
    intermediate:
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      minVersion: "VersionTLS12"                          # Minimum TLS Version
      sniStrict: true                                     # Strict SNI Checking
    
    # To use with the label "traefik.http.routers.myrouter.tls.options=old@file"
    old:
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
        - "TLS_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_RSA_WITH_AES_128_CBC_SHA256"
        - "TLS_RSA_WITH_AES_128_CBC_SHA"
        - "TLS_RSA_WITH_AES_256_CBC_SHA"
        - "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
      minVersion: "TLSv1"                                 # Minimum TLS Version
      sniStrict: true                                     # Strict SNI Checking

Mein erstes Ziel wäre das ich das Dashboard von Traefik aufbekomme mit den user: test und password: test

aber hier sperrt es gerade schon

[csaeum]

Also vielleicht sollte man nicht bis spät Nachts oder Morgens sowas versuchen schon gar nicht wenn man den ganzen Tag schon an Problemen sitzt.

Hier meine Verzeichnisstruktur:


zu meinen Anfangspost habe ich nun folgende Dateien:

docker-compose.yml

Code:

volumes:
  letsencrypt-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/letsencrypt

services:
  traefik:
    image: "traefik:v3.0"
    container_name: ${COMPOSE_PROJECT_NAME}
    command:
      - "--providers.file.filename=/traefik.yml"
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.rule: "${HOSTRULE}"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.middlewares: "myauth"
      traefik.http.middlewares.myauth.basicauth.users: test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
    networks:
      - "${PROXY_NETWORK}"
      - "default"
    ports:
      # To be able to listen on port 80 (http)
      - mode: host
        published: 80
        target: 80
      # To be able to listen on port 443 (https)
      - mode: host
        published: 443
        target: 443
    restart: ${RESTART}
    volumes:
#      - ./configs/traefik/config.yml:/etc/traefik/config.yml:ro
      - ./configs/traefik/traefik.yml:/traefik.yml:ro
      - ./logs/access.log:/var/log/access.log
      - ./logs/traefik.log:/var/log/traefik.log
      # Set the container timezone by sharing the read-only localtime
      - /etc/localtime:/etc/localtime:ro
      - letsencrypt-data:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

networks:
  traefik_proxy:
    external: true
    name: ${PROXY_NETWORK}
  default:
    driver: bridge

traefik.yml

Code:

accessLog:
  filePath: "/var/log/access.log"

api:
  # Enable the dashboard
  dashboard: true
  insecure: false

certificatesResolvers:
  letsEncrypt:
    acme:
      tlschallenge: true
      email: "webmaster@example.com"
      storage: "/letsencrypt/Traefik.json"

entryPoints:
  web-http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  websecure-https:
    address: ":443"
    http:
      tls:
        certResolver: letsEncrypt

log:
  level: DEBUG
  filePath: /var/log/traefik.log

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"   # Listen to the UNIX Docker socket
    exposedByDefault: false                   # Only expose container that are explicitly enabled (using label traefik.enabled)
    network: "traefik_proxy"                  # Default network to use for connections to all containers.
  file:
    filename: "/etc/traefik/config.yml"       # Link to the dynamic configuration
    watch: true                               # Watch for modifications
  providersThrottleDuration: 10               # Configuration reload frequency

Das Dashboard ist nun über die Auth erreichbar, mein Wunsch wäre es die Logindaten statt im Label in der config.yml zu haben.
Dazu wäre mein Wunsch das man gzip für alle Seiten sowie das alle Headers sowie auch die Remote IP der Besucher der Container an diese durchgereicht wird.
Gestern hatte ich hier ein großes Problem mit den CORS Headern.
Würde mich freuen wenn wir für alle hier eine super Config zusammenbekommen.

Ich werde die Container auch auf GITHub hochladen.
Als nächstes will ich den Portainer zum laufen bekommen aber dies nicht in dieser Config sondern als Extra Docker Stack