添加 Traefik Proxy 的配置模板。

2023-03-10 17:24:36 +08:00 · 2023-03-10 17:24:36 +08:00 · a56a52d091
commit a56a52d091
parent 9cd6b9d5b2
3 changed files with 115 additions and 0 deletions
--- a/Proxy/Readme.md
+++ b/Proxy/Readme.md
@ -0,0 +1,18 @@
+# Traefik Proxy
+
+官方地址：[Traefik Proxy - TraefikLabs](https://traefik.io/traefik/)
+
+配置已设定为：
+
+- 启用 HTTP 和 HTTPS
+- 已按照 Mozilla 的 SSL 安全建议配置了 SSL
+  - 默认可使用最低的 TLS 版本：1.2
+  - 已按 Mozilla 的建议限制了 TLS 1.2 的密码套件
+- 提供 `highSecure` TLS 选项，可在 Docker Container Labels 中配置使用
+  - 仅支持 TLS 1.3
+
+需要注意的事情：
+
+- 证书配置需要手动设置证书关联的邮箱地址.
+- 需要路由的容器，必须在 Labels 添加 `traefik.enable=true`，否则不会被路由
+- 在附带的 `docker-compose.yml` 中有一些说明，请仔细阅读
--- a/Proxy/docker-compose.yml
+++ b/Proxy/docker-compose.yml
@ -0,0 +1,33 @@
+version: '3'
+
+networks:
+  web:
+    name: web
+    driver: bridge
+
+# 如果使用本 Compose 配置文件启动 Traefik，那么在其他 Compose 文件中只需要这样声明：
+#
+# networks:
+#   web:
+#     name: web
+#     external: true
+#
+# 然后让需要使用 Traefik 路由的容器加入 web 网络，并在 labels 中添加如下声明（基本的）：
+# labels:
+#   - traefik.enable=true
+#   - traefik.http.routers.jenkins.rule=Host(`<Route Domain>`)
+
+services:
+  traefik:
+    # 使用前请更新至最新版.
+    image: traefik:v2.9
+    container_name: traefik
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./traefik.yml:/etc/traefik/traefik.yml
+      - ./traefik/acme/:/etc/traefik/acme
+    networks:
+      - web
--- a/Proxy/traefik.yml
+++ b/Proxy/traefik.yml
@ -0,0 +1,64 @@
+providers:
+  docker: 
+    endpoint: "unix:///var/run/docker.sock"
+    network: "web"
+    exposedByDefault: false
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: defaultResolver
+
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        # TLS 1.2
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_RSA_WITH_AES_256_GCM_SHA384
+        # TLS 1.3
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      sniStrict: true
+    highSecure:
+      minVersion: VersionTLS13
+      sniStrict: true
+
+certificatesResolvers:
+  defaultResolver:
+    # Enable ACME (Let's Encrypt): automatic SSL.
+    acme:
+
+      # Email address used for registration.
+      #
+      # Required
+      #
+      email: "<Website owner email>"
+
+      # File or key used for certificates storage.
+      #
+      # Required
+      #
+      storage: "/etc/traefik/acme/acme.json"
+      httpChallenge:
+        entryPoint: web
+      tlsChallenge: {}
+