From a56a52d09127a4c0653fdeaa9e383614c8a01dfa Mon Sep 17 00:00:00 2001
From: LamGC
Date: Fri, 10 Mar 2023 17:24:36 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20Traefik=20Proxy=20?=
 =?UTF-8?q?=E7=9A=84=E9=85=8D=E7=BD=AE=E6=A8=A1=E6=9D=BF=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Traefik Proxy/Readme.md | 18 +++++++++
 Traefik Proxy/docker-compose.yml | 33 ++++++++++++++++
 Traefik Proxy/traefik.yml | 64 ++++++++++++++++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 Traefik Proxy/Readme.md
 create mode 100644 Traefik Proxy/docker-compose.yml
 create mode 100644 Traefik Proxy/traefik.yml

diff --git a/Traefik Proxy/Readme.md b/Traefik Proxy/Readme.md
new file mode 100644
index 0000000..7385d85
--- /dev/null
+++ b/Traefik Proxy/Readme.md
@@ -0,0 +1,18 @@
+# Traefik Proxy
+
+官方地址:[Traefik Proxy - TraefikLabs](https://traefik.io/traefik/)
+
+配置已设定为:
+
+- 启用 HTTP 和 HTTPS
+- 已按照 Mozilla 的 SSL 安全建议配置了 SSL
+  - 默认可使用最低的 TLS 版本:1.2
+  - 已按 Mozilla 的建议限制了 TLS 1.2 的密码套件
+- 提供 `highSecure` TLS 选项,可在 Docker Container Labels 中配置使用
+  - 仅支持 TLS 1.3
+
+需要注意的事情:
+
+- 证书配置需要手动设置证书关联的邮箱地址.
+- 需要路由的容器,必须在 Labels 添加 `traefik.enable=true`,否则不会被路由
+- 在附带的 `docker-compose.yml` 中有一些说明,请仔细阅读
diff --git a/Traefik Proxy/docker-compose.yml b/Traefik Proxy/docker-compose.yml
new file mode 100644
index 0000000..27ce3bb
--- /dev/null
+++ b/Traefik Proxy/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '3'
+
+networks:
+  web:
+    name: web
+    driver: bridge
+
+# 如果使用本 Compose 配置文件启动 Traefik,那么在其他 Compose 文件中只需要这样声明:
+#
+# networks:
+#   web:
+#     name: web
+#     external: true
+#
+# 然后让需要使用 Traefik 路由的容器加入 web 网络,并在 labels 中添加如下声明(基本的):
+# labels:
+#   - traefik.enable=true
+#   - traefik.http.routers.jenkins.rule=Host(``)
+
+services:
+  traefik:
+    # 使用前请更新至最新版.
+    image: traefik:v2.9
+    container_name: traefik
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./traefik.yml:/etc/traefik/traefik.yml
+      - ./traefik/acme/:/etc/traefik/acme
+    networks:
+      - web
\ No newline at end of file
diff --git a/Traefik Proxy/traefik.yml b/Traefik Proxy/traefik.yml
new file mode 100644
index 0000000..cf93426
--- /dev/null
+++ b/Traefik Proxy/traefik.yml
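Review bot: The bind mount `- /var/run/docker.sock:/var/run/docker.sock` hands the Traefik container full read-write access to the host Docker API, which is equivalent to root on the host if Traefik (or anything reaching it) is compromised; the hunk neither limits this nor documents it, although the comment block above goes into detail about network wiring. Mounting the socket `:ro` is the minimal change, but a read-only bind mount does not stop API calls over the socket, so the comment should say that and point the reader to fronting the daemon with a socket proxy that exposes only the endpoints Traefik's Docker provider needs. I would also add a comment on `- ./traefik/acme/:/etc/traefik/acme` noting that Traefik refuses to use an `acme.json` whose permissions are wider than owner-only, so the directory should be created with restricted permissions before first start. Suggested line and comment: `# Full Docker API access; prefer a restricted socket proxy. ':ro' alone does not limit API calls.` followed by `- /var/run/docker.sock:/var/run/docker.sock:ro`.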
@@ -0,0 +1,64 @@
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    network: "web"
+    exposedByDefault: false
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: defaultResolver
+
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        # TLS 1.2
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_RSA_WITH_AES_256_GCM_SHA384
+        # TLS 1.3
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      sniStrict: true
+    highSecure:
+      minVersion: VersionTLS13
+      sniStrict: true
+
+certificatesResolvers:
+  defaultResolver:
+    # Enable ACME (Let's Encrypt): automatic SSL.
+    acme:
+
+      # Email address used for registration.
+      #
+      # Required
+      #
+      email: ""
+
+      # File or key used for certificates storage.
+      #
+      # Required
+      #
+      storage: "/etc/traefik/acme/acme.json"
+      httpChallenge:
+        entryPoint: web
+      tlsChallenge: {}
+
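Review bot: The `default` TLS option's `cipherSuites` list includes `TLS_RSA_WITH_AES_128_GCM_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`, which use static RSA key exchange and therefore provide no forward secrecy; they are not part of Mozilla's intermediate recommendation that the accompanying Readme says this configuration follows, so either drop those two lines or correct the Readme claim. The three entries under `# TLS 1.3` are harmless but, as far as I know, Traefik (via Go's TLS stack) does not allow TLS 1.3 cipher suites to be configured, so a comment such as `# TLS 1.3 suites are fixed by the TLS library; listed here for documentation only` would prevent readers from assuming this list restricts 1.3 handshakes. Since `email: ""` is marked `# Required` but left empty, the ACME resolver will not be usable as shipped; a comment like `# Must be set before first start, otherwise ACME registration fails` next to it would make the template's intent explicit rather than relying on the Readme alone.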