添加 Traefik Proxy 的配置模板。

2023-03-10 17:24:36 +08:00 · 2023-03-10 17:24:36 +08:00 · a56a52d091
commit a56a52d091
parent 9cd6b9d5b2
3 changed files with 115 additions and 0 deletions
--- a/Proxy/Readme.md
+++ b/Proxy/Readme.md
@ -0,0 +1,18 @@
 # Traefik Proxy
 官方地址：[Traefik Proxy - TraefikLabs](https://traefik.io/traefik/)
 配置已设定为：
 - 启用 HTTP 和 HTTPS
 - 已按照 Mozilla 的 SSL 安全建议配置了 SSL
  - 默认可使用最低的 TLS 版本：1.2
  - 已按 Mozilla 的建议限制了 TLS 1.2 的密码套件
 - 提供 `highSecure` TLS 选项，可在 Docker Container Labels 中配置使用
  - 仅支持 TLS 1.3
 需要注意的事情：
 - 证书配置需要手动设置证书关联的邮箱地址.
 - 需要路由的容器，必须在 Labels 添加 `traefik.enable=true`，否则不会被路由
 - 在附带的 `docker-compose.yml` 中有一些说明，请仔细阅读
--- a/Proxy/docker-compose.yml
+++ b/Proxy/docker-compose.yml
@ -0,0 +1,33 @@
 version: '3'
 networks:
  web:
    name: web
    driver: bridge
 # 如果使用本 Compose 配置文件启动 Traefik，那么在其他 Compose 文件中只需要这样声明：
 #
 # networks:
 #   web:
 #     name: web
 #     external: true
 #
 # 然后让需要使用 Traefik 路由的容器加入 web 网络，并在 labels 中添加如下声明（基本的）：
 # labels:
 #   - traefik.enable=true
 #   - traefik.http.routers.jenkins.rule=Host(`<Route Domain>`)
 services:
  traefik:
    # 使用前请更新至最新版.
    image: traefik:v2.9
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./traefik/acme/:/etc/traefik/acme
    networks:
      - web
--- a/Proxy/traefik.yml
+++ b/Proxy/traefik.yml
@ -0,0 +1,64 @@
 providers:
  docker: 
    endpoint: "unix:///var/run/docker.sock"
    network: "web"
    exposedByDefault: false
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: defaultResolver
 tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        # TLS 1.2
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_RSA_WITH_AES_128_GCM_SHA256
        - TLS_RSA_WITH_AES_256_GCM_SHA384
        # TLS 1.3
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      sniStrict: true
    highSecure:
      minVersion: VersionTLS13
      sniStrict: true
 certificatesResolvers:
  defaultResolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:
      # Email address used for registration.
      #
      # Required
      #
      email: "<Website owner email>"
      # File or key used for certificates storage.
      #
      # Required
      #
      storage: "/etc/traefik/acme/acme.json"
      httpChallenge:
        entryPoint: web
      tlsChallenge: {}