-
Notifications
You must be signed in to change notification settings - Fork 1
/
docker-compose.yml
178 lines (171 loc) · 14.1 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
version: "3.3"
# docker-compose.yml configuration for a simple HTTP service container
# that sits behind traefik and returns harmless information about the HTTP request. Useful
# for debugging connectivity and Traefik configuration issues.
#
# WARNING: This stack exposes all HTTP client headers to any client that can access it. This
# includes cookies marked 'httpOnly' as well as headers added by reverse proxies
# before being forwarded to this service. In notrivial configurations it may pose
# a security risk. For example, JavaScript running in a browser in the same
# site domain will be able to read its httpOnly cookies, which can create a
# cross-site scripting attack risk even if this service is behind authentication.
# Do not use this stack in a production environment without careful consideration .
#
# Environment Variables:
# SUBDOMAIN The DNS subdomain that is prepended to ${PARENT_DNS_DOMAIN} to get this service's
# DNS name. Also used as the URL prefix for
# path-based routing.
# The fully qualified DNS name ${SUBDOMAIN}.${PARENT_DNS_DOMAIN} must be a
# valid DNS name that resolves to your gateway router's public IP address. *before*
# starting this stack. If you do not, lets-encrypt will be unable to validate the
# certificate request, and will eventually throttle you for a week at a time.
# If omitted, defaults to 'whoami'.
#
# WHOAMI_HOSTNAME The linux hostname used for the service container. Not related to the HTTP hostname
# which is ${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}. This value is included in the whoami
# HTTP respose as "Hostname: ${WHOAMI_HOSTNAME:-${SUBDOMAIN:-whoami}}".
# It is useful to distinguish between responses from multiple instances of this service container.
# If omitted, defaults to ${SUBDOMAIN:-whoami}.
#
# === Variables below are provided by Portainer when launched on tp_hub, and do not need to be added to launch environment variables ===
#
#
# PARENT_DNS_DOMAIN The parent DNS domain name. The fully qualified DNS name will be "${SUBDOMAIN}.${PARENT_DNS_DOMAIN}".
#
# SHARED_APP_HOST_RULE
# The "Host" Traefik rule expression that will match all HTTP(S) hostnames for the shared public
# apps.
#
# SHARED_LAN_APP_HTTP_HOST_RULE
# The "Host" Traefik rule expression that will match all HTTP hostnames for the private LAN-only
# apps.
#
# SHARED_LAN_APP_HTTPS_HOST_RULE
# The "Host" Traefik rule expression that will match all HTTPS hostnames for the private LAN-only
# apps.
#
# This stack serves:
# http://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN} (public internet or private LAN) (hostname based)
# https://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN} (public internet or private LAN) (hostname based)
# http://${SHARED_APP_DNS_NAME}/${SUBDOMAIN:-whoami} (public internet or private LAN) (path-based, handled by <common-lan-local-hostname> router; see below)
# https://${SHARED_APP_DNS_NAME}/${SUBDOMAIN:-whoami} (public internet or private LAN) (path-based)
# http://${SHARED_LAN_APP_DNS_NAME}/${SUBDOMAIN:-whoami} (private LAN) (path-based, handled by <common-lan-local-hostname> router; see below)
# https://${SHARED_LAN_APP_DNS_NAME}/${SUBDOMAIN:-whoami} (private LAN only) (path-based)
# http://<common-lan-local-hostname>/${SUBDOMAIN:-whoami} (private LAN only) (path-based, multiple hostnames accepted; see below)
#
# Where <common-lan-local-hostname> is one of:
# ${SHARED_APP_DNS_NAME}
# ${SHARED_LAN_APP_DNS_NAME}
# ${HUB_HOSTNAME}
# ${HUB_HOSTNAME2}
# ${HUB_LAN_IP}
# localhost
# 127.0.0.1
#
# The exact list will vary based on configuration.
#
# The path-based routes all strip off the "/${SUBDOMAIN:-whoami}" URL" prefix before forwarding to the whoami service; the stripped
# prefix is passed on in the "X-Forwarded-Prefix" header. This technique is useful for routing a single DNS name to multiple services that
# would otherwise collide in the URL paths that they serve. It should be noted that in many cases the service itself must be configured to
# handle the X-Forwarded-Prefix in order to work correctly (e.g., to add the prefix back in when returning link URLs or redirects).
# In this case, the whoami service is so trivial that it does not care how the URL path is modified, and it never returns link URLs
# or redirects.
#
# Prerequisites:
# Prerequisites common to all stacks (only done once when traefik is initially set up):
# * The traefik docker-compose stack has been installed and runs on this host.
# * The portainer docker-compose stack has been installed and runs on this host.
# * This stack is launched within Portainer and can make use of Portainer's injected environment variables.
#
services:
whoami:
image: "traefik/whoami" # a simple, harmless HTTP server on port 80 that returns info about the HTTP request, such as headers
hostname: ${WHOAMI_HOSTNAME:-${SUBDOMAIN:-whoami}}
networks:
- traefik # The network through which traefik forwards requests to our service
restart: always # This container will be restarted when this host reboots or docker is restarted
labels:
- "traefik.enable=true" # tells traefik that this container should be reverse-proxied
# Middleware that will strip off the /${SUBDOMAIN:-whoami} prefix before forwarding to the whoami service (used by multiple routers)
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-strip-prefix.stripPrefix.prefixes=/${SUBDOMAIN:-whoami}"
# NOTE: If the routes below seem unnecessarily complex, it is because they are separated into multiple routers to allow detailed
# routing info to be included in a "X-Route-Info" header that is passed to the whoami service and then returned in the
# whoami response. This is useful for debugging and understanding traefik routing behavior. If you don't need this, it
# is possible to greatly simplify the routing configuration; e.g., by serving multiple entrypoints and hostnames with
# a single router.
# -----------------------------------------
# A router for https://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}, on the public internet entrypoint
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-public.entrypoints=websecure"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-public.rule=Host(`${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-https-public-headers.headers.customrequestheaders.X-Route-Info=entrypoint=websecure; router=${SUBDOMAIN:-whoami}-https-public"
# Add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-public.middlewares=${SUBDOMAIN:-whoami}-https-public-headers"
# -----------------------------------------
# A router for https://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}, on the local lan entrypoint
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-private.entrypoints=lanwebsecure"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-private.rule=Host(`${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-https-private-headers.headers.customrequestheaders.X-Route-Info=entrypoint=lanwebsecure; router=${SUBDOMAIN:-whoami}-https-private"
# Add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-private.middlewares=${SUBDOMAIN:-whoami}-https-private-headers"
# -----------------------------------------
# A router for http://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}, on the public internet entrypint
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-public.entrypoints=web"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-public.rule=Host(`${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-http-public-headers.headers.customrequestheaders.X-Route-Info=entrypoint=web, router=${SUBDOMAIN:-whoami}-http-public"
# Add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-public.middlewares=${SUBDOMAIN:-whoami}-http-public-headers"
# -----------------------------------------
# A router for http://${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}, on the local LAN entrypoint
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private.entrypoints=lanweb"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private.rule=Host(`${SUBDOMAIN:-whoami}.${PARENT_DNS_DOMAIN}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-http-private-headers.headers.customrequestheaders.X-Route-Info=entrypoint=lanweb, router=${SUBDOMAIN:-whoami}-http-private"
# Add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private.middlewares=${SUBDOMAIN:-whoami}-http-private-headers"
# -----------------------------------------
# A router for http(s)://${SHARED_APP_DNS_NAME}/${SUBDOMAIN:-whoami}, on the public internet entrypoint
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-public-path.entrypoints=websecure"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-public-path.rule=${SHARED_APP_HOST_RULE} && PathPrefix(`/${SUBDOMAIN:-whoami}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-https-shared-public-path-headers.headers.customrequestheaders.X-Route-Info=entrypoint=websecure, router=${SUBDOMAIN:-whoami}-https-shared-public-path"
# Strip the prefix and add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-public-path.middlewares=${SUBDOMAIN:-whoami}-strip-prefix,${SUBDOMAIN:-whoami}-https-shared-public-path-headers"
# -----------------------------------------
# A router for https://${SHARED_APP_DNS_NAME}/${SUBDOMAIN:-whoami}, on the local LAN entrypointy
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-private-path.entrypoints=lanwebsecure"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-private-path.rule=${SHARED_LAN_APP_HTTPS_HOST_RULE} && PathPrefix(`/${SUBDOMAIN:-whoami}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-https-shared-private-path-headers.headers.customrequestheaders.X-Route-Info=entrypoint=lanwebsecure, router=${SUBDOMAIN:-whoami}-https-shared-private-path"
# Strip the prefix and add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-private-path.middlewares=${SUBDOMAIN:-whoami}-strip-prefix,${SUBDOMAIN:-whoami}-https-shared-private-path-headers"
# -----------------------------------------
# A router for http://<common-lan-local-hostname>/${SUBDOMAIN:-whoami}, on the local LAN entrypoint only
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private-path.entrypoints=lanweb"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private-path.rule=${SHARED_LAN_APP_HTTP_HOST_RULE} && PathPrefix(`/${SUBDOMAIN:-whoami}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-http-private-path-headers.headers.customrequestheaders.X-Route-Info=entrypoint=lanweb, router=${SUBDOMAIN:-whoami}-http-private-path"
# Strip the prefix and add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-http-private-path.middlewares=${SUBDOMAIN:-whoami}-strip-prefix,${SUBDOMAIN:-whoami}-http-private-path-headers"
# -----------------------------------------
# A router for https://${SHARED_LAN_APP_DNS_NAME}/${SUBDOMAIN:-whoami}, on the local LAN entrypoint only
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-lan-private-path.entrypoints=lanwebsecure"
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-lan-private-path.rule=${SHARED_LAN_APP_HTTPS_HOST_RULE} && PathPrefix(`/${SUBDOMAIN:-whoami}`)"
# Following middleware will add a request header that will be displayed by whoami to show route configuration
- "traefik.http.middlewares.${SUBDOMAIN:-whoami}-https-shared-lan-private-path-headers.headers.customrequestheaders.X-Route-Info=entrypoint=lanwebsecure, router=${SUBDOMAIN:-whoami}-https-shared-lan-private-path"
# Strip the prefix and add an X-Route-Info header
- "traefik.http.routers.${SUBDOMAIN:-whoami}-https-shared-lan-private-path.middlewares=${SUBDOMAIN:-whoami}-strip-prefix,${SUBDOMAIN:-whoami}-https-shared-lan-private-path-headers"
# -----------------------------------------
networks:
# The backend docker network used for traefik reverse-proxy request forwarding. All containers
# that provide HTTP services behind the traefik reverse-proxy should be placed in
# this network. traefik will route to the service on its exposed port, if there is exactly one, or port
# 80 by default. This can be overridden with:
#
# traefik.http.services.<service-name>.loadbalancer.server.port=<custom-port>
#
# It is not necessary for containers behind the reverse-proxy to expose their HTTP port to the host.
traefik:
external: true