update traefik #62

Status: Open. Wants to merge 1 commit into base: master.

Conversation

tomkralidis

Updates Traefik setup (NOTE: first pass, needs testing).

@tomkralidis tomkralidis requested a review from justb4 February 17, 2025 22:25

justb4 commented Feb 18, 2025

Yes, will need quite some rework. Not only under the traefik dir, but also all services/*/docker-compose.yml. The config conventions have completely changed since Traefik v1. Advantage is we don't need all the config files, and store SSL certs in a Docker Volume. Below is the rough sketch.

A Traefik v3 docker-compose.yml in my projects looks like this with adaptations:

services:
  traefik:
    image: traefik:v3.1.6

    container_name: traefik

    restart: always

    environment:
      - TZ=Europe/Amsterdam

    ports:
      - "${HTTP_PORT}:80"
      - "443:443"

    command:
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443

      # Define Providers
      - --providers.docker
      - --providers.docker.watch=true
      - --providers.docker.exposedbydefault=false
      - --providers.file
      - --providers.file.directory=/etc/traefikdyn

      # Create the certificate resolver "le" for Let's Encrypt
      # (the contact address was stripped by page extraction; the value below is a placeholder)
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true

      - --accesslog
      - --accesslog.filePath=/var/log/traefik/access.log
      - --accesslog.fields.names.StartUTC=drop
      # Enable the Traefik log, for configurations and errors
      - --log
      - --log.level=info
      - --log.filePath=/var/log/traefik/traefik.log

    labels:
      - "traefik.enable=true"

      # Permanent redirect http to https middleware
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

      # Always redirect our main/production domain from http to https
      - "traefik.http.routers.traefik_http.rule=Host(`demo.pygeoapi.io`)"
      - "traefik.http.routers.traefik_http.entrypoints=http"
      - "traefik.http.routers.traefik_http.middlewares=https_redirect@docker"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./log/traefik:/var/log/traefik
      # Mount the volume to store the certificates
      - traefik_certificates:/certificates
      - ./dynconfig/:/etc/traefikdyn/

volumes:
  traefik_certificates:

networks:
  default:
    name: service-network
    external: true

Some shell vars are set in local env files. The idea is that one can run the entire stack on a local system with just Docker installed. But then one needs other HTTP ports and no SSL-certificates. A typical service docker-compose.yml then looks like this:

services:

  docs:
    
    image: map5/docs:latest

    container_name: docs

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=service-network"

      - "traefik.http.routers.docs_https.rule=Host(`demo.pygeoapi.io`) && PathPrefix(`/docs`)"
      - "traefik.http.routers.docs_https.entrypoints=https"
      - "traefik.http.routers.docs_https.tls=true"
      - "traefik.http.routers.docs_https.tls.certresolver=le"
      - "traefik.http.routers.docs_https.tls.options=my_default@file"
      - "traefik.http.routers.docs_https.middlewares=secure-headers@file"

      - "traefik.http.routers.docs_http.rule=Host(`localhost`) && PathPrefix(`/docs`)"
      - "traefik.http.routers.docs_http.entrypoints=http"

networks:
  default:
    name: service-network
    external: true

The remaining files are options and middlewares defined in .yml files under git/services/traefik/dynconfig/:

tls.yml for TLS options:

# https://www.djpic.net/articles/traefik-v2-secure-tls-and-header-configuration-with-docker-provider/
tls:
  options:
    my_default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    tlsv13only:
      minVersion: VersionTLS13

See https://www.djpic.net/articles/traefik-v2-secure-tls-and-header-configuration-with-docker-provider/ for why TLS options are needed.
This will give an A rating for the SSL certificate. It is currently 'B' because defaults are used (screenshot of the rating omitted).

middlewares.yml for Traefik Middleware defs, secure headers, options:

# https://www.djpic.net/articles/traefik-v2-secure-tls-and-header-configuration-with-docker-provider/
http:
  middlewares:
    secure-headers:
      headers:
        # sslRedirect: true - no use explicit middleware rules!
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlAllowMethods:
          - GET
          - POST
          - PUT
        # list-typed options written as YAML lists; keys use Traefik's documented casing
        accessControlAllowOriginList:
          - '*'
        accessControlMaxAge: 100
        addVaryHeader: true
        accessControlAllowHeaders:
          - Authorization
        hostsProxyHeaders:
          - X-Forwarded-Host
        # referrerPolicy: origin-when-cross-origin

In an env.sh file conditional vars can be set:

#!/bin/bash

export HTTP_PORT="80"

[[ ${HOSTNAME} != "PYGEOAPI" ]] && HTTP_PORT="8000"

And the start.sh script

#!/bin/bash

./stop.sh

source ./env.sh

mkdir -p ./log
chmod 755  ./log
docker compose up -d

And stop.sh

#!/bin/bash

# stop
source ./env.sh
docker compose down --remove-orphans
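An added audit script (not part of this PR or the pygeoapi project) that checks the tls.yml options and the secure-headers middleware sketched above against a baseline a reviewer would want: TLS 1.2 or higher pinned, sniStrict on, only the allowlisted forward-secret AEAD suites, HSTS max-age of at least one year, nosniff set, and no deprecated sslRedirect. It assumes the two dynconfig files have been loaded into dicts (e.g. with yaml.safe_load); the embedded samples are constructed to mirror the snippets in the comment.

```python
"""Audit Traefik dynamic config (tls options + headers middleware) against a hardening baseline."""

# Forward-secret AEAD suites only; same allowlist as tls.yml above.
STRONG_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}
TLS_ORDER = {"VersionTLS10": 10, "VersionTLS11": 11, "VersionTLS12": 12, "VersionTLS13": 13}
ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

def audit_tls_options(tls_cfg: dict) -> list:
    """Findings for every entry under tls.options; an empty list means compliant."""
    findings = []
    for name, opt in tls_cfg.get("tls", {}).get("options", {}).items():
        if TLS_ORDER.get(opt.get("minVersion", ""), 0) < 12:
            findings.append(f"{name}: minVersion not pinned to TLS 1.2 or higher")
        if not opt.get("sniStrict", False):
            findings.append(f"{name}: sniStrict off, clients without SNI get the default certificate")
        for suite in opt.get("cipherSuites", []):
            if suite not in STRONG_SUITES:
                findings.append(f"{name}: cipher suite {suite} not on the allowlist")
    return findings

def audit_secure_headers(http_cfg: dict, middleware: str = "secure-headers") -> list:
    """Findings for the headers middleware that the *_https routers reference."""
    headers = http_cfg.get("http", {}).get("middlewares", {}).get(middleware, {}).get("headers")
    if headers is None:
        return [f"{middleware}: middleware not defined"]
    findings = []
    if headers.get("stsSeconds", 0) < ONE_YEAR:
        findings.append(f"{middleware}: stsSeconds below one year")
    if headers.get("stsPreload") and not headers.get("stsIncludeSubdomains"):
        findings.append(f"{middleware}: stsPreload requires stsIncludeSubdomains")
    if not headers.get("contentTypeNosniff"):
        findings.append(f"{middleware}: contentTypeNosniff missing")
    if "sslRedirect" in headers:
        findings.append(f"{middleware}: sslRedirect is deprecated, use a redirectScheme middleware")
    return findings

# Constructed samples mirroring tls.yml and middlewares.yml above
# (in practice load them with yaml.safe_load from dynconfig/).
TLS_SAMPLE = {"tls": {"options": {
    "my_default": {"minVersion": "VersionTLS12", "sniStrict": True, "cipherSuites": list(STRONG_SUITES)},
    "tlsv13only": {"minVersion": "VersionTLS13"}}}}
HTTP_SAMPLE = {"http": {"middlewares": {"secure-headers": {"headers": {
    "stsIncludeSubdomains": True, "stsPreload": True, "stsSeconds": 63072000, "contentTypeNosniff": True}}}}}

if __name__ == "__main__":
    for finding in audit_tls_options(TLS_SAMPLE) + audit_secure_headers(HTTP_SAMPLE):
        print("FINDING:", finding)
```

Run against the samples it reports one finding: the unused tlsv13only option does not set sniStrict, which is worth fixing before any router starts referencing it.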

@justb4 justb4 added the enhancement New feature or request label Feb 18, 2025