
Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 1 insertion, 1 deletion

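--- a/migrate_to_v2.sh
+++ b/migrate_to_v2.sh
@@ -16,7 +16,7 @@ wget https://gist.githubusercontent.com/waja/37202007b10837a7fc2e6eacacd9b335/ra
 ADMIN_CRED="$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
 EMAIL="$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
 echo "LEMAIL=${EMAIL}" > ${BASEPATH}/.env
-echo "#LEAPI=https://acme-staging-v02.api.letsencrypt.org/directory" ${BASEPATH}/.env
+echo "#LEAPI=https://acme-staging-v02.api.letsencrypt.org/directory" >> ${BASEPATH}/.env
 echo "DASHBOARD_USERS=${ADMIN_CRED}" >> ${BASEPATH}/.env
 
 # Migrate old acme store to the new once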
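Review bot: The `.env` written by lines 18–20 now carries the dashboard's basic-auth hash (`DASHBOARD_USERS`) and is created with the shell's default umask, so it is typically world-readable; add `chmod 600 "${BASEPATH}/.env"` after the three `echo` lines (deploy_traefik.sh makes that path a symlink into container.conf, and chmod follows it to the real file). The `grep users` on line 16 is also unanchored, so any other line of the old toml that happens to contain that word would make `ADMIN_CRED` multi-line and corrupt the file; `grep '^ *users'` narrows it to the key. The rest of the script is outside the hunk.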

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 2 insertions, 2 deletions

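--- a/migrate_to_v2.sh
+++ b/migrate_to_v2.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 BASEPATH="/srv/docker/traefik2/"
-ADMIN_CRED="$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
-EMAIL="$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
 
 export TRAEFIK_DIR="traefik2"
 
@@ -15,6 +13,8 @@ wget https://gist.githubusercontent.com/waja/37202007b10837a7fc2e6eacacd9b335/ra
 bash /tmp/deploy_traefik.sh
 
 # Migrate settings from old toml config
+ADMIN_CRED="$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
+EMAIL="$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
 echo "LEMAIL=${EMAIL}" > ${BASEPATH}/.env
 echo "#LEAPI=https://acme-staging-v02.api.letsencrypt.org/directory" ${BASEPATH}/.env
 echo "DASHBOARD_USERS=${ADMIN_CRED}" >> ${BASEPATH}/.env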
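Review bot: Moving the two `grep` calls (lines 16–17) behind the deploy step still does not check that they produced anything: if the old toml is missing or the pattern does not match, `grep` fails quietly (there is no `set -e`) and line 20 writes `DASHBOARD_USERS=` with an empty value. The compose file generated by deploy_traefik.sh reads it as `${DASHBOARD_USERS:-admin:…}`, and compose treats an empty value like an unset one for `:-`, so the migrated dashboard would silently come up behind the default hash that is published in this gist. Fail instead: `[ -n "${ADMIN_CRED}" ] && [ -n "${EMAIL}" ] || { echo "old traefik.toml: users/email not found" >&2; exit 1; }` directly after line 17.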

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 2 insertions, 2 deletions

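--- a/migrate_to_v2.sh
+++ b/migrate_to_v2.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 BASEPATH="/srv/docker/traefik2/"
-ADMIN_CRED=$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)
-EMAIL=$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)
+ADMIN_CRED="$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
+EMAIL="$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)"
 
 export TRAEFIK_DIR="traefik2"
 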

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 2 insertions, 2 deletions

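--- a/migrate_to_v2.sh
+++ b/migrate_to_v2.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 BASEPATH="/srv/docker/traefik2/"
-ADMIN_CRED='$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)'
-EMAIL='$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)'
+ADMIN_CRED=$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)
+EMAIL=$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)
 
 export TRAEFIK_DIR="traefik2"
 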

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 3 insertions, 3 deletions

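--- a/deploy_traefik.sh
+++ b/deploy_traefik.sh
@@ -41,7 +41,7 @@ services:
 # Enable Traefik for it's own backend
 - traefik.enable=true
 # Dashboard
-- traefik.http.routers.traefik.rule=Host(`traefik.test.org`)
+- traefik.http.routers.traefik.rule=Host(\`traefik.test.org\`)
 - traefik.http.routers.traefik.entrypoints=websecure
 - traefik.http.routers.traefik.tls=true
 - traefik.http.routers.traefik.tls.certresolver=default
@@ -72,7 +72,7 @@ services:
 traefik:
 labels:
 # See https://docs.traefik.io/migration/v1-to-v2/#strip-and-rewrite-path-prefixes
-- traefik.http.routers.traefik.rule=Host(`$(hostname -f)`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))
+- traefik.http.routers.traefik.rule=Host(\`$(hostname -f)\`) && (PathPrefix(\`/traefik\`) || PathPrefix(\`/api\`))
 # Redefine middleware for router 'traefik' as we add more middlewares
 - traefik.http.routers.traefik.middlewares=authtraefik@docker,traefik-dashboard-stripprefix@file,default-security-headers@file
 EOF
@@ -167,7 +167,7 @@ http:
 # global redirect to https
 # per domain see https://doc.traefik.io/traefik/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers
 web-to-websecure:
-rule: "hostregexp(`{host:.+}`)"
+rule: "hostregexp(\`{host:.+}\`)"
 service: "redirect-dummy@file"
 entryPoints:
 - "web"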
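Review bot: In the third hunk the backtick escaping is only needed because the `traefik_providers.yaml` heredoc uses an unquoted delimiter; unlike the compose heredoc, which deliberately expands `$(hostname -f)` and `\${LEAPI…}`, that YAML contains no shell expansions at all, so opening it with `cat > …/traefik_providers.yaml <<'EOF'` would make the `\`` unnecessary and would also stop any `$` later added to a regex or CSP value from being expanded by the shell at deploy time. The `cat` that opens that heredoc and the `EOF` that closes it are both outside the hunk.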

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 27 insertions

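--- /dev/null
+++ b/migrate_to_v2.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+BASEPATH="/srv/docker/traefik2/"
+ADMIN_CRED='$(grep users ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)'
+EMAIL='$(grep email ${BASEPATH}/../traefik/config/traefik.toml | cut -d \" -f2)'
+
+export TRAEFIK_DIR="traefik2"
+
+# Download deployment script
+wget https://gist.githubusercontent.com/waja/37202007b10837a7fc2e6eacacd9b335/raw/deploy_traefik.sh \
+-O /tmp/deploy_traefik.sh && \
+# Remove auto start of the traefik daemon
+sed '/^systemctl/d' -i /tmp/deploy_traefik.sh && \
+sed -i '/etc\/systemd\/system\/$/d' /tmp/deploy_traefik.sh && \
+# Run deployment
+bash /tmp/deploy_traefik.sh
+
+# Migrate settings from old toml config
+echo "LEMAIL=${EMAIL}" > ${BASEPATH}/.env
+echo "#LEAPI=https://acme-staging-v02.api.letsencrypt.org/directory" ${BASEPATH}/.env
+echo "DASHBOARD_USERS=${ADMIN_CRED}" >> ${BASEPATH}/.env
+
+# Migrate old acme store to the new once
+wget https://github.com/traefik/traefik-migration-tool/releases/download/v0.13.1/traefik-migration-tool_v0.13.1_linux_amd64.tar.gz -P /tmp
+tar -xf /tmp/traefik-migration-tool_v0.13.1_linux_amd64.tar.gz -C /tmp
+/tmp/traefik-migration-tool acme -i /srv/docker/traefik/config/acme.json -o /srv/docker/traefik2/config/acme-new.json
+
+# systemctl daemon-reload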
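Review bot: Lines 9–15 fetch `deploy_traefik.sh` from a mutable gist raw URL into the predictable path `/tmp/deploy_traefik.sh` and then run it with bash, so whoever can change the gist — or can pre-create or symlink that path in world-writable /tmp before the script runs — could get code executed as the (presumably root) user doing the migration. Pin the gist revision in the URL (`…/raw/<revision-sha>/deploy_traefik.sh`), download to `f="$(mktemp)"` and check a known digest before running it (`echo "<sha256>  $f" | sha256sum -c - || exit 1`); the migration-tool tarball on lines 23–25 is likewise extracted and executed without verifying the release checksum. Since there is no `set -e`, a failed download on line 23 still lets lines 24–25 run against whatever happens to be in /tmp.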

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 121 insertions, 60 deletions

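--- a/deploy_traefik.sh
+++ b/deploy_traefik.sh
@@ -1,27 +1,58 @@
 #!/bin/bash
-DOCKER_BASE=/srv/docker
+DOCKER_BASE="${DOCKER_BASE:-/srv/docker}"
+TRAEFIK_DIR="${TRAEFIK_DIR:-traefik}"
 
-mkdir -p ${DOCKER_BASE}/traefik/container.conf
+mkdir -p ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf
+
+touch ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/.env
+ln -s container.conf/.env ${DOCKER_BASE}/${TRAEFIK_DIR}/
+
+cat > ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/docker-compose.yml <<EOF
+# Inspired by https://containo.us/blog/traefik-2-0-docker-101-fc2893944b9d/
 
-cat > ${DOCKER_BASE}/traefik/container.conf/docker-compose.yml <<EOF
 version: '3.7'
 
 services:
 traefik:
-image: traefik:1.7-alpine
+image: traefik:2.4
+command:
+- --entrypoints.web.address=:80
+- --entrypoints.websecure.address=:443
+- "--log.level=INFO"
+- --providers.docker=true
+- --providers.docker.exposedbydefault=false
+- --api=true
+- --certificatesresolvers.default.acme.caserver=\${LEAPI:-https://acme-v02.api.letsencrypt.org/directory}
+- --certificatesresolvers.default.acme.email=\${LEMAIL:-ssladmin@test.org}
+- --certificatesresolvers.default.acme.storage=/etc/traefik/acme.json
+- --certificatesresolvers.default.acme.tlschallenge=true
+- --providers.file.filename=/etc/traefik/traefik_providers.yaml
+- --providers.file.watch=true
+logging:
+options:
+max-size: "100M"
+max-file: "10"
 networks:
 - system_traefik
 environment:
 - LC_ALL=C.UTF-8
 - TZ=Europe/Berlin
 labels:
+# Enable Traefik for it's own backend
 - traefik.enable=true
-- traefik.backend=traefik
-- traefik.port=8080
+# Dashboard
+- traefik.http.routers.traefik.rule=Host(`traefik.test.org`)
+- traefik.http.routers.traefik.entrypoints=websecure
+- traefik.http.routers.traefik.tls=true
+- traefik.http.routers.traefik.tls.certresolver=default
+- traefik.http.routers.traefik.service=api@internal
+# Basic auth for dashboard
+- traefik.http.routers.traefik.middlewares=authtraefik@docker,default-security-headers@file
+# middleware authtraefik
+- traefik.http.middlewares.authtraefik.basicauth.users=\${DASHBOARD_USERS:-admin:\$\$apr1\$\$AAbCdQpX\$\$ajelS9mMisKRG.lqcY/uXU/} # user/password
 ports:
 - "80:80"
 - "443:443"
-- "8080:8080"
 restart: always
 volumes:
 - "./config/:/etc/traefik/"
@@ -31,24 +62,22 @@ networks:
 system_traefik:
 external: true
 EOF
-ln -s container.conf/docker-compose.yml ${DOCKER_BASE}/traefik/
+ln -s container.conf/docker-compose.yml ${DOCKER_BASE}/${TRAEFIK_DIR}/
 
-cat > ${DOCKER_BASE}/traefik/container.conf/production.yml <<EOF
+cat > ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/production.yml <<EOF
 version: '3.7'
 
 services:
 
 traefik:
-logging:
-options:
-max-size: "100M"
-max-file: "10"
 labels:
-- traefik.frontend.rule=Host:host.test.org;PathPrefixStrip:/traefik
-- com.centurylinklabs.watchtower.enable=true
+# See https://docs.traefik.io/migration/v1-to-v2/#strip-and-rewrite-path-prefixes
+- traefik.http.routers.traefik.rule=Host(`$(hostname -f)`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))
+# Redefine middleware for router 'traefik' as we add more middlewares
+- traefik.http.routers.traefik.middlewares=authtraefik@docker,traefik-dashboard-stripprefix@file,default-security-headers@file
 EOF
 
-cat > ${DOCKER_BASE}/traefik/container.conf/traefik.service <<EOF
+cat > ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/traefik.service <<EOF
 [Unit]
 Description=Traefik Proxy Service
 After=network.target docker.service
@@ -68,50 +97,82 @@ ExecStop=/usr/local/bin/docker-compose -f "\${WORK_DIR}/docker-compose.yml" -f "
 [Install]
 WantedBy=docker.service
 EOF
-ln -s ${DOCKER_BASE}/traefik/container.conf/traefik.service /etc/systemd/system/
-
-mkdir -p ${DOCKER_BASE}/traefik/config
-
-cat > ${DOCKER_BASE}/traefik/config/traefik.toml <<EOF
-logLevel = "DEBUG"
-defaultEntryPoints = ["http", "https"]
-
-# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
-[web]
-address = ":8080"
-[web.auth.basic]
-users = ["admin:$apr1$AAbCdQpX$ajolS9mMfKRG.lqcY/uXU/"]
-
-# Connection to docker host system (docker.sock)
-[docker]
-domain = "test.org"
-watch = true
-# This will hide all docker containers that don't have explicitly
-# set label to "enable"
-exposedbydefault = false
-
-# Force HTTPS
-[entryPoints]
-[entryPoints.http]
-address = ":80"
-[entryPoints.http.redirect]
-entryPoint = "https"
-[entryPoints.https]
-address = ":443"
-[entryPoints.https.tls]
-minVersion = "VersionTLS12"
-
-# Let's encrypt configuration
-[acme]
-email="ssladmin@test.org"
-storage="/etc/traefik/acme.json"
-entryPoint="https"
-acmeLogging=true
-onDemand=false
-OnHostRule=true
-
-[acme.httpChallenge]
-entryPoint = "http"
+ln -s ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/traefik.service /etc/systemd/system/
+
+mkdir -p ${DOCKER_BASE}/${TRAEFIK_DIR}/config
+
+cat > ${DOCKER_BASE}/${TRAEFIK_DIR}/config/traefik_providers.yaml <<EOF
+---
+tls:
+options:
+default:
+minVersion: VersionTLS12
+sniStrict: true
+cipherSuites:
+# TLS 1.2 cipher suites.
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+# IE 11 and Safari < 9 + iOS <9, OSX < 10.11
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+# TLS 1.3 cipher suites.
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_CHACHA20_POLY1305_SHA256
+# TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator that the client is doing version fallback. See RFC 7507.
+- TLS_FALLBACK_SCSV
+curvePreferences:
+- CurveP521
+- CurveP384
+
+http:
+middlewares:
+redirect-web-to-websecure:
+redirectScheme:
+scheme: https
+permanent: true
+default-security-headers:
+headers:
+accessControlAllowMethods:
+- GET
+- POST
+- DELETE
+- OPTIONS
+accessControlAllowOriginList: ["<origin>"]
+accessControlMaxAge: 100
+browserXssFilter: true
+contentTypeNosniff: true
+forceSTSHeader: true
+# frameDeny: true
+sslRedirect: true
+stsIncludeSubdomains: true
+stsPreload: true
+stsSeconds: 315360000
+# contentSecurityPolicy: "default-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;font-src 'self' data:;connect-src 'self' ws: wss:"
+# customRequestHeaders:
+# X-Frame-Options: "SAMEORIGIN"
+# customFrameOptionsValue: "SAMEORIGIN"
+referrerPolicy: "same-origin"
+featurePolicy: "vibrate 'self'"
+traefik-dashboard-stripprefix:
+stripPrefix:
+prefixes:
+- "/traefik"
+services:
+redirect-dummy:
+loadBalancer:
+servers:
+- url: ""
+routers:
+# global redirect to https
+# per domain see https://doc.traefik.io/traefik/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers
+web-to-websecure:
+rule: "hostregexp(`{host:.+}`)"
+service: "redirect-dummy@file"
+entryPoints:
+- "web"
+middlewares:
+- redirect-web-to-websecure@file
 EOF
 
 systemctl daemon-reload && systemctl enable traefik && systemctl start traefik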
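Review bot: Line 52 makes the dashboard's `basicauth.users` fall back to `admin:$apr1$AAbCdQpX$…` whenever `DASHBOARD_USERS` is unset or empty; that hash is published in this gist, so the "default" is effectively a known password in front of `api@internal`, which exposes the complete routing and middleware configuration. Use compose's required-variable form instead, `\${DASHBOARD_USERS:?set DASHBOARD_USERS in .env}`, so the stack refuses to start rather than silently falling back. The `.env` created by `touch` on line 7 is where that hash is meant to live; `install -m 600 /dev/null ${DOCKER_BASE}/${TRAEFIK_DIR}/container.conf/.env` in place of the `touch` would create it non-world-readable from the start. Line 141's `accessControlAllowOriginList: ["<origin>"]` also looks like a leftover placeholder rather than a real origin and is emitted into the live middleware, which is worth confirming. The compose heredoc continues past the end of the first hunk.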

Jan Wagner zrewidował ten Gist 4 years ago. Przejdź do rewizji

1 file changed, 22 insertions

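--- /dev/null
+++ b/deploy_socat.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ $(ip -6 route | grep -c ^default) -eq 0 ]; then exit; fi
+apt install socat || exit
+
+cat > /etc/systemd/system/socat\@.service <<EOF
+[Unit]
+Description=ipv6 to ipv4 port forwarding
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/socat TCP6-LISTEN:%i,ipv6only=1,reuseaddr,fork TCP4:127.0.0.1:%i
+
+[Install]
+WantedBy=docker.service
+EOF
+systemctl daemon-reload
+for PROTO in http https; do
+systemctl enable socat@${PROTO}.service
+systemctl start socat@${PROTO}.service
+done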
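Review bot: The socat relay on line 13 terminates the IPv6 connection and opens a fresh one from 127.0.0.1, so Traefik sees every IPv6 client as localhost: access logs, any `ipWhiteList` or rate-limit middleware keyed on the client address, and anything that trusts forwarded headers from 127.0.0.1 are blind or wrong for IPv6 traffic, and nothing in the unit says so. At minimum put `# NOTE: socat rewrites the source address; Traefik cannot see the real IPv6 client` above `ExecStart`, or publish the ports on `[::]` through Docker instead of bridging them. Line 4's `apt install socat` has no `-y`, so it prompts when run interactively and, as far as I recall, aborts when stdin is not a TTY; `apt-get install -y socat || exit 1` is the non-interactive form.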

Jan Wagner zrewidował ten Gist 6 years ago. Przejdź do rewizji

2 files changed, 3 insertions, 1 deletion

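--- a/deploy_traefik.sh
+++ b/deploy_traefik.sh
@@ -99,7 +99,7 @@ exposedbydefault = false
 [entryPoints.https]
 address = ":443"
 [entryPoints.https.tls]
-minVersion = "VersionTLS11"
+minVersion = "VersionTLS12"
 
 # Let's encrypt configuration
 [acme]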

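--- /dev/null
+++ b/migrate_traefik_TLS12.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+sed -i s/VersionTLS11/VersionTLS12/ /srv/docker/traefik/config/traefik.toml && systemctl restart traefik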
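Review bot: `sed -i` on line 2 exits 0 whether or not `VersionTLS11` was found, so `systemctl restart traefik` runs unconditionally and a toml that never had a `minVersion` line is left at Traefik's built-in minimum rather than raised to TLS 1.2, with no error to tell you. Verify the result before restarting: `grep -q 'minVersion = "VersionTLS12"' /srv/docker/traefik/config/traefik.toml || { echo "minVersion not set to TLS12" >&2; exit 1; }` between the `sed` and the restart. The substitution is also unanchored and matches the token anywhere in the file, which is harmless for this toml but worth narrowing to the `minVersion` line.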

Jan Wagner zrewidował ten Gist 6 years ago. Przejdź do rewizji

1 file changed, 4 insertions

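--- a/deploy_traefik.sh
+++ b/deploy_traefik.sh
@@ -39,6 +39,10 @@ version: '3.7'
 services:
 
 traefik:
+logging:
+options:
+max-size: "100M"
+max-file: "10"
 labels:
 - traefik.frontend.rule=Host:host.test.org;PathPrefixStrip:/traefik
 - com.centurylinklabs.watchtower.enable=true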