nebula/docker/conf/traefik.toml

defaultEntryPoints = ["http", "https"]
sendAnonymousUsage = true
checkNewVersion = false

[traefikLog]
[accessLog]

[entryPoints]
[entryPoints.https]
  address = ":443"
  # This is required for ACME support
  [entryPoints.https.tls]
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/git.captnemo.in.crt"
    keyFile  = "/etc/traefik/git.captnemo.in.key"
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/rss.captnemo.in.crt"
    keyFile  = "/etc/traefik/rss.captnemo.in.key"
  [[entryPoints.https.tls.certificates]]
    certFile = "/etc/traefik/tatooine.club.crt"
    keyFile  = "/etc/traefik/tatooine.club.key"

[docker]
  # Make sure you mount this as readonly
  # NOTE: readonly doesn't reduce the risk because
  # it is a unix socket - it doesn't automatically translate
  # read|write perms to GET/POST requests.
  endpoint = "unix:///var/run/docker.sock"
  domain = "bb8.fun"
  watch = true
  exposedbydefault = false

[file]
[backends]

# This is currently not exposed
# Since I can't apply a authentication
# on this yet

[web]
  address = ":1111"
  readOnly = true

# To enable Traefik to export internal metrics to Prometheus
[web.metrics.prometheus]

[acme]
email = "acme@captnemo.in"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = false
onDemand   = false
acmelogging = true

[acme.httpChallenge]
  entryPoint = "http"

[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 120
  resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

# Primary 2 wildcard certs
[[acme.domains]]
  main = "*.bb8.fun"
# Internal services are also protected!
[[acme.domains]]
  main = "*.in.bb8.fun"
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`defaultEntryPoints = ["http", "https"]`
Be a good citizen and report anon metrics to traefik 2018-03-02 09:00:40 +00:00			`sendAnonymousUsage = true`
cleanup, downgrade traefik 2018-04-19 15:10:52 +00:00			`checkNewVersion = false`

			`[traefikLog]`
			`[accessLog]`
Be a good citizen and report anon metrics to traefik 2018-03-02 09:00:40 +00:00
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[entryPoints]`
			`[entryPoints.https]`
			`address = ":443"`
			`# This is required for ACME support`
			`[entryPoints.https.tls]`
Switches gitea to git.captnemo.in 2017-12-25 12:28:13 +00:00			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/git.captnemo.in.crt"`
			`keyFile = "/etc/traefik/git.captnemo.in.key"`
Adds tt-rss and radarr 2018-01-29 20:09:36 +00:00			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/rss.captnemo.in.crt"`
			`keyFile = "/etc/traefik/rss.captnemo.in.key"`
[traefik] New tatooine.club keys Had to disable redirect 2022-12-26 07:18:34 +00:00			`[[entryPoints.https.tls.certificates]]`
			`certFile = "/etc/traefik/tatooine.club.crt"`
			`keyFile = "/etc/traefik/tatooine.club.key"`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00
workaround for traefik bug - XFO/Ref policy can't be applied yet 2017-11-29 21:15:38 +00:00			`[docker]`
Single certificate is better 2017-12-03 17:56:11 +00:00			`# Make sure you mount this as readonly`
Security note about docker socket mount 2021-02-02 08:37:15 +00:00			`# NOTE: readonly doesn't reduce the risk because`
			`# it is a unix socket - it doesn't automatically translate`
			`# read\|write perms to GET/POST requests.`
workaround for traefik bug - XFO/Ref policy can't be applied yet 2017-11-29 21:15:38 +00:00			`endpoint = "unix:///var/run/docker.sock"`
			`domain = "bb8.fun"`
			`watch = true`
Use variable for mariadb version 2018-05-05 20:15:12 +00:00			`exposedbydefault = false`
workaround for traefik bug - XFO/Ref policy can't be applied yet 2017-11-29 21:15:38 +00:00
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[file]`
			`[backends]`

Adds things 2017-11-26 20:16:49 +00:00			`# This is currently not exposed`
			`# Since I can't apply a authentication`
			`# on this yet`
Upgrades gitea 2018-02-03 07:36:06 +00:00
Sets up traefik 2017-11-04 21:27:00 +00:00			`[web]`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`address = ":1111"`
			`readOnly = true`

Traefik monitoring 2018-02-09 20:56:31 +00:00			`# To enable Traefik to export internal metrics to Prometheus`
			`[web.metrics.prometheus]`

Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00			`[acme]`
			`email = "acme@captnemo.in"`
			`storage = "/acme/acme.json"`
			`entryPoint = "https"`
Upgrades gitea 2018-02-03 07:36:06 +00:00			`onHostRule = false`
Adds things 2017-11-26 20:16:49 +00:00			`onDemand = false`
Comment out mysql, upgrade acme config 2017-12-04 06:11:13 +00:00			`acmelogging = true`
Switched apache to 90, traefik to 80 2017-11-26 14:22:49 +00:00
Switch over to HTTP challenge for traefik - This is much faster and more reliable - Unfortunately, can't work for internal domains - so in.bb8.fun certs are up-in-the-air for now - they will keep working till the authorizations stay valid 2018-02-17 21:32:12 +00:00			`[acme.httpChallenge]`
			`entryPoint = "http"`

wildcard certs are here!!! 2018-03-28 10:15:44 +00:00			`[acme.dnsChallenge]`
			`provider = "cloudflare"`
minor fixes and upgrades 2022-01-08 16:49:38 +00:00			`delayBeforeCheck = 120`
fix resolver for dns/acme 2023-06-01 08:31:12 +00:00			`resolvers = ["1.1.1.1:53", "8.8.8.8:53"]`
Work on proxying content via sydney - cloudflare + LE - traefik now has ingress on 443 - basic auth added for now 2017-11-26 11:23:34 +00:00
wildcard certs are here!!! 2018-03-28 10:15:44 +00:00			`# Primary 2 wildcard certs`
			`[[acme.domains]]`
			`main = "*.bb8.fun"`
			`# Internal services are also protected!`
			`[[acme.domains]]`
			`main = "*.in.bb8.fun"`