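# Compose file format 2.x is used so that `mem_limit` can sit at service
# level (v3 moves it under `deploy`).
version: "2.4"
services:
  traefik:
    build: .
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    networks: ["proxy"]
    ports:
      # Only TLS is published. traefik.yml defines no :80 entrypoint, so
      # plain-HTTP requests are refused rather than redirected.
      - "443:443"
    environment:
      # Route53 credentials for the ACME DNS-01 challenge (see traefik.yml).
      # Values set here are visible in `docker inspect` and in any copy of
      # this file committed to VCS -- prefer `env_file:` pointing at an
      # untracked file. Scope the IAM user to this hosted zone only
      # (route53:GetChange, route53:ListHostedZonesByName and
      # route53:ChangeResourceRecordSets on the zone): whoever reads this
      # container's environment can issue certificates for every name in it.
      - "AWS_HOSTED_ZONE_ID="
      - "AWS_ACCESS_KEY_ID="
      - "AWS_SECRET_ACCESS_KEY="
    volumes:
      # acme.json holds the ACME account key and every issued certificate's
      # private key; keep this volume off shared or backed-up-in-clear storage.
      - type: volume
        source: traefik_letsencrypt
        target: /letsencrypt
      # The Docker socket is root-equivalent on the host: a compromised
      # Traefik can start privileged containers. A `:ro` bind does not limit
      # API calls (it only makes the socket node read-only); if the host
      # matters, front the socket with a proxy that permits only the
      # read-only container/event endpoints Traefik needs.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
    labels:
      # Redundant with `exposedByDefault: false` in traefik.yml, kept so
      # Traefik never routes to itself even if that default changes.
      - traefik.enable=false
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  unifi:
    # Pinned to a 2020 build and excluded from Watchtower below, so nothing
    # updates it. UniFi Network releases before 6.5.54 are affected by
    # Log4Shell (CVE-2021-44228) and the login page on :8443 is reachable
    # through Traefik -- bump this tag deliberately and soon.
    image: linuxserver/unifi-controller:6.0.41-ls90
    container_name: unifi
    hostname: unifi
    restart: always
    networks: ["proxy"]
    ports:
      # https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
      # Everything published here binds on all host interfaces. If the host
      # also has a public address, prefix the mapping with the LAN IP
      # (e.g. "192.168.1.2:8080:8080"); devices only need these on the LAN.
      # STUN.
      - "3478:3478/udp"
      # Device <-> controller "inform" traffic (plain HTTP).
      - "8080:8080"
      # - "8081:8081"
      # Controller GUI/API. Deliberately NOT published: it is reached only
      # through Traefik on :443 (see the labels below).
      # - "8443:8443"
      # HTTPS guest-portal redirection.
      # - "8843:8843"
      # HTTP guest-portal redirection.
      # - "8880:8880"
      # Device discovery.
      - "10001:10001/udp"
    environment:
      # uid/gid the controller process runs as (linuxserver image convention);
      # must own the unifi_data volume.
      - PGID=65539
      - PUID=1055
      - TZ=Europe/Amsterdam
    volumes:
      - type: volume
        source: unifi_data
        target: /usr/lib/unifi/data
    healthcheck:
      # Probes the inform port inside the container's own namespace.
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 5
    labels:
      - com.centurylinklabs.watchtower.enable=false
      - traefik.enable=true
      - traefik.http.routers.unifi.entrypoints=websecure
      - traefik.http.routers.unifi.rule=Host(`unificontroller.mydomain.io`)
      - traefik.http.routers.unifi.tls=true
      - traefik.http.routers.unifi.tls.certresolver=myresolver
      # A `sans` entry equal to `main` was dropped: it added no extra name.
      - traefik.http.routers.unifi.tls.domains[0].main=unificontroller.mydomain.io
      - traefik.http.routers.unifi.service=unifi
      # Strips any client-supplied Authorization header before it reaches the
      # controller (defined in http.yml). If a Traefik-side auth middleware
      # (e.g. basicAuth) is ever added, list it before unifiHeaders here.
      - traefik.http.routers.unifi.middlewares=unifiHeaders@file
      # An `sslheader` middleware that set X-Forwarded-Proto was defined here
      # but never attached to a router, so it has been removed.
      # Traefik connects to the controller over HTTPS; the controller's
      # certificate is not trusted, which is why traefik.yml sets
      # serversTransport.insecureSkipVerify globally.
      - traefik.http.services.unifi.loadbalancer.server.port=8443
      - traefik.http.services.unifi.loadbalancer.server.scheme=https
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
    mem_limit: 1500M
networks:
  proxy:
volumes:
  traefik_letsencrypt:
  unifi_data: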
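# Traefik image with the static config and the dynamic file-provider config
# baked in. Pinned by tag today; pin by digest (traefik:v2.3.2@sha256:...)
# once the image has been checked, so a re-tagged upstream image cannot
# replace the proxy underneath the TLS settings shipped here.
FROM traefik:v2.3.2
COPY traefik.yml /etc/traefik/traefik.yml
# COPY creates missing target directories, so the former `RUN mkdir` layer
# is unnecessary; the trailing slash makes the destination a directory.
# Both files are picked up by providers.file.directory in traefik.yml.
COPY tls.yml http.yml /etc/traefik/conf/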
# Dynamic configuration loaded by the file provider (/etc/traefik/conf).
http:
  middlewares:
    # Referenced by the unifi router as `unifiHeaders@file`.
    unifiHeaders:
      headers:
        customRequestHeaders:
          # An empty value makes Traefik delete the header instead of
          # setting it, so no client-supplied Authorization reaches the
          # controller. Any Traefik-side auth middleware that needs that
          # header must run earlier in the router's middleware chain.
          Authorization: ''
# TLS policy for the websecure entrypoint, loaded by the file provider.
tls:
  options:
    # `default` applies to every TLS router that does not name its own
    # option set -- in this setup, the unifi router.
    default:
      # ECDHE + AEAD only: no CBC suites, no static-RSA key exchange.
      # NOTE: this list only constrains TLS 1.2; Go chooses the TLS 1.3
      # suites itself and ignores cipherSuites for 1.3 connections.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Refuses TLS 1.0/1.1. Consider adding `sniStrict: true` so a
      # connection whose SNI matches no certificate is rejected instead of
      # being answered with Traefik's generated default certificate.
      minVersion: VersionTLS12
# Static Traefik configuration. Dynamic config comes from /etc/traefik/conf
# (tls.yml, http.yml) and from container labels via the Docker provider.
# Based on:
# https://gist.github.com/containeroo-gists/0e79fb145252611ee1bb0da2c31f243d
# https://gist.github.com/containeroo-gists/27666fe7d32199f40c01b20f49cc0454
global:
  sendAnonymousUsage: false
  checkNewVersion: false

# Single TLS entrypoint. Nothing listens on :80, so there is no HTTP->HTTPS
# redirect and no HTTP-01 challenge (ACME uses DNS-01, below).
entryPoints:
  websecure:
    address: ":443"

# Dashboard off. The api@internal service still exists, but no router in
# this setup points at it, so the API is not reachable from outside.
api:
  dashboard: false

providers:
  # Containers must opt in with traefik.enable=true.
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/conf

log:
  level: INFO

# Only 4xx/5xx responses, retried requests and requests slower than 200ms
# are logged. Successful requests -- including successful controller logins
# -- never appear here; widen statusCodes if this log feeds a SIEM or
# fail2ban.
accessLog:
  filters:
    statusCodes:
      - "400-600"
    retryAttempts: true
    minDuration: "200ms"

certificatesResolvers:
  myresolver:
    acme:
      # caServer unset => Let's Encrypt production. Switch to staging while
      # testing to avoid production rate limits.
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      #caServer: https://acme-v02.api.letsencrypt.org/directory
      email: webmaster@mydomain.io
      # ACME account key and issued private keys; backed by the
      # traefik_letsencrypt volume mounted in docker-compose.
      storage: /letsencrypt/acme.json
      # DNS-01 via Route53; credentials come from the AWS_* environment
      # variables of the traefik container.
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# Needed because Traefik connects to the UniFi controller over HTTPS (:8443)
# and the controller's certificate is not trusted.
# https://community.traefik.io/t/insecureskipverify-explanation/2195
# CAUTION: in this Traefik version this is a global switch -- every HTTPS
# backend Traefik proxies to is accepted unverified, not just UniFi. Newer
# Traefik (2.4+) supports a named serversTransport bound to one service;
# prefer that, or add the controller's certificate under rootCAs, when
# upgrading.
serversTransport:
  insecureSkipVerify: true
@jeroenhendricksen This is a great example, thanks for contributing!
You are welcome :)
Not sure if you know, but these gists belong to a blog article of mine.
Love it, some great articles on there. I added it to my changedetection box.
You got a star :) Finally a simple, clear and to the point example to get unifi controller behind traefik. Thank you!
Hey Jeroen! I started getting this to work and it works very nicely- thank you, especially the http.yml and traefik.yml parts!
One thing I am having some trouble with, and will be spending some time on in the near future, is enabling SSL for access to the guest portal (port 8843) we use. I am guessing it is something simple.
So far I enabled the port in the compose file (uncomment 8443:8443) and tried adding labels along the lines of:
- "traefik.http.routers.unifi-http.entrypoints=web"
- "traefik.http.routers.unifi-http.rule=Host(`${my_unifi_host}`)"
- "traefik.http.routers.unifi-http.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
So, I write this in case you know off the bat how the traefik headers would be for enabling access to 8443.
In any case, I'll update mine when I have it figured out in case it helps others that might be using the guest portal.
Cheers!
- "traefik.http.routers.unifi.service=unifi-https-svc"
- "traefik.http.services.unifi-https-svc.loadbalancer.server.port=8443"
- "traefik.http.services.unifi-https-svc.loadbalancer.server.scheme=https"