traefik/bc.sh
:
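#!/usr/bin/env bash
# Start the traefik reverse proxy through ~/bcompose/bc.sh.
# Any extra arguments given to this script are forwarded after "--".
set -eu

service=(
  --project traefik
  --name traefik
  --image traefik:v3.1

  # Entrypoints: plain HTTP (only used for the https redirect below) and HTTPS.
  --cmd --entryPoints.http.address=:80
  --cmd --entryPoints.https.address=:443

  # Docker provider: only route containers that opt in with traefik.enable=true.
  # (Setting a sub-option already enables the provider; no bare --providers.docker needed.)
  --cmd --providers.docker.exposedbydefault=false

  # ACME (Let's Encrypt) via the TLS-ALPN-01 challenge on :443.
  # The storage path is absolute so it always lands in the traefik_acme volume
  # mounted below, whatever the container's working directory is. That file
  # holds the ACME account key and every issued private key: keep the volume
  # private (traefik itself insists on mode 0600 for it).
  --cmd --certificatesresolvers.tls-resolver.acme.email=me@gmail.com
  --cmd --certificatesresolvers.tls-resolver.acme.storage=/acme/json
  # Uncomment while experimenting to stay clear of the production rate limits:
  # --cmd --certificatesresolvers.tls-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  --cmd --certificatesresolvers.tls-resolver.acme.tlschallenge
  # Alternative resolver using the HTTP-01 challenge on the http entrypoint:
  # --cmd --certificatesresolvers.http-resolver.acme.email=me@gmail.com
  # --cmd --certificatesresolvers.http-resolver.acme.storage=/acme/http
  # --cmd --certificatesresolvers.http-resolver.acme.httpchallenge.entrypoint=http

  # Access log to stdout. DEBUG dumps the whole static configuration (ACME
  # e-mail, CA, every certificate step) into the container log; drop it to
  # INFO once the setup is verified.
  --cmd --accesslog
  --cmd --log.level=DEBUG

  --args -p 80:80
  --args -p 443:443

  # API + dashboard (the dashboard is on by default with --api). It is only
  # reachable through the traefik-https router below, i.e. behind the IP
  # allowlist and basic auth. Never add --api.insecure=true: that publishes
  # it unauthenticated on a separate :8080 entrypoint.
  --cmd --api

  --args -l traefik.enable=true
  # http router: its only job is the redirect to https
  --args -l traefik.http.routers.traefik-http.rule=Host'("traefik.example.com")'
  --args -l traefik.http.middlewares.redirect.redirectscheme.scheme=https
  --args -l traefik.http.routers.traefik-http.middlewares=redirect
  # https router: serves the API/dashboard for the whole host ...
  --args -l traefik.http.routers.traefik-https.rule=Host'("traefik.example.com")'
  # ... or, tighter, only the two paths the dashboard actually needs:
  # --args -l traefik.http.routers.traefik-https.rule='Host("traefik.example.com") && (PathPrefix("/api") || PathPrefix("/dashboard"))'
  --args -l traefik.http.routers.traefik-https.service=api@internal
  # "IP" is a placeholder: put a real address or CIDR here (e.g. 203.0.113.4/32);
  # an unparsable range is expected to leave the middleware - and so the router -
  # in an error state. No ipStrategy is set, so the check is against the TCP
  # peer address: it only means something if the container sees the real
  # client IP rather than a NAT/proxy hop.
  --args -l traefik.http.middlewares.ip-access.ipallowlist.sourcerange=IP
  # bcrypt hash of test:password; the single quotes keep bash from expanding
  # the "$". Cost 05 is demo strength only - regenerate with a higher cost
  # (e.g. `htpasswd -nB -C 12 test`) and a real password before exposing this.
  --args -l traefik.http.middlewares.auth.basicauth.users=test:'$2y$05$7J1ejS9JHV8z1wYRkjF6/ehHi2PFZn1kkHdql2.O/NCaygTkuzZeu'
  --args -l traefik.http.routers.traefik-https.middlewares=ip-access,auth
  --args -l traefik.http.routers.traefik-https.tls.certresolver=tls-resolver
  # --args -l traefik.http.routers.traefik-https.tls.certresolver=http-resolver

  # The Docker socket gives traefik full control of the Docker daemon, which
  # is root on the host. ":ro" only makes the bind mount read-only; it does
  # not restrict what can be done over the socket. For anything beyond a lab,
  # put a docker socket proxy in front that only allows the read-only
  # container/event endpoints and point --providers.docker.endpoint at it.
  --args -v /var/run/docker.sock:/var/run/docker.sock:ro
  --args -v traefik_acme:/acme
)

~/bcompose/bc.sh \
  "${service[@]}" \
  -- \
  "$@"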
prj/bc.sh
:
#!/usr/bin/env bash
# Start the whoami demo service behind traefik through ~/bcompose/bc.sh.
# Any extra arguments given to this script are forwarded after "--".
set -eu

service=(
  --project prj
  --name whoami
  --image traefik/whoami
  # join traefik's network so the proxy can reach this container
  --external-network traefik
)

# label VALUE: append one container label to the service (as "--args -l VALUE").
label() {
  service+=(--args -l "$1")
}

label traefik.enable=true
# tell traefik which of the container's networks (and thus which IP) to dial
label traefik.docker.network=traefik

# http router: plain-http requests are only redirected to https
label 'traefik.http.routers.whoami-http.rule=Host("example.com")'
# a middleware may be declared under the same name by several containers
# as long as every declaration is identical (these mirror traefik/bc.sh)
label traefik.http.middlewares.redirect.redirectscheme.scheme=https
label traefik.http.routers.whoami-http.middlewares=redirect

# https router: source-IP allowlist + basic auth, certificate from tls-resolver
label 'traefik.http.routers.whoami-https.rule=Host("example.com")'
# "IP" is a placeholder - put a real address or CIDR here
label traefik.http.middlewares.ip-access.ipallowlist.sourcerange=IP
# bcrypt hash of test:password (cost 05 is demo-only strength); the single
# quotes keep bash from expanding the "$" in the hash
label 'traefik.http.middlewares.auth.basicauth.users=test:$2y$05$7J1ejS9JHV8z1wYRkjF6/ehHi2PFZn1kkHdql2.O/NCaygTkuzZeu'
label traefik.http.routers.whoami-https.middlewares=ip-access,auth
label traefik.http.routers.whoami-https.tls.certresolver=tls-resolver
# label traefik.http.routers.whoami-https.tls.certresolver=http-resolver

~/bcompose/bc.sh "${service[@]}" -- "$@"
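# Request https:// directly. With a plain http:// URL curl sends the
# Authorization header on the very first (cleartext) request, before the
# redirect to https happens, so the password crosses the wire unencrypted.
# Going to https straight away also removes the need for --location-trusted
# (which re-sends credentials to whatever host a redirect points at).
$ curl -sSu test:password https://example.com
$ curl -sSu test:password https://traefik.example.com/api/rawdata | jq -C . | less -R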
An HTTPS router (one with a `tls` section) does not accept plain-HTTP requests, which is why each service above declares a separate `*-http` router whose only job is the redirect:
When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non TLS) requests).
https://doc.traefik.io/traefik/routing/routers/#general
Rule values must be quoted with backticks or escaped double quotes. From the docs: "To set the value of a rule, use backticks ` or escaped double-quotes \". Single quotes ' are not accepted since the values are Go's String Literals." (The single quotes in the scripts above belong to bash and are stripped before the label reaches traefik; the label value itself is `Host("…")`.)
https://doc.traefik.io/traefik/routing/routers/#rule
With `--log.level=DEBUG`, traefik logs the fully resolved static configuration at start-up, which is useful to confirm which defaults apply (for example `api.dashboard: true` and the production ACME CA). Note that DEBUG also records the ACME account e-mail, authorization URLs and every certificate operation, so it is not a level to leave enabled outside troubleshooting:
2024-08-08T07:32:44Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.1.1 built on 2024-07-30T13:55:22Z version=3.1.1
2024-08-08T07:32:44Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={
accessLog: {
fields: {defaultMode:"keep", headers: {defaultMode: "drop"}},
filters: {},
format: "common"
},
api: {dashboard: true},
certificatesResolvers: {
tls-resolver: {
acme: {
caServer: "https://acme-v02.api.letsencrypt.org/directory",
certificatesDuration: 2160,
email: "me@gmail.com",
keyType: "RSA4096",
storage: "acme/json",
tlsChallenge: {}
}
}
},
entryPoints: {
http: {
address: ":80",
forwardedHeaders: {},
http: {},
http2: {maxConcurrentStreams: 250},
transport: {
lifeCycle: {graceTimeOut: "10s"},
respondingTimeouts: {idleTimeout: "3m0s", readTimeout: "1m0s"}
},
udp: {timeout: "3s"}
},
https: {
address: ":443",
forwardedHeaders: {},
http: {},
http2: {maxConcurrentStreams: 250},
transport: {
lifeCycle: {graceTimeOut: "10s"},
respondingTimeouts: {idleTimeout: "3m0s", readTimeout: "1m0s"}
},
udp: {timeout: "3s"}
}
},
global: {checkNewVersion: true},
log: {format: "common", level: "DEBUG"},
providers: {
docker: {
defaultRule: "Host(`{{ normalize .Name }}`)",
endpoint: "unix:///var/run/docker.sock",
watch: true
},
providersThrottleDuration: "2s"
},
serversTransport: {maxIdleConnsPerHost: 200},
tcpServersTransport: {dialKeepAlive: "15s", dialTimeout: "30s"}
}
...
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
> Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
> Looking for provided certificate(s) to validate ["traefik.example.com"]...
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:897
> Domains need ACME certificates generation for domains "traefik.example.com".
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
domains=["traefik.example.com"]
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:619
> Loading ACME certificates [traefik.example.com]...
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251
> Building ACME client...
providerName=tls-resolver.acme
2024-08-08T07:32:45Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257
> https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
2024-08-08T07:32:46Z INF github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:371
> Register...
providerName=tls-resolver.acme
2024-08-08T07:32:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] acme: Registering account for me@gmail.com
lib=lego
2024-08-08T07:32:46Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:331
> Using TLS Challenge provider.
providerName=tls-resolver.acme
2024-08-08T07:32:46Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] acme: Obtaining bundled SAN certificate
lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/387571547766
lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] acme: use tls-alpn-01 solver
lib=lego
2024-08-08T07:32:48Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] acme: Trying to solve TLS-ALPN-01
lib=lego
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:42
> TLS Challenge Present temp certificate for traefik.example.com
providerName=tlsalpn.acme
...
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131
> Adding certificate for domain(s) acme challenge temp,traefik.example.com
...
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
> Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
> Looking for provided certificate(s) to validate ["traefik.example.com"]...
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:48Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895
> No ACME certificate generation required for domains
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
domains=["traefik.example.com"]
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:54Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] The server validated our request
lib=lego
2024-08-08T07:32:54Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/challenge_tls.go:89
> TLS Challenge CleanUp temp certificate for traefik.example.com
providerName=tlsalpn.acme
2024-08-08T07:32:54Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] acme: Validations succeeded; requesting certificates
lib=lego
...
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:384
> Trying to challenge certificate for domain [traefik.example.com] found in HostSNI rule
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851
> Looking for provided certificate(s) to validate ["traefik.example.com"]...
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:55Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895
> No ACME certificate generation required for domains
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
domains=["traefik.example.com"]
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
2024-08-08T07:32:58Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48
> [INFO] [traefik.example.com] Server responded with a certificate.
lib=lego
2024-08-08T07:32:58Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:643
> Certificates obtained for domains [traefik.example.com]
ACME CA=https://acme-v02.api.letsencrypt.org/directory
acmeCA=https://acme-v02.api.letsencrypt.org/directory
providerName=tls-resolver.acme
routerName=traefik-https@docker
rule="Host(\"traefik.example.com\")"
...
2024-08-08T07:32:58Z DBG github.com/traefik/traefik/v3/pkg/tls/certificate.go:131
> Adding certificate for domain(s) traefik.example.com