wululu_web/invoiceninja-docker
3
0
Fork 0
mirror of https://github.com/invoiceninja/dockerfiles.git synced 2026-01-26 00:02:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert "add traefik config example"

Browse Source
This commit is contained in:
David Bomba
2023-04-29 09:01:55 +10:00
committed by GitHub
parent 70e1de9a95
commit 33a55e362b
12 changed files with 44 additions and 374 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
config/traefik/README.md
View File

@@ -1,35 +0,0 @@
# Docker for [Invoice Ninja](https://www.invoiceninja.com/) using [Traefik proxy](https://doc.traefik.io/traefik/)
## Why use Traefik Proxy
Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
Traefik in combination with [Cloudflare](https://cloudflare.com) receives and serves all SSL certificates for each service domain automaticly by issuing a wildcard SSL certificate.
## Requirements
1. A domain using the Cloudflare nameservers [Cloudflare Docs](https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare/)
1. An API token with at least the following permissions: `Zone:Read, Zone Settings:Read, DNS:Edit` [Cloudflare Docs](https://developers.cloudflare.com/fundamentals/api/)
## Usage
1. Either copy the [HTTP-01 docker-compose.override.yml](./examples/http-01/docker-compose.override.yml) to the repositorie's root directory for issueing ssl certificates via `http-01` challenge, or copy the [DNS-01 cloudflare docker-compose.override.yml](./examples/dns-01-cloudflare/docker-compose.override.yml) to use Cloudflare and `dns-01` challenge.
1. Set the Traefik proxy vars in the [env](../../env) file
1. Update the basic-auth username and password in [dynamic-http.yml](./config/dynamic-http.yml)
1. Start the docker compose stack
A few seconds later, you should be able to visit `https://${APP_URL_DOMAIN}:8080/dashboard/` and should be prompted for a username and password. If you have not changed it, it should be `username` and `EncryptedPassword`.
If there are no errors listed, you should be able to visit InvoiceNinja via `${APP_URL}`.
## Troubleshooting
If anything does not work as expected, consider checking Traefik's container logs via
```bash
docker compose logs -tf traefik
```
and check the official [Traefik Documentation](https://doc.traefik.io/traefik/).

42
config/traefik/config/dynamic-http.yml
View File

@@ -1,42 +0,0 @@
---
http:
middlewares:
basic-auth:
basicAuth:
users:
# Generate encrypted password string via 'htpasswd -nB username'
# enter your password twice and paste the output here
# myusername:mysafepassword
- "myusername:$2y$05$Tx/.9qaFoZiLi41ZDvO1fOqiSohhuAr8jf9yEbQxZWlqANMKQYnYe"
gzip:
compress: {}
security-headers:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
frameDeny: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
customFrameOptionsValue: "SAMEORIGIN"
referrerPolicy: "no-referrer"
customRequestHeaders:
X-Forwarded-Proto: "https"
strict-ratelimit:
rateLimit:
average: 10
burst: 50
default-ratelimit:
rateLimit:
average: 100
burst: 50
high-ratelimit:
rateLimit:
average: 1000
burst: 500
default:
chain:
middlewares:
- "security-headers"
- "gzip"

19
config/traefik/config/dynamic-tls.yml
View File

@@ -1,19 +0,0 @@
---
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384

98
config/traefik/examples/dns-01-cloudflare/docker-compose.override.yml
View File

@@ -1,98 +0,0 @@
version: "3.7"
services:
traefik:
# The official v2 Traefik docker image
image: traefik:latest
container_name: traefik
restart: always
env_file: env
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- "invoiceninja"
volumes:
# So that Traefik can listen to the Docker events
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# Dynamic configuration files
- "./config/traefik/config:/conf:ro"
# Enable Access Log
- "./config/traefik/logs/:/var/log/www/"
# LetsEncrypt Configuration Storage
- "./config/traefik/ssl-files:/ssl"
command:
# Send usage statistics (or not)
- "--global.sendAnonymousUsage=false"
# By default, the level is set to ERROR. Alternative logging levels are
# DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
- "--log.level=WARN"
# Enable Access Log
- "--accesslog.filepath=/var/log/www/access.log"
# Enable Dashboard
- "--api.insecure=false"
- "--api.dashboard=true"
- "--api.debug=true"
# We are using Docker
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
# (Optional) Set default hostname if not given explicitly
- "--providers.docker.defaultRule=Host(`${APP_URL_DOMAIN}`)"
# Listen on port 80 (http)
- "--entrypoints.web.address=:80"
# Listen on port 443 (https)
- "--entrypoints.websecure.address=:443"
# Listen on port 8080 (traefik Dashboard)
- "--entrypoints.traefik-dashbaord.address=:8080"
# Watch dynamic configuration file
- "--providers.file.directory=/conf"
- "--providers.file.watch=true"
# Automaticly redirect from http to https
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
################ START SSL configuration ################
# ---------> Cloudflare <---------
# DNS challenge via Cloudflare
- "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.cloudflare.acme.storage=/ssl/acme.json"
- "--certificatesresolvers.cloudflare.acme.dnsChallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.dnsChallenge.delayBeforeCheck=60"
- "--certificatesresolvers.cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53"
# (Optional) Use testing server before receiving the productive ssl certificate
#- --certificatesresolvers.cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- "--entrypoints.websecure.http.tls.domains[0].main=${APP_URL_DOMAIN}"
# (Optional) Use only, if you are able to receive a wildcard ssl certificate
# - "--entrypoints.websecure.http.tls.domains[0].main=*.${APP_URL_DOMAIN}"
# --------------------------------
################ END SSL configuration ################
labels:
# Enable Traefik
- "traefik.enable=true"
# Set Network to use
- "traefik.docker.network=invoiceninja"
# Set service type
- "traefik.http.routers.traefik-dashbaord.service=api@internal"
# Load dynamic config from conf/*.yml
- "traefik.http.routers.traefik-dashbaord.middlewares=default@file,basic-auth@file"
# Define entrypint to use
- "traefik.http.routers.traefik-dashbaord.entrypoints=traefik-dashbaord"
# Define Hostname and path
- "traefik.http.routers.traefik-dashbaord.rule=Host(`${APP_URL_DOMAIN}`) && PathPrefix(`/api`,`/dashboard`)"
# Enable SSL/TLS
- "traefik.http.routers.traefik-dashbaord.tls=true"
- "traefik.http.routers.traefik-dashbaord.tls.certResolver=cloudflare"
server:
labels:
# Enable Traefik
- "traefik.enable=true"
# Set Network to use
- "traefik.docker.network=invoiceninja"
# Load dynamic config
- "traefik.http.routers.ninja-nginx.middlewares=default@file"
# Service related labels
- "traefik.http.routers.ninja-nginx.entrypoints=websecure"
- "traefik.http.routers.ninja-nginx.rule=Host(`${APP_URL_DOMAIN}`)"
- "traefik.http.routers.ninja-nginx.tls=true"
- "traefik.http.routers.ninja-nginx.tls.certResolver=cloudflare"

93
config/traefik/examples/http-01/docker-compose.override.yml
View File

@@ -1,93 +0,0 @@
version: "3.7"
services:
traefik:
# The official v2 Traefik docker image
image: traefik:latest
container_name: traefik
restart: always
env_file: env
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- "invoiceninja"
volumes:
# So that Traefik can listen to the Docker events
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# Dynamic configuration files
- "./config/traefik/config:/conf:ro"
# Enable Access Log
- "./config/traefik/logs/:/var/log/www/"
# LetsEncrypt Configuration Storage
- "./config/traefik/ssl-files:/ssl"
command:
# Send usage statistics (or not)
- "--global.sendAnonymousUsage=false"
# By default, the level is set to ERROR. Alternative logging levels are
# DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
- "--log.level=WARN"
# Enable Access Log
- "--accesslog.filepath=/var/log/www/access.log"
# Enable Dashboard
- "--api.insecure=false"
- "--api.dashboard=true"
- "--api.debug=true"
# We are using Docker
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
# (Optional) Set default hostname if not given explicitly
- "--providers.docker.defaultRule=Host(`${APP_URL_DOMAIN}`)"
# Listen on port 80 (http)
- "--entrypoints.web.address=:80"
# Listen on port 443 (https)
- "--entrypoints.websecure.address=:443"
# Listen on port 8080 (traefik Dashboard)
- "--entrypoints.traefik-dashbaord.address=:8080"
# Watch dynamic configuration file
- "--providers.file.directory=/conf"
- "--providers.file.watch=true"
# Automaticly redirect from http to https
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
################ START SSL configuration ################
# ---------> LetsEncrypt <---------
# HTTP-Challenge
- "--certificatesresolvers.http-01.acme.httpchallenge=true"
- "--certificatesresolvers.http-01.acme.httpchallenge.entrypoint=web"
# (Optional) Use testing server before receiving the productive ssl certificate
#- "--certificatesresolvers.http-01.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.http-01.acme.email=${ACME_EMAIL}"
- "--certificatesresolvers.http-01.acme.storage=/ssl/acme.json"
################ END SSL configuration ################
labels:
# Enable Traefik
- "traefik.enable=true"
# Set Network to use
- "traefik.docker.network=invoiceninja"
# Set service type
- "traefik.http.routers.traefik-dashbaord.service=api@internal"
# Load dynamic config from conf/*.yml
- "traefik.http.routers.traefik-dashbaord.middlewares=default@file,basic-auth@file"
# Define entrypint to use
- "traefik.http.routers.traefik-dashbaord.entrypoints=traefik-dashbaord"
# Define Hostname and path
- "traefik.http.routers.traefik-dashbaord.rule=Host(`${APP_URL_DOMAIN}`) && PathPrefix(`/api`,`/dashboard`)"
# Enable SSL/TLS
- "traefik.http.routers.traefik-dashbaord.tls=true"
- "traefik.http.routers.traefik-dashbaord.tls.certResolver=http-01"
server:
labels:
# Enable Traefik
- "traefik.enable=true"
# Set Network to use
- "traefik.docker.network=invoiceninja"
# Load dynamic config
- "traefik.http.routers.ninja-nginx.middlewares=default@file"
# Service related labels
- "traefik.http.routers.ninja-nginx.entrypoints=websecure"
- "traefik.http.routers.ninja-nginx.rule=Host(`${APP_URL_DOMAIN}`)"
- "traefik.http.routers.ninja-nginx.tls=true"
- "traefik.http.routers.ninja-nginx.tls.certResolver=http-01"

0
config/traefik/logs/.gitkeep
View File

0
config/traefik/ssl-files/.gitkeep
View File