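# Traefik v3 edge proxy plus a `whoami` test backend.
# Compose interpolates ${ENV} and ${PORT}, so both must be set in the
# environment or an .env file. If ${ENV} is empty, both the provider
# constraint and the `env=` label become empty strings.
# NOTE(review): consider ${ENV:?ENV must be set} to fail fast; confirm callers.
services:
  traefik:
    # Tag plus digest: the digest decides what is pulled, the tag is only a
    # human-readable hint. Update both together.
    image: "traefik:v3.6@sha256:aaf0f6185419a50c74651448c1a5bf4606bd2d2ddb7b8749eed505d55bf8b8ea"
    # container_name: "traefik"
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    command:
      # NOTE(review): DEBUG is very verbose and can put request and
      # configuration detail into the logs; prefer INFO outside troubleshooting.
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy"
      # Only containers whose `env` label equals ${ENV} are picked up.
      - "--providers.docker.constraints=Label(`env`, `${ENV}`)"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.https.address=:443"
      # The ACME HTTP-01 challenge is answered on the `web` entrypoint.
      # NOTE(review): the CA has to reach it on public port 80, so ${PORT}
      # must be 80 or an upstream must forward 80 to it; confirm the deployment.
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/etc/traefik/dynamic_conf.yml"
      - "--providers.file.watch=true"
    ports:
      - "${PORT}:80"
      - "4443:443"
      # NOTE(review): publishes container port 8080 on an ephemeral host port.
      # No entrypoint is defined on 8080 above (only web/https), so this
      # mapping looks unused. If the insecure API/dashboard were enabled later,
      # it would become reachable here. Remove it or bind it to 127.0.0.1.
      - "8080"
    volumes:
      # NOTE(review): `:ro` only makes the socket file read-only. It does not
      # restrict Docker API calls made over the socket. Access to the socket is
      # effectively host-level access, so consider a socket proxy that only
      # allows the read endpoints Traefik needs.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # acme.json holds the ACME account key and certificate private keys.
      # Keep the host directory out of version control and owner-readable only.
      - "./data/letsencrypt:/letsencrypt"
      # Traefik only reads the dynamic config, so mount it read-only. A
      # compromised proxy then cannot rewrite its own routing rules on the host.
      - "./asd.yaml:/etc/traefik/dynamic_conf.yml:ro"

  whoami:
    image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
    restart: unless-stopped
    # Same privilege-escalation guard as the traefik service.
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    labels:
      # Must match the provider constraint on the traefik service.
      - "env=${ENV}"
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`test.staging.kovagoadi.hu`)"
      # NOTE(review): the router is named plain `https`. Any other container
      # that declares a router with the same name would conflict with it;
      # a service-specific name (e.g. whoami-https) avoids that.
      - "traefik.http.routers.https.rule=Host(`test.staging.kovagoadi.hu`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.https.entrypoints=https"
      - "traefik.http.routers.https.tls=true"
      - "traefik.http.routers.https.tls.certresolver=letsencrypt"

  # Disabled catch-all shim, kept for reference.
  # NOTE(review): the priority label below names router `catchall-https` while
  # every other TCP label names router `https`, so if this is re-enabled the
  # priority would not apply to the passthrough router. Align the names first.
  # catchall-shim:
  #   image: traefik/whoami
  #   networks:
  #     - proxy
  #   labels:
  #     - "traefik.enable=true"
  #     # -------------------------------------------------------
  #     # 1. HTTPS Handling (TCP Passthrough) -> Port 443
  #     # -------------------------------------------------------
  #     # Use a TCP Router for Port 443
  #     - "traefik.tcp.routers.https.entrypoints=https"
  #     # Match Any Domain (Wildcard SNI)
  #     - "traefik.tcp.routers.https.rule=HostSNI(`*`)"
  #     # CRITICAL: Passthrough = true
  #     # Traefik will NOT decrypt. It passes the encrypted stream to Nginx.
  #     - "traefik.tcp.routers.https.tls.passthrough=true"
  #     # Low priority so other specific routes in Traefik override this
  #     - "traefik.tcp.routers.catchall-https.priority=1"
  #     # Point to the Nginx service
  #     - "traefik.tcp.routers.https.service=nginx-backend-secure"
  #     # Define the destination IP for HTTPS (Note: 'server.address', not 'url')
  #     # Replace 192.168.1.100 with your Nginx IP
  #     - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85"
  #     - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.port=443"
  #     - "env=${ENV}"
  #     # -------------------------------------------------------
  #     # 2. HTTP Handling (Standard Proxy) -> Port 80
  #     # -------------------------------------------------------
  #     # Since HTTP is unencrypted, we can use a standard HTTP router.
  #     # This forwards the request to Nginx port 80 (for Certbot challenges/redirects).
  #     # - "traefik.http.routers.catchall-http.entrypoints=web"
  #     # - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)"
  #     # # - "traefik.http.routers.catchall-http.priority=1"
  #     # - "traefik.http.routers.catchall-http.service=nginx-backend-plain"
  #     # # Define the destination IP for HTTP
  #     # - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80"

networks:
  # Default-configured network shared by the proxy and its backends.
  proxy: {}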