Traefik [Docs OS]

Ця сторінка доступна тільки для перегляду. Ви можете продивитися вихідний текст, але не можете змінювати його. Якщо ви вважаєте, що це не вірно, зверніться до адміністратора.
====== Traefik ======

==== Traefik стек (docker-compose.yml) ====

<code yaml>
version: "3.9"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      # --- Dashboard ---
      - "--api.dashboard=true"          # вмикаємо Dashboard
      - "--api.insecure=false"          # вимикаємо доступ без auth
      # Для тесту можна включити insecure:
      # - "--api.insecure=true"

      # --- Docker provider ---
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"

      # --- EntryPoints ---
      - "--entrypoints.web.address=:80"           # HTTP
      - "--entrypoints.websecure.address=:443"   # HTTPS

      # HTTP -> HTTPS redirect
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"

      # --- ACME / Let's Encrypt ---
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.lets-encrypt.acme.email=admin@osvex.com"
      - "--certificatesresolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"

    ports:
      - "80:80"     # HTTP
      - "443:443"   # HTTPS
      - "8080:8080" # Dashboard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
    networks:
      - shared_traefik

networks:
  shared_traefik:
    external: true


</code>

💡 Пояснення:

  * **HTTP-only**: якщо хочеш тестити без TLS, можна закоментувати websecure entrypoint і редиректи.
  * **HTTPS / Let’s Encrypt**: включається через websecure entrypoint і certresolver=lets-encrypt.
  * Dashboard можна захистити Basic Auth

----

==== Monitoring стек (docker-compose.yml) ====

<code yaml>
version: "3.9"
services:

  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    volumes:
      - ./prometheus:/etc/prometheus
      - prom_data:/prometheus
      - ./prometheus/alerts:/etc/prometheus/alerts
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
    restart: unless-stopped
    ports:
      - "9090:9090"
    networks:
      - shared_traefik
      - monitoring

  alertmanager:
    image: prom/alertmanager:latest
    container_name: alertmanager
    volumes:
      - ./alertmanager:/etc/alertmanager
      - alertmanager_data:/alertmanager
    command:
      - "--config.file=/etc/alertmanager/alertmanager.yml"
      - "--storage.path=/alertmanager"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.alertmanager.rule=Host(`alertmanager.osvex.com`)"
      # --- HTTP-only ---
      - "traefik.http.routers.alertmanager.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.alertmanager.entrypoints=websecure"
      # - "traefik.http.routers.alertmanager.tls.certresolver=lets-encrypt"
      - "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin
    volumes:
      - grafana_data:/var/lib/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.osvex.com`)"
      # --- HTTP-only ---
      - "traefik.http.routers.grafana.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.grafana.entrypoints=websecure"
      # - "traefik.http.routers.grafana.tls.certresolver=lets-encrypt"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
      - "traefik.http.services.grafana.loadbalancer.server.scheme=http"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  karma:
    image: ghcr.io/prymitive/karma:latest
    container_name: karma
    command: ["--config.file=/etc/karma/config.yml"]
    volumes:
      - ./karma:/etc/karma
      - karma_data:/karma_data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.karma.rule=Host(`karma.osvex.com`)"
      # --- HTTP-only ---
      - "traefik.http.routers.karma.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.karma.entrypoints=websecure"
      # - "traefik.http.routers.karma.tls.certresolver=lets-encrypt"
      - "traefik.http.services.karma.loadbalancer.server.port=8080"
      - "traefik.http.services.karma.loadbalancer.server.scheme=http"
      - "traefik.http.middlewares.karma-auth.basicauth.users=osvex:$$apr1$$fpZgIrG8$$BIT6g9qiTm1RM09s5BZVh/"
      - "traefik.http.routers.karma.middlewares=karma-auth"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  loki:
    image: grafana/loki:latest
    container_name: loki
    command: ["-config.file=/etc/loki/config.yml"]
    volumes:
      - ./loki:/etc/loki
      - loki_data:/loki
    restart: unless-stopped
    ports:
      - "3100:3100"
    networks:
      - shared_traefik
      - monitoring

  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    command: ["-config.file=/etc/promtail/config.yml"]
    volumes:
      - ./promtail:/etc/promtail
      - /var/log:/var/log:ro
      - /tmp:/tmp
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  blackbox_exporter:
    image: prom/blackbox-exporter:latest
    container_name: blackbox_exporter
    volumes:
      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
    command: ["--config.file=/etc/blackbox_exporter/config.yml"]
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

volumes:
  prom_data:
  grafana_data:
  loki_data:
  karma_data:
  alertmanager_data:

networks:
  shared_traefik:
    external: true
  monitoring:
    driver: bridge

</code>

==== 🔹 Пояснення ====

  - **HTTP-only**: для тесту, швидкий доступ без сертифікатів, використовується entrypoint web.
  - **HTTPS / Let’s Encrypt**: розкоментувати websecure + tls.certresolver=lets-encrypt і переконатися, що Traefik має доступ до acme.json.
  - **Basic Auth**: можна підключити окремо для Dashboard або для сервісів (як у Karma).
  - **traefik.docker.network=shared_traefik**  — важливий для сервісів із декількома мережами, щоб Traefik знав, по якій мережі проксувати.