Traefik
Traefik стек (docker-compose.yml)
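---
# Traefik edge proxy: listens on 80/443, discovers containers through the
# Docker provider (opt-in via labels) and obtains certificates from
# Let's Encrypt using the HTTP-01 challenge.
version: "3.9"

services:
  traefik:
    # NOTE(review): `latest` is a moving tag; pin a release tag or digest so
    # that an image upgrade is an explicit, reviewable change.
    image: traefik:latest
    container_name: traefik
    command:
      # --- Dashboard ---
      - "--api.dashboard=true"   # enable the dashboard
      - "--api.insecure=false"   # no unauthenticated API/dashboard on :8080
      # For a local test only, insecure mode can be switched on:
      # - "--api.insecure=true"

      # --- Docker provider ---
      - "--providers.docker=true"
      # Containers are routed only when they carry the label traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"

      # --- EntryPoints ---
      - "--entrypoints.web.address=:80"         # HTTP
      - "--entrypoints.websecure.address=:443"  # HTTPS
      # HTTP -> HTTPS redirect. It applies to every request on `web`, so routers
      # bound only to `web` are redirected as well; comment both lines out for
      # an HTTP-only test setup.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"

      # --- ACME / Let's Encrypt ---
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge.entrypoint=web"
      # The page shows this argument as "[email protected]": e-mail obfuscation
      # replaced the flag name together with the address, leaving a stray
      # argument. The address below is a placeholder; use a monitored mailbox.
      - "--certificatesresolvers.lets-encrypt.acme.email=admin@example.com"
      - "--certificatesresolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"    # HTTP, also serves the ACME HTTP-01 challenge
      - "443:443"  # HTTPS
      # Insecure-mode dashboard port. Nothing listens on it while
      # api.insecure=false; it is bound to loopback so that enabling insecure
      # mode for a test does not publish the API on every host interface.
      - "127.0.0.1:8080:8080"
    volumes:
      # NOTE(review): `:ro` only makes the socket file read-only; the Docker API
      # behind it stays fully usable, so this container effectively has control
      # of the Docker daemon. A filtering socket proxy narrows that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the ACME account key and certificate private keys:
      # keep ./letsencrypt out of version control and readable by root only.
      - ./letsencrypt:/letsencrypt
    # With api.insecure=false the dashboard is reachable only through a router
    # that targets the built-in api@internal service. Sketch with placeholder
    # host name and credentials:
    # labels:
    #   - "traefik.enable=true"
    #   - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
    #   - "traefik.http.routers.dashboard.entrypoints=websecure"
    #   - "traefik.http.routers.dashboard.tls.certresolver=lets-encrypt"
    #   - "traefik.http.routers.dashboard.service=api@internal"
    #   - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
    #   - "traefik.http.middlewares.dashboard-auth.basicauth.users=<user>:<htpasswd-hash>"
    restart: unless-stopped
    networks:
      - shared_traefik

networks:
  # Created outside this file; other stacks join it to be reachable by Traefik.
  shared_traefik:
    external: true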
💡 Пояснення:
- HTTP-only: якщо хочеш тестити без TLS, можна закоментувати websecure entrypoint і редиректи.
- HTTPS / Let’s Encrypt: включається через websecure entrypoint і certresolver=lets-encrypt.
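- Dashboard можна захистити Basic Auth: при api.insecure=false він доступний лише через окремий роутер на сервіс api@internal, і middleware basicauth підключається саме до цього роутера.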
Monitoring стек (docker-compose.yml)
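---
# Monitoring stack: Prometheus + Alertmanager + Karma for metrics and alerts,
# Loki + Promtail for logs, Grafana for dashboards, blackbox_exporter for probes.
# Services with traefik.* labels are published through the Traefik stack.
#
# NOTE(review): every image uses the moving `latest` tag; pin release tags or
# digests so that upgrades are explicit.
# NOTE(review): all services join shared_traefik, including those without
# traefik.* labels (prometheus, loki, promtail, blackbox_exporter). Every
# container on that external network can reach them; presumably only the routed
# services need it. Verify before detaching the others.
version: "3.9"

services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    volumes:
      - ./prometheus:/etc/prometheus
      - prom_data:/prometheus
      - ./prometheus/alerts:/etc/prometheus/alerts
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
    restart: unless-stopped
    ports:
      # NOTE(review): published on all host interfaces and Prometheus has no
      # authentication of its own here. Use "127.0.0.1:9090:9090", or drop the
      # mapping if only containers on `monitoring` need access.
      - "9090:9090"
    networks:
      - shared_traefik
      - monitoring

  alertmanager:
    image: prom/alertmanager:latest
    container_name: alertmanager
    volumes:
      - ./alertmanager:/etc/alertmanager
      - alertmanager_data:/alertmanager
    command:
      - "--config.file=/etc/alertmanager/alertmanager.yml"
      - "--storage.path=/alertmanager"
    restart: unless-stopped
    labels:
      # NOTE(review): this router has no auth middleware, so the Alertmanager
      # UI and API (silences included) are open to anyone who can reach the host name.
      - "traefik.enable=true"
      - "traefik.http.routers.alertmanager.rule=Host(`alertmanager.osvex.com`)"
      # --- HTTP-only ---
      - "traefik.http.routers.alertmanager.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.alertmanager.entrypoints=websecure"
      # - "traefik.http.routers.alertmanager.tls.certresolver=lets-encrypt"
      - "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
      # Tells Traefik which of the container's networks to proxy over.
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      # The original hard-coded admin/admin. The password now comes from the
      # shell or a .env file beside this compose file, and Compose refuses to
      # start when it is unset. Grafana applies the value when it first
      # initialises its database; an existing grafana_data volume keeps the old
      # password until it is changed in Grafana itself.
      - "GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD:?set GF_SECURITY_ADMIN_PASSWORD}"
    volumes:
      - grafana_data:/var/lib/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.osvex.com`)"
      # --- HTTP-only ---
      # The Grafana login travels unencrypted on this entrypoint; switch to the
      # HTTPS pair below outside of a test setup.
      - "traefik.http.routers.grafana.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.grafana.entrypoints=websecure"
      # - "traefik.http.routers.grafana.tls.certresolver=lets-encrypt"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
      - "traefik.http.services.grafana.loadbalancer.server.scheme=http"
      - "traefik.docker.network=shared_traefik"
    # Added for consistency with the other long-running services in this file.
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  karma:
    image: ghcr.io/prymitive/karma:latest
    container_name: karma
    command: ["--config.file=/etc/karma/config.yml"]
    volumes:
      - ./karma:/etc/karma
      - karma_data:/karma_data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.karma.rule=Host(`karma.osvex.com`)"
      # --- HTTP-only ---
      # Basic Auth credentials are sent base64-encoded, not encrypted, so on
      # this entrypoint they are readable on the wire.
      - "traefik.http.routers.karma.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.karma.entrypoints=websecure"
      # - "traefik.http.routers.karma.tls.certresolver=lets-encrypt"
      - "traefik.http.services.karma.loadbalancer.server.port=8080"
      - "traefik.http.services.karma.loadbalancer.server.scheme=http"
      # htpasswd entry; `$$` is Compose escaping for a literal `$`.
      # NOTE(review): this hash is published with the file, so treat the
      # password as exposed and rotate it. basicauth.usersfile keeps the entry
      # out of the compose file.
      - "traefik.http.middlewares.karma-auth.basicauth.users=osvex:$$apr1$$fpZgIrG8$$BIT6g9qiTm1RM09s5BZVh/"
      - "traefik.http.routers.karma.middlewares=karma-auth"
      - "traefik.docker.network=shared_traefik"
    # Added for consistency with the other long-running services in this file.
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  loki:
    image: grafana/loki:latest
    container_name: loki
    command: ["-config.file=/etc/loki/config.yml"]
    volumes:
      - ./loki:/etc/loki
      - loki_data:/loki
    restart: unless-stopped
    ports:
      # NOTE(review): published on all host interfaces; whether the Loki API
      # requires authentication depends on ./loki/config.yml, which is not shown.
      # Bind to 127.0.0.1 or drop the mapping unless remote agents push logs here.
      - "3100:3100"
    networks:
      - shared_traefik
      - monitoring

  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    command: ["-config.file=/etc/promtail/config.yml"]
    volumes:
      - ./promtail:/etc/promtail
      - /var/log:/var/log:ro
      # NOTE(review): host /tmp is mounted read-write, presumably for the
      # positions file. A named volume would avoid sharing the host's
      # world-writable /tmp. Confirm against ./promtail/config.yml.
      - /tmp:/tmp
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  blackbox_exporter:
    image: prom/blackbox-exporter:latest
    container_name: blackbox_exporter
    volumes:
      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
    command: ["--config.file=/etc/blackbox_exporter/config.yml"]
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

volumes:
  prom_data:
  grafana_data:
  loki_data:
  karma_data:
  alertmanager_data:

networks:
  # Created by the Traefik stack's environment; must exist before `up`.
  shared_traefik:
    external: true
  # Private network for traffic between the monitoring services.
  monitoring:
    driver: bridge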
🔹 Пояснення
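- HTTP-only: для тесту, швидкий доступ без сертифікатів, використовується entrypoint web. У Traefik-стеку при цьому мають бути закоментовані редиректи на websecure, інакше запит буде перенаправлено на HTTPS, де для сервісу немає роутера.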
- HTTPS / Let’s Encrypt: розкоментувати websecure + tls.certresolver=lets-encrypt і переконатися, що Traefik має доступ на запис до acme.json; у цьому файлі зберігаються приватні ключі, тому Traefik вимагає для нього права 600.
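- Basic Auth: можна підключити окремо для Dashboard або для сервісів (як у Karma). Через entrypoint web (без TLS) логін і пароль ідуть мережею у відкритому вигляді, тому Basic Auth має сенс разом із websecure.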
- traefik.docker.network=shared_traefik — важливий для сервісів із декількома мережами, щоб Traefik знав, по якій мережі проксувати.