michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a96bd41326678374f6db079422ed86a4e6d8564c
michaelschiemer/deployment/stacks/traefik/docker-compose.yml
Michael Schiemer 06bad20123 fix: Explicitly exclude ACME challenge path from HTTPS redirect 
- Add explicit exclusion of /.well-known/acme-challenge from catch-all redirect
- Ensures ACME challenges are never redirected to HTTPS
- Traefik handles ACME challenges automatically, but explicit exclusion is safer
2025-11-08 18:46:27 +01:00

74 lines
2.9 KiB
YAML
Raw Blame History

services:
traefik:
image: traefik:v3.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
# Use bridge network mode for reliable service discovery
# Service discovery works correctly with Docker labels in bridge mode
ports:
- "80:80"
- "443:443"
- "2222:2222" # Gitea SSH
networks:
- traefik-public
environment:
- TZ=Europe/Berlin
command:
# Load static configuration file
- "--configFile=/traefik.yml"
# Increase timeouts for slow backends like Gitea
- "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=300s"
- "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=300s"
- "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=360s"
volumes:
# Docker socket for service discovery
- /var/run/docker.sock:/var/run/docker.sock:ro
# Static configuration
- ./traefik.yml:/traefik.yml:ro
# Dynamic configuration
- ./dynamic:/dynamic:ro
# SSL certificates
- ./acme.json:/acme.json
# Logs
- ./logs:/logs
labels:
# Enable Traefik for itself
- "traefik.enable=true"
# Dashboard - BasicAuth protected
- "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.tls=true"
- "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
# BasicAuth for dashboard
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$Of2wG3O5$$y8X1vEoIp9vpvx64mIalk/"
# Note: ACME challenges are handled automatically by Traefik
# when httpChallenge.entryPoint: web is set in traefik.yml
# No explicit router needed - Traefik handles /.well-known/acme-challenge automatically
# Global redirect to HTTPS (lower priority, matches everything else)
# ACME challenges are excluded from redirect automatically by Traefik
# Explicitly exclude ACME challenge path to be safe
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`) && !PathPrefix(`/.well-known/acme-challenge`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.routers.http-catchall.priority=1"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
healthcheck:
test: ["CMD", "traefik", "healthcheck", "--ping"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
networks:
traefik-public:
external: true
Reference in New Issue View Git Blame Copy Permalink