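##
# Traefik config file.
#
# Defines:
# - what ports / protos we listen on
# - authentication for services exposed via those ports
# - how to manage LetsEncrypt
#
# See: https://docs.traefik.io/
#
##

# Not strictly needed, but is quite helpful for identifying problems on startup.
# Debug output is verbose; switch it off once the setup is stable.
debug = true

# INFO is fine as the load on this service is low, so the logs don't have a whole
# lot of mostly useless messages in them. Tweak as needed / if logs become too
# full of "things are fine" messages.
logLevel = "INFO"

defaultEntryPoints = ["https", "http"]

# Define the "frontends" that listen for traffic
[entryPoints]

# Basic HTTP ingress
[entryPoints.http]
address = ":80"

# Immediately redirect to https (the ACME HTTP challenge below is the one exception)
[entryPoints.http.redirect]
entryPoint = "https"

# Must use TLS 1.2+ for HTTPS
[entryPoints.https]
address = ":443"

# Require a user and a password for anything exposed over HTTPS.
# You can use the `htpasswd` tool to modify the file to suit your needs.
# This file can be replaced; current setup is this file is generated by
# bootstrap.sh.
# NOTE: the path is relative to Traefik's working directory, so keep the file
# next to this config (or use an absolute path) and keep its permissions
# restricted to the user Traefik runs as.
# TODO: link in the docs for alternative auth tools
[entryPoints.https.auth.basic]
usersFile = ".htpasswd"

[entryPoints.https.tls]
# TODO: support 1.3, too
# TODO: does android 9 use tls 1.3 for DoT? if yes, force...
minVersion = "VersionTLS12"
# Forward-secret AEAD suites only (names follow Go's crypto/tls). All of these
# are ECDHE_RSA suites, i.e. they assume an RSA certificate; if the certificate
# is ever switched to ECDSA, the matching ECDHE_ECDSA suites must be added or
# handshakes will fail.
cipherSuites = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

[frontends]
# TODO: confirm that this is actually set, properly
# NOTE(review): Traefik v1 configures headers per frontend
# ([frontends.<name>.headers]); as written this may simply define a frontend
# named "headers" rather than apply HSTS globally -- verify with a response
# header check. If it is not applied, set the HSTS labels on each container.
[frontends.headers]
STSSeconds = 315360000  # 10 years
STSIncludeSubdomains = true
STSPreload = false

# Enable request retries with Traefik's default attempt count
[retry]

# This is our connection to the docker socket.
# Access to the docker socket is root-equivalent on the host, so keep the
# Traefik container minimal and do not mount the socket anywhere else.
# TODO: further testing: this may not be strictly necessary for traefik in this config
[docker]
endpoint = "unix:///var/run/docker.sock"
# The domain that points to this instance of traefik
domain = "your.domain.here"
watch = true
# Containers must opt in with a label; nothing is exposed by accident
exposedByDefault = false

# See: https://docs.traefik.io/configuration/acme/
[acme]
# We do not want to (attempt to) get a certificate for each host on the front-end
# by default. We'll use labels to explicitly set the hosts that we want.
onHostRule = false
# The staging server lets us get certs w/o hitting quota
#caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
email = "your.email.here"
# Holds the ACME account key and the issued private keys: writable by Traefik,
# readable by nobody else (mode 600), and never committed to the repo.
storage = "acme.json"
entryPoint = "https"

# Let's Encrypt uses HTTP for their ACME challenge.
# The whole idea behind LE is you don't currently have SSL,
# so we need to allow ONLY the acme challenge in over HTTP.
# This effectively negates the "redirect all http to https" config above
# for that one path.
[acme.httpChallenge]
entryPoint = "http"

# TODO: link to docs
# The domains we'd like the cert to be for
[[acme.domains]]
main = "your.domain.here"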