  1. version: "3.7"
  2.  
  3. ########################### NETWORKS
  4. networks:
  5.   t2_proxy:
  6.     external:
  7.       name: t2_proxy
  8.   default:
  9.     driver: bridge
  10.  
  11. ########################### SERVICES
  12. services:
  13. # All services / apps go below this line
  14.  
  15. # Traefik 2 - Reverse Proxy
  16.   traefik:
  17.     container_name: traefik
  18.     image: traefik:2.2.1 # the chevrotin tag refers to v2.2.x but introduced a breaking change in 2.2.2
  19.     restart: unless-stopped
  20.     command: # CLI arguments
  21.       - --global.checkNewVersion=true
  22.       - --global.sendAnonymousUsage=true
  23.       - --entryPoints.http.address=:80
  24.       - --entryPoints.https.address=:443
  25.         # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
  26.       - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
  27.       - --entryPoints.traefik.address=:8080
  28.       - --api=true
  29.       - --api.insecure=true
  30.       - --api.dashboard=true
  31.       #- --ping=true
  32.       #- --pilot.token=$TRAEFIK_PILOT_TOKEN
  33.       # - --serversTransport.insecureSkipVerify=true
  34.       - --log=true
  35.       - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  36.       - --accessLog=true
  37.       - --accessLog.filePath=/traefik.log
  38.       - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
  39.       - --accessLog.filters.statusCodes=400-499
  40.       - --providers.docker=true
  41.       - --providers.docker.endpoint=unix:///var/run/docker.sock
  42.       #- --providers.docker.endpoint=tcp://socket-proxy:2375
  43.       - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
  44.       - --providers.docker.exposedByDefault=false
  45.       - --entrypoints.https.http.tls.certresolver=dns-cloudflare
  46.       - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
  47.       - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
  48.       - --providers.docker.network=t2_proxy
  49.       - --providers.docker.swarmMode=false
  50.       - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
  51. #      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
  52.       - --providers.file.watch=true # Only works on top level files in the rules folder
  53.       - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
  54.       - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
  55.       - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
  56.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
  57.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
  58.       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
  59.     networks:
  60.       t2_proxy:
  61.         ipv4_address: 192.168.90.254 # You can specify a static IP
  62. #    networks:
  63. #      - t2_proxy
  64.     security_opt:
  65.      - no-new-privileges:true
  66.     ports:
  67.       - target: 80
  68.         published: 80
  69.         protocol: tcp
  70.         mode: host
  71.       - target: 443
  72.         published: 443
  73.         protocol: tcp
  74.         mode: host
  75.       - target: 8080
  76.         published: 8080
  77.         protocol: tcp
  78.         mode: host
  79.     volumes:
  80.      - $DOCKERDIR/traefik2/rules:/rules
  81.       - /var/run/docker.sock:/var/run/docker.sock:ro
  82.       - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
  83.       - $DOCKERDIR/traefik2/traefik.log:/traefik.log
  84.       - $DOCKERDIR/shared:/shared
  85.     environment:
  86.      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
  87.       - CF_API_KEY=$CLOUDFLARE_API_KEY
  88.     labels:
  89.      - "traefik.enable=true"
  90.       # HTTP-to-HTTPS Redirect
  91.       - "traefik.http.routers.http-catchall.entrypoints=http"
  92.       - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
  93.       - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  94.       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
  95.       # HTTP Routers
  96.       - "traefik.http.routers.traefik-rtr.entrypoints=https"
  97.       - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
  98.       #- "traefik.http.routers.traefik-rtr.tls=true"
  99.       #- "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
  100.       #- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
  101.       #- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
  102. #      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
  103. #      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
  104.       ## Services - API
  105.       - "traefik.http.routers.traefik-rtr.service=api@internal"
  106.       ## Healthcheck/ping
  107.       #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME`) && Path(`/ping`)"
  108.       #- "traefik.http.routers.ping.tls=true"
  109.       #- "traefik.http.routers.ping.service=ping@internal"
  110.       ## Middlewares
  111.       - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
  112.  