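---
# Traefik edge proxy. This file is an Ansible/Jinja template: every
# `{{ ... }}` expression is substituted before Compose parses the result,
# so the rendered output (not this template) is what must be valid YAML.
#
# `version` is ignored (with a warning) by Compose v2; kept for older clients.
version: '3'

services:
  traefik:
    # NOTE(review): `latest` is an unpinned, mutable tag. Traefik 3.x removed
    # several `headers` options that are still used below (`sslRedirect`,
    # `featurePolicy`), so a silent major upgrade can break this config.
    # Pin to the tag this was written against, ideally by digest
    # (image: traefik:<version>@sha256:<digest>).
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy: {}
      metrics: {}
      vpn:
        # Templated scalar: quoted so an empty or odd-looking expansion cannot
        # be re-typed by the YAML parser.
        ipv4_address: "{{ server.vpn.reverse_proxy_ip }}"
    ports:
      # Quoted per Compose convention (avoids the YAML 1.1 sexagesimal trap
      # for port numbers below 60).
      - "80:80"
      - "443:443"
    volumes:
      # `:ro` only makes the socket file read-only on the filesystem; the
      # Docker API reached through it is still fully privileged (container
      # create/exec with host mounts == root on the host). If that is not
      # acceptable, front it with a docker-socket-proxy that exposes only the
      # read endpoints Traefik needs, and point the provider at that instead.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./config/dynamic_conf.yml:/dynamic_conf.yml:ro
      # acme.json holds the private keys for every issued certificate; Traefik
      # refuses to use it unless it is mode 0600. Ensure the provisioning step
      # creates it with that mode before the container starts.
      - {{ server.work_dir }}/traefik/base/acme.json:/acme.json:rw
      - {{ server.work_dir }}/traefik/base/access.log:/var/log/traefik/access.log:rw
      - {{ server.work_dir }}/traefik/base/traefik.log:/var/log/traefik/traefik.log:rw
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    extra_hosts:
      - host.docker.internal:host-gateway
    labels:
      - traefik.enable=true
      # Dashboard / API router. It is protected only by the `private-network@file`
      # middleware defined in dynamic_conf.yml (not visible here, presumably an
      # IP allowlist); there is no authentication middleware on this router, so
      # anyone who can reach it from an allowed address gets the full dashboard.
      # Consider adding basicAuth/forwardAuth to the chain.
      - traefik.http.routers.traefik-secure.entrypoints=https
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.{{ server.domain }}`)"
      # `tls-rep` is a redirectRegex middleware with no `regex`/`replacement`
      # set, so it appears to be a no-op as written (TODO confirm intent). An
      # HTTP->HTTPS redirect is better expressed once on the `http` entrypoint
      # in traefik.yml (entryPoints.*.http.redirections) than per router.
      - traefik.http.middlewares.tls-rep.redirectregex.permanent=true
      # `sslRedirect` is deprecated in Traefik v2 and removed in v3; see the
      # entrypoint redirection note above.
      - traefik.http.middlewares.tls-header.headers.SSLRedirect=true
      # HSTS: 10 years, includeSubDomains and preload. Preload is effectively
      # irreversible and applies to every subdomain of the apex, so only keep
      # it if every host under {{ server.domain }} serves HTTPS.
      - traefik.http.middlewares.tls-header.headers.forceSTSHeader=true
      - traefik.http.middlewares.tls-header.headers.STSSeconds=315360000
      - traefik.http.middlewares.tls-header.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.tls-header.headers.STSPreload=true
      # X-XSS-Protection is deprecated; modern browsers ignore it and it can
      # introduce side channels in the ones that do not. Harmless here but
      # not a substitute for a Content-Security-Policy.
      - traefik.http.middlewares.tls-header.headers.browserXSSFilter=true
      - traefik.http.middlewares.tls-header.headers.contentTypeNosniff=true
      # `customFrameOptionsValue` overrides `frameDeny`, so the original
      # `frameDeny=true` + `customFrameOptionsValue=SAMEORIGIN` pair was
      # contradictory and the effective header was SAMEORIGIN anyway. Only
      # the value that actually takes effect is kept, to make intent explicit.
      - traefik.http.middlewares.tls-header.headers.customFrameOptionsValue=SAMEORIGIN
      # Feature-Policy is superseded by Permissions-Policy (`permissionsPolicy`
      # in Traefik); the `featurePolicy` option is removed in Traefik v3.
      - "traefik.http.middlewares.tls-header.headers.featurePolicy=accelerometer 'none'; ambient-light-sensor 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; usb 'none'; midi 'none'; sync-xhr 'none'; vr 'none'"
      - traefik.http.middlewares.tls-header.headers.referrerPolicy=strict-origin-when-cross-origin
      - traefik.http.middlewares.tls-chain.chain.middlewares=tls-rep,tls-header
      - traefik.http.routers.traefik-secure.middlewares=tls-chain,private-network@file
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=sslResolver
      - traefik.http.routers.traefik-secure.service=api@internal
    logging:
      # The Loki log driver runs inside the Docker daemon on the host, so
      # `loki` must resolve from the host's network namespace, not from the
      # compose networks above (e.g. via a published port or a host alias).
      # Access logs are shipped in plaintext HTTP; fine on a trusted segment,
      # otherwise terminate TLS in front of Loki.
      driver: loki
      options:
        loki-url: "http://loki:3100/loki/api/v1/push"

networks:
  metrics:
    external: true
  proxy:
    external: true
  vpn:
    external: true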