Per eind 2021 wordt Traefik 1.x niet meer ondersteund (en krijgt het dus ook geen beveiligingsfixes meer). Daarom nu alvast de overstap naar Traefik 2.x.

Docker Compose voor de Traefik 2 container

In 2.3.5 werkt de opzet met losse rule-bestanden anders: de opzet die met 2.2 werkt, werkt niet met 2.3.5. Vandaar dat op dit moment nog 2.2 in gebruik is. Let wel: zolang je op 2.2 blijft, mis je ook de fixes uit latere 2.x-releases, dus beschouw dit als een tijdelijke situatie.

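version: "3.6"
services:
  traefikv2:
    container_name: traefikv2
    # Pinned to 2.2 because the /rules layout used on this page breaks on 2.3.5
    # (see the text above). An old minor receives no further fixes; revisit the pin.
    image: traefik:v2.2
    restart: always
    ports:
      - 80:80
      - 443:443
      # Host port 5656 -> container 8080 was the "insecure" API/dashboard entrypoint
      # enabled by api.insecure in traefik.toml. That entrypoint has no
      # authentication, so publishing it bypasses the basicauth router below.
      # The dashboard is reached through api@internal on :443 instead.
      # - 5656:8080
    volumes:
      # The socket is the full Docker API. The ":ro" flag makes the mount
      # read-only but does not restrict which API calls can be made over it;
      # a socket proxy that only allows the read-only endpoints Traefik needs
      # is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefikv2/traefik.toml:/traefik.toml:ro
      # acme.json holds the Let's Encrypt account key and certificates. Traefik
      # needs write access and refuses to start unless the file is mode 600.
      - ${USERDIR}/docker/traefikv2/acme.json:/acme.json
      - ${USERDIR}/docker/traefikv2/rules:/rules:ro
      - ${USERDIR}/docker/shared/.htpasswd:/.htpasswd:ro
    labels:
      - traefik.enable=true
      # http -> https redirect for the dashboard hostname
      - traefik.http.middlewares.traefik-redirect.redirectscheme.scheme=https
      - traefik.http.routers.traefik-redirect.entrypoints=web
      - traefik.http.routers.traefik-redirect.middlewares=traefik-redirect
      - traefik.http.routers.traefik-redirect.rule=Host(`traefik.domeinnaam.nl`)
      # Dashboard/API over TLS, protected by HTTP basic auth
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.rule=Host(`traefik.domeinnaam.nl`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=auth
      # Absolute path to the mounted htpasswd file; the relative ".htpasswd"
      # appears to have worked only because the container's working directory is /.
      - traefik.http.middlewares.auth.basicauth.usersfile=/.htpasswd
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt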

traefik.toml

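# Static configuration for Traefik 2.2 (mounted as /traefik.toml).

[api]
  dashboard = true
  # insecure = true serves the API and dashboard without any authentication on
  # an extra :8080 entrypoint. The dashboard is reached through the
  # basicauth-protected api@internal router on :443 instead, so keep this off.
  insecure = false

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    watch = true
    # Only containers that carry traefik.enable=true are exposed.
    exposedbydefault = false
  [providers.file]
    # Dynamic configuration: middlewares, chains and rule files for backends
    # that have no Docker labels.
    directory = "/rules"

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

# Disables TLS certificate verification towards EVERY backend Traefik talks to
# over https, not only UniFi (this is static configuration; per-service
# transports only exist in later 2.x releases). It is needed here because the
# UniFi controller on 8443 presents a certificate Traefik does not trust.
[serversTransport]
  insecureSkipVerify = true

[certificatesResolvers.letsencrypt.acme]
  email = "gebruiker@gmail.com"
  # Absolute path matching the volume mount; the file must be mode 600.
  storage = "/acme.json"
  [certificatesResolvers.letsencrypt.acme.httpChallenge]
    entryPoint = "web"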

In bovenstaande traefik.toml is dit deel specifiek noodzakelijk voor de UniFi controller, die op poort 8443 alleen https spreekt met een certificaat dat Traefik niet vertrouwt. Let op: deze instelling staat in de statische configuratie en geldt daarmee voor álle backends die Traefik via https benadert, niet alleen voor UniFi.

# Static (global) setting: Traefik skips certificate verification for every
# https backend, not only the UniFi controller.
[serversTransport]
  insecureSkipVerify = true   

middleware-chains.toml

# Reusable middleware chains. Routers in the file provider reference them as
# "chain-no-auth" / "chain-basic-auth"; Docker labels need the "@file" suffix.
# The individual middlewares are defined in middlewares.toml.

# Rate limiting + security headers only (for services that have no
# authentication of their own here, or bring their own login).
[http.middlewares.chain-no-auth.chain]
  middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers"]

# Same as above, followed by HTTP basic auth in front of the service.
[http.middlewares.chain-basic-auth.chain]
  middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth"]

middlewares.toml

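# Individual middlewares, combined by the chains in middleware-chains.toml.
# (TOML ignores indentation; the tables below are siblings, not nested.)

[http.middlewares.middlewares-basic-auth.basicAuth]
  realm = "Traefik2 Basic Auth"
  # Absolute path to the htpasswd file mounted into the container; the
  # relative ".htpasswd" appears to have relied on the working directory being /.
  usersFile = "/.htpasswd"

[http.middlewares.middlewares-rate-limit.rateLimit]
  # Sustained rate of 100 requests/second; at most 50 may pass in the same
  # arbitrarily short burst.
  average = 100
  burst = 50

[http.middlewares.middlewares-secure-headers.headers]
  # CORS settings
  accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
  accessControlMaxAge = 100
  hostsProxyHeaders = ["X-Forwarded-Host"]
  # The rule files already redirect via redirectScheme; Traefik's docs mark
  # sslRedirect as deprecated in favour of that, so this can eventually go.
  sslRedirect = true
  # HSTS: two years, subdomains included, preload-eligible.
  stsSeconds = 63072000
  stsIncludeSubdomains = true
  stsPreload = true
  forceSTSHeader = true
  # The previous value "allow-from https:domeinnaam.nl" was malformed (missing
  # "//"), and ALLOW-FROM is not honoured by current browsers, so it gave no
  # clickjacking protection. SAMEORIGIN is the safe default. If another origin
  # must embed these sites, use a CSP frame-ancestors directive instead, e.g.
  #   contentSecurityPolicy = "frame-ancestors 'self' https://domeinnaam.nl"
  # but note this header replaces any CSP the backend itself sends.
  customFrameOptionsValue = "SAMEORIGIN"
  browserXssFilter = true
  referrerPolicy = "same-origin"
  featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
  [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
    # Keep these hosts out of search engines (the trailing comma is harmless).
    X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
    # Suppress the backend's Server header.
    server = ""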

Rule-bestanden voor services die Traefik niet via Docker-labels kan vinden: containers die in het host-netwerk draaien (bijvoorbeeld `network_mode: host`), of bijvoorbeeld OctoPrint dat op een losse Raspberry Pi draait. Hieronder twee voorbeelden (nas en octoprint), elk in een eigen bestand in de map /rules — de tabel [http] mag binnen één TOML-bestand maar één keer voorkomen. Merk op dat beide backends via gewoon http worden benaderd: het verkeer tussen Traefik en de backend over het LAN is dus onversleuteld.

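# /rules/nas.toml - NAS web UI on the LAN, reached by Traefik over plain http.
[http]
  [http.middlewares]
    # http -> https redirect for this host
    [http.middlewares.nas-redirect.redirectScheme]
      scheme = "https"

  [http.routers.nas-redirect]
    entrypoints = ["web"]
    rule = "Host(`nas.domeinnaam.nl`)"
    middlewares = ["nas-redirect"]
    service = "nas"

  [http.routers.nas]
    entrypoints = ["websecure"]
    rule = "Host(`nas.domeinnaam.nl`)"
    # Rate limit + security headers from middleware-chains.toml. This assumes
    # the NAS enforces its own login; use "chain-basic-auth" to add one in front.
    middlewares = ["chain-no-auth"]
    service = "nas"
    [http.routers.nas.tls]
      certResolver = "letsencrypt"

  [http.services]
    # One casing for the key: the original mixed "loadbalancer" and
    # "loadBalancer", which only worked because Traefik's parser is lenient.
    # Traffic between Traefik and the NAS is unencrypted.
    [[http.services.nas.loadBalancer.servers]]
      url = "http://192.168.178.22:5000"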
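# /rules/octoprint.toml - OctoPrint on a separate Raspberry Pi, reached over
# plain http. OctoPrint's own documentation warns against exposing it to the
# internet; anything in front of it should at least add auth and rate limiting.
[http]
  [http.middlewares]
    # http -> https redirect for this host
    [http.middlewares.octoprint-redirect.redirectScheme]
      scheme = "https"

  [http.routers.octoprint-redirect]
    entrypoints = ["web"]
    rule = "Host(`octoprint.domeinnaam.nl`)"
    middlewares = ["octoprint-redirect"]
    service = "octoprint"

  [http.routers.octoprint]
    entrypoints = ["websecure"]
    rule = "Host(`octoprint.domeinnaam.nl`)"
    # Rate limit + security headers from middleware-chains.toml. For a device
    # that drives a printer, "chain-basic-auth" is the stronger choice (browsers
    # handle it; API clients then need the basic-auth credentials too).
    middlewares = ["chain-no-auth"]
    service = "octoprint"
    [http.routers.octoprint.tls]
      certResolver = "letsencrypt"

  [http.services]
    # One casing for the key (the original mixed "loadbalancer"/"loadBalancer").
    # Traffic between Traefik and the Pi is unencrypted.
    [[http.services.octoprint.loadBalancer.servers]]
      url = "http://192.168.178.58/"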

Unifi Controller

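  unifi-controller:
    # No tag: this floats to whatever "latest" is at pull time. Pin a specific
    # version so upgrades are deliberate and reproducible.
    image: linuxserver/unifi-controller
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ${USERDIR}/docker/unifi:/config
    ports:
      # Ports the UniFi devices talk to directly (see the image documentation).
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8081:8081
      # 8443 is the https web UI/API. Publishing it on all host interfaces makes
      # it reachable without going through Traefik's router and middlewares;
      # bind it to a LAN address (e.g. 192.168.178.x:8443:8443) or drop the
      # mapping if only Traefik should front it.
      - 8443:8443
      - 8843:8843
      - 8880:8880
      - 6789:6789
    restart: unless-stopped
    labels:
      - traefik.enable=true
      # http -> https redirect, consistent with the other routers on this page
      - traefik.http.middlewares.unifi-redirect.redirectscheme.scheme=https
      - traefik.http.routers.unifi-redirect.entrypoints=web
      - traefik.http.routers.unifi-redirect.rule=Host(`unifi.domeinnaam.nl`)
      - traefik.http.routers.unifi-redirect.middlewares=unifi-redirect
      - traefik.http.routers.unifi.rule=Host(`unifi.domeinnaam.nl`)
      - traefik.http.routers.unifi.entrypoints=websecure
      - traefik.http.routers.unifi.tls=true
      - traefik.http.routers.unifi.tls.certresolver=letsencrypt
      # The controller only speaks https on 8443, with a certificate Traefik does
      # not trust; that is why traefik.toml sets serversTransport.insecureSkipVerify.
      - traefik.http.services.unifi.loadbalancer.server.scheme=https
      - traefik.http.services.unifi.loadbalancer.server.port=8443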