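# Traefik v3 static configuration (ОСК reverse proxy / SNI router)
# Mounted read-only at /etc/traefik/traefik.yml
#
# Static configuration is read once at start-up; routers, middlewares and
# TLS options are dynamic configuration and come from the providers below.

global:
  # No outbound version check and no usage telemetry from the proxy host.
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: INFO
# Empty mapping = access log enabled with Traefik's defaults.
accessLog: {}

api:
  # Exposed via dynamic/web.yml router (traefik.osk.team) with basic-auth.
  # NOTE(review): that router and its auth middleware are not part of this
  # file; confirm the middleware is really attached before relying on it.
  dashboard: true
  # Pinned explicitly (this is also the default): the API/dashboard must never
  # be served unauthenticated on the internal "traefik" entry point.
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      # Every plain-HTTP request is redirected to HTTPS on websecure.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    # NOTE: TLS-passthrough TCP routers and TLS-terminating HTTP routers coexist
    # on :443 — Traefik matches specific HostSNI(...) TCP routers first, and
    # everything else falls through to the HTTP routers.
    # Passthrough traffic is not decrypted here, so HTTP middlewares
    # (auth, headers, rate limits) do not apply to those hosts.

providers:
  # Docker labels (for local containers that opt in with traefik.enable=true)
  # NOTE(review): this provider needs Docker API access; how that access is
  # granted is defined outside this file. Prefer a read-only, filtered
  # endpoint over mounting the raw Docker socket into the proxy container.
  docker:
    exposedByDefault: false
    network: reverseproxy-nw
  # File provider = all the static routing (SNI passthrough + dashboards)
  # With watch enabled, any file written to this directory becomes live
  # routing; keep it writable by administrators only.
  file:
    directory: /etc/traefik/dynamic
    watch: true

# Let's Encrypt — only for hosts Traefik TERMINATES (dashboards).
# Passthrough hosts (workfolders/mail/kdcproxy) keep their own backend certs.
certificatesResolvers:
  le:
    acme:
      email: gamroot@osk.team  # <-- CHANGE to a real address
      # acme.json holds the ACME account key and the issued private keys:
      # keep it on a persistent volume with file mode 600.
      storage: /acme/acme.json
      httpChallenge:
        entryPoint: web
      # For internal-only dashboards not reachable on :80 from the internet,
      # switch to a dnsChallenge or a default self-signed cert instead.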