@Flouse
Last active August 19, 2020 14:17
# Accessing the Docker API without any restriction is a security concern:
# if Traefik is compromised, the attacker can use the Docker socket to take over the underlying host.
#
# This docker-compose file therefore does not mount the Docker socket into Traefik. Instead, a
# socket proxy exposes a filtered subset of the Docker API over TCP on a private network, and
# Traefik talks to that proxy rather than to the default Unix socket file.
#
# See also:
# https://docs.traefik.io/v2.3/providers/docker/#docker-api-access
# https://liquidat.wordpress.com/2018/12/12/howto-launch-traefik-as-a-docker-container-in-a-secure-way/
version: '3.8'

networks:
  # Only the socket proxy and Traefik are attached to this network
  dockersocket4traefik_nw:
  internal_nw:

services:
  # Authorize and filter requests to restrict the possible actions with the Tecnativa Docker Socket Proxy
  dockersocket:
    restart: unless-stopped
    image: tecnativa/docker-socket-proxy # https://github.com/Tecnativa/docker-socket-proxy
    # privileged: true may be required because the container connects to the Docker socket,
    # which is a privileged connection in some SELinux/AppArmor contexts and would otherwise be blocked:
    # privileged: true
    environment:
      # Allow only the read-only (GET/HEAD) container endpoints Traefik needs;
      # the proxy denies every other API section unless it is enabled explicitly
      - CONTAINERS=1
    expose:
      # Reachable as tcp://dockersocket:2375 from containers on dockersocket4traefik_nw only;
      # the port is deliberately not published on the host
      - 2375
    volumes:
      # So that the proxy can relay container listings and Docker events to Traefik
      - /var/run/docker.sock:/var/run/docker.sock:z
    networks:
      - dockersocket4traefik_nw

  traefik:
    container_name: traefik
    restart: unless-stopped
    # The official v2 Traefik docker image - https://hub.docker.com/_/traefik
    image: traefik:v2.3
    # Load the static configuration from traefik.toml; its Docker provider must point at
    # the proxy, e.g. [providers.docker] endpoint = "tcp://dockersocket:2375"
    command: "-c /etc/traefik/traefik.toml"
    ports:
      # The HTTP/HTTPS ports
      - "80:80"
      - "443:443"
      # The Web UI (enabled by api.insecure = true in traefik.toml), bound to loopback only
      - "127.0.0.1:8088:8080"
    volumes: # https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
      # The z option indicates that the bind mount content is shared among multiple containers.
      # The Z option indicates that the bind mount content is private and unshared.
      - "./traefik.toml:/etc/traefik/traefik.toml:Z"
      - "./acme.json:/acme.json:z"
      - "./dynamic_conf.toml:/etc/traefik/dynamic_conf.toml:ro"
    networks:
      - dockersocket4traefik_nw
      - internal_nw
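To check that the proxy really restricts what Traefik (or an attacker who has taken over the Traefik container) can do with the Docker API, here is an added audit script. It is not part of the gist, of Traefik or of the docker-socket-proxy project. It assumes that the proxy is reachable at the URL passed as the script's first argument (run it from a container attached to dockersocket4traefik_nw, or temporarily publish port 2375 on 127.0.0.1 for the test), that curl is installed, and that the proxy runs with CONTAINERS=1 plus the image's documented defaults (GET and HEAD only; EVENTS, PING and VERSION enabled; every other section denied with HAProxy's 403 response). The policy table inside expected_status() is this script's own encoding of those rules, not the proxy's configuration file.

```shell
#!/bin/sh
# Added audit script (not part of the gist). Probes a Tecnativa docker-socket-proxy
# configured like the compose file above and checks that it denies what it should.
# Assumptions: the proxy URL is given as $1 (e.g. http://dockersocket:2375 from a
# container on dockersocket4traefik_nw), curl is installed, and the proxy runs with
# CONTAINERS=1 and the image defaults (GET/HEAD only; EVENTS, PING, VERSION allowed).

# expected_status METHOD PATH
# Prints the status the filtered proxy should return: 200 for an allowed request,
# 403 (HAProxy's deny response) for everything else. An optional /vX.Y API version
# prefix is stripped first, because Docker clients send versioned paths.
expected_status() {
    method=$1
    path=$2
    case "$method" in
        GET|HEAD) ;;                          # read-only methods pass (POST=0 by default)
        *) echo 403; return ;;                # create/exec/build/... are all writes
    esac
    case "$path" in
        /v[0-9]*/*) path="/${path#/v*/}" ;;   # /v1.40/containers/json -> /containers/json
    esac
    case "$path" in
        /containers*) echo 200 ;;             # CONTAINERS=1 in the compose file
        /events*|/_ping|/version) echo 200 ;; # image defaults EVENTS=1 PING=1 VERSION=1
        *) echo 403 ;;                        # images, networks, volumes, secrets, ...
    esac
}

# probe PROXY_URL METHOD PATH
# Sends one request and compares the real status code with the expected one.
# A connection failure shows up as 000 and is reported as a failure too.
probe() {
    url=$1
    method=$2
    path=$3
    expected=$(expected_status "$method" "$path")
    actual=$(curl -s -o /dev/null -m 5 -w '%{http_code}' -X "$method" "$url$path")
    if [ "$actual" = "$expected" ]; then
        echo "ok    $method $path -> $actual"
    else
        echo "FAIL  $method $path -> $actual (expected $expected)"
        return 1
    fi
}

# audit PROXY_URL
# Runs the probes that distinguish a filtered proxy from a raw Docker socket.
# GET /events is deliberately left out: it is a streaming endpoint and would only time out.
audit() {
    rc=0
    probe "$1" GET  /version                || rc=1   # allowed by default
    probe "$1" GET  /v1.40/containers/json  || rc=1   # what Traefik needs
    probe "$1" GET  /images/json            || rc=1   # IMAGES not enabled -> 403
    probe "$1" GET  /v1.40/secrets          || rc=1   # SECRETS not enabled -> 403
    probe "$1" POST /containers/create      || rc=1   # any write -> 403
    probe "$1" POST /v1.40/build            || rc=1   # any write -> 403
    return $rc
}

# Only run the live probes when a proxy URL is given, so the policy function can be
# sourced and checked on its own.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Usage: `sh audit_proxy.sh http://dockersocket:2375` from a container on the proxy network. Pointed at an unfiltered socket (for instance a daemon listening on tcp://127.0.0.1:2375 without the proxy), the /images, /secrets and POST probes come back 200 or 400 instead of 403, which is exactly the capability the proxy removes from a compromised Traefik.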