Add extended Traefik example #55
base: master
Conversation
Putting on hold in favor of some more testing.
I'm planning on adding MTA-STSv1 and enforce SSL Cipher Suite preferences in a future PR as well.
Was testing this version. I already used socketproxy and traefik and didn't really understand the TLS part of anonaddy so this was perfect for me. Worked great (at least until issue #104 showed up again for me). I did have to modify a portion of the anonaddy.env file:
Needed to be changed to:
as that is the way certdumper exported the files for me.
@youngT2 Thanks for mentioning that. I can rebase and update or maybe split it up into different PRs with further additions (CrowdSec support with Traefik bouncer, watchtower config, restricted cipher suites etc.).
I also wanted to ask what is the purpose of the ports line in the socketproxy? Is it just to obscure the port from the system basically?
Reading the certdumper documentation a bit closer. Looks like if you include the
Because I share a docker network with multiple stacks I just wanted to make sure the proxy port won't collide with any other socket proxy I might declare. So I remapped it to an arbitrary high value. You can ignore that and just map 2375:2375 fine I guess.
Oh I didn't notice that. I'll make sure to adjust that for the updated PR. Thanks for the notice! :)
491c224 to 9b43a78
9b43a78 to 3175a0d
This PR has been adjusted to the latest developments and further extended with CrowdSec for SPAM and abuse protection as well as Watchtower for automatic image updates (can be configured per container). @crazy-max This example heavily reflects my own setup and is therefore somewhat up to debate. If you don't like some aspects of it I could remove them or alternatively split them up into further PRs or examples. Also, please let me know if there is anything I could improve. I did not bother to update and test more recent major releases of the Redis and MariaDB containers (for all examples consequently) which I could do for another PR when I get to it.
I have some questions regarding your configuration: In Furthermore, in my server, I already have a set of docker-compose files, including one for Traefik. Nevertheless, I wonder if the following services in your file can be generalized to others (and thus taken out of this file, with a network created outside of the file):
As far as I remember, it is indeed a service embedded inside the anonaddy service.
You can very well just define external networks elsewhere and distribute your configuration according to your existing setup by making those services take these other networks.
How to add MTA-STSv1 and a DANE record? Can someone guide me, as by default I couldn't find the path of MTA-STSv1.
Here is a tweaked Traefik example that automatically dumps the ACME certs used by traefik for use by Postfix SMTP(D) TLS including watch & restart of AnonAddy upon renewal. It also provides a feature complete config of AnonAddy (DKIM, DMARC, PGP signing, SMTP(D) TLS) for reference. It also employs Tecnativa's Docker socket proxy for enhanced security.
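The "watch & restart upon renewal" step in the description, as an added example that is not code from this PR or from the anonaddy project: a POSIX shell script that fingerprints the certificate files a dumper writes for Postfix, keeps the last fingerprint in a state file, and runs a restart hook only when the key or chain material actually changed. The directory layout, the state file path, the hook command and the `sha256sum`/`shasum` fallback are assumptions for the example; the PR's own mechanism (certdumper's post-hook) may differ.

```shell
#!/bin/sh
# Added example (not from the PR): restart a mail container only when the
# dumped TLS material changes, instead of on every timer tick.
# Assumed layout: CERT_DIR holds fullchain/privkey style files written by a
# cert dumper; STATE_FILE stores the last seen fingerprint; HOOK is any
# command, e.g. "docker restart anonaddy" going through the socket proxy.

# Hash stdin with SHA-256, using whichever tool the host provides.
hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Fingerprint every .pem/.key/.crt file under the directory: one line per file
# (path + content hash), sorted so the result is stable, then hashed again.
cert_fingerprint() {
  dir="$1"
  find "$dir" -type f \( -name '*.pem' -o -name '*.key' -o -name '*.crt' \) |
    LC_ALL=C sort |
    while IFS= read -r f; do
      printf '%s %s\n' "$f" "$(hash_stdin < "$f")"
    done | hash_stdin
}

# Compare the current fingerprint with the stored one. Prints "changed" or
# "unchanged"; on change, stores the new fingerprint and runs the hook.
# Usage: check_certs CERT_DIR STATE_FILE [HOOK]
check_certs() {
  dir="$1"
  state="$2"
  hook="${3:-:}"
  new=$(cert_fingerprint "$dir")
  old=""
  if [ -f "$state" ]; then
    old=$(cat "$state")
  fi
  if [ "$new" = "$old" ]; then
    echo unchanged
  else
    printf '%s\n' "$new" > "$state"
    eval "$hook"
    echo changed
  fi
}

# Example polling loop (assumed paths; not executed when the file is sourced):
#   while sleep 300; do
#     check_certs /certs /var/lib/certwatch.state "docker restart anonaddy"
#   done
```

If the hook restarts the container through the Docker socket proxy from the PR, the proxy has to permit that call: Tecnativa's proxy gates endpoints with per-feature environment toggles (the container endpoints and POST requests are off by default), so only the watcher container should be given that access, and nothing else on the shared network should reach the proxy port.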