Updated Docker Compose example with HTTPS configuration using Traefik (#295)

2020-01-20 01:30:10 +01:00 · 2020-01-20 01:30:10 +01:00 · 6589170cfb
parent c932451cd5
commit 6589170cfb
2 changed files with 82 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -786,6 +786,12 @@ Please see `nginx's HTTPS docs for more details <http://nginx.org/en/docs/http/c
 Getting and keeping your certificates up-to-date can be simplified using,
 for example, using `certbot and letsencrypt <https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04>`_.

+Traefik
+~~~~~~~
+
+It is also possible to use `Traefik <https://docs.traefik.io/>`_ to put pypiserver behind HTTPS on port 443, with
+automatic HTTP redirection using Docker Compose. Please see the provided `<docker-compose.yml>`_ example for more information.
+
 Utilizing the API
 -----------------

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -71,3 +71,79 @@ services:
              target: /data/packages
        ports:
            - "8082:8080"
+
+    # ##############################################################################
+    # Authenticated and serve local packages via HTTPS using Traefik
+    # ##############################################################################
+    # This one combines the two configurations above and uses Traefik for HTTPS and
+    # with automatic HTTP redirect.
+    # Remember to change "your.domain.com" and "your@email.com" with your domain
+    # and email address respectively.
+    #
+    # The pypiserver will be available at: https://your.domain.com
+    # The Traefik dashboard will be available at: https://your.domain.com/dashboard/
+    #
+    # A Traefik user can be added using the htpasswd tool:
+    #   htpasswd -sc traefik/usersfile username
+    # ##############################################################################
+
+    pypiserver-https:
+        image: pypiserver/pypiserver:latest
+        volumes:
+            - type: bind
+              source: ./auth
+              target: /data/auth
+            - type: bind
+              source: ./packages
+              target: /data/packages
+        command: -P /data/auth/.htpasswd -a update,download,list /data/packages
+        labels:
+            # Expose container to Traefik
+            - "traefik.enable=true"
+
+            # Configure the route
+            - "traefik.http.routers.flask.rule=Host(`your.domain.com`)"
+            # - "traefik.http.routers.flask.rule=Host(`pypi.docker.localhost`)"
+            - "traefik.http.routers.flask.entrypoints=websecure"
+            - "traefik.http.routers.flask.tls=true"
+            - "traefik.http.routers.flask.tls.certresolver=leresolver"
+    traefik:
+        image: traefik:v2.1
+        volumes:
+            - "/var/run/docker.sock:/var/run/docker.sock:ro"
+            - "./traefik:/etc/traefik:ro"
+            - "./traefik/acme:/etc/traefik/acme"
+        command:
+            - "--entrypoints.web.address=:80"
+            - "--entrypoints.websecure.address=:443"
+            - "--providers.docker=true"
+            - "--providers.docker.exposedbydefault=false"
+            - "--api.dashboard=true"
+            - "--certificatesresolvers.leresolver.acme.email=your@email.com"
+            - "--certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json"
+            - "--certificatesresolvers.leresolver.acme.httpChallenge=true"
+            - "--certificatesresolvers.leresolver.acme.httpChallenge.entrypoint=web"
+        ports:
+            - "80:80"
+            - "443:443"
+        labels:
+            # Expose container to Traefik
+            - "traefik.enable=true"
+
+            # Dashboard
+            - "traefik.http.routers.traefik.rule=Host(`your.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+            # - "traefik.http.routers.traefik.rule=Host(`traefik.docker.localhost`)"
+            - "traefik.http.routers.traefik.entrypoints=websecure"
+            - "traefik.http.routers.traefik.tls=true"
+            - "traefik.http.routers.traefik.tls.certresolver=leresolver"
+            - "traefik.http.routers.traefik.service=api@internal"
+            - "traefik.http.routers.traefik.middlewares=authtraefik"
+            - "traefik.http.middlewares.authtraefik.basicauth.usersfile=/etc/traefik/usersfile"
+
+            # Global redirect to HTTPS
+            - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+            - "traefik.http.routers.http-catchall.entrypoints=web"
+            - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+
+            # Middleware redirect
+            - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"