Changes to support the updated Traefik v2 guide 2022. Fixed a minor b…

…ug in Heimdall.

README.md

@@ -3,7 +3,7 @@
 This is the updated docker-compose repo of all the media, home, and web server apps described in the following guides on our website:
 
 - [Docker Media Server Ubuntu: Compose for 23 Awesome Apps](https://www.smarthomebeginner.com/docker-media-server-2022/)
-- [Docker Media Server with Traefik 2 Reverse Proxy](https://www.smarthomebeginner.com/traefik-2-docker-tutorial/)
+- [Ultimate Traefik Docker Compose Guide [2022] with LetsEncrypt](https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/)
 - [WordPress on Docker with Nginx, Traefik, LE SSL, Security, and Speed](https://www.smarthomebeginner.com/wordpress-on-docker-traefik/)
 - [Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare](https://www.smarthomebeginner.com/synology-docker-media-server/)
 
@@ -46,16 +46,17 @@ Go step-by-step. If you bite too big of a piece, I guarantee you will choke.
 
 ### Obsolete Posts (for educational purposes):
 
-The following posts have been combined and updated for Traefik v2 (linked above):
+The following posts have been updated/replaced by the posts linked above:
 
+- [Docker Media Server with Traefik 2 Reverse Proxy](https://www.smarthomebeginner.com/traefik-2-docker-tutorial/)
 - [Docker Media Server without Reverse Proxy ](https://www.smarthomebeginner.com/docker-home-media-server-2018-basic/)
 - [Docker Media Server with Traefik 1 Reverse Proxy](https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/)
 
 ## Docker, Docker Compose, and Traefik Versions (updated January 23, 2022)
 
-- Docker: 20.10.12
+- Docker: 20.10.13
 - Docker Compose: v2.5.0
-- Traefik: 2.6
+- Traefik: 2.7
 
 <strong>Update (September 13, 2021):</strong> I moved from TOML to YAML for Traefik 2 dynamic configurations. I have included example configuration files for both. However, since I do not use TOML anymore, there may be minor syntax errors or typos.
 

appdata/traefik2/rules/cloudserver/middlewares.yml.example

@@ -26,23 +26,16 @@ http:
         accessControlMaxAge: 100
         hostsProxyHeaders:
           - "X-Forwarded-Host"
-        # sslRedirect: true #replaced with middlewares-https-redirectscheme for v2.5.x
         stsSeconds: 63072000
         stsIncludeSubdomains: true
         stsPreload: true
         forceSTSHeader: true
-        # frameDeny: true #overwritten by customFrameOptionsValue
         customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr.
         contentTypeNosniff: true
         browserXssFilter: true
         # sslForceHost: true # add sslHost to all of the services
         # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}"
         referrerPolicy: "same-origin"
-        # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
-        # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
-        # contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_CLOUD_SERVER"}}:*';object-src 'none';script-src 'none';"
-        # Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy
-        # featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
         permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
         customResponseHeaders:
           X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"

docker-compose-t2.yml

@@ -202,8 +202,8 @@ services:
     volumes:
       - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
       # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
-      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
-      - $DOCKERDIR/logs/cloudserver/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
+      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
+      - $DOCKERDIR/logs/cloudserver/traefik.log:/traefik.log # for fail2ban - make sure to create empty file before starting container
     environment:
       - CF_API_EMAIL_FILE=/run/secrets/cf_email
       - CF_API_KEY_FILE=/run/secrets/cf_api_key
@@ -222,17 +222,25 @@ services:
       - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
       # HTTP Routers
-      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
       - "traefik.http.routers.traefik-rtr.entrypoints=https"
       - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
+      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
+      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
+      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
+      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
+      # - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$DOMAINNAME2" # Pulls main cert for second domain
+      # - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$DOMAINNAME2" # Pulls wildcard cert for second domain
       ## Services - API
       - "traefik.http.routers.traefik-rtr.service=api@internal"
       ## Healthcheck/ping
       #- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`) && Path(`/ping`)"
       #- "traefik.http.routers.ping.tls=true"
       #- "traefik.http.routers.ping.service=ping@internal"
       ## Middlewares
+      #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
+      #- "traefik.http.routers.traefik-rtr.middlewares=chain-auth-basic@file" # For Basic HTTP Authentication
       - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
+      #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication
 
   # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
   socket-proxy:
@@ -371,8 +379,9 @@ services:
     <<: *common-keys-core # See EXTENSION FIELDS at the top
     image: lscr.io/linuxserver/heimdall
     container_name: heimdall
-    #ports:
-    #  - "$HEIMDALL_PORT:3000"
+    # ports:
+    #  - "$HEIMDALL_PORT:80" # 80 to 82 already taken by other services
+      # - "444:443" # 443 used by Traefik/Nginx Proxy Manager. Disabled because we will put Heimdall behind proxy.
     volumes:
       - $DOCKERDIR/appdata/heimdall:/config
     environment:
@@ -386,7 +395,7 @@ services:
       - "traefik.http.routers.heimdall-rtr.middlewares=chain-oauth@file"
       ## HTTP Services
       - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
-      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=3000"
+      - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"
 
   ############################# DATABASE
 

docker-compose.yml

@@ -88,7 +88,7 @@ services:
     # command: -H tcp://socket-proxy:2375 # Use this instead, if you have Socket Proxy enabled.
     networks:
       - npm_proxy
-    ports: # Commented out because we are going to use Nginx Proxy Manager to access portainer WebUI.
+    ports: 
       - "9000:9000"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy and comment this line out, for improved security.