jeroenhe/Dockerfile

## docker-compose.yml
version: "2.4"
services:
  traefik:
    build: .
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    networks: ["proxy"]
    ports:
      - "443:443"
    environment:
      - "AWS_HOSTED_ZONE_ID="
      - "AWS_ACCESS_KEY_ID="
      - "AWS_SECRET_ACCESS_KEY="
    volumes:
      - type: volume
        source: traefik_letsencrypt
        target: /letsencrypt
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
    labels:
      - traefik.enable=false
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
  unifi:
    image: linuxserver/unifi-controller:6.0.41-ls90
    container_name: unifi
    hostname: unifi
    restart: always
    networks: ["proxy"]
    ports:
      # https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
      # Port used for STUN.
      - "3478:3478/udp"
      # Port used for device and controller communication.
      - "8080:8080"
      # - "8081:8081"
      # Port used for controller GUI/API as seen in a web browser
      # - "8443:8443"
      # Port used for HTTPS portal redirection.
      # - "8843:8843"
      # Port used for HTTP portal redirection.
      # - "8880:8880"
      # Port used for device discovery
      - "10001:10001/udp"
    environment:
      - PGID=65539
      - PUID=1055
      - TZ=Europe/Amsterdam
    volumes:
      - type: volume
        source: unifi_data
        target: /usr/lib/unifi/data
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 5
    labels:
      - com.centurylinklabs.watchtower.enable=false
      - traefik.enable=true
      - traefik.http.routers.unifi.entrypoints=websecure
      - traefik.http.routers.unifi.rule=Host(`unificontroller.mydomain.io`)
      - traefik.http.routers.unifi.tls=true
      - traefik.http.routers.unifi.tls.certresolver=myresolver
      - traefik.http.routers.unifi.tls.domains[0].main=unificontroller.mydomain.io
      - traefik.http.routers.unifi.tls.domains[0].sans=unificontroller.mydomain.io
      - traefik.http.routers.unifi.service=unifi
      - traefik.http.routers.unifi.middlewares=unifiHeaders@file
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.services.unifi.loadbalancer.server.port=8443
      - traefik.http.services.unifi.loadbalancer.server.scheme=https
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"
    mem_limit: 1500M

networks:
  proxy:

volumes:
  traefik_letsencrypt:
  unifi_data:


## Dockerfile
FROM traefik:v2.3.2

COPY traefik.yml /etc/traefik/traefik.yml
RUN mkdir /etc/traefik/conf
COPY tls.yml /etc/traefik/conf
COPY http.yml /etc/traefik/conf

## http.yml
http:
  middlewares:
    unifiHeaders:
      headers:
        customRequestHeaders:
          Authorization: "" # Removes

## tls.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

## traefik.yml

# https://gist.github.com/containeroo-gists/0e79fb145252611ee1bb0da2c31f243d
# https://gist.github.com/containeroo-gists/27666fe7d32199f40c01b20f49cc0454
global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik/conf

# API and dashboard configuration
api:
  dashboard: false

log:
  level: INFO

accessLog:
  filters:
    statusCodes:
      - "400-600"
    # default format: <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
    retryAttempts: true
    minDuration: "200ms"

certificatesResolvers:
  myresolver:
    acme:
      # Using the Let's Encrypt staging server
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      #caServer: https://acme-v02.api.letsencrypt.org/directory
      email: webmaster@mydomain.io
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# https://community.traefik.io/t/insecureskipverify-explanation/2195
# Required for traefik --> Unifi Controller (:8443)
serversTransport:
  insecureSkipVerify: true
	version: "2.4"
	services:
	traefik:
	build: .
	container_name: traefik
	hostname: traefik
	restart: unless-stopped
	networks: ["proxy"]
	ports:
	- "443:443"
	environment:
	- "AWS_HOSTED_ZONE_ID="
	- "AWS_ACCESS_KEY_ID="
	- "AWS_SECRET_ACCESS_KEY="
	volumes:
	- type: volume
	source: traefik_letsencrypt
	target: /letsencrypt
	- type: bind
	source: /var/run/docker.sock
	target: /var/run/docker.sock
	labels:
	- traefik.enable=false
	logging:
	driver: "json-file"
	options:
	max-size: "10m"
	max-file: "2"
	unifi:
	image: linuxserver/unifi-controller:6.0.41-ls90
	container_name: unifi
	hostname: unifi
	restart: always
	networks: ["proxy"]
	ports:
	# https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
	# Port used for STUN.
	- "3478:3478/udp"
	# Port used for device and controller communication.
	- "8080:8080"
	# - "8081:8081"
	# Port used for controller GUI/API as seen in a web browser
	# - "8443:8443"
	# Port used for HTTPS portal redirection.
	# - "8843:8843"
	# Port used for HTTP portal redirection.
	# - "8880:8880"
	# Port used for device discovery
	- "10001:10001/udp"
	environment:
	- PGID=65539
	- PUID=1055
	- TZ=Europe/Amsterdam
	volumes:
	- type: volume
	source: unifi_data
	target: /usr/lib/unifi/data
	healthcheck:
	test: ["CMD", "curl", "-f", "http://localhost:8080"]
	interval: 30s
	timeout: 10s
	retries: 5
	labels:
	- com.centurylinklabs.watchtower.enable=false
	- traefik.enable=true
	- traefik.http.routers.unifi.entrypoints=websecure
	- traefik.http.routers.unifi.rule=Host(`unificontroller.mydomain.io`)
	- traefik.http.routers.unifi.tls=true
	- traefik.http.routers.unifi.tls.certresolver=myresolver
	- traefik.http.routers.unifi.tls.domains[0].main=unificontroller.mydomain.io
	- traefik.http.routers.unifi.tls.domains[0].sans=unificontroller.mydomain.io
	- traefik.http.routers.unifi.service=unifi
	- traefik.http.routers.unifi.middlewares=unifiHeaders@file
	- traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
	- traefik.http.services.unifi.loadbalancer.server.port=8443
	- traefik.http.services.unifi.loadbalancer.server.scheme=https
	logging:
	driver: "json-file"
	options:
	max-size: "10m"
	max-file: "2"
	mem_limit: 1500M

	networks:
	proxy:

	volumes:
	traefik_letsencrypt:
	unifi_data:
	FROM traefik:v2.3.2

	COPY traefik.yml /etc/traefik/traefik.yml
	RUN mkdir /etc/traefik/conf
	COPY tls.yml /etc/traefik/conf
	COPY http.yml /etc/traefik/conf
	http:
	middlewares:
	unifiHeaders:
	headers:
	customRequestHeaders:
	Authorization: "" # Removes
	tls:
	options:
	default:
	minVersion: VersionTLS12
	cipherSuites:
	- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
	- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
	- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
	- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
	- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
	- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

	# https://gist.github.com/containeroo-gists/0e79fb145252611ee1bb0da2c31f243d
	# https://gist.github.com/containeroo-gists/27666fe7d32199f40c01b20f49cc0454
	global:
	checkNewVersion: false
	sendAnonymousUsage: false

	entryPoints:
	websecure:
	address: ":443"

	providers:
	docker:
	exposedByDefault: false
	file:
	directory: /etc/traefik/conf

	# API and dashboard configuration
	api:
	dashboard: false

	log:
	level: INFO

	accessLog:
	filters:
	statusCodes:
	- "400-600"
	# default format: <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
	retryAttempts: true
	minDuration: "200ms"

	certificatesResolvers:
	myresolver:
	acme:
	# Using the Let's Encrypt staging server
	#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
	#caServer: https://acme-v02.api.letsencrypt.org/directory
	email: webmaster@mydomain.io
	storage: /letsencrypt/acme.json
	dnsChallenge:
	provider: route53
	delayBeforeCheck: 0
	resolvers:
	- "1.1.1.1:53"
	- "8.8.8.8:53"

	# https://community.traefik.io/t/insecureskipverify-explanation/2195
	# Required for traefik --> Unifi Controller (:8443)
	serversTransport:
	insecureSkipVerify: true