docker-compose/proxy/compose.yaml
Sebastian Krüger fb7aab6991 fix: use AUTH_USERS environment variable in VERT auth middleware
Properly configured AUTH_USERS environment variable for Traefik container
to use in the vert-sablier.yaml dynamic configuration via Go templating.

Changes:
- Added AUTH_USERS environment variable to proxy compose file
- Updated vert-auth middleware to use {{ env AUTH_USERS }} template
- Fixed environment syntax to use map format instead of list format

This keeps credentials secure in the .env file (not tracked in git) while
the tracked vert-sablier.yaml file only contains the template reference.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 18:53:03 +01:00


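# Traefik reverse proxy: terminates TLS with Let's Encrypt certificates,
# redirects HTTP to HTTPS, and serves its own dashboard behind basic auth.
# All ${...} values are interpolated by Compose from the environment / .env.
services:
  traefik:
    image: "${PROXY_DOCKER_IMAGE}"
    container_name: "${PROXY_COMPOSE_PROJECT_NAME}_app"
    restart: unless-stopped
    command:
      # API & Dashboard
      # insecure=false keeps the API off a direct, unauthenticated entrypoint;
      # it is only reachable through the api@internal router in the labels.
      - '--api.dashboard=true'
      - '--api.insecure=false'
      # Ping endpoint for healthcheck
      - '--ping=true'
      # Experimental plugins (pinned to an exact version; review the upstream
      # release before bumping, since plugin code runs inside the proxy)
      - '--experimental.plugins.sablier.modulename=github.com/acouvreur/sablier'
      - '--experimental.plugins.sablier.version=v1.8.0'
      # Logging
      - '--log.level=${PROXY_LOG_LEVEL:-INFO}'
      - '--accesslog=true'
      # Global
      - '--global.sendAnonymousUsage=false'
      - '--global.checkNewVersion=true'
      # Docker Provider
      # exposedbydefault=false: a container is routed only when it opts in
      # with the label traefik.enable=true.
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.docker.network=${NETWORK_NAME}'
      # File Provider for dynamic configuration
      # (the directory is bind-mounted read-only below)
      - '--providers.file.directory=/etc/traefik/dynamic'
      - '--providers.file.watch=true'
      # Entrypoints
      - '--entrypoints.web.address=:${PROXY_PORT_HTTP:-80}'
      - '--entrypoints.web-secure.address=:${PROXY_PORT_HTTPS:-443}'
      # Global HTTP to HTTPS redirect
      - '--entrypoints.web.http.redirections.entryPoint.to=web-secure'
      - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
      - '--entrypoints.web.http.redirections.entryPoint.permanent=true'
      # Security Headers (applied globally)
      - '--entrypoints.web-secure.http.middlewares=security-headers@file'
      # Let's Encrypt
      # acme.json holds the ACME account and certificate private keys; it is
      # kept in the letsencrypt_data volume rather than in the repository.
      - '--certificatesresolvers.resolver.acme.tlschallenge=true'
      - '--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}'
      - '--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json'
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    environment:
      # Passed into the container so the file-provider dynamic configuration
      # can read it through Go templating. The ':?' form makes Compose abort
      # instead of silently substituting an empty string when it is unset.
      # Container environment variables are readable via `docker inspect` by
      # anyone with Docker API access, so the value must be password hashes
      # (htpasswd format), never plaintext passwords.
      # htpasswd hashes contain '$'; single-quote the value in .env so Compose
      # does not try to interpolate it (verify with `docker compose config`).
      AUTH_USERS: "${AUTH_USERS:?AUTH_USERS must be set in .env}"
    networks:
      - compose_network
    ports:
      - "${PROXY_PORT_HTTP:-80}:80"
      - "${PROXY_PORT_HTTPS:-443}:443"
    volumes:
      - letsencrypt_data:/letsencrypt
      # ':ro' only makes the socket file's mount read-only; it does not limit
      # the Docker API calls that can be made over the socket, so this
      # container effectively has full control of the Docker daemon.
      # A filtering socket proxy that exposes only the read-only endpoints
      # Traefik needs reduces the impact of a proxy compromise.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./dynamic:/etc/traefik/dynamic:ro
    labels:
      - 'traefik.enable=true'
      # HTTP to HTTPS redirect
      # NOTE(review): the entrypoint-level redirect configured in `command`
      # already covers the `web` entrypoint, so this router-level redirect
      # looks redundant - confirm before removing.
      - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web.middlewares=${PROXY_COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web.rule=Host(`${PROXY_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      # HTTPS router with auth
      # The dashboard (api@internal) is served only on web-secure and only
      # through the basic-auth middleware attached below.
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${PROXY_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.service=api@internal'
      # Fail at `docker compose up` rather than deploy the dashboard router
      # with an empty user list. Label values are also visible in
      # `docker inspect`, so only hashed credentials belong here.
      - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS:?AUTH_USERS must be set in .env}'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${PROXY_COMPOSE_PROJECT_NAME}-auth'
      # NOTE(review): with api.insecure=false nothing is expected to listen on
      # 8080; the HTTPS router targets api@internal, so check whether this
      # service definition is still needed (the `-web` router may rely on it).
      - 'traefik.http.services.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
      - 'traefik.docker.network=${NETWORK_NAME}'

volumes:
  # Named volume for the ACME storage file (certificates and private keys).
  letsencrypt_data:
    name: "${PROXY_COMPOSE_PROJECT_NAME}_letsencrypt_data"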