STABLE: Reconstrucción integral de infraestructura, limpieza de middlewares obsoletos y blindaje de Traefik

2026-01-06 00:57:00 +01:00
parent 3c5976e37f
commit 7a496b235c
5 changed files with 63 additions and 64 deletions


@@ -1,9 +1,18 @@
# ==============================================================================
# TRAEFIK V3 - INFRAESTRUCTURA COMPLETA (OGNIRNAS)
# OGNIRNAS - INFRAESTRUCTURA CORE: TRAEFIK V3 & DOCKER-SOCKET-PROXY
# ==============================================================================
# Última revisión: 2026-01-06
# Propietario: Ognir (UID 1032 / GID 100)
# Objetivo: Reverse Proxy con autenticación reforzada y aislamiento del socket.
# ==============================================================================
version: "3.9"
services:
# ----------------------------------------------------------------------------
# SERVICE: traefik-socket-proxy
# Capa de seguridad que evita el acceso directo de Traefik al socket de Docker.
# ----------------------------------------------------------------------------
traefik-socket-proxy:
image: tecnativa/docker-socket-proxy:latest
container_name: traefik-socket-proxy
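Review bot: The socket proxy that the new header describes as the layer isolating Traefik from the Docker socket is still pulled as `image: tecnativa/docker-socket-proxy:latest`, so a routine pull can silently replace the one component that gates Docker API access with a different build; pin it to a release tag or digest, e.g. `image: tecnativa/docker-socket-proxy:<pinned-tag-or-digest>`, and bump it deliberately. The top-level `version: "3.9"` is ignored by Compose v2 and only emits a warning, so it can be dropped from this rewrite. The traefik-socket-proxy service definition continues past the end of this hunk.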
@@ -18,45 +27,54 @@ services:
- SERVICES=1
- VERSION=1
- EVENTS=1
- CONNECT_TIMEOUT=30
- SERVER_TIMEOUT=30
- CLIENT_TIMEOUT=30
# ----------------------------------------------------------------------------
# SERVICE: traefik (v3.0)
# Orquestador principal. Gestiona TLS y Dashboard seguro.
# ----------------------------------------------------------------------------
traefik:
image: traefik:v3.0
container_name: traefik
restart: always
user: "1032:100"
user: "1032:100" # Ejecución bajo el usuario Ognir para permisos de archivos
depends_on:
traefik-socket-proxy:
condition: service_started
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
- "traefik.http.routers.traefik-dash.entrypoints=websecure"
- "traefik.http.routers.traefik-dash.tls=true"
- "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik-dash.service=api@internal"
# Mantenemos el middleware pero asegúrate de limpiar caché del navegador
- "traefik.http.routers.traefik-dash.middlewares=seguridad-general@file"
- "traefik.docker.network=services-internal-net"
networks:
proxy-macvlan-net:
ipv4_address: 192.168.178.25
services-internal-net:
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/ping"]
interval: 30s
timeout: 10s
retries: 3
start_period: 20s
ipv4_address: 192.168.178.25 # IP estática en red local
services-internal-net: {}
volumes:
- /volume1/docker/configs/traefik:/etc/traefik:ro
- /volume1/docker/data/traefik:/letsencrypt
- /volume1/docker/data/traefik/logs:/var/log/traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=services-internal-net"
# --- CONFIGURACIÓN DEL ROUTER (DASHBOARD) ---
- "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
- "traefik.http.routers.traefik-dash.entrypoints=websecure"
- "traefik.http.routers.traefik-dash.tls=true"
- "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
# --- SERVICIO INTERNO (API V3) ---
- "traefik.http.routers.traefik-dash.service=api@internal"
# --- MIDDLEWARES (ORDEN PRIORITARIO: LOGIN > SEGURIDAD) ---
# Colocamos auth-dashboard primero para asegurar que el prompt salte antes
# de aplicar las cabeceras de seguridad que podrían bloquearlo en caché.
- "traefik.http.routers.traefik-dash.middlewares=auth-dashboard@file,security-headers@file"
command:
- "--configFile=/etc/traefik/traefik.yml"
# ------------------------------------------------------------------------------
# REDES EXTERNAS PRE-EXISTENTES
# ------------------------------------------------------------------------------
networks:
proxy-macvlan-net:
external: true