docker-compose.traefik.yml

services:

  traefik:
    image: traefik:2.10
    restart: always
    depends_on:
      - front
    command:
      - --log.level=INFO
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      # Listen to http (80)
      - --entrypoints.http.address=:80
      # Redirect all HTTP traffic to https (443)
      - --entrypoints.http.http.redirections.entryPoint.to=https
      - --entrypoints.http.http.redirections.entryPoint.scheme=https
      # Listen to https (443)
      - --entryPoints.https.address=:443
      - --entrypoints.https.http.tls=true
      # ACME
      - --certificatesresolvers.primary.acme.email=${TRAEFIK_ACME_EMAIL}
      - --certificatesresolvers.primary.acme.storage=acme.json
      - --certificatesresolvers.primary.acme.httpchallenge=true
      - --certificatesresolvers.primary.acme.httpchallenge.entrypoint=http
    ports:
      - "${TRAEFIK_HTTP_PORT}:80"
      - "${TRAEFIK_HTTPS_PORT}:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme/acme.json:/acme.json
    networks:
      - seat-frontend
    logging:
      driver: "json-file"
      options:
        max-size: "10Mb"
        max-file: "5"

  front:
    networks:
      - seat-frontend
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_seat-frontend"
      - "traefik.http.routers.seat.entrypoints=https"
      - "traefik.http.routers.seat.service=seat-front"
      - "traefik.http.routers.seat.middlewares=seat-security@docker"
      - "traefik.http.routers.seat.rule=Host(`${SEAT_DOMAIN}`)"
      - "traefik.http.routers.seat.tls.certResolver=primary"
      - "traefik.http.middlewares.seat-security.headers.browserxssfilter=false"
      - "traefik.http.middlewares.seat-security.headers.contentSecurityPolicy=default-src 'none'; connect-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.bunny.net https://snoopy.crypta.tech; img-src 'self' data: https://images.evetech.net https://img.shields.io; font-src 'self' https://fonts.gstatic.com https://fonts.bunny.net; manifest-src 'self'"
      - "traefik.http.middlewares.seat-security.headers.contentTypeNoSniff=true"
      - "traefik.http.middlewares.seat-security.headers.customBrowserXSSValue=0"
      - "traefik.http.middlewares.seat-security.headers.customresponseheaders.Server="
      - "traefik.http.middlewares.seat-security.headers.customresponseheaders.X-Powered-By="
      - "traefik.http.middlewares.seat-security.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"
      - "traefik.http.middlewares.seat-security.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.seat-security.headers.framedeny=true"
      - "traefik.http.middlewares.seat-security.headers.permissionsPolicy=accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), web-share=(), xr-spatial-tracking=()"
      - "traefik.http.middlewares.seat-security.headers.referrerPolicy=same-origin"
      - "traefik.http.middlewares.seat-security.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.seat-security.headers.stsPreload=true"
      - "traefik.http.middlewares.seat-security.headers.stsSeconds=63072000"
      - "traefik.http.services.seat-front.loadbalancer.server.port=8080"

networks:
  seat-frontend: