{"id":34984481,"url":"https://github.com/coopcodecommun/traefikv3","last_synced_at":"2026-04-01T20:59:44.343Z","repository":{"id":261812707,"uuid":"885396231","full_name":"CoopCodeCommun/TraefikV3","owner":"CoopCodeCommun","description":null,"archived":false,"fork":false,"pushed_at":"2025-12-03T05:32:40.000Z","size":63,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-06T06:50:59.596Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CoopCodeCommun.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-11-08T14:02:35.000Z","updated_at":"2025-12-03T05:32:43.000Z","dependencies_parsed_at":"2024-11-08T15:47:39.392Z","dependency_job_id":null,"html_url":"https://github.com/CoopCodeCommun/TraefikV3","commit_stats":null,"previous_names":["coopcodecommun/traefikv3"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CoopCodeCommun/TraefikV3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoopCodeCommun%2FTraefikV3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoopCodeCommun%2FTraefikV3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoopCodeCommun%2FTraefikV3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoopCodeCommun%2FTraefikV3/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CoopCodeCommun","download_url":"https://codeload.github.com/CoopCodeCommun/TraefikV3/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoopCodeCommun%2FTraefikV3/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31013968,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T02:58:54.984Z","status":"ssl_error","status_checked_at":"2026-03-27T02:58:46.993Z","response_time":164,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-27T01:25:50.672Z","updated_at":"2026-03-27T03:17:19.923Z","avatar_url":"https://github.com/CoopCodeCommun.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# TraefikV3 — Simple guide (Easy to Read)\n\nThis folder contains a ready‑to‑use Traefik v3 setup with CrowdSec.\nIt helps you put a secure reverse proxy in front of your apps.\n\nNote: The `dynamic_host` folder is work in progress. 
Ignore it for now.\n\n---\n\n## What is inside\n\n- Traefik (reverse proxy) with HTTPS via Let’s Encrypt.\n- CrowdSec (blocks bad IPs; reads Traefik access logs).\n- A small test app (`whoami`).\n- Log rotation for Traefik logs.\n\nMain files:\n- `docker-compose.yml` — starts Traefik, CrowdSec, and logrotate.\n- `traefik.yml` — Traefik static config (entry points, ACME, plugin).\n- `traefik_dynamic.yml` — Traefik dynamic config (CrowdSec middleware).\n- `crowdsec/config/acquis.yaml` — tells CrowdSec where to read logs.\n- `test_conteneur/docker-compose.yml` — demo service with Traefik labels.\n\n---\n\n## Quick start\n\n1) Create the Docker network (Traefik uses it):\n```bash\ndocker network create frontend\n```\n\n2) Prepare Let’s Encrypt storage file and copy dynamic conf :\n```bash\nmkdir -p letsencrypt traefik_logs\ncp traefik_dynamic_exemple.yml traefik_dynamic.yml\n```\n\n3) Start Traefik + CrowdSec:\n```bash\ndocker compose up -d\n```\n\n4) Install the Traefik collection in CrowdSec:\n```bash\ndocker exec -t crowdsec cscli collections install crowdsecurity/traefik\n```\n\n5) Create a CrowdSec bouncer key (copy the printed key):\n```bash\ndocker exec -t crowdsec cscli bouncers add traefik-bouncer\n```\n\n\n6) Put the key in `traefik_dynamic.yml`:\n- Edit `crowdsecLapiKey: \"YOUR_GENERATED_BOUNCER_API_KEY_FROM_CROWDSEC\"`.\n- Save the file.\n- docker compose down \u0026\u0026 docker compose up -d.\n\n\n7) Verify CrowdSec reads the logs:\n```bash\ndocker exec -t crowdsec cscli metrics\n```\n\n---\n\n## How to add a test service (whoami)\n\n1) Set your domain shell variable (replace with your real domain):\n```bash\nexport DOMAIN=example.com\n```\n\n2) Start the test service:\n```bash\ncd test_conteneur\nDOMAIN=$DOMAIN docker compose up -d\n```\n\n3) Check it in a browser:\n- Open: `https://example.com` (replace with your domain)\n- The certificate comes from Let’s Encrypt.\n\n4) See CrowdSec status:\n```bash\ndocker exec -t crowdsec cscli bouncer 
list\n```\n\n---\n\n## How this works (short)\n\n- Traefik listens on ports 80 (HTTP) and 443 (HTTPS).\n- All HTTP (80) is redirected to HTTPS (443).\n- Let’s Encrypt issues certificates using the TLS‑ALPN challenge.\n- Traefik writes access logs in `./traefik_logs`.\n- CrowdSec reads these logs and decides which IPs to block.\n- The Traefik plugin `crowdsec-bouncer-traefik-plugin` applies the block.\n- The middleware is attached globally to `websecure` and can also be added per‑router.\n\n---\n\n## Commands you may need\n\n- Check metrics and file acquisition:\n```bash\ndocker exec -t crowdsec cscli metrics\n```\n\n- List CrowdSec collections:\n```bash\ndocker exec -t crowdsec cscli collections list\n```\n\n- List decisions (bans):\n```bash\ndocker exec -t crowdsec cscli decisions list\n```\n\n- Manually ban/unban an IP:\n```bash\ndocker exec -t crowdsec cscli decisions add --ip 1.2.3.4\ndocker exec -t crowdsec cscli decisions delete -i 1.2.3.4\n```\n\n- Manually trust an IP:\n#TODO: Check the best option?\n```bash\n# config: whitelists only what is read from the log file\nnano TraefikV3/crowdsec/config/parsers/s02-enrich/whitelists-custom.yaml\n\n# allowlist: more generic and broader in scope\ndocker exec -it crowdsec cscli allowlists create my_allowlist -d 'my allowlist'\ndocker exec -it crowdsec cscli allowlist add my_allowlist 172.18.0.0/24\n```\n\n- Check Traefik logs:\n```bash\ntail -f traefik_logs/access.log\n```\n\n- List and inspect alerts:\n```bash\ndocker exec -t crowdsec cscli alert list\ndocker exec -t crowdsec cscli alerts inspect -d 56\n```\n\n---\n\n## Configuration notes\n\n- `traefik.yml`\n  - Docker provider enabled. 
Only containers with `traefik.enable=true` are exposed.\n  - File provider watches `traefik_dynamic.yml`.\n  - Global middleware on `websecure` adds CrowdSec protection by default.\n  - Let’s Encrypt: storage in `./letsencrypt/acme.json`, TLS challenge enabled.\n  - Access logs in JSON, both success and error ranges recorded.\n  - CrowdSec plugin declared in `experimental.plugins`.\n\n- `traefik_dynamic.yml`\n  - Defines `middlewares.crowdsec` using the Traefik CrowdSec bouncer plugin.\n  - Replace the API key with the one you generated.\n  - AppSec is disabled (you can enable it if you run CrowdSec AppSec).\n\n- `docker-compose.yml`\n  - Mounts Docker socket read‑only (good practice).\n  - Persists Let’s Encrypt data and logs to host.\n  - CrowdSec reads Traefik logs and uses the same `frontend` network.\n  - `logrotate` rotates Traefik logs daily and keeps 7 copies.\n\n- `crowdsec/config/acquis.yaml`\n  - Tells CrowdSec to read `/var/log/traefik/access.log` with label `type: traefik`.\n\n- `test_conteneur/docker-compose.yml`\n  - Example labels for router, TLS resolver, and middleware.\n  - Uses `$DOMAIN` for the host rule.\n\n---\n\n## TODO : Security and configuration check (weak points + tips)\n\n- Traefik image tag `traefik:chabichou`:\n  - This is the latest as I write these lines. Check back regularly.\n\n- Public email in config:\n  - `traefik.yml` contains an email for Let’s Encrypt. If this repo is public, consider moving it to an env var.\n\n- Secrets in plain text:\n  - `crowdsecLapiKey` is stored in a file. Consider using an env var or a mounted secret (`${CROWDSEC_LAPI_KEY}`) and reference it in the dynamic file.\n\n- Resource limits and security options:\n  - No CPU/RAM limits are set. You can add `deploy.resources.limits` (Swarm) or `--cpus/--memory` (Compose v2) where needed.\n  - Consider adding `read_only: true` and dropping capabilities where possible, plus healthchecks.\n\n- Network note:\n  - The `frontend` network is marked `external: true`. 
You must create it before starting services.\n\n- Logs and rotation:\n  - Rotation is present. Make sure `traefik_logs` has enough disk space and correct permissions.\n\n- Plugin pinning:\n  - The CrowdSec plugin is pinned to `v1.4.5`. Keep it updated to the latest stable when you can.\n\n- CrowdSec AppSec:\n  - AppSec is disabled (`crowdsecAppsecEnabled: false`). Enable it only if you deploy the AppSec component and configure it properly.\n\nIf all the above points are fine for your context, the setup is OK.\n\n---\n\n## Troubleshooting\n\n- Certificates are not created:\n  - Check DNS for your domain points to this server.\n  - Ensure port 443 is open and reachable from the Internet.\n  - Read Traefik logs in `traefik_logs/access.log` and Traefik container logs.\n\n- CrowdSec shows no metrics:\n  - Ensure Traefik writes logs to `/var/log/traefik` in the container.\n  - Check that `crowdsec/config/acquis.yaml` points to the correct path.\n\n- 404 or wrong router:\n  - Check your labels (spelling matters).\n  - Confirm the container is on the `frontend` network.\n\n---\n\n## Source\n\n- https://blog.levassb.ovh/post/crowdsec/\n- https://blog.lrvt.de/configuring-crowdsec-with-traefik/\n\n---\n\n\n## Clean up\n```bash\ndocker compose down\ncd test_conteneur \u0026\u0026 docker compose down\n```\n\n---\n\n## License MIT\n\nSee `LICENSE`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoopcodecommun%2Ftraefikv3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoopcodecommun%2Ftraefikv3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoopcodecommun%2Ftraefikv3/lists"}