docs/Docker & Kubernetes/Docker/Docker Compose/Traefik.md

**Purpose**: Deploy a Traefik Reverse Proxy

```jsx title="docker-compose.yml"
version: "3.3"
services:
  traefik:
    image: "traefik:latest"
    restart: always
    container_name: "traefik-bunny-lab-io"
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    labels:
      - "traefik.http.routers.traefik-proxy.middlewares=my-buffering"
      - "traefik.http.middlewares.my-buffering.buffering.maxRequestBodyBytes=104857600"
      - "traefik.http.middlewares.my-buffering.buffering.maxResponseBodyBytes=104857600"
      - "traefik.http.middlewares.my-buffering.buffering.memRequestBodyBytes=2097152"
      - "traefik.http.middlewares.my-buffering.buffering.memResponseBodyBytes=2097152"
      - "traefik.http.middlewares.my-buffering.buffering.retryExpression=IsNetworkError() && Attempts() <= 2"
    command:
      # Globals
      - "--log.level=ERROR"
      - "--api.insecure=true"
      - "--global.sendAnonymousUsage=false"
      # Docker
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # File Provider
      - "--providers.file.directory=/etc/traefik/dynamic"
      - "--providers.file.watch=true"

      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect HTTP to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect HTTP to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true" # Redirect HTTP to HTTPS
      # LetsEncrypt
###      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.email=nicole.rappe@bunny-lab.io"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

      # Keycloak plugin configuration
      - "--experimental.plugins.keycloakopenid.moduleName=github.com/Gwojda/keycloakopenid"
      - "--experimental.plugins.keycloakopenid.version=v0.1.34"
      
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/srv/containers/traefik/letsencrypt:/letsencrypt"
      - "/srv/containers/traefik/config:/etc/traefik"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/srv/containers/traefik/cloudflare:/cloudflare"
    networks:
        docker_network:
          ipv4_address: 192.168.5.29
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
    extra_hosts:
      - "mail.bunny-lab.io:192.168.3.13"
      - "rmm.bunny-lab.io:192.168.3.22" # Tactical RMM
      - "api.bunny-lab.io:192.168.3.22" # Tactical RMM
      - "mesh.bunny-lab.io:192.168.3.22" # Tactical RMM

networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true

```

```jsx title=".env"
CF_API_EMAIL=nicole.rappe@bunny-lab.io
CF_API_KEY=REDACTED-CLOUDFLARE-DOMAIN-API-KEY
```

!!! info
    There is a distinction between the "Global API Key" and a "Token API Key".  The main difference being that the "Global API Key" can change anything in Cloudflare, while the "Token API Key" can only change what it was granted delegated permissions to.