Use Traefik to proxy Edge agent traffic on :8000 to portainer

traefik/README.md

@@ -2,6 +2,8 @@
 
 This setup comes up with the [Traefik](https://github.com/containous/traefik) v2.2.8 reverse proxy to access the Portainer instance via a virtual host, has support for SSL certificates using Let's Encrypt and automatic redirection from http to https.
 
+## Default configuration
+
 The default configuration will make Portainer frontend available via the `portainer.yourdomain.com` domain. If you wish to change this, update the `traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)` label for the Portainer service in the `docker-compose.yml` file.
 
 If you're going to use Edge agents. When you set up the endpoint from Portainer Configuration, you need to change the Portainer Server URL setting to match with the label specified for Edge. In this sample, the URL specified for the Edge service is `traefik.http.routers.frontend.rule=Host(`edge.yourdomain.com`)`.
@@ -17,3 +19,16 @@ docker-compose up -d
 And then access Portainer by hitting [http://portainer.yourdomain.com](http://portainer.yourdomain.com) with a web browser.
 
 **NOTE**: Your machine must be able to resolve `portainer.yourdomain.com` (or your own domain if you updated it).
+
+## Proxy Edge Agent configuration
+
+This configuration extends the default configuration to use Traefik as a proxy for Edge Agent on port 8000.
+
+Set the endpoint Portainer Server URL setting to match with the label specified for Edge. In this sample, the URL specified for the Edge service is `traefik.http.routers.frontend.rule=Host(`edge.yourdomain.com`)`.
+
+
+Deploy this stack on any Docker node:
+
+```
+docker-compose -f docker-compose-proxy-edge.yml up -d
+```

traefik/docker-compose-proxy-edge.yml

@@ -0,0 +1,61 @@
+version: "3.3"
+
+services:
+  traefik:
+    container_name: traefik
+    image: "traefik:v2.3"
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.edgeagent.address=:8000
+      - --providers.docker
+      - --log.level=DEBUG
+      - --certificatesresolvers.leresolver.acme.httpchallenge=true
+      - --certificatesresolvers.leresolver.acme.email=your-email #Set your email address here, is for the generation of SSL certificates with Let's Encrypt. 
+      - --certificatesresolvers.leresolver.acme.storage=./acme.json
+      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8000:8000"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./acme.json:/acme.json"
+    labels:
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+  portainer:
+    image: portainer/portainer-ce:2.0.0
+    command: -H unix:///var/run/docker.sock
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    labels:
+      # Frontend
+      - "traefik.enable=true"
+      - "traefik.http.routers.frontend.rule=Host(`portainer.yourdomain.com`)"
+      - "traefik.http.routers.frontend.entrypoints=websecure"
+      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.frontend.service=frontend"
+      - "traefik.http.routers.frontend.tls.certresolver=leresolver"
+
+      # Edge
+      - "traefik.http.routers.edge.rule=Host(`edge.yourdomain.com`)"
+      - "traefik.http.routers.edge.entrypoints=websecure"
+      - "traefik.http.services.edge.loadbalancer.server.port=8000"
+      - "traefik.http.routers.edge.service=edge"
+      - "traefik.http.routers.edge.tls.certresolver=leresolver"
+
+      # Edge agent service routed by Traefik
+      - "traefik.tcp.routers.edgeagent.rule=Host(`edge.yourdomain.com`)"
+      - "traefik.tcp.routers.edgeagent.entrypoints=edgeagent"
+      - "traefik.tcp.services.edgeagent.loadbalancer.server.port=8000"
+
+
+
+volumes:
+  portainer_data:

traefik/docker-compose.yml

@@ -3,10 +3,11 @@ version: "3.3"
 services:
   traefik:
     container_name: traefik
-    image: "traefik:v2.2.8"
+    image: "traefik:v2.3"
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
+      - --entrypoints.edgeagent.address=:8000
       - --providers.docker
       - --log.level=DEBUG
       - --certificatesresolvers.leresolver.acme.httpchallenge=true
@@ -16,6 +17,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
+      - "8000:8000"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./acme.json:/acme.json"
@@ -48,6 +50,12 @@ services:
       - "traefik.http.routers.edge.service=edge"
       - "traefik.http.routers.edge.tls.certresolver=leresolver"
 
+      # Edge agent service routed by Traefik
+      - "traefik.tcp.routers.edgeagent.rule=Host(`edge.yourdomain.com`)"
+      - "traefik.tcp.routers.edgeagent.entrypoints=edgeagent"
+      - "traefik.tcp.services.edgeagent.loadbalancer.server.port=8000"
+
+
 
 volumes:
   portainer_data: