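#!/bin/bash
#
# Install Traefik on a systemd host: self-signed fallback certificate,
# file-provider service definitions, static configuration, iptables rules,
# an `update-traefik` helper and the systemd unit.
#
# Requires: whiptail, openssl, curl, jq, wget, tar, install, systemctl.
# Must run as root. Prompts for the Traefik release to install and the
# ACME contact e-mail.
set -euo pipefail

# Abort if either prompt is cancelled instead of continuing with empty
# values (an empty ACME e-mail would leave the resolvers below unusable).
RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3) || exit 1
ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3) || exit 1

#######################################
# Run every installation step in dependency order.
# Globals: RELEASE, ACCOUNT (read by the steps)
#######################################
main() {
  Traefik-etc-certs-selfsigned
  Traefik-etc-services
  Traefik-etc-config
  Traefik-etc-iptable
  Traefik-bin-update-traefik
  Traefik-service
}

#######################################
# Create the self-signed fallback certificate (used for unmatched SNI).
# Outputs: /etc/traefik/certs/self.key (0600) and self.crt (10 years).
# Note: `openssl req` prompts interactively for the subject fields.
#######################################
Traefik-etc-certs-selfsigned() {
  local -r certdir=/etc/traefik/certs
  mkdir -p -- "$certdir"
  # Generate the key under a restrictive umask so it is never created
  # world-readable; the default umask would typically leave it 0644.
  ( umask 077 && openssl ecparam -name secp256r1 -genkey -out "$certdir/self.key" )
  openssl req -new -x509 -key "$certdir/self.key" -sha256 -nodes \
    -out "$certdir/self.crt" -days 3650
}

#######################################
# Write the dynamic (file provider) configuration files.
#######################################
Traefik-etc-services() {
  mkdir -p /etc/traefik/services
  Traefik-etc-services-shared
  Traefik-etc-services-default
}

#######################################
# Write TLS options, shared middlewares and a placeholder service.
# Written with `>` (not `>>`) so a re-run replaces the file instead of
# appending a second copy with duplicate YAML keys. The delimiter is quoted
# because the file contains a literal "${1}" for redirectRegex.
#######################################
Traefik-etc-services-shared() {
  cat > /etc/traefik/services/_shared.yaml << "EOF"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/self.crt"
        keyFile: "/etc/traefik/certs/self.key"
  options:
    default:
      minVersion: "VersionTLS12"
      # sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    mintls13:
      minVersion: "VersionTLS13"
http:
  middlewares:
    to-https:
      redirectScheme:
        scheme: "https"
        permanent: true
    to-no-www:
      redirectRegex:
        regex: "^https://www.(.*)"
        replacement: "https://${1}"
        permanent: true
    hsts-min:
      headers:
        sslRedirect: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryheader: true
    hsts_light:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryheader: true
    hsts:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryheader: true
        referrerPolicy: "origin-when-cross-origin"
    hsts-strict:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryheader: true
        contentSecurityPolicy: "script-src 'self'"
        referrerPolicy: "origin-when-cross-origin"
  services:
    dummy:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:2"
    # matomo:
    #   loadBalancer:
    #     servers:
    #       - url: "https://x.x.x.x:xxx"
EOF
}

#######################################
# Write the catch-all routers and their backend placeholder.
# The secure router uses the staging resolver, so the certificate it
# obtains is not browser-trusted until switched to "acmev2".
# NOTE(review): `tls: acmev2-staging` is kept as authored; Traefik's router
# `tls` block is normally a map (e.g. `tls: { certResolver: ... }`) —
# verify against the version being installed.
#######################################
Traefik-etc-services-default() {
  cat > /etc/traefik/services/_default.yaml << "EOF"
http:
  routers:
    _default:
      entryPoints:
        - http
      rule: "PathPrefix(`/`)"
      # priority: 100
      # service: _default-matomo
      service: _default
    _default-secure:
      entryPoints:
        - https
      rule: "PathPrefix(`/`)"
      # priority: 100
      # service: _default-matomo
      service: _default
      tls: acmev2-staging
  services:
    # _default-matomo:
    #   mirroring:
    #     service: _default
    #     maxBodySize: 1024
    #     mirrors:
    #       - name: matomo
    #         percent: 100
    _default:
      loadBalancer:
        servers:
          - url: https://127.0.0.1:2
EOF
}

#######################################
# Write the static configuration.
# Globals: ACCOUNT (ACME contact e-mail)
# The delimiter is unquoted so ${ACCOUNT} expands directly; this replaces
# the previous sed substitution, which broke on any "/" or "&" in the
# address and let the value act as sed syntax.
#######################################
Traefik-etc-config() {
  cat > /etc/traefik/traefik.yaml << EOF
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  traefik:
    address: ":8099"
# api.insecure serves the dashboard and API on :8099 without authentication;
# restrict who can reach that port or front it with an auth middleware.
api:
  dashboard: true
  insecure: true
# Backend certificates are not verified; only acceptable for trusted,
# non-routable upstreams.
serversTransport:
  insecureSkipVerify: true
providers:
  file:
    directory: "/etc/traefik/services/"
    watch: true
certificatesResolvers:
  acmev2:
    acme:
      email: "${ACCOUNT}"
      caserver: "https://acme-v02.api.letsencrypt.org/directory"
      storage: "/etc/traefik/certs/acmev2.json"
      keyType: "EC384"
      tlsChallenge: {}
  acmev2-staging:
    acme:
      email: "${ACCOUNT}"
      caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage: "/etc/traefik/certs/acmev2-staging.json"
      keyType: "EC384"
      tlsChallenge: {}
EOF
}

#######################################
# Open 80, 443 and 8099 in /etc/iptables/rules.v4 when that file exists.
# Idempotent: the "# Traefik" marker line is used to detect a previous run
# so rules are not inserted twice.
# NOTE(review): 8099 exposes the unauthenticated dashboard (api.insecure)
# on every interface; consider limiting it to a management source.
#######################################
Traefik-etc-iptable() {
  local -r rules=/etc/iptables/rules.v4
  [ -f "$rules" ] || return 0
  if grep -qx '# Traefik' "$rules"; then
    return 0
  fi
  # sed's `a` inserts after the anchor line, so the last insert ends up
  # first; the resulting order is: marker, 443, 80, 8099.
  local port
  for port in 8099 80 443; do
    sed -i "/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport ${port} -m state --state NEW -j ACCEPT" "$rules"
  done
  sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' "$rules"
  iptables-restore "$rules"
}

#######################################
# Install /usr/local/bin/update-traefik and run it for $RELEASE.
# Globals: RELEASE (version to install on first run)
# The helper honours an optional version argument (previously ignored),
# reports API failures on stderr instead of using the message as a version,
# uses a private mktemp directory, and only stops/starts the service when it
# is already running (the unit does not exist yet on first install).
#######################################
Traefik-bin-update-traefik() {
  cat > /usr/local/bin/update-traefik << "EOF"
#!/bin/bash
#
# update-traefik [VERSION]
# Install the given Traefik release — or the latest GitHub release when no
# argument is given — if it differs from the currently installed version.
set -euo pipefail

readonly VERSION_FILE=/var/opt/traefik/version

tmpdir=
cleanup() {
  if [ -n "${tmpdir:-}" ]; then
    rm -rf -- "$tmpdir"
  fi
}
trap cleanup EXIT

# Print the installed version, or "0" when none has been recorded.
getcurrentversion() {
  if [ -f "$VERSION_FILE" ]; then
    cat "$VERSION_FILE"
  else
    echo "0"
  fi
}

# Print the latest release version (tag without letters and dashes).
# Diagnostics go to stderr and the function returns 1, so the caller never
# mistakes an error message for a version string.
getlatestversion() {
  local tagname
  if ! tagname=$(curl -fsSL "https://api.github.com/repos/traefik/traefik/releases/latest" | jq -r ".tag_name"); then
    echo "Error in Github API" >&2
    return 1
  fi
  # jq prints "null" when the field is missing (e.g. a rate-limit body).
  if [ -z "$tagname" ] || [ "$tagname" = "null" ]; then
    echo "Error in Github API" >&2
    return 1
  fi
  local -r version=${tagname//[[:alpha:]-]/}
  if [ -z "$version" ]; then
    echo "Error in Github API" >&2
    return 1
  fi
  echo "$version"
}

# Download, unpack and install the given version.
# Arguments: $1 - version without the leading "v"
update() {
  local -r version=$1
  local -r archive="traefik_v${version}_linux_amd64.tar.gz"
  tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; return 1; }
  wget -q -O "$tmpdir/$archive" \
    "https://github.com/traefik/traefik/releases/download/v${version}/${archive}"
  # TODO(review): verify the archive against the release's published
  # checksum before installing it.
  tar -xf "$tmpdir/$archive" -C "$tmpdir" traefik
  local was_active=0
  if systemctl is-active --quiet traefik; then
    was_active=1
    systemctl stop traefik
  fi
  install -m 0755 "$tmpdir/traefik" /usr/local/bin/traefik
  if [ "$was_active" = 1 ]; then
    systemctl start traefik
  fi
  mkdir -p "${VERSION_FILE%/*}"
  echo "$version" > "$VERSION_FILE"
}

curver=$(getcurrentversion)
if [ $# -ge 1 ] && [ -n "$1" ]; then
  target=$1
else
  target=$(getlatestversion) || exit 1
fi
if [ "$curver" != "$target" ]; then
  echo "$curver -> $target"
  update "$target"
fi
EOF
  chmod 755 /usr/local/bin/update-traefik
  update-traefik "$RELEASE"
}

#######################################
# Write, enable and (re)start the systemd unit.
# NOTE(review): the unit runs Traefik as root (no User=) and ExecReload
# sends SIGTERM via killall, which presumably stops rather than reloads
# the process; Traefik picks up file-provider changes via `watch: true`,
# so the reload line may be unnecessary — confirm before relying on it.
#######################################
Traefik-service() {
  cat > /etc/systemd/system/traefik.service << "EOF"
[Unit]
Description=Traefik
After=network.target auditd.service

[Service]
ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
ExecReload=/bin/killall traefik
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable traefik
  systemctl restart traefik
}

main "$@"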