This project uses CloudFlare as the DNS provider, Let's Encrypt for TLS certificates, and the dns-01 challenge. All fully supported by Traefik's and Espo is totally oblivious of any of it. It just runs in the background. Do note that if your line of business/industry/regulations require also internal network traffic to be encrypted, this solution is not enough. But it's 95 % there.
Code:
services:
traefik:
image: traefik:v3.4.1
environment:
- TZ
- CF_API_EMAIL
- CF_DNS_API_TOKEN
command:
- "--providers.docker"
- "--providers.docker.exposedByDefault=false"
- "--providers.file.directory=/dynamic"
- "--api=true"
- "--api.dashboard=true"
- "--ping"
- "--accesslog=true"
- "--log.level=INFO"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.email=$LETSENCRYPT_EMAIL"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=$DNS_PROVIDER"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik:/dynamic:ro
- traefik:/letsencrypt
ports:
- "80:80"
- "443:443"
healthcheck:
test: ["CMD", "traefik", "healthcheck", "--ping"]
timeout: 30s
interval: 30s
retries: 5
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.rule=Host(`$DOMAIN`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
- "traefik.http.routers.dashboard.middlewares=secure-headers@file,dash-auth@file"
db:
image: postgres:18.0-alpine3.22
security_opt:
- no-new-privileges:true
volumes:
- postgres:/var/lib/postgresql/data:rw
- ./db/01-init.sh:/docker-entrypoint-initdb.d/01-init.sh:r
environment:
- TZ
- PGTZ
- POSTGRES_USER
- POSTGRES_PASSWORD
- ESPOCRM_DATABASE_USER
- ESPOCRM_DATABASE_PASSWORD
- ESPOCRM_DATABASE_NAME
healthcheck:
test: ["CMD-SHELL", "pg_isready -q -d $${POSTGRES_DB} -u $${POSTGRES_USER}"]
interval: 1m30s
timeout: 30s
retries: 5
start_period: 30s
espo:
image: espocrm/espocrm:9.1.5-apache
volumes:
- espo:/var/www/html
- ./espo/custom:/var/www/html/custom
- ./espo/application:/var/www/html/application
- ./espo/install:/var/www/html/application/install
environment:
- TZ
- ESPOCRM_TIME_ZONE
- ESPOCRM_WEEK_START
- ESPOCRM_DATABASE_PLATFORM
- ESPOCRM_DATABASE_HOST
- ESPOCRM_DATABASE_USER
- ESPOCRM_DATABASE_PASSWORD
- ESPOCRM_DATABASE_NAME
- ESPOCRM_ADMIN_USERNAME
- ESPOCRM_ADMIN_PASSWORD
- ESPOCRM_SITE_URL
- ESPOCRM_CONFIG_CRYPT_KEY
- ESPOCRM_CONFIG_LOGGER_LEVEL
- ESPOCRM_CONFIG_LOGGER_DATABASE_HANDLER
depends_on:
- traefik
- db
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.services.espo.loadbalancer.server.port=80"
- "traefik.http.routers.espo.rule=Host(`$DOMAIN`)"
- "traefik.http.routers.espo.tls=true"
- "traefik.http.routers.espo.tls.domains[0].main=$DOMAIN"
- "traefik.http.routers.espo.tls.certresolver=letsencrypt"
- "traefik.http.routers.espo.middlewares=secure-headers@file"
Leave a comment: