Site update
This commit is contained in:
parent
7a023a0b98
commit
60de6575e1
262
content/blog/setup-trafik.md
Normal file
@ -0,0 +1,262 @@
|
||||
+++
|
||||
title = 'Setup Trafik'
|
||||
date = 2024-01-19T09:33:47+01:00
|
||||
draft = false
|
||||
+++
|
||||
|
||||
Do you use docker? Do you use nginx or apachi to proxy the container? Fear not you won't be needing them anymore once you are done with this tutorial.
|
||||
|
||||
Traefik is a simple docker centric proxy manager that is amazing and allows you to easilly proxy you docker container's with just a couple of label's.
|
||||
|
||||
<!---more--->
|
||||
|
||||
# Setting up Traefik
|
||||
|
||||
In this part we will setup traefik, with the dashboard enabled and secured with https and a password.
|
||||
|
||||
Create a directory where you will keep traefik configuration files and the docker compose. Inside it we will save all the configuration files.
|
||||
|
||||
## docker-compose.yml
|
||||
|
||||
```yml
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.5
|
||||
container_name: traefik
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
volumes:
|
||||
- ./traefik.toml:/traefik.toml
|
||||
- ./traefik_dynamic.toml:/traefik_dynamic.toml
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./acme.json:/acme.json
|
||||
networks:
|
||||
- web
|
||||
labels:
|
||||
- traefik.enable=false
|
||||
restart: unless-stopped
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
||||
```
|
||||
|
||||
What we are doing here is binding the needed configuration files, the docker socket so traefik can listen to it and automatically proxy the services, and the acme.json which will keep our ssl certificates.
|
||||
|
||||
We are also forcing it to use the latest available stable image to make sure there are no bugs, and disabling proxying the traefik image itself io the lables to make sure it isn't exposed by any means.
|
||||
|
||||
We are also making it so it can restart itself unless we specifically stop it, and binding it to port 80 and 443 because those are the default http and https port's that every browser uses when connecting.
|
||||
|
||||
## traefik.toml
|
||||
|
||||
```toml
|
||||
[entryPoints]
|
||||
[entryPoints.web]
|
||||
address = ":80"
|
||||
[entryPoints.web.http.redirections.entryPoint]
|
||||
to = "websecure"
|
||||
scheme = "https"
|
||||
|
||||
[entryPoints.websecure]
|
||||
address = ":443"
|
||||
|
||||
[api]
|
||||
dashboard = true
|
||||
insecure = false
|
||||
|
||||
[certificatesResolvers.lets-encrypt.acme]
|
||||
email = "name@domain.tld"
|
||||
storage = "acme.json"
|
||||
[certificatesResolvers.lets-encrypt.acme.tlsChallenge]
|
||||
|
||||
[providers.docker]
|
||||
watch = true
|
||||
network = "web"
|
||||
|
||||
[providers.file]
|
||||
filename = "traefik_dynamic.toml"
|
||||
watch = true
|
||||
```
|
||||
|
||||
In the entryPoint's we are defining the http and https port's and forcing http to redirect to https.
|
||||
|
||||
In the api section we are enabling the dashboard, but disallowing insecure access to it.
|
||||
|
||||
In the rest of the config we are defining the mail and storage for tls certificates, and enabled docker provider binded to a web network, and enabled the file provider for the dashboard setup.
|
||||
|
||||
## traefik_dynamic.toml
|
||||
|
||||
```toml
|
||||
[http.middlewares.simpleAuth.basicAuth]
|
||||
users = [
|
||||
"somebody:$apr1$whatever"
|
||||
]
|
||||
|
||||
[http.routers.api]
|
||||
rule = "Host(`monitor.domain.tld`)"
|
||||
entrypoints = ["websecure"]
|
||||
middlewares = ["simpleAuth"]
|
||||
service = "api@internal"
|
||||
[http.routers.api.tls]
|
||||
certResolver = "lets-encrypt"
|
||||
```
|
||||
|
||||
Here we are defining the basic auth credentials and routing the monitor domain to the dashboard with basic auth credentials and https.
|
||||
|
||||
Make sure to subsitute the string in qutes for users with what you get generated with httpasswd command: `htpasswd -nb somebody secure_password`.
|
||||
|
||||
## acme.toml
|
||||
|
||||
To create `acme.toml` run this command `touch acme.toml && chmod 600 acme.toml` and we are done.
|
||||
|
||||
## docker web network
|
||||
|
||||
You might have seen the networks part in the docker compose, we need to create it to make other docker container's in different docker compose files be accessible to traefik so it can proxy to them.
|
||||
|
||||
To create it we just need to run `docker network create web` and we are done.
|
||||
|
||||
---
|
||||
|
||||
After all this is done, we can just run `docker compose up -d` and if everyting was setup correctly, running `docker compose logs -f` shouldn't show any error's.
|
||||
|
||||
# Using trafik to proxy to docker container's
|
||||
|
||||
Now I'm going to explain to you how to use traefik to proxy to docker container's by using labels. For that I will be using ntfy docker image as an example.
|
||||
|
||||
> docker-compose.yml
|
||||
|
||||
```yml
|
||||
version: "2.3"
|
||||
|
||||
services:
|
||||
ntfy:
|
||||
image: binwiederhier/ntfy
|
||||
container_name: ntfy
|
||||
command:
|
||||
- serve
|
||||
volumes:
|
||||
- ./cache:/var/cache/ntfy
|
||||
- ./ntfy:/etc/ntfy
|
||||
- ./users:/var/lib/ntfy
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
|
||||
interval: 60s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
start_period: 40s
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- web
|
||||
labels:
|
||||
- traefik.http.routers.ntfy.rule=Host(`ntfy.domain.tld`)
|
||||
- traefik.http.routers.ntfy.tls=true
|
||||
- traefik.http.routers.ntfy.entrypoints=websecure
|
||||
- traefik.http.routers.ntfy.tls.certresolver=lets-encrypt
|
||||
- traefik.port=80
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
||||
```
|
||||
|
||||
The important part's of this docker compose are the following:
|
||||
|
||||
- ## No exposing port's
|
||||
|
||||
As you can see, with traefik you don't need to expose port's from the container making it a lot more secure as it can directly proxy to them from itself using the web network.
|
||||
|
||||
- ## labels
|
||||
|
||||
In labels we are defining the host domain we wan't to proxy to our container, we are also enabled tls and with entrypoint's making the container only acessible from https, making it impossible to be accessible with http no matter what.
|
||||
|
||||
We are also defining the certresolver to be lets-encrypt and setting the port from the container that traefik need's to proxy to 80, this port can be differen't depending on what you wan't to proxy.
|
||||
|
||||
- ## networks
|
||||
|
||||
We are also defining the web external network that is ussed so traefik can access to the container and proxy to it.
|
||||
|
||||
---
|
||||
|
||||
After you have accustomed the config to what you need, you can just `docker compose up -d`, go to your traefik monitor and after some time you will see ntfy addedd to reverse proxying with tls certficate and only accessible from https.
|
||||
|
||||
# Disabling traefik
|
||||
|
||||
Next I will be talkling about how to disable traefik for container's because you don't want it to work for container's you don't want accessible over the network.
|
||||
|
||||
## Disabling for one service docker-compose
|
||||
|
||||
As the main example, I have a watchtower instance that I don't wan't proxied to the outside world. To do that we just add `traefik.enable=false` to the labels and trafik will stop being naughty.
|
||||
|
||||
> example
|
||||
```yaml
|
||||
...
|
||||
labels:
|
||||
- traefik.enable=false
|
||||
...
|
||||
```
|
||||
|
||||
Take note that for this kind of docker-compose files, networks part IS NOT NEEDED, just create the docker compose file as you would usually without having the networks part.
|
||||
|
||||
## Disabling for more complex docker-compose
|
||||
|
||||
Now here comes the more tricky part, disabling it for only specific docker containers, and making it so traefik can't access them from it's network. To accomplish that we will use the `traefik.enable=false` label once again, and make use of multiple networks to make sure traefik can only access the web interfaces and keep other containers secure like databases and only accessible to the web interfaces.
|
||||
|
||||
> example docker-compose.yml
|
||||
|
||||
```yaml
|
||||
version: "3"
|
||||
|
||||
networks:
|
||||
web:
|
||||
external: true
|
||||
internal:
|
||||
external: false
|
||||
|
||||
services:
|
||||
blog:
|
||||
image: wordpress:4.9.8-apache
|
||||
environment:
|
||||
WORDPRESS_DB_PASSWORD:
|
||||
labels:
|
||||
- traefik.http.routers.blog.rule=Host(`blog.domain.tld`)
|
||||
- traefik.http.routers.blog.tls=true
|
||||
- traefik.http.routers.blog.tls.certresolver=lets-encrypt
|
||||
- traefik.port=80
|
||||
networks:
|
||||
- internal
|
||||
- web
|
||||
depends_on:
|
||||
- mysql
|
||||
|
||||
mysql:
|
||||
image: mysql:5.7
|
||||
environment:
|
||||
MYSQL_ROOT_PASSWORD:
|
||||
networks:
|
||||
- internal
|
||||
labels:
|
||||
- traefik.enable=false
|
||||
|
||||
adminer:
|
||||
image: adminer:4.6.3-standalone
|
||||
labels:
|
||||
labels:
|
||||
- traefik.http.routers.adminer.rule=Host(`db-admin.domain.tld`)
|
||||
- traefik.http.routers.adminer.tls=true
|
||||
- traefik.http.routers.adminer.tls.certresolver=lets-encrypt
|
||||
- traefik.port=8080
|
||||
networks:
|
||||
- internal
|
||||
- web
|
||||
depends_on:
|
||||
- mysql
|
||||
```
|
||||
|
||||
Here we can see what I was talking about in action, take note I took this docker compose file from this digital ocean [blog post](https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04#step-3-registering-containers-with-traefik) that explain's it a lot better I could which you can use as a reference if you didn't understand something about what I was talking about.
|
||||
|
||||
# Conclusing
|
||||
|
||||
I hope that you were able to setup traefik, or if not and were just reading to see what it's all about I hope you had a good read and might have decided to try out traefik in the future.
|
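Review bot: the `## acme.toml` section creates the wrong file: docker-compose.yml mounts `./acme.json:/acme.json` and traefik.toml sets `storage = "acme.json"`, so `touch acme.toml && chmod 600 acme.toml` leaves `./acme.json` missing, Docker will create an empty directory at that path when the container starts, and the ACME resolver cannot store certificates; the heading, the filename in the prose and the command should all read `acme.json`. Two further problems in the same file: in the multi-network example the `adminer` service has `labels:` twice, a duplicate mapping key that the compose parser will reject; and `traefik.port=80` / `traefik.port=8080` is the Traefik v1 label, whereas the image is `traefik:v2.5`, where the backend port is declared as `traefik.http.services.<name>.loadbalancer.server.port=80` and an unknown `traefik.port` is ignored (Traefik v2 then falls back to the single port the image exposes, which is why it still appears to work for ntfy but not for the reason the text gives). The prose also says the compose "forces the latest available stable image" while `image: traefik:v2.5` pins one minor version; the pin is the better choice, but say so and note it has to be bumped deliberately. Finally, worth a sentence next to `/var/run/docker.sock:/var/run/docker.sock:ro`: `:ro` only makes the socket file read-only, the Docker API reached through it is fully usable, so the Traefik container should be treated as root-equivalent on the host and kept as locked down as the text already tries to with `traefik.enable=false`.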
@ -40,6 +40,9 @@
|
||||
|
||||
<section class="list">
|
||||
|
||||
<a href="/blog/setup-trafik/">
|
||||
19-01-2024 || Setup Trafik</a><br />
|
||||
|
||||
<a href="/blog/using-mblaze/">
|
||||
07-01-2024 || Using Mblaze</a><br />
|
||||
|
||||
|
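Review bot: `Setup Trafik` in the new list entry, and the `/blog/setup-trafik/` path it links to, misspell Traefik. The title can be corrected in the front matter at any time, but the slug comes from the filename `content/blog/setup-trafik.md` and becomes a permanent URL once published, so rename the file to `setup-traefik.md` in this commit rather than after external links to it exist.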
@ -6,11 +6,229 @@
|
||||
<description>Recent content in Blog on Crony Akatsuki's Website</description>
|
||||
<generator>Hugo -- gohugo.io</generator>
|
||||
<language>en-us</language>
|
||||
<lastBuildDate>Sun, 07 Jan 2024 12:15:21 +0100</lastBuildDate>
|
||||
<lastBuildDate>Fri, 19 Jan 2024 09:33:47 +0100</lastBuildDate>
|
||||
|
||||
<atom:link href="https://cronyakatsuki.xyz/blog/index.xml" rel="self" type="application/rss+xml" />
|
||||
|
||||
|
||||
<item>
|
||||
<title>Setup Trafik</title>
|
||||
<link>https://cronyakatsuki.xyz/blog/setup-trafik/</link>
|
||||
<pubDate>19-01-2024</pubDate>
|
||||
|
||||
<guid>https://cronyakatsuki.xyz/blog/setup-trafik/</guid>
|
||||
<description><p>Do you use docker? Do you use nginx or apachi to proxy the container? Fear not you won&rsquo;t be needing them anymore once you are done with this tutorial.</p>
|
||||
<p>Traefik is a simple docker centric proxy manager that is amazing and allows you to easilly proxy you docker container&rsquo;s with just a couple of label&rsquo;s.</p>
|
||||
<!-- raw HTML omitted -->
|
||||
<h1 id="setting-up-traefik">Setting up Traefik</h1>
|
||||
<p>In this part we will setup traefik, with the dashboard enabled and secured with https and a password.</p>
|
||||
<p>Create a directory where you will keep traefik configuration files and the docker compose. Inside it we will save all the configuration files.</p>
|
||||
<h2 id="docker-composeyml">docker-compose.yml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">&#39;3&#39;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">traefik</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: traefik:v2.5
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">container_name</span>: traefik
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ports</span>:
|
||||
</span></span><span style="display:flex;"><span> - <span style="color:#ef9f76">80</span>:<span style="color:#ef9f76">80</span>
|
||||
</span></span><span style="display:flex;"><span> - <span style="color:#ef9f76">443</span>:<span style="color:#ef9f76">443</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">volumes</span>:
|
||||
</span></span><span style="display:flex;"><span> - ./traefik.toml:/traefik.toml
|
||||
</span></span><span style="display:flex;"><span> - ./traefik_dynamic.toml:/traefik_dynamic.toml
|
||||
</span></span><span style="display:flex;"><span> - /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
</span></span><span style="display:flex;"><span> - ./acme.json:/acme.json
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">restart</span>: unless-stopped
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>What we are doing here is binding the needed configuration files, the docker socket so traefik can listen to it and automatically proxy the services, and the acme.json which will keep our ssl certificates.</p>
|
||||
<p>We are also forcing it to use the latest available stable image to make sure there are no bugs, and disabling proxying the traefik image itself io the lables to make sure it isn&rsquo;t exposed by any means.</p>
|
||||
<p>We are also making it so it can restart itself unless we specifically stop it, and binding it to port 80 and 443 because those are the default http and https port&rsquo;s that every browser uses when connecting.</p>
|
||||
<h2 id="traefiktoml">traefik.toml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[entryPoints]
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.web]
|
||||
</span></span><span style="display:flex;"><span> address = <span style="color:#a6d189">&#34;:80&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.web.http.redirections.entryPoint]
|
||||
</span></span><span style="display:flex;"><span> to = <span style="color:#a6d189">&#34;websecure&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> scheme = <span style="color:#a6d189">&#34;https&#34;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.websecure]
|
||||
</span></span><span style="display:flex;"><span> address = <span style="color:#a6d189">&#34;:443&#34;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[api]
|
||||
</span></span><span style="display:flex;"><span> dashboard = <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> insecure = <span style="color:#ef9f76">false</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[certificatesResolvers.lets-encrypt.acme]
|
||||
</span></span><span style="display:flex;"><span> email = <span style="color:#a6d189">&#34;name@domain.tld&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> storage = <span style="color:#a6d189">&#34;acme.json&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> [certificatesResolvers.lets-encrypt.acme.tlsChallenge]
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[providers.docker]
|
||||
</span></span><span style="display:flex;"><span> watch = <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> network = <span style="color:#a6d189">&#34;web&#34;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[providers.file]
|
||||
</span></span><span style="display:flex;"><span> filename = <span style="color:#a6d189">&#34;traefik_dynamic.toml&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> watch = <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>In the entryPoint&rsquo;s we are defining the http and https port&rsquo;s and forcing http to redirect to https.</p>
|
||||
<p>In the api section we are enabling the dashboard, but disallowing insecure access to it.</p>
|
||||
<p>In the rest of the config we are defining the mail and storage for tls certificates, and enabled docker provider binded to a web network, and enabled the file provider for the dashboard setup.</p>
|
||||
<h2 id="traefik_dynamictoml">traefik_dynamic.toml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[http.middlewares.simpleAuth.basicAuth]
|
||||
</span></span><span style="display:flex;"><span> users = [
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#a6d189">&#34;somebody:$apr1$whatever&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[http.routers.api]
|
||||
</span></span><span style="display:flex;"><span> rule = <span style="color:#a6d189">&#34;Host(`monitor.domain.tld`)&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> entrypoints = [<span style="color:#a6d189">&#34;websecure&#34;</span>]
|
||||
</span></span><span style="display:flex;"><span> middlewares = [<span style="color:#a6d189">&#34;simpleAuth&#34;</span>]
|
||||
</span></span><span style="display:flex;"><span> service = <span style="color:#a6d189">&#34;api@internal&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> [http.routers.api.tls]
|
||||
</span></span><span style="display:flex;"><span> certResolver = <span style="color:#a6d189">&#34;lets-encrypt&#34;</span>
|
||||
</span></span></code></pre></div><p>Here we are defining the basic auth credentials and routing the monitor domain to the dashboard with basic auth credentials and https.</p>
|
||||
<p>Make sure to subsitute the string in qutes for users with what you get generated with httpasswd command: <code>htpasswd -nb somebody secure_password</code>.</p>
|
||||
<h2 id="acmetoml">acme.toml</h2>
|
||||
<p>To create <code>acme.toml</code> run this command <code>touch acme.toml &amp;&amp; chmod 600 acme.toml</code> and we are done.</p>
|
||||
<h2 id="docker-web-network">docker web network</h2>
|
||||
<p>You might have seen the networks part in the docker compose, we need to create it to make other docker container&rsquo;s in different docker compose files be accessible to traefik so it can proxy to them.</p>
|
||||
<p>To create it we just need to run <code>docker network create web</code> and we are done.</p>
|
||||
<hr>
|
||||
<p>After all this is done, we can just run <code>docker compose up -d</code> and if everyting was setup correctly, running <code>docker compose logs -f</code> shouldn&rsquo;t show any error&rsquo;s.</p>
|
||||
<h1 id="using-trafik-to-proxy-to-docker-containers">Using trafik to proxy to docker container&rsquo;s</h1>
|
||||
<p>Now I&rsquo;m going to explain to you how to use traefik to proxy to docker container&rsquo;s by using labels. For that I will be using ntfy docker image as an example.</p>
|
||||
<blockquote>
|
||||
<p>docker-compose.yml</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">&#34;2.3&#34;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ntfy</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: binwiederhier/ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">container_name</span>: ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">command</span>:
|
||||
</span></span><span style="display:flex;"><span> - serve
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">volumes</span>:
|
||||
</span></span><span style="display:flex;"><span> - ./cache:/var/cache/ntfy
|
||||
</span></span><span style="display:flex;"><span> - ./ntfy:/etc/ntfy
|
||||
</span></span><span style="display:flex;"><span> - ./users:/var/lib/ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">healthcheck</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">test</span>: [<span style="color:#a6d189">&#34;CMD-SHELL&#34;</span>, <span style="color:#a6d189">&#34;wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo &#39;\&#34;healthy\&#34;\\s*:\\s*true&#39; || exit 1&#34;</span>]
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">interval</span>: 60s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">timeout</span>: 10s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">retries</span>: <span style="color:#ef9f76">3</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">start_period</span>: 40s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">restart</span>: unless-stopped
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.rule=Host(`ntfy.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.entrypoints=websecure
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=80
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>The important part&rsquo;s of this docker compose are the following:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="no-exposing-ports">No exposing port&rsquo;s</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>As you can see, with traefik you don&rsquo;t need to expose port&rsquo;s from the container making it a lot more secure as it can directly proxy to them from itself using the web network.</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="labels">labels</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>In labels we are defining the host domain we wan&rsquo;t to proxy to our container, we are also enabled tls and with entrypoint&rsquo;s making the container only acessible from https, making it impossible to be accessible with http no matter what.</p>
|
||||
<p>We are also defining the certresolver to be lets-encrypt and setting the port from the container that traefik need&rsquo;s to proxy to 80, this port can be differen&rsquo;t depending on what you wan&rsquo;t to proxy.</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="networks">networks</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>We are also defining the web external network that is ussed so traefik can access to the container and proxy to it.</p>
|
||||
<hr>
|
||||
<p>After you have accustomed the config to what you need, you can just <code>docker compose up -d</code>, go to your traefik monitor and after some time you will see ntfy addedd to reverse proxying with tls certficate and only accessible from https.</p>
|
||||
<h1 id="disabling-traefik">Disabling traefik</h1>
|
||||
<p>Next I will be talkling about how to disable traefik for container&rsquo;s because you don&rsquo;t want it to work for container&rsquo;s you don&rsquo;t want accessible over the network.</p>
|
||||
<h2 id="disabling-for-one-service-docker-compose">Disabling for one service docker-compose</h2>
|
||||
<p>As the main example, I have a watchtower instance that I don&rsquo;t wan&rsquo;t proxied to the outside world. To do that we just add <code>traefik.enable=false</code> to the labels and trafik will stop being naughty.</p>
|
||||
<blockquote>
|
||||
<p>example</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ef9f76">...</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ef9f76">...</span>
|
||||
</span></span></code></pre></div><p>Take note that for this kind of docker-compose files, networks part IS NOT NEEDED, just create the docker compose file as you would usually without having the networks part.</p>
|
||||
<h2 id="disabling-for-more-complex-docker-compose">Disabling for more complex docker-compose</h2>
|
||||
<p>Now here comes the more tricky part, disabling it for only specific docker containers, and making it so traefik can&rsquo;t access them from it&rsquo;s network. To accomplish that we will use the <code>traefik.enable=false</code> label once again, and make use of multiple networks to make sure traefik can only access the web interfaces and keep other containers secure like databases and only accessible to the web interfaces.</p>
|
||||
<blockquote>
|
||||
<p>example docker-compose.yml</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">&#34;3&#34;</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">internal</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">false</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">blog</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: wordpress:4.9.8-apache
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">environment</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">WORDPRESS_DB_PASSWORD</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.rule=Host(`blog.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=80
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">depends_on</span>:
|
||||
</span></span><span style="display:flex;"><span> - mysql
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">mysql</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: mysql:5.7
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">environment</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">MYSQL_ROOT_PASSWORD</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">adminer</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: adminer:4.6.3-standalone
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.rule=Host(`db-admin.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=8080
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">depends_on</span>:
|
||||
</span></span><span style="display:flex;"><span> - mysql
|
||||
</span></span></code></pre></div><p>Here we can see what I was talking about in action, take note I took this docker compose file from this digital ocean <a href="https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04#step-3-registering-containers-with-traefik">blog post</a> that explain&rsquo;s it a lot better I could which you can use as a reference if you didn&rsquo;t understand something about what I was talking about.</p>
|
||||
<h1 id="conclusing">Conclusing</h1>
|
||||
<p>I hope that you were able to setup traefik, or if not and were just reading to see what it&rsquo;s all about I hope you had a good read and might have decided to try out traefik in the future.</p>
|
||||
</description>
|
||||
</item>
|
||||
|
||||
<item>
|
||||
<title>Using Mblaze</title>
|
||||
<link>https://cronyakatsuki.xyz/blog/using-mblaze/</link>
|
||||
|
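Review bot: in the `adminer` service the router labels sit under a second, nested `labels:` key (the two consecutive `labels:` lines right before `traefik.http.routers.adminer.rule=Host(...)`), so Compose reads the value of `labels` as a mapping rather than a list of strings and rejects the file; remove the inner `labels:` and dedent the three list items. The same service and `blog` also mix Traefik v2 router labels with the v1-only `traefik.port=8080` / `traefik.port=80`, which v2 does not accept as a label; the v2 form is `traefik.http.services.adminer.loadbalancer.server.port=8080` (and `traefik.http.services.blog.loadbalancer.server.port=80`). Finally `MYSQL_ROOT_PASSWORD:` is left empty, which the mysql image refuses to start with; the value belongs in an untracked `.env` file (`MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}`) rather than in a committed compose file.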
306
public/blog/setup-trafik/index.html
Normal file
306
public/blog/setup-trafik/index.html
Normal file
@ -0,0 +1,306 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link href="/css/style.css" rel="stylesheet" />
|
||||
|
||||
<title>Setup Trafik</title>
|
||||
<meta property="og:title" content="Setup Trafik" />
|
||||
<meta property="og:description" content="Do you use docker? Do you use nginx or apachi to proxy the container? Fear not you won’t be needing them anymore once you are done with this tutorial.
|
||||
Traefik is a simple docker centric proxy manager that is amazing and allows you to easilly proxy you docker container’s with just a couple of label’s.
|
||||
Setting up Traefik In this part we will setup traefik, with the dashboard enabled and secured with https and a password." />
|
||||
<meta property="og:type" content="article" />
|
||||
<meta property="og:url" content="https://cronyakatsuki.xyz/blog/setup-trafik/" /><meta property="article:section" content="blog" />
|
||||
<meta property="article:published_time" content="2024-01-19T09:33:47+01:00" />
|
||||
<meta property="article:modified_time" content="2024-01-19T09:33:47+01:00" /><meta property="og:site_name" content="Crony Akatsuki's Website" />
|
||||
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<header>
|
||||
<h1>Crony Akatsuki</h1>
|
||||
<nav>
|
||||
<span><a href="/">Home</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="/about">About</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="/blog">Blog</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="/services">Services</a></span>
|
||||
</nav>
|
||||
</header>
|
||||
|
||||
|
||||
<main>
|
||||
<div id="content">
|
||||
|
||||
<h1>Setup Trafik</h1>
|
||||
|
||||
|
||||
|
||||
<div id="blog-meta">
|
||||
<p id="date">19-01-2024</p>
|
||||
|
||||
|
||||
<hr>
|
||||
</div>
|
||||
|
||||
<p>Do you use docker? Do you use nginx or apachi to proxy the container? Fear not you won’t be needing them anymore once you are done with this tutorial.</p>
|
||||
<p>Traefik is a simple docker centric proxy manager that is amazing and allows you to easilly proxy you docker container’s with just a couple of label’s.</p>
|
||||
<!-- raw HTML omitted -->
|
||||
<h1 id="setting-up-traefik">Setting up Traefik</h1>
|
||||
<p>In this part we will setup traefik, with the dashboard enabled and secured with https and a password.</p>
|
||||
<p>Create a directory where you will keep traefik configuration files and the docker compose. Inside it we will save all the configuration files.</p>
|
||||
<h2 id="docker-composeyml">docker-compose.yml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">'3'</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">traefik</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: traefik:v2.5
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">container_name</span>: traefik
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ports</span>:
|
||||
</span></span><span style="display:flex;"><span> - <span style="color:#ef9f76">80</span>:<span style="color:#ef9f76">80</span>
|
||||
</span></span><span style="display:flex;"><span> - <span style="color:#ef9f76">443</span>:<span style="color:#ef9f76">443</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">volumes</span>:
|
||||
</span></span><span style="display:flex;"><span> - ./traefik.toml:/traefik.toml
|
||||
</span></span><span style="display:flex;"><span> - ./traefik_dynamic.toml:/traefik_dynamic.toml
|
||||
</span></span><span style="display:flex;"><span> - /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
</span></span><span style="display:flex;"><span> - ./acme.json:/acme.json
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">restart</span>: unless-stopped
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>What we are doing here is binding the needed configuration files, the docker socket so traefik can listen to it and automatically proxy the services, and the acme.json which will keep our ssl certificates.</p>
|
||||
<p>We are also forcing it to use the latest available stable image to make sure there are no bugs, and disabling proxying the traefik image itself io the lables to make sure it isn’t exposed by any means.</p>
|
||||
<p>We are also making it so it can restart itself unless we specifically stop it, and binding it to port 80 and 443 because those are the default http and https port’s that every browser uses when connecting.</p>
|
||||
<h2 id="traefiktoml">traefik.toml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[entryPoints]
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.web]
|
||||
</span></span><span style="display:flex;"><span> address = <span style="color:#a6d189">":80"</span>
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.web.http.redirections.entryPoint]
|
||||
</span></span><span style="display:flex;"><span> to = <span style="color:#a6d189">"websecure"</span>
|
||||
</span></span><span style="display:flex;"><span> scheme = <span style="color:#a6d189">"https"</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> [entryPoints.websecure]
|
||||
</span></span><span style="display:flex;"><span> address = <span style="color:#a6d189">":443"</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[api]
|
||||
</span></span><span style="display:flex;"><span> dashboard = <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> insecure = <span style="color:#ef9f76">false</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[certificatesResolvers.lets-encrypt.acme]
|
||||
</span></span><span style="display:flex;"><span> email = <span style="color:#a6d189">"name@domain.tld"</span>
|
||||
</span></span><span style="display:flex;"><span> storage = <span style="color:#a6d189">"acme.json"</span>
|
||||
</span></span><span style="display:flex;"><span> [certificatesResolvers.lets-encrypt.acme.tlsChallenge]
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[providers.docker]
|
||||
</span></span><span style="display:flex;"><span> watch = <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> network = <span style="color:#a6d189">"web"</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[providers.file]
|
||||
</span></span><span style="display:flex;"><span> filename = <span style="color:#a6d189">"traefik_dynamic.toml"</span>
|
||||
</span></span><span style="display:flex;"><span> watch = <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>In the entryPoint’s we are defining the http and https port’s and forcing http to redirect to https.</p>
|
||||
<p>In the api section we are enabling the dashboard, but disallowing insecure access to it.</p>
|
||||
<p>In the rest of the config we are defining the mail and storage for tls certificates, and enabled docker provider binded to a web network, and enabled the file provider for the dashboard setup.</p>
|
||||
<h2 id="traefik_dynamictoml">traefik_dynamic.toml</h2>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[http.middlewares.simpleAuth.basicAuth]
|
||||
</span></span><span style="display:flex;"><span> users = [
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#a6d189">"somebody:$apr1$whatever"</span>
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>[http.routers.api]
|
||||
</span></span><span style="display:flex;"><span> rule = <span style="color:#a6d189">"Host(`monitor.domain.tld`)"</span>
|
||||
</span></span><span style="display:flex;"><span> entrypoints = [<span style="color:#a6d189">"websecure"</span>]
|
||||
</span></span><span style="display:flex;"><span> middlewares = [<span style="color:#a6d189">"simpleAuth"</span>]
|
||||
</span></span><span style="display:flex;"><span> service = <span style="color:#a6d189">"api@internal"</span>
|
||||
</span></span><span style="display:flex;"><span> [http.routers.api.tls]
|
||||
</span></span><span style="display:flex;"><span> certResolver = <span style="color:#a6d189">"lets-encrypt"</span>
|
||||
</span></span></code></pre></div><p>Here we are defining the basic auth credentials and routing the monitor domain to the dashboard with basic auth credentials and https.</p>
|
||||
<p>Make sure to subsitute the string in qutes for users with what you get generated with httpasswd command: <code>htpasswd -nb somebody secure_password</code>.</p>
|
||||
<h2 id="acmetoml">acme.toml</h2>
|
||||
<p>To create <code>acme.toml</code> run this command <code>touch acme.toml && chmod 600 acme.toml</code> and we are done.</p>
|
||||
<h2 id="docker-web-network">docker web network</h2>
|
||||
<p>You might have seen the networks part in the docker compose, we need to create it to make other docker container’s in different docker compose files be accessible to traefik so it can proxy to them.</p>
|
||||
<p>To create it we just need to run <code>docker network create web</code> and we are done.</p>
|
||||
<hr>
|
||||
<p>After all this is done, we can just run <code>docker compose up -d</code> and if everyting was setup correctly, running <code>docker compose logs -f</code> shouldn’t show any error’s.</p>
|
||||
<h1 id="using-trafik-to-proxy-to-docker-containers">Using trafik to proxy to docker container’s</h1>
|
||||
<p>Now I’m going to explain to you how to use traefik to proxy to docker container’s by using labels. For that I will be using ntfy docker image as an example.</p>
|
||||
<blockquote>
|
||||
<p>docker-compose.yml</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">"2.3"</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ntfy</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: binwiederhier/ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">container_name</span>: ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">command</span>:
|
||||
</span></span><span style="display:flex;"><span> - serve
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">volumes</span>:
|
||||
</span></span><span style="display:flex;"><span> - ./cache:/var/cache/ntfy
|
||||
</span></span><span style="display:flex;"><span> - ./ntfy:/etc/ntfy
|
||||
</span></span><span style="display:flex;"><span> - ./users:/var/lib/ntfy
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">healthcheck</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">test</span>: [<span style="color:#a6d189">"CMD-SHELL"</span>, <span style="color:#a6d189">"wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"</span>]
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">interval</span>: 60s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">timeout</span>: 10s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">retries</span>: <span style="color:#ef9f76">3</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">start_period</span>: 40s
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">restart</span>: unless-stopped
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.rule=Host(`ntfy.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.entrypoints=websecure
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.ntfy.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=80
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span></code></pre></div><p>The important part’s of this docker compose are the following:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="no-exposing-ports">No exposing port’s</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>As you can see, with traefik you don’t need to expose port’s from the container making it a lot more secure as it can directly proxy to them from itself using the web network.</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="labels">labels</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>In labels we are defining the host domain we wan’t to proxy to our container, we are also enabled tls and with entrypoint’s making the container only acessible from https, making it impossible to be accessible with http no matter what.</p>
|
||||
<p>We are also defining the certresolver to be lets-encrypt and setting the port from the container that traefik need’s to proxy to 80, this port can be differen’t depending on what you wan’t to proxy.</p>
|
||||
<ul>
|
||||
<li>
|
||||
<h2 id="networks">networks</h2>
|
||||
</li>
|
||||
</ul>
|
||||
<p>We are also defining the web external network that is ussed so traefik can access to the container and proxy to it.</p>
|
||||
<hr>
|
||||
<p>After you have accustomed the config to what you need, you can just <code>docker compose up -d</code>, go to your traefik monitor and after some time you will see ntfy addedd to reverse proxying with tls certficate and only accessible from https.</p>
|
||||
<h1 id="disabling-traefik">Disabling traefik</h1>
|
||||
<p>Next I will be talkling about how to disable traefik for container’s because you don’t want it to work for container’s you don’t want accessible over the network.</p>
|
||||
<h2 id="disabling-for-one-service-docker-compose">Disabling for one service docker-compose</h2>
|
||||
<p>As the main example, I have a watchtower instance that I don’t wan’t proxied to the outside world. To do that we just add <code>traefik.enable=false</code> to the labels and trafik will stop being naughty.</p>
|
||||
<blockquote>
|
||||
<p>example</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ef9f76">...</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ef9f76">...</span>
|
||||
</span></span></code></pre></div><p>Take note that for this kind of docker-compose files, networks part IS NOT NEEDED, just create the docker compose file as you would usually without having the networks part.</p>
|
||||
<h2 id="disabling-for-more-complex-docker-compose">Disabling for more complex docker-compose</h2>
|
||||
<p>Now here comes the more tricky part, disabling it for only specific docker containers, and making it so traefik can’t access them from it’s network. To accomplish that we will use the <code>traefik.enable=false</code> label once again, and make use of multiple networks to make sure traefik can only access the web interfaces and keep other containers secure like databases and only accessible to the web interfaces.</p>
|
||||
<blockquote>
|
||||
<p>example docker-compose.yml</p>
|
||||
</blockquote>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ca9ee6">version</span>: <span style="color:#a6d189">"3"</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">web</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">true</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">internal</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">external</span>: <span style="color:#ef9f76">false</span>
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">services</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">blog</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: wordpress:4.9.8-apache
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">environment</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">WORDPRESS_DB_PASSWORD</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.rule=Host(`blog.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.blog.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=80
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">depends_on</span>:
|
||||
</span></span><span style="display:flex;"><span> - mysql
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">mysql</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: mysql:5.7
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">environment</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">MYSQL_ROOT_PASSWORD</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.enable=false
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">adminer</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">image</span>: adminer:4.6.3-standalone
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">labels</span>:
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.rule=Host(`db-admin.domain.tld`)
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.tls=true
|
||||
</span></span><span style="display:flex;"><span> - traefik.http.routers.adminer.tls.certresolver=lets-encrypt
|
||||
</span></span><span style="display:flex;"><span> - traefik.port=8080
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">networks</span>:
|
||||
</span></span><span style="display:flex;"><span> - internal
|
||||
</span></span><span style="display:flex;"><span> - web
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">depends_on</span>:
|
||||
</span></span><span style="display:flex;"><span> - mysql
|
||||
</span></span></code></pre></div><p>Here we can see what I was talking about in action, take note I took this docker compose file from this digital ocean <a href="https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04#step-3-registering-containers-with-traefik">blog post</a> that explain’s it a lot better I could which you can use as a reference if you didn’t understand something about what I was talking about.</p>
|
||||
<h1 id="conclusing">Conclusing</h1>
|
||||
<p>I hope that you were able to setup traefik, or if not and were just reading to see what it’s all about I hope you had a good read and might have decided to try out traefik in the future.</p>
|
||||
</div>
|
||||
</main>
|
||||
<footer>
|
||||
<div id="links">
|
||||
<span><a href="https://code.cronyakatsuki.xyz">Code</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://steamcommunity.com/id/CronyAkatsuki/">Steam</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://osu.ppy.sh/users/18953565">Osu!</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://anilist.co/user/CronyAkatsuki/">Anilist</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://youtube.com/channel/UClFdlNlUipHG5Kit8GbFz5Q">Gaming Channel</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://uptime.cronyakatsuki.xyz/status/public">Services Status</a></span>
|
||||
<span>|</span>
|
||||
<span><a href="https://lemmy.cronyakatsuki.xyz/u/crony">Lemmy</a></span>
|
||||
</div>
|
||||
<div id="banners">
|
||||
<a rel="noreferrer" href="/" target="_blank"><img src="/88x31.png"
|
||||
alt="Me" title="Me" /></a>
|
||||
<a rel="noreferrer" href="https://kernel.org" target="_blank"><img src="https://cyber.dabamos.de/88x31/linux_powered.gif"
|
||||
alt="linux kernel" title="Best kernel in the world" /></a>
|
||||
<a rel="noreferrer" href="https://debian.org" target="_blank"><img src="https://cyber.dabamos.de/88x31/debian.gif"
|
||||
alt="debian" title="This website run's on debian" /></a>
|
||||
<a rel="noreferrer" href="https://bitwarden.com" target="_blank"><img src="https://cyber.dabamos.de/88x31/bitwarden.gif"
|
||||
alt="Bitwarden" title="Bitwarden/Vaultwarden for the win" /></a>
|
||||
<a rel="noreferrer" target="_blank"><img src="https://cyber.dabamos.de/88x31/free.gif"
|
||||
alt="foss" title="Foss is the way" /></a>
|
||||
<a rel="noreferrer" href="https://neovim.io" target="_blank"><img src="/assets/badges/neovim.gif"
|
||||
alt="Neovim" title="Written in neovim" /></a>
|
||||
<a rel="noreferrer" href="https://landchad.net" target="_blank"><img src="https://landchad.net/pix/landchad.gif"
|
||||
alt="LandChad" title="Get A Website!" /></a>
|
||||
<a rel="noreferrer" href="https://poggerer.xyz" target="_blank"><img src="https://poggerer.xyz/88x31.png"
|
||||
alt="Tulg" title="Tulg" /></a>
|
||||
<a rel="noreferrer" href="https://arthurmelton.com" target="_blank"><img src="https://arthurmelton.com/88x31.png"
|
||||
alt="AMTitan" title="AMTitan" /></a>
|
||||
<a rel="noreferrer" href="https://aadi.net.in" target="_blank"><img src="https://aadi.net.in/88x31.png"
|
||||
alt="Aadi" title="Aadi" /></a>
|
||||
<a rel="noreferrer" href="https://bear.oops.wtf/" target="_blank"><img src="https://bear.oops.wtf/download/88x31.png"
|
||||
alt="Bear" title="Bear" /></a>
|
||||
</div>
|
||||
</footer>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
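Review bot: the `acme.toml` section (`<h2 id="acmetoml">acme.toml</h2>` and `touch acme.toml && chmod 600 acme.toml`) names the wrong file: the compose file mounts `./acme.json:/acme.json` and traefik.toml sets `storage = "acme.json"`, so a reader following the text never creates `acme.json`, Docker creates an empty directory at that bind-mount path instead, and Traefik cannot write its ACME account key or certificates. Change both the heading and the command to `acme.json` and keep the `chmod 600`, since that file holds the Let's Encrypt account private key and the private key of every issued certificate. Smaller points in the same file: the prose claims the compose file forces "the latest available stable image", but it pins `traefik:v2.5`, a 2021 release; either pin a current v2 tag and say so, or drop the claim. `internal:` with `external: false` only declares a project-local bridge network, not Compose's `internal: true`, so mysql still has outbound access; the isolation actually provided is that mysql is not attached to `web`. And mounting `/var/run/docker.sock` into a public-facing proxy, even `:ro`, hands that container full control of the Docker API if it is compromised; worth a sentence pointing readers at a socket proxy or a filtered socket.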
@ -3,10 +3,13 @@
|
||||
xmlns:xhtml="http://www.w3.org/1999/xhtml">
|
||||
<url>
|
||||
<loc>https://cronyakatsuki.xyz/blog/</loc>
|
||||
<lastmod>2024-01-07T12:15:21+01:00</lastmod>
|
||||
<lastmod>2024-01-19T09:33:47+01:00</lastmod>
|
||||
</url><url>
|
||||
<loc>https://cronyakatsuki.xyz/</loc>
|
||||
<lastmod>2024-01-07T12:15:21+01:00</lastmod>
|
||||
<lastmod>2024-01-19T09:33:47+01:00</lastmod>
|
||||
</url><url>
|
||||
<loc>https://cronyakatsuki.xyz/blog/setup-trafik/</loc>
|
||||
<lastmod>2024-01-19T09:33:47+01:00</lastmod>
|
||||
</url><url>
|
||||
<loc>https://cronyakatsuki.xyz/tags/linux/</loc>
|
||||
<lastmod>2024-01-07T12:15:21+01:00</lastmod>
|
||||
|