| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| docker_notes:docker-dokuwiki [2023-05-30 Tue wk22 19:32] – [ssl certificates] baumkp | docker_notes:docker-dokuwiki [2023-05-30 Tue wk22 19:53] – baumkp |
|---|
| {{tag>linux docker traefik godaddy dokuwiki nextcloud container}} | {{tag>linux docker traefik godaddy dokuwiki nextcloud container}} |
| ======Docker Containers====== | |
| |
| =====Reverse Proxy Server===== | |
| I seem to have gotten the Traefik reverse proxy working according to Techno Tim [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] ([[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl|github reference_files for traefik-portainer-ssl]]) | |
| |
| Below is a basic description of the process that aligns with my configuration files. I do this for 2 reasons, both allowing me independence. | ======Dokuwiki====== |
| - Sometimes the source information or link are; changed, lost or removed. | =====Main Dokuwiki Page===== |
| - These note reference my current specific installation. | |
| | |
| =====Proxy network to connect them all===== | |
| These containers all talk via a docker bridge network named proxy, ''docker network create proxy'' | |
| ====Traefik==== | |
| <code bash [enable_line_numbers="true"]> | |
| cd /home/docker_store | |
| sudo mkdir traefik | |
| sudo chown baumkp:baumkp traefik | |
| cd traefik | |
| mkdir data | |
| cd data | |
| touch acme.json | |
| chmod 600 acme.json | |
| touch traefik.yml | |
| cd ..</code> | |
| My traefik.yml locatation: ''/home/docker_store/traefik/data/traefik.yml''. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here]].\\ | |
| | |
| ===create docker network=== | |
| <code bash [enable_line_numbers="true"]>docker network create proxy</code> | |
| <code bash [enable_line_numbers="true"]>touch docker-compose.yml | |
| touch provider.env</code> | |
| My docker-compose.yml location: ''/home/docker_store/traefik/docker-compose.yml''. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here.]]\\ | |
| //<fc #ff0000><fs small>**Note** my docker compose file has some changes from the TechnoTim one, in particular the use of the Godaddy DNS chanlenge API instead of the the Cloudflare one used by TechnoTim.</fs></fc>//\\ | |
| \\ | |
| ===Generate and Install Godaddy DNS Challenge Data=== | |
| Sadly Godaddy does not make it as transparent as it should be to access their DNS challenge API. Perhaps because they are focused on their commercial certificate product. It is accessed from their developer portal [[https://developer.godaddy.com/|Godaddy Developer Portal]], from here the API keys can be made. These keys then need to be copied into ''/home/docker_store/traefik/data/provider.env'': | |
| <code [enable_line_numbers="true">GODADDY_API_KEY=[Your API_KEY key from Godaddy API] | |
| GODADDY_API_SECRET=[Your API_SECRET key from Godaddy API]</code> | |
| \\ | |
| ===Generate and install Basic Authentication Password=== | |
| <code bash [enable_line_numbers="true"]>sudo apt update | |
| sudo apt install apache2-utils</code> | |
| <code bash [enable_line_numbers="true"]>echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g</code> | |
| NOTE: Replace <USER> with your username and <PASSWORD> with your password to be hashed. | |
| | |
| Paste the output in your docker-compose.yml in line (traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:<HASHED-PASSWORD>) | |
| \\ | |
| \\ | |
| <code bash [enable_line_numbers="true"]>cd data | |
| touch config.yml</code> | |
| <code bash [enable_line_numbers="true"]>docker-compose up -d</code> | |
| ====Portainer==== | |
| <code bash [enable_line_numbers="true"]>cd /home/docker_store | |
| sudo mkdir portainer | |
| sudo chown baumkp:baumkp portainer | |
| cd portainer | |
| touch docker-compose.yml | |
| mkdir data</code> | |
| My docker-compose.yml location: ''/home/docker_store/portainer/docker-compose.yml''. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/portainer|here.]]\\ | |
| <code bash [enable_line_numbers="true"]>docker-compose up -d</code> | |
| | |
| ====Traefik Routes Config==== | |
| <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data | |
| nvim config.yml</code> | |
| My config.yml location: ''/home/docker_store/traefik/data/config.yml''. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here.]], also look at **Portainer's** instructions here: [[https://docs.portainer.io/advanced/reverse-proxy/traefik|Deploying Portainer behind Traefik Proxy]]\\ | |
| <code bash [enable_line_numbers="true"]>docker-compose up -d --force-recreate</code>\\ | |
| Folder Structure: | |
| <code>./traefik | |
| ├── data | |
| │ ├── acme.json | |
| │ ├── config.yml | |
| │ ├── provided.env.yml | |
| │ └── traefik.yml | |
| └── docker-compose.yml</code> | |
| ====whitelisting==== | |
| Todo: look at whitelisting in more detail | |
| * ''/home/docker_store/traefik/data/config.yml'' has traefik middleware whitelisting defined looks defined as default for all containers in config.yml. Need to check following: | |
| * Can this be defined for each container setup in config.yml? Looks likely. | |
| * Can this be reliably setup for public access of certain containers? | |
| * Ensure **no** public access to portainer and traefik dashboards? | |
| * See reddit dicussion [[https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/Traefik v2 mixed (and both) internal and external?]], which indicates this is so, however it notes a possible issue with VPN access. | |
| ====References==== | |
| *Traefik | |
| * [[https://hub.docker.com/_/traefik|Traefix]] | |
| * [[https://doc.traefik.io/traefik/https/acme/|traefik proxy & Lets Encrypt]] | |
| * Smarthome Beginner [[https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/|Ultimate Traefik Docker Compose Guide [2022] with LetsEncrypt]] | |
| * Christian Lempa [[https://github.com/ChristianLempa/boilerplates/tree/main/docker-compose/traefik|boilerplates/docker-compose/traefik/]] | |
| * Techno Tim [[https://github.com/techno-tim/techno-tim.github.io/blob/master/reference_files/traefik-portainer-ssl/traefik/docker-compose.yml| | |
| techno-tim.github.io/reference_files/traefik-portainer-ssl/traefik/docker-compose.yml]] / [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] | |
| * [[https://github.com/traefik/traefik/issues/6686| (Traefik v2.2) Unable to obtain ACME certificate with DNS challenge using Go Daddy]] | |
| * [[https://stackoverflow.com/questions/61234489/cannot-get-wildcard-certificate-with-traefik-v2-and-godaddy|Cannot get wildcard certificate with traefik v2 and godaddy]] | |
| * [[https://forums.docker.com/t/traefik-acme-with-godaddy-as-provider/56743|Traefik - ACME with GoDaddy as provider]] | |
| | |
| *Traefik whitelists | |
| | |
| *Nginx Proxy Manager | |
| * Nginxproxymanager.com [[https://nginxproxymanager.com/advanced-config/#best-practice-use-a-docker-network|Best Practice: Use a Docker network]] | |
| | |
| ====ssl certificates==== | |
| *''openssl x509 -in (path to certificate and certificate filename) -text -noout'' | |
| *''openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates'' | |
| *[[https://www.techrepublic.com/article/how-to-utilize-openssl-in-linux-to-check-ssl-certificate-details/|How to utilize openssl in Linux to check SSL certificate details]] | |
| | |
| | |
| | |
| =====Dokuwiki===== | |
| ====Main Dokuwiki Page==== | |
| The main dokuwiki page [[tech_notes:home_server|dokuwiki_setup]]. | The main dokuwiki page [[tech_notes:home_server|dokuwiki_setup]]. |
| ====Dokuwiki Container==== | =====Dokuwiki Container===== |
| This use the the [[https://www.linuxserver.io/|linuxserver.io]] image from dockerhub, [[https://hub.docker.com/r/linuxserver/dokuwiki/#!|linuxserver/dokuwiki]]. The Linuxserver.io documents can be found here[[https://docs.linuxserver.io/|doc.linuxserver.io]].\\ | This use the the [[https://www.linuxserver.io/|linuxserver.io]] image from dockerhub, [[https://hub.docker.com/r/linuxserver/dokuwiki/#!|linuxserver/dokuwiki]]. The Linuxserver.io documents can be found here[[https://docs.linuxserver.io/|doc.linuxserver.io]].\\ |
| Defines web_data volume: | Defines web_data volume: |
| *Christain Lempa [[https://github.com/ChristianLempa/boilerplates/blob/main/docker-compose/nextcloud/nextcloud.yaml| boilerplates/docker-compose/nextcloud/nextcloud.yaml]] | *Christain Lempa [[https://github.com/ChristianLempa/boilerplates/blob/main/docker-compose/nextcloud/nextcloud.yaml| boilerplates/docker-compose/nextcloud/nextcloud.yaml]] |
| |
| =====Deluge===== | |
| A torrent application with a web based server. I will probably need to fully build this one myself as I use a VPN with fire wall that only allows communication on LAN or using firewall tunnel for WAN. | |
| |
| =====Other Possible Apps/Images===== | =====Other Possible Apps/Images===== |