Differences

This shows you the differences between two versions of the page.

docker_notes:docker-reverse-proxy [2024-01-12 Fri wk02 21:15] – [whitelisting] baumkpdocker_notes:docker-reverse-proxy [2025-01-07 Tue wk02 09:00] (current) – [Cloudsec] baumkp
Line 1: Line 1:
-{{tag>linux docker traefik "reverse proxy" proxy ssl certificate portainer cloudsec}} +{{tag>linux docker traefik "reverse proxy" proxy openssl ssl certificate portainer cloudsec}} 
-======Reverse Proxy Server====== +======Reverse Proxy Server - Traefik====== 
-I seem to have gotten the Traefik reverse proxy working according to Techno Tim [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] ([[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl|github reference_files for traefik-portainer-ssl]]) +I seem to have gotten the Traefik reverse proxy working according to Techno Tim [[https://docs.technotim.live/posts/traefik-portainer-ssl/|Put Wildcard Certificates and SSL on EVERYTHING]] ([[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl|github reference_files for traefik-portainer-ssl]]).  Also see [[https://www.youtube.com/watch?v=IBlZgrwc1T8&t=990s|Jim's Garage Your Traefik Isn't Secure]] ([[https://github.com/JamesTurland/JimsGarage/tree/main/Traefik-Secure|JimsGarage/Traefik-Secure/]]
  
 Below is a basic description of the process that aligns with my configuration files. I do this for 2 reasons, both allowing me independence.  Below is a basic description of the process that aligns with my configuration files. I do this for 2 reasons, both allowing me independence. 
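Review bot: the sentence added at the end of the intro line is left unterminated: the parenthesis opened before the JimsGarage link is never closed and there is no full stop after `[[...|JimsGarage/Traefik-Secure/]]`. Suggest ending it as `...|JimsGarage/Traefik-Secure/]]).` so the DokuWiki link and the paragraph render cleanly. The `openssl` tag added on the first line matches the `ssl certificates / openssl` heading renamed further down, so that part is consistent.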
Line 31: Line 31:
  \\  \\
 ====Generate and Install Godaddy DNS Challenge Data==== ====Generate and Install Godaddy DNS Challenge Data====
 +Godaddy changed their policies circa April 2024 that basically does not give small users access to their developers API system.  Sadly and unprofessionally they did this without informing users of the policy.  I only found out when my proxy server issued messages of certificate update failure, as the API DNS challenge stopped working.  I checked the internet and it was indicated that Godaddy had changed their policies, however I found it difficult to believe that Godaddy would change their policy without contacting me, after all I am a paying customer!  After raising a ticket on the matter, I was sent an email explaining the policy change.  I immediately moved my domain DNS server to Hurricane Electronics.  I needed to change the DNS verification process to suit that used by Hurricane Electronics.  
 +
 +My domain is still registered via Godaddy, I expect that I will look at moving to another registry when the registration comes due.  I do not wish to support Godaddy going forward with my business. <color #ff7f27>**Godaddy SUCKS!**</color>
 +
 +++++Old, tl;dr;|
 Sadly Godaddy does not make it as transparent as it should be to access their DNS challenge API. Perhaps because they are focused on their commercial certificate product. It is accessed from their developer portal [[https://developer.godaddy.com/|Godaddy Developer Portal]], from here the API keys can be made.  These keys then need to be copied into ''/home/docker_store/traefik/data/provider.env'': Sadly Godaddy does not make it as transparent as it should be to access their DNS challenge API. Perhaps because they are focused on their commercial certificate product. It is accessed from their developer portal [[https://developer.godaddy.com/|Godaddy Developer Portal]], from here the API keys can be made.  These keys then need to be copied into ''/home/docker_store/traefik/data/provider.env'':
 <code [enable_line_numbers="true">GODADDY_API_KEY=[Your API_KEY key from Godaddy API] <code [enable_line_numbers="true">GODADDY_API_KEY=[Your API_KEY key from Godaddy API]
 GODADDY_API_SECRET=[Your API_SECRET key from Godaddy API]</code> GODADDY_API_SECRET=[Your API_SECRET key from Godaddy API]</code>
- \\+++++
 ====Generate and install Basic Authentication Password==== ====Generate and install Basic Authentication Password====
 <code bash [enable_line_numbers="true"]>sudo apt update <code bash [enable_line_numbers="true"]>sudo apt update
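Review bot: the GoDaddy section is folded away rather than retired, and nothing in the hunk says what happened to the key pair that the folded block still tells the reader to put in `/home/docker_store/traefik/data/provider.env` (`GODADDY_API_KEY`, `GODADDY_API_SECRET`). Since the DNS challenge now runs against the new provider, those entries should be removed from `provider.env` and the keys revoked in the GoDaddy developer portal, and the folded block should say so; a no-longer-used but still-valid API secret sitting in an env file is exactly the leftover that outlives a migration. Smaller points: the `<code [enable_line_numbers="true">` tag wrapping the GODADDY lines is missing its closing `]` (present on both sides, so pre-existing, but this revision is the chance to fix it); the new text names the DNS host "Hurricane Electronics" while the resolver label elsewhere in the diff is `hurricane`, so if this is Hurricane Electric (dns.he.net) the name should be corrected; and the heading still reads "Generate and Install Godaddy DNS Challenge Data" although the section now describes the move away from GoDaddy.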
Line 48: Line 53:
 <code bash [enable_line_numbers="true"]>docker-compose up -d</code> <code bash [enable_line_numbers="true"]>docker-compose up -d</code>
 =====Portainer===== =====Portainer=====
 +  *[[https://www.portainer.io/|portainer]]
 <code bash [enable_line_numbers="true"]>cd /home/docker_store <code bash [enable_line_numbers="true"]>cd /home/docker_store
 sudo mkdir portainer sudo mkdir portainer
Line 58: Line 64:
  
 =====Traefik Routes Config===== =====Traefik Routes Config=====
 +
 +====Using labels in docker config files====
 +
 +[[https://doc.traefik.io/traefik/routing/providers/docker/|Traefik & Docker]]
 +===Typical labels in Docker Compose===
 +
 +<code yml>labels:
 +      # Enable Traefik for this service
 +      - "traefik.enable=true"
 +      # Tell Traefik to specifically use the network "proxy", specifically declared
 +      - "traefik.docker.network=proxy"
 +      # Make Traefik use this domain in HTTP
 +      - "traefik.http.routers.container_name.entrypoints=http"
 +      - "traefik.http.routers.container_name.rule=Host(`linkwarden.local.kptree.net`)"
 +      - "traefik.http.middlewares.container_name-https-redirect.redirectscheme.scheme=https"
 +      # Middleware to redirect HTTP to HTTPS
 +      - "traefik.http.routers.container_name.middlewares=linkwarden-https-redirect"
 +      # Make Traefik use this domain in HTTPS
 +      - "traefik.http.routers.container_name-secure.entrypoints=https"
 +      - "traefik.http.routers.container_name-secure.rule=Host(`linkwarden.local.kptree.net`)"
 +      - "traefik.http.routers.container_name-secure.tls=true"
 +      # Specify the specific resolver to use 
 +      #- "traefik.http.routers.container_name-secure.tls.certresolver=hurricane"
 +      - "traefik.http.routers.container_name-secure.service=linkwarden"
 +      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
 +      # Define the port inside of the Docker service to use
 +      - "traefik.http.services.container_name.loadbalancer.server.port=3000" # make sure the loadbalancer is the last line!! </code>
 +
 +When the docker compose ''loadbalancer.server.port'' label is used an external port does not needed to be defined as Traefik can directly access the defined ''docker.network'' This simplifies the need to share host ports!
 +
 +  *Traefik: 
 +     *[[https://community.traefik.io/t/understanding-difference-between-labels-in-a-container-vs-defining-in-the-config-yml/16246|Understanding difference between labels in a container vs defining in the config.yml]]
 +     *[[https://doc.traefik.io/traefik/providers/docker/|Traefik & Docker]]
 +     *[[https://docs.docker.com/engine/manage-resources/labels/|Docker object labels]]
 +     *[[https://doc.traefik.io/traefik/v3.2/reference/dynamic-configuration/docker/|Docker Configuration Reference]]
 +     *[[https://doc.traefik.io/traefik/middlewares/http/headers/|Headers]]
 +     *[[https://doc.traefik.io/traefik/middlewares/overview/|Middlewares]]
 +     *[[https://doc.traefik.io/traefik/middlewares/http/redirectscheme/|RedirectScheme]]
 +     *[[https://community.traefik.io/t/how-to-configure-traefik-2-with-tls-traefik-2-tls-101/3928|How to configure Traefik 2 with TLS - Traefik 2 & TLS 101]]
 +  *[[https://requestly.com/blog/what-are-x-forwarded-headers-and-why-it-is-used/|What are X-forwarded Headers, and why it is used?]]
 +  *[[https://www.geeksforgeeks.org/http-headers-x-forwarded-proto/|HTTP headers | X-Forwarded-Proto]]
 +====Using config.yml====
 <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data
 nvim config.yml</code> nvim config.yml</code>
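Review bot: the label block mixes the `container_name` placeholder with concrete `linkwarden` names, and the cross-references do not resolve against each other: the HTTP router attaches `linkwarden-https-redirect` (the `.middlewares=` line) but the middleware is declared as `container_name-https-redirect`, and the secure router sets `service=linkwarden` while the only service declared is `traefik.http.services.container_name.loadbalancer.server.port=3000`. Traefik logs an error and does not create a router whose middleware or service cannot be found, so pasted as-is this yields no working route, and if the placeholder is replaced in only some lines it yields a plain HTTP route with no redirect. Use one name throughout (e.g. replace every `container_name` with `linkwarden`) and check each router's `.middlewares=` and `.service=` value against the names actually declared. Also: the `sslheader` middleware setting `X-Forwarded-Proto=https` is declared but attached to no router, so it does nothing as written; the `# make sure the loadbalancer is the last line!!` comment is not a Traefik requirement (labels are an unordered key/value map), so either drop it or say what it is guarding against; the paragraph after the block has two slips ("does not needed to be defined", missing full stop before "This simplifies"); and the `<code yml>` fence differs from the `<code bash [enable_line_numbers="true"]>` convention used on the rest of the page.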
Line 67: Line 115:
 │   ├── acme.json         | This is the Lets Encrypt RSA key file downloaded by Traefik │   ├── acme.json         | This is the Lets Encrypt RSA key file downloaded by Traefik
 │   ├── config │   ├── config
-|     ├── http.yml      | This is the dynamic configuration file for http +|     ├── http.yml      | This is the dynamic configuration file for http (want to separate into 2 smaller files, basic and main services) 
-|     └── tcp.yml       | This is the dynamic configuration file for tcp+|     └── tcp.yml       | This is the dynamic configuration file for tcp (not using at the moment, starttls is not supported by Traefik at this time)
 │   ├── provider.env      | This has the key file for DNS wildcard challenge on LetsEncrypt  │   ├── provider.env      | This has the key file for DNS wildcard challenge on LetsEncrypt 
 │   ├── traefik.yml       | This is the main traefik static configuration file  │   ├── traefik.yml       | This is the main traefik static configuration file 
 │   └── traefik.log       | This is the main traefik log file (permanent, but does not show up on the Docker error log) │   └── traefik.log       | This is the main traefik log file (permanent, but does not show up on the Docker error log)
 └── docker-compose.yml</code> └── docker-compose.yml</code>
 +
 +  *Traefik:
 +    *[[https://doc.traefik.io/traefik/v3.2/reference/dynamic-configuration/file/|File Configuration Reference]]
 =====whitelisting===== =====whitelisting=====
-The Traefik middleware ++ipWhitelist|+The Traefik middleware ipWhitelist only allows the define ip address(es) to be forwarded.  All other address will have 403 forbidden returned. 
 +++++ipWhitelist|
     <code>default-whitelist:|     <code>default-whitelist:|
       ipWhiteList:       ipWhiteList:
Line 80: Line 132:
         - "10.0.0.0/8"         - "10.0.0.0/8"
         - "192.168.0.0/16"         - "192.168.0.0/16"
-        - "172.16.0.0/12"</code) +        - "172.16.0.0/12"</code> 
-+++++++ 
 + 
 +=====BasicAuth===== 
 +For any internal service I expose to the public internet that are either not full services with own password, e.g. dokuwiki, nextcloud and mail server, but I do not want general public access I would like to add basic password protection.  This is built into the web server applications such as Apache and presumably Nginx, but Traefik also has some functionality.
  
-Todo: look at whitelisting in more detail +The middleware [[https://doc.traefik.io/traefik/middlewares/http/basicauth/|BasicAuth]] seems to define this functionality.  If I setup Gotifythat does not have an iOS client I can then use a public access webpage with password protection to check notifications.  Unfortunately this is not activein that it does not actively alert of new messages that presumably an app would do, but would probably meet my needs.
-  * ''/home/docker_store/traefik/data/config/http.yml'' has traefik middleware whitelisting defined looks defined as default for all containers in config.yml. Need to check following: +
-    * Can this be defined for each container setup in config.yml? Looks likely. +
-    * Can this be reliably setup for public access of certain containers? +
-    * Ensure **no** public access to portainer and traefik dashboards? +
-  * See reddit dicussion [[https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/Traefik v2 mixed (and both) internal and external?]], which indicates this is sohowever it notes a possible issue with VPN access.+
  
 =====SSL Services===== =====SSL Services=====
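Review bot: the new ipWhitelist description and the folded example use the `ipWhiteList` middleware key, but the references added in the same revision point at Traefik v3.2 documentation; in Traefik v3 the middleware is `ipAllowList` and `ipWhiteList` is deprecated, so state which version the example targets or switch the key. Two checks worth recording next to the example: the allowed ranges include `172.16.0.0/12`, which also covers Docker's own bridge networks, so if requests reach the Traefik container through Docker's userland proxy (rather than NAT that preserves the client address) every request appears to come from an allowed range and the middleware blocks nothing; confirm, with the access log enabled, which client address Traefik records for a request from outside before relying on the list. The revision also deletes the open item "Ensure **no** public access to portainer and traefik dashboards?" without recording the outcome; either keep it as a todo or replace it with the router or middleware that now restricts those dashboards. Minor wording: "the define ip address(es)" should be "the defined IP address(es)", "All other address" should be "All other addresses", and the BasicAuth paragraph has "Gotifythat" and "activein" run together.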
Line 119: Line 169:
     * Nginxproxymanager.com [[https://nginxproxymanager.com/advanced-config/#best-practice-use-a-docker-network|Best Practice: Use a Docker network]]     * Nginxproxymanager.com [[https://nginxproxymanager.com/advanced-config/#best-practice-use-a-docker-network|Best Practice: Use a Docker network]]
  
-====ssl certificates====+====ssl certificates / openssl====
   *''openssl x509 -in (path to certificate and certificate filename) -text -noout''   *''openssl x509 -in (path to certificate and certificate filename) -text -noout''
   *''openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates''   *''openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates''
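Review bot: the heading rename is fine, but the second command, `openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates`, sends no SNI, so against a proxy that selects certificates per Host it reports the dates of the default certificate rather than the one served for a given site. When checking a specific Host rule add `-servername` (and feed stdin from `/dev/null` so `s_client` exits on its own), e.g. `openssl s_client -connect localhost:443 -servername linkwarden.local.kptree.net </dev/null 2>/dev/null | openssl x509 -noout -dates`.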
Line 180: Line 230:
  
  
-<- docker_notes:docker|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next ->+<- docker_notes:init|Back ^ docker_notes:index|Start page ^ docker_notes:security|Next ->