Docker Containers
Reverse Proxy Server
I seem to have gotten the Traefik reverse proxy working by following Techno Tim's "Put Wildcard Certificates and SSL on EVERYTHING" (GitHub reference_files for traefik-portainer-ssl).
Below is a basic description of the process that aligns with my configuration files. I do this for two reasons, both giving me independence from the source:
- Sometimes the source information or links are changed, lost or removed.
- These notes reference my current, specific installation.
Proxy network to connect them all
These containers all talk via a Docker bridge network named proxy, created with: docker network create proxy
Traefik
cd /home/docker_store
sudo mkdir traefik
sudo chown baumkp:baumkp traefik
cd traefik
mkdir data
cd data
touch acme.json
chmod 600 acme.json
touch traefik.yml
cd ..
My traefik.yml location: /home/docker_store/traefik/data/traefik.yml. The current TechnoTim one is here.
create docker network
docker network create proxy
touch docker-compose.yml
touch provider.env
My docker-compose.yml location: /home/docker_store/traefik/docker-compose.yml. The current TechnoTim one is here.
Note my docker compose file has some changes from the TechnoTim one, in particular the use of the GoDaddy DNS challenge API instead of the Cloudflare one used by TechnoTim.
Generate and Install Godaddy DNS Challenge Data
Sadly GoDaddy does not make it as transparent as it should be to access their DNS challenge API, perhaps because they are focused on their commercial certificate product. It is accessed from their developer portal (GoDaddy Developer Portal), where the API keys can be made. These keys then need to be copied into /home/docker_store/traefik/data/provider.env:
GODADDY_API_KEY=[Your API_KEY key from Godaddy API]
GODADDY_API_SECRET=[Your API_SECRET key from Godaddy API]
Generate and install Basic Authentication Password
sudo apt update
sudo apt install apache2-utils
echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g
NOTE: Replace <USER> with your username and <PASSWORD> with your password to be hashed.
Paste the output into your docker-compose.yml on the line traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:<HASHED-PASSWORD> (the sed above doubles every $ in the hash, because docker-compose would otherwise treat $... as a variable to interpolate).
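As an added example (not code from this page, TechnoTim or Traefik), the following reimplements the htpasswd -m (APR1/MD5) scheme in pure Python, builds the user entry, applies the same $ to $$ escaping the sed command does, and verifies a password against the stored entry. The "myName"/"myPassword"/"r31....." values in the usage are the published Apache htpasswd sample, used here only as a test vector; use a random salt (the default) for real entries.

```python
"""Build a Traefik basicauth user entry and escape it for docker-compose.

Added example; not code from the wiki page or from Traefik/TechnoTim.
It reimplements the htpasswd "-m" (APR1/MD5) scheme with hashlib so an
entry can be produced and checked without apache2-utils. The escaping rule
is the one the page's sed command applies: docker-compose interpolates
"$VAR" inside labels, so every "$" in the hash must be written as "$$".
"""
import hashlib
import secrets
from typing import Optional

# APR1 uses the crypt(3) base64 alphabet, for both salt and output
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """APR1 ("$apr1$") password hash, as produced by `htpasswd -m`."""
    pw = password.encode()
    salt = salt[:8]                      # APR1 salts are at most 8 characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                         # mix in len(pw) bytes of the inner digest
        ctx.update(final[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # the 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[k], 4)
    out += _to64(final[11], 2)
    return f"$apr1${salt}${out}"


def htpasswd_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """`user:$apr1$salt$hash`, the line `htpasswd -nbm` would print."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def escape_for_compose(entry: str) -> str:
    """Double every '$' so docker-compose passes the hash through unchanged."""
    return entry.replace("$", "$$")


def unescape_from_compose(label_value: str) -> str:
    """What docker-compose hands to Traefik after interpolation."""
    return label_value.replace("$$", "$")


def verify(entry: str, user: str, password: str) -> bool:
    """Check a user:hash entry (as Traefik sees it) against a password."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(stored, apr1_md5(password, salt))


if __name__ == "__main__":
    # constructed sample; the salt is pinned only so the output is reproducible
    entry = htpasswd_entry("myName", "myPassword", "r31.....")
    label = "traefik.http.middlewares.traefik-auth.basicauth.users=" + escape_for_compose(entry)
    print(label)
    print("verifies:", verify(unescape_from_compose(escape_for_compose(entry)), "myName", "myPassword"))
```

Paste the printed label value into the compose file; the round trip through unescape_from_compose shows why the doubled form is what you store, and the undoubled form is what Traefik compares against.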
cd data
touch config.yml
docker-compose up -d
Portainer
cd /home/docker_store
sudo mkdir portainer
sudo chown baumkp:baumkp portainer
cd portainer
touch docker-compose.yml
mkdir data
My docker-compose.yml location: /home/docker_store/portainer/docker-compose.yml. The current TechnoTim one is here.
docker-compose up -d
Traefik Routes Config
cd /home/docker_store/traefik/data
nvim config.yml
My config.yml location: /home/docker_store/traefik/data/config.yml. The current TechnoTim one is here; also look at Portainer's instructions: Deploying Portainer behind Traefik Proxy.
docker-compose up -d --force-recreate
Folder Structure:
./traefik
├── data
│   ├── acme.json
│   ├── config.yml
│   ├── provided.env.yml
│   └── traefik.yml
└── docker-compose.yml
whitelisting
Todo: look at whitelisting in more detail
/home/docker_store/traefik/data/config.yml
has Traefik middleware whitelisting defined, which looks to be applied as the default for all containers in config.yml. Need to check the following:
- Can this be defined for each container setup in config.yml? Looks likely.
- Can this be reliably set up for public access of certain containers?
- Ensure no public access to the Portainer and Traefik dashboards?
- See the reddit discussion "Traefik v2 mixed (and both) internal and external?" (https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/), which indicates this is so, however it notes a possible issue with VPN access.
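To reason about the questions above, the following added example (my own model, not Traefik's code) reproduces the decision Traefik's ipWhiteList middleware makes from sourceRange and ipStrategy (depth and excludedIPs), as documented for Traefik v2 (v3 renames the middleware to ipAllowList). The LAN ranges and request samples are constructed. The point it shows: with the default ipStrategy (depth 0, no excludedIPs) only the TCP peer address counts and an X-Forwarded-For header cannot widen access, whereas depth > 0 trusts a header hop and is only safe behind a proxy that overwrites that header; a VPN client is admitted only if its tunnel address lies inside sourceRange, which is the sort of VPN issue the reddit thread describes.

```python
"""Model of Traefik's ipWhiteList decision (sourceRange + ipStrategy).

Added example; not Traefik's own code. Semantics follow the Traefik v2
docs: depth == 0 and no excludedIPs -> the TCP peer address; depth == n ->
the n-th address from the right of X-Forwarded-For (none if the header is
shorter); excludedIPs -> scan X-Forwarded-For from the right and take the
first address not in an excluded range (ignored when depth > 0).
All IP ranges and requests below are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Optional


def _nets(ranges: Iterable[str]):
    # a bare address parses as a /32 (or /128) network
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def client_ip(remote_addr: str, xff: Optional[str], depth: int = 0,
              excluded: Iterable[str] = ()) -> Optional[str]:
    """Return the address the middleware evaluates, or None for 'no client IP'."""
    hops: List[str] = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if depth > 0:
        return hops[-depth] if len(hops) >= depth else None
    excluded_nets = _nets(excluded)
    if excluded_nets:
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                continue                      # garbage hop: skip it
            if not any(addr in n for n in excluded_nets):
                return hop
        return None                           # every hop excluded
    return remote_addr


def allowed(source_range: Iterable[str], remote_addr: str,
            xff: Optional[str] = None, depth: int = 0,
            excluded: Iterable[str] = ()) -> bool:
    """True when the selected client IP lies inside any sourceRange entry."""
    ip = client_ip(remote_addr, xff, depth, excluded)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _nets(source_range))


# constructed sample: what a "LAN only" sourceRange for the dashboards might hold
LAN_ONLY = ["192.168.0.0/16", "10.0.0.0/8", "127.0.0.1/32"]

if __name__ == "__main__":
    print("LAN peer:", allowed(LAN_ONLY, "192.168.1.20"))
    print("internet peer:", allowed(LAN_ONLY, "203.0.113.9"))
    print("internet peer, forged XFF, depth 0:",
          allowed(LAN_ONLY, "203.0.113.9", xff="192.168.1.20"))
    print("internet peer, forged XFF, depth 1:",
          allowed(LAN_ONLY, "203.0.113.9", xff="192.168.1.20", depth=1))
```

Run it as-is to see the four cases; when the dashboards sit directly behind Traefik (no upstream proxy), leave ipStrategy at its default so the third case stays False.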
References
- Traefik
- Smarthome Beginner Ultimate Traefik Docker Compose Guide [2022] with LetsEncrypt
- Christian Lempa boilerplates/docker-compose/traefik/
- Traefik whitelists
- Nginx Proxy Manager
- Nginxproxymanager.com Best Practice: Use a Docker network
ssl certificates
openssl x509 -in <path/to/certificate.crt> -text -noout
openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates
Export Traefik certificates
- Need to install the jq package
#!/bin/bash
# Requirements: you will need to install jq and maybe openssl
# creates a directory for all of your certificates
mkdir -p certificates/
# reads the acme.json file, please put this file in the same directory as your script
json=$(cat acme.json)
# writes <domain>.cer and <domain>.key for the certificate whose main domain is $1
export_cer_key () {
  echo "$json" | jq -r '.[].Certificates[] | select(.domain.main == "'"$1"'") | .certificate' | base64 -d > "certificates/$1.cer"
  echo "$json" | jq -r '.[].Certificates[] | select(.domain.main == "'"$1"'") | .key' | base64 -d > "certificates/$1.key"
  chmod 600 "certificates/$1.key"   # private key: owner-only, like acme.json
}
# bundles cer+key as a .pfx; note "-passout pass:" exports it with an empty password
export_pfx () {
  openssl pkcs12 -export -out "certificates/$1.pfx" -inkey "certificates/$1.key" -in "certificates/$1.cer" -passout pass:
}
read -p "Do you want to export as .pfx file as well [y]?" REPLY
# iterates through all of your domains
for domain in $(echo "$json" | jq -r '.[].Certificates[].domain.main')
do
  if [[ $REPLY =~ ^[Yy]$ ]]
  then
    export_cer_key "$domain"
    export_pfx "$domain"
  else
    export_cer_key "$domain"
  fi
done
There is also "How to export certificates from Traefik certificate store" in Python.
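As an added example of the same export done in Python (my own code, not the page's bash script nor the linked tool), the following reads the Traefik v2 acme.json layout ({"<resolver>": {"Account": ..., "Certificates": [{"domain": {"main", "sans"}, "certificate": <base64 PEM>, "key": <base64 PEM>}]}}), writes one .cer and one .key per main domain, and creates the key files with mode 0600 from the start rather than fixing permissions afterwards. The acme.json sample is constructed with placeholder PEM bodies.

```python
"""Export certificates and keys from a Traefik v2 acme.json store.

Added example, not the page's bash script nor the linked Python tool.
Assumes the acme.json layout written by Traefik v2 resolvers (see lead-in).
The sample store below is constructed with placeholder PEM text.
"""
import base64
import json
import os
from pathlib import Path
from typing import Dict, List, Union


def load_store(text: str) -> Dict[str, dict]:
    """Map main domain -> {"resolver", "sans", "cert": bytes, "key": bytes}."""
    store = json.loads(text)
    out: Dict[str, dict] = {}
    for resolver, body in store.items():          # one entry per certresolver
        for entry in (body or {}).get("Certificates") or []:
            main = entry["domain"]["main"]
            out[main] = {
                "resolver": resolver,
                "sans": entry["domain"].get("sans") or [],
                "cert": base64.b64decode(entry["certificate"]),
                "key": base64.b64decode(entry["key"]),
            }
    return out


def export(text: str, outdir: Union[str, Path]) -> List[Path]:
    """Write <domain>.cer (default mode) and <domain>.key (0600); return paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for main, item in load_store(text).items():
        safe = main.replace("*", "_wildcard")     # "*.example" -> "_wildcard.example"
        cer = outdir / f"{safe}.cer"
        key = outdir / f"{safe}.key"
        cer.write_bytes(item["cert"])
        # create the key file owner-only before any bytes land in it
        fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(item["key"])
        os.chmod(key, 0o600)                      # in case the file pre-existed
        written += [cer, key]
    return written


# constructed sample store: one wildcard certificate from a resolver named "godaddy"
SAMPLE_ACME = json.dumps({
    "godaddy": {
        "Account": {"Email": "admin@example.invalid"},
        "Certificates": [{
            "domain": {"main": "*.example.invalid", "sans": ["example.invalid"]},
            "certificate": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
            "key": base64.b64encode(
                b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
        }],
    }
})

if __name__ == "__main__":
    for p in export(SAMPLE_ACME, "certificates"):
        print(p, oct(p.stat().st_mode & 0o777))
```

For a real store, replace SAMPLE_ACME with Path("acme.json").read_text(); the script itself must then run as a user that can read acme.json (mode 600, as set up above).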
Dokuwiki
Main Dokuwiki Page
The main dokuwiki page is dokuwiki_setup.
Dokuwiki Container
This uses the linuxserver.io image from Docker Hub, linuxserver/dokuwiki. The linuxserver.io documentation can be found at docs.linuxserver.io.
Defines web_data volume:
#Not USED
docker volume create --driver local \
  --opt type=none \
  --opt device="/home/docker_store/cloud.kptree.net/data" \
  --opt o=bind cloud_data
version: "2.1"
services:
  dokuwiki:
    image: lscr.io/linuxserver/dokuwiki:latest
    container_name: dokuwiki
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Perth
    volumes:
      - /home/docker_store/wiki.kptree.net/config:/config
    ports:
      - 8081:80
      # - 443:443 #optional
    restart: unless-stopped
Todo:
- Need to create a local LAN only functional back-up of the wiki in my back-up server so I have a backup in case the main wiki with my configuration notes becomes unavailable.
Some of the following nuances may help when transferring Dokuwiki servers:
- The dokuwiki image uses the following permanent volume storage, in config/dokuwiki:
  - conf (basically copy everything from existing to here)
  - data (basically copy everything from existing to here)
  - inc → /app/www/public/inc (symlink back to container, no point changing)
  - lib (basically copy everything from existing to here)
  - vendor → /app/www/public/vendor (symlink back to container, no point changing)
The DokuWiki page How to backup DokuWiki? has the basic information to backup a Dokuwiki.
After setting up, the internal indexes could be messed up. The plugin SearchIndex Manager can be used to recreate these indexes.
Nextcloud Container
Nextcloud publishes their own Docker container of Nextcloud. Linuxserver.io, as well as some others also have Nextcloud containers on Docker Hub.
Nextcloud needs a number of services to run; the main Nextcloud server, a database and Redis. In addition, there needs to be a proxy server or similar to forward on common domain requests to sub-domains as well as handling certificates, however this is required for all the various services and can be considered separately.
Refer to Nextcloud's Maintenance section for instructions to backup, restore and migrate Nextcloud. Also, as I am using the official Nextcloud container, it has additional instructions on migrating an existing installation to Docker: https://github.com/docker-library/docs/blob/master/nextcloud/README.md#migrating-an-existing-installation
- uid: www-data / 33, gid: www-data / 33. This seems to be Debian standard. Alpine linux seems to use 82 for www-data. Just stick with uid/gid as per the image supplied, 82 for Alpine and ignore the names.
docker exec -u www-data nextcloud-app-1 php /var/www/html/cron.php
runs cron.php.
docker exec -u www-data nextcloud-app-1 php occ maintenance:mode --off
(or --on) turns maintenance mode off or on from the container host's shell.
RedirectRegex
I get a redirect error in Nextcloud that I have not been able to track down to date. There does not seem to be much info on this on the net, and the little there is also indicates a problem without an easy solution. Nextcloud main support looks Apache web server based, with little Nginx support and even less Traefik support. Some resources related to this:
- Traefik:
Installing and Using MariaDB via Docker
logging
backup
NGINX configuration
cron
docker-compose exec -u www-data nextcloud php cron.php
to run cron in Nextcloud Docker
https://help.nextcloud.com/t/nextcloud-docker-container-best-way-to-run-cron-job/157734
Calibre
Calibre
This Docker container is based on linuxserver/calibre: Docker Hub linuxserver/calibre, Calibre ebook management.
The image is based upon current Ubuntu Long term release.
Calibre-web
This Docker container is based on linuxserver/calibre-web: Docker Hub linuxserver/calibre-web, Calibre-web wiki.
The image is based upon current Ubuntu long term release.
References
- Matthias Schoettle Notes on traefik v2, Nextcloud, etc.
- Nextcloud Docs:
- The Maintenance section covers migrating to another server as well as backup, restore and upgrading.
- smarthome beginner's Nextcloud Docker with Traefik Reverse Proxy for Beginners
- linuxserver.io Install Nextcloud (LinuxServer.io)
- Christian Lempa boilerplates/docker-compose/nextcloud/nextcloud.yaml
Other Possible Apps/Images
- Diun is a tool to notify if docker images have been updated. (Reportedly better than automatic updates such as watchtower.)
- Heimdall, a dashboard application. Low priority.