Reverse Proxy Server


I seem to have gotten the Traefik reverse proxy working by following TechnoTim's Put Wildcard Certificates and SSL on EVERYTHING (GitHub reference_files for traefik-portainer-ssl).

Below is a basic description of the process that aligns with my configuration files. I do this for 2 reasons, both of which give me independence:

  1. Sometimes the source information or links are changed, lost or removed.
  2. These notes reference my current specific installation.

Proxy network to connect them all

These containers all talk via a docker bridge network named proxy, created with:

  docker network create proxy

Traefik

  1. cd /home/docker_store
  2. sudo mkdir traefik
  3. sudo chown baumkp:baumkp traefik
  4. cd traefik
  5. mkdir data
  6. cd data
  7. touch acme.json
  8. chmod 600 acme.json
  9. touch traefik.yml
  10. cd ..

My traefik.yml location: /home/docker_store/traefik/data/traefik.yml. The current TechnoTim one is here.

Create docker network

  1. docker network create proxy
  2. touch docker-compose.yml
  3. touch provider.env

My docker-compose.yml location: /home/docker_store/traefik/docker-compose.yml. The current TechnoTim one is here.
Note my docker compose file has some changes from the TechnoTim one, in particular the use of the Godaddy DNS challenge API instead of the Cloudflare one used by TechnoTim.

Generate and Install Godaddy DNS Challenge Data

Sadly, Godaddy does not make access to its DNS challenge API as transparent as it should be, perhaps because it is focused on its commercial certificate product. The API is accessed from the Godaddy Developer Portal, where the API keys can be created. These keys then need to be copied into /home/docker_store/traefik/data/provider.env:

GODADDY_API_KEY=[Your API_KEY key from Godaddy API]
GODADDY_API_SECRET=[Your API_SECRET key from Godaddy API]
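As an added example (not this wiki's file and not TechnoTim's), a Traefik v2 static configuration (traefik.yml) that declares a certificate resolver using the Godaddy DNS challenge, so that Traefik picks up the two variables from provider.env instead of needing the Cloudflare ones. The resolver name godaddy, the e-mail address, the entrypoint names and the upstream DNS resolver addresses are assumptions, not values from this page.

```yaml
# Added example of a Traefik v2 static configuration (traefik.yml); not the page's own file.
api:
  dashboard: true            # exposed only through a router protected by the basicauth middleware

entryPoints:
  http:
    address: ":80"
    http:
      redirections:          # force every plain-HTTP request onto HTTPS
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # a container is routed only if it carries traefik.enable=true
  file:
    filename: /config.yml    # dynamic routes (Portainer, TLS passthrough) live in this file
    watch: true

certificatesResolvers:
  godaddy:                   # assumed resolver name; referenced from docker-compose labels
    acme:
      email: admin@example.com   # assumed address; Let's Encrypt expiry notices go here
      storage: acme.json         # mounted from data/acme.json, which must be mode 600
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory  # use while testing to avoid rate limits
      dnsChallenge:
        provider: godaddy    # reads GODADDY_API_KEY and GODADDY_API_SECRET from the environment
        resolvers:           # ask public resolvers, not the LAN one, so the TXT record is seen once published
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

The DNS challenge is what allows a wildcard certificate, since Let's Encrypt never needs to reach port 80 on the host; the price is that the API key in provider.env can edit the whole DNS zone, so that file deserves the same 600 permissions as acme.json.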


Generate and install Basic Authentication Password

  1. sudo apt update
  2. sudo apt install apache2-utils
  3. echo $(htpasswd -nb "<USER>" "<PASSWORD>") | sed -e s/\\$/\\$\\$/g

NOTE: Replace <USER> with your username and <PASSWORD> with your password to be hashed.

Paste the output in your docker-compose.yml in line (traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:<HASHED-PASSWORD>)

  1. cd data
  2. touch config.yml
  3. docker-compose up -d
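As an added example (not this wiki's compose file and not TechnoTim's), a docker-compose.yml for the traefik service that ties the steps above together: the external proxy network, the provider.env file with the Godaddy keys, the 600-permission acme.json mount, and the basicauth label where the htpasswd output is pasted. The image tag, the hostnames under example.com, the resolver name godaddy and the hash placeholder are assumptions.

```yaml
# Added example docker-compose.yml for the traefik service; not the page's own file.
services:
  traefik:
    image: traefik:v2.10            # assumed tag; pin a version rather than using "latest"
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    env_file:
      - ./data/provider.env         # GODADDY_API_KEY / GODADDY_API_SECRET, kept out of labels and git
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only is enough for service discovery
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json                    # writable: Traefik stores issued certificates here
      - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      # dashboard over HTTPS only, protected by the basicauth middleware
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=godaddy"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # paste the htpasswd output here; every "$" in the hash must be doubled to "$$",
      # because docker-compose otherwise interpolates "$apr1" etc. as variables
      - "traefik.http.middlewares.traefik-auth.basicauth.users=<USER>:$$apr1$$<SALT>$$<HASH>"

networks:
  proxy:
    external: true                  # created beforehand with: docker network create proxy
```

The sed step on the page exists only because of the "$$" rule in the last label; if the hash is pasted unescaped, compose silently substitutes empty variables and the login simply never matches.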

Portainer

  1. cd /home/docker_store
  2. sudo mkdir portainer
  3. sudo chown baumkp:baumkp portainer
  4. cd portainer
  5. touch docker-compose.yml
  6. mkdir data

My docker-compose.yml location: /home/docker_store/portainer/docker-compose.yml. The current TechnoTim one here.

  1. docker-compose up -d

Traefik Routes Config

  1. cd /home/docker_store/traefik/data
  2. nvim config.yml

My config.yml location: /home/docker_store/traefik/data/config.yml. The current TechnoTim one is here. Also look at Portainer's instructions here: Deploying Portainer behind Traefik Proxy

  1. docker-compose up -d --force-recreate


Folder Structure:

./traefik
├── data
│   ├── acme.json
│   ├── config.yml
│   ├── provider.env
│   └── traefik.yml
└── docker-compose.yml

whitelisting

Todo: look at whitelisting in more detail

SSL Services

For TCP and HTTPS services behind Traefik that present their own TLS certificate, the Traefik router must be configured to pass the TLS connection through to the service rather than terminate the TLS connection at the proxy.
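As an added example (not the page's config.yml), a dynamic configuration that shows the two cases side by side: an HTTP router where Traefik terminates TLS with the Godaddy-issued certificate and forwards plain HTTP to Portainer over the proxy network, and a TCP router with passthrough for a backend that serves its own certificate. Hostnames, the backend address and the resolver name godaddy are assumptions.

```yaml
# Added example dynamic configuration (config.yml); not the page's own file.
http:
  routers:
    portainer:                          # Traefik terminates TLS, then talks plain HTTP to Portainer
      entryPoints:
        - https
      rule: "Host(`portainer.example.com`)"
      service: portainer
      tls:
        certResolver: godaddy
  services:
    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"     # container name resolves on the shared proxy network

tcp:
  routers:
    appliance-passthrough:              # backend serves its own certificate; Traefik must not terminate
      entryPoints:
        - https
      # with passthrough Traefik never decrypts the stream, so only the SNI is visible
      # and the rule must be HostSNI, not Host
      rule: "HostSNI(`appliance.example.com`)"
      service: appliance-passthrough
      tls:
        passthrough: true
  services:
    appliance-passthrough:
      loadBalancer:
        servers:
          - address: "192.168.1.50:8443"     # TCP services take host:port, not a URL
```

Both routers share the https entrypoint: Traefik matches the TCP passthrough router on SNI first and hands everything else to the HTTP routers. A passthrough service gets no certificate from acme.json and no HTTP middlewares (basicauth, headers), so the backend itself has to provide those controls.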

References

ssl certificates

Export Traefik certificates

#!/bin/bash
# Requirements: jq and base64; openssl is needed only for the optional .pfx export
set -euo pipefail

# creates a directory for all of your certificates
mkdir -p certificates/

# reads the acme.json file, please put this file in the same directory as your script
json=$(cat acme.json)

# writes the PEM certificate chain and the private key for one domain ($1);
# the domain is passed to jq as a variable rather than spliced into the filter
export_cer_key () {
    printf '%s' "$json" | jq -r --arg d "$1" '.[].Certificates[] | select(.domain.main == $d) | .certificate' | base64 -d > "certificates/$1.cer"
    printf '%s' "$json" | jq -r --arg d "$1" '.[].Certificates[] | select(.domain.main == $d) | .key' | base64 -d > "certificates/$1.key"
}

# bundles certificate and key for one domain ($1) into a PKCS#12 file with an empty export password
export_pfx () {
    openssl pkcs12 -export -out "certificates/$1.pfx" -inkey "certificates/$1.key" -in "certificates/$1.cer" -passout pass:
}

read -r -p "Do you want to export as .pfx file as well [y]?" REPLY

# iterates through all of your domains
for domain in $(printf '%s' "$json" | jq -r '.[].Certificates[].domain.main')
do
    export_cer_key "$domain"
    if [[ $REPLY =~ ^[Yy]$ ]]
    then
        export_pfx "$domain"
    fi
done

There is also How to export certificates from Traefik certificate store in python.

Cloudsec

/app/www/public/data/attic/docker_notes/docker-reverse-proxy.1685935339.txt.gz · Last modified: 2023-06-05 Mon wk23 11:22
CC Attribution-Share Alike 4.0 International Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International