docker_notes:docker-reverse-proxy

Differences

docker_notes:docker-reverse-proxy [2023-09-21 Thu wk38 19:47] – [Traefik Routes Config] baumkp
docker_notes:docker-reverse-proxy [2024-04-28 Sun wk17 11:11] (current) – [Cloudsec] baumkp
Line 48: Line 48:
 <code bash [enable_line_numbers="true"]>docker-compose up -d</code> <code bash [enable_line_numbers="true"]>docker-compose up -d</code>
 =====Portainer===== =====Portainer=====
 +  *[[https://www.portainer.io/|portainer]]
 <code bash [enable_line_numbers="true"]>cd /home/docker_store <code bash [enable_line_numbers="true"]>cd /home/docker_store
 sudo mkdir portainer sudo mkdir portainer
Line 60: Line 61:
 <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data
 nvim config.yml</code> nvim config.yml</code>
-My config.yml location: ''/home/docker_store/traefik/data/config.yml''. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here.]], also look at **Portainer's** instructions here: [[https://docs.portainer.io/advanced/reverse-proxy/traefik|Deploying Portainer behind Traefik Proxy]]\\+I have broken down the Traefik router dynamic configuration file, My config.yml into 2 configuration files. One for the http/https specific router configuration and the other for the tcp router configuration, I do not use any UDP router configurations to date. I placed these files in the sub-directory: ''/home/docker_store/traefik/data/config''. Traefik has been setup to look at all configuration files in this sub-directory and to dynamically update changes on the run. The current TechnoTim one [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here.]], also look at **Portainer's** instructions here: [[https://docs.portainer.io/advanced/reverse-proxy/traefik|Deploying Portainer behind Traefik Proxy]]\\
 <code bash [enable_line_numbers="true"]>docker-compose up -d --force-recreate</code>\\ <code bash [enable_line_numbers="true"]>docker-compose up -d --force-recreate</code>\\
 Folder Structure: Folder Structure:
Line 67: Line 68:
 │   ├── acme.json         | This is the Lets Encrypt RSA key file downloaded by Traefik │   ├── acme.json         | This is the Lets Encrypt RSA key file downloaded by Traefik
 │   ├── config │   ├── config
-|     ├── http.yml      | This is the dynamic configuration file for http +|     ├── http.yml      | This is the dynamic configuration file for http (want to separate into 2 smaller files, basic and main services) 
-|     └── tcp.yml       | This is the dynamic configuration file for tcp+|     └── tcp.yml       | This is the dynamic configuration file for tcp (not using at the moment, starttls is not supported by Traefik at this time)
 │   ├── provider.env      | This has the key file for DNS wildcard challenge on LetsEncrypt  │   ├── provider.env      | This has the key file for DNS wildcard challenge on LetsEncrypt 
 │   ├── traefik.yml       | This is the main traefik static configuration file  │   ├── traefik.yml       | This is the main traefik static configuration file 
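Review bot: the new paragraph states that Traefik watches every file in ''data/config'' and reloads on change, but the hunk does not show the static-configuration change that makes this true; add the ''traefik.yml'' file-provider block (''providers.file.directory'' pointing at the mounted config path plus ''providers.file.watch: true'') beside the folder tree, otherwise a reader copying the tree gets two files that are never read. The tree comment for ''acme.json'' ("the Lets Encrypt RSA key file") also understates what it is: that file holds every issued certificate together with its private key, and Traefik refuses to load it unless it is mode 600, so the comment should say so and the same restrictive-permissions note belongs on ''provider.env'', which carries the DNS API token for the wildcard challenge and should stay out of version control.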
Line 74: Line 75:
 └── docker-compose.yml</code> └── docker-compose.yml</code>
 =====whitelisting===== =====whitelisting=====
-Todolook at whitelisting in more detail +The Traefik middleware ipWhitelist only allows the define ip address(es) to be forwarded.  All other address will have 403 forbidden returned. 
-  * ''/home/docker_store/traefik/data/config.yml'' has traefik middleware whitelisting defined looks defined as default for all containers in config.ymlNeed to check following: +++++ipWhitelist| 
-    * Can this be defined for each container setup in config.yml? Looks likely+    <code>default-whitelist:| 
-    * Can this be reliably setup for public access of certain containers? +      ipWhiteList: 
-    * Ensure **no** public access to portainer and traefik dashboards? +        sourceRange: 
-  * See reddit dicussion [[https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/Traefik v2 mixed (and both) internal and external?]], which indicates this is sohowever it notes a possible issue with VPN access.+        - "10.0.0.0/8" 
 +        - "192.168.0.0/16" 
 +        - "172.16.0.0/12"</code> 
 +++++ 
 + 
 +=====BasicAuth===== 
 +For any internal service I expose to the public internet that are either not full services with own password, e.g. dokuwiki, nextcloud and mail server, but I do not want general public access I would like to add basic password protection.  This is built into the web server applications such as Apache and presumably Nginx, but Traefik also has some functionality. 
 + 
 +The middleware [[https://doc.traefik.io/traefik/middlewares/http/basicauth/|BasicAuth]] seems to define this functionality.  If I setup Gotifythat does not have an iOS client I can then use a public access webpage with password protection to check notifications.  Unfortunately this is not activein that it does not actively alert of new messages that presumably an app would do, but would probably meet my needs.
  
 =====SSL Services===== =====SSL Services=====
 For TCP and HTTPS services behind the Traefik router that require TLS the Traefik router must be specified to pass through the TLS, that is not terminate the SSL connection. For TCP and HTTPS services behind the Traefik router that require TLS the Traefik router must be specified to pass through the TLS, that is not terminate the SSL connection.
 +
 +=====Entrypoints=====
 +The Standard entry point port normally defined are HTTP (port 80 and perhaps 8080) and HTTPS (port 443).  If you are using other services then additional entry points need to be defined, as required for each service / port.  Mail servers are an example that requires use of specialised TCP entrypoints. Often these entry points also needed to be passed to the server without handling (termination) of SSL connections. //Do not forget to expose the used ports in the Docker / Docker Compose file.//
  
 ====References==== ====References====
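Review bot: the ''ipWhiteList'' snippet is not usable as pasted: there is a stray ''|'' after ''default-whitelist:'', the parent ''http:'' / ''middlewares:'' keys are missing, and nothing in the hunk attaches the middleware to a router, so the "all other addresses get 403" behaviour described above only takes effect once each router (or the entrypoint's default middleware list) lists ''default-whitelist''. Two caveats worth recording in the section: ''172.16.0.0/12'' also covers Docker's default bridge subnets, so if Traefik sees a NATed source address (check ''ClientAddr'' in the access log) the whitelist passes every external client; and the middleware matches the immediate peer address unless ''ipStrategy'' is configured, so any upstream proxy has to be accounted for. Traefik v3 renames this middleware to ''ipAllowList'', which matters for the 2024 revision. For the BasicAuth section, the ''users'' entries must be htpasswd-format hashes (bcrypt preferred), and a ''$'' inside a docker-compose label has to be doubled. The Entrypoints paragraph should also name the mechanism the SSL Services paragraph alludes to: a TCP router with ''tls.passthrough: true'' and a ''HostSNI'' rule, since without passthrough Traefik terminates TLS at the entrypoint.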
Line 168: Line 180:
  
  
-<- docker_notes:docker|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next ->+<- docker_notes:init|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next ->
  
  • Last modified: 2023-09-21 Thu wk38 19:47
  • by baumkp