docker_notes:docker-reverse-proxy [2023-10-01 Sun wk39 12:19] – [Entrypoints] baumkp | docker_notes:docker-reverse-proxy [2024-04-28 Sun wk17 11:11] (current) – [Cloudsec] baumkp |
<code bash [enable_line_numbers="true"]>docker-compose up -d</code> | <code bash [enable_line_numbers="true"]>docker-compose up -d</code> |
=====Portainer===== | =====Portainer===== |
| *[[https://www.portainer.io/|portainer]] |
<code bash [enable_line_numbers="true"]>cd /home/docker_store | <code bash [enable_line_numbers="true"]>cd /home/docker_store |
sudo mkdir portainer | sudo mkdir portainer |
<code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data | <code bash [enable_line_numbers="true"]>cd /home/docker_store/traefik/data |
nvim config.yml</code> | nvim config.yml</code> |
My config.yml location: ''/home/docker_store/traefik/data/config.yml''. The current TechnoTim version is [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here]]; also look at **Portainer's** instructions: [[https://docs.portainer.io/advanced/reverse-proxy/traefik|Deploying Portainer behind Traefik Proxy]]\\ | I have split the Traefik dynamic (router) configuration file, config.yml, into two files: one for the HTTP/HTTPS router configuration and one for the TCP router configuration (I do not use any UDP routers to date). I placed these files in the sub-directory ''/home/docker_store/traefik/data/config''. Traefik has been set up to read every configuration file in this sub-directory and to pick up changes on the fly, without a restart. The current TechnoTim version is [[https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik-portainer-ssl/traefik|here]]; also look at **Portainer's** instructions: [[https://docs.portainer.io/advanced/reverse-proxy/traefik|Deploying Portainer behind Traefik Proxy]]\\ |
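The switch from one ''config.yml'' to a watched directory is a two-part change: the static configuration has to point the file provider at a directory instead of a file, and each dynamic file then carries only its own top-level key. The following is an added example, not the author's or TechnoTim's files; the mount path ''/config'', the entry point name ''https'', the hostname and the Portainer container name and port are assumptions for illustration.

```yaml
# --- ./data/traefik.yml (static configuration) ---
# Assumption: docker-compose mounts ./data/traefik.yml at /traefik.yml and
# ./data/config at /config inside the container (read-only).
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false      # only containers labelled traefik.enable=true get routers
  file:
    directory: /config           # load every *.yml in the directory (replaces `filename`)
    watch: true                  # re-read on change; no `docker-compose up --force-recreate`

---
# --- ./data/config/http.yml (dynamic configuration, HTTP/HTTPS routers only) ---
# Hostname, container name and port are placeholders.
http:
  routers:
    portainer:
      entryPoints:
        - https                  # entry point name as defined in traefik.yml
      rule: "Host(`portainer.example.com`)"
      service: portainer
      tls: {}                    # TLS on; the wildcard certificate is obtained elsewhere
  services:
    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"   # Portainer's HTTP port on the shared docker network
```

''directory'' and ''filename'' are mutually exclusive in the file provider, so the old ''filename: /config.yml'' line has to go. With ''watch: true'' a syntax error in one file is logged and that file's objects are dropped until it is fixed, so check ''docker logs'' after each edit rather than assuming the change applied.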
<code bash [enable_line_numbers="true"]>docker-compose up -d --force-recreate</code>\\ | <code bash [enable_line_numbers="true"]>docker-compose up -d --force-recreate</code>\\ |
Folder Structure: | Folder Structure: |
│ ├── acme.json | Traefik's ACME store: the Let's Encrypt account key plus the issued certificates and their private keys (Traefik requires it to be mode 600) | │ ├── acme.json | Traefik's ACME store: the Let's Encrypt account key plus the issued certificates and their private keys (Traefik requires it to be mode 600) |
│ ├── config | │ ├── config |
| | ├── http.yml | This is the dynamic configuration file for http | | | ├── http.yml | This is the dynamic configuration file for http (want to separate into 2 smaller files, basic and main services) |
| | └── tcp.yml | This is the dynamic configuration file for tcp | | | └── tcp.yml | This is the dynamic configuration file for tcp (not using at the moment, starttls is not supported by Traefik at this time) |
│ ├── provider.env | Environment file holding the DNS provider API credentials used for the Let's Encrypt DNS-01 wildcard challenge (secret, keep out of version control) | │ ├── provider.env | Environment file holding the DNS provider API credentials used for the Let's Encrypt DNS-01 wildcard challenge (secret, keep out of version control) |
│ ├── traefik.yml | This is the main traefik static configuration file | │ ├── traefik.yml | This is the main traefik static configuration file |
└── docker-compose.yml</code> | └── docker-compose.yml</code> |
=====whitelisting===== | =====whitelisting===== |
Todo: look at whitelisting in more detail | The Traefik middleware ipWhiteList only forwards requests whose source IP falls within the defined address(es) or ranges. All other addresses receive a 403 Forbidden. |
* ''/home/docker_store/traefik/data/config.yml'' has a Traefik whitelisting middleware defined, apparently as the default for all containers in config.yml. Need to check the following: | ++++ipWhitelist| |
* Can this be defined for each container setup in config.yml? Looks likely. | <code>default-whitelist:| |
* Can this be reliably setup for public access of certain containers? | ipWhiteList: |
* Ensure **no** public access to portainer and traefik dashboards? | sourceRange: |
* See the Reddit discussion [[https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/|Traefik v2 mixed (and both) internal and external?]], which indicates this is so; however it notes a possible issue with VPN access. | - "10.0.0.0/8" |
| - "192.168.0.0/16" |
| - "172.16.0.0/12"</code> |
| ++++ |
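Two things about ''ipWhiteList'' decide whether it actually protects anything: it is only enforced on routers that name it (a middleware called ''default-whitelist'' is not a default), and it compares the client IP that Traefik sees, which behind another proxy is the proxy's address. The configuration below is an added example, not the author's config; hostnames, container names, the upstream proxy address ''192.168.1.2'' and the entry point name are assumptions.

```yaml
# --- ./data/config/http.yml (dynamic configuration) ---
http:
  middlewares:
    default-whitelist:
      ipWhiteList:                 # Traefik v2 name; Traefik v3 renames it ipAllowList
        sourceRange:               # CIDRs that pass; any other source gets 403
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"
    # Variant for when Traefik sits behind another proxy or tunnel: without
    # ipStrategy the check uses the TCP peer address, which would be the proxy,
    # so every client on the internet would look "internal".
    lan-behind-proxy:
      ipWhiteList:
        sourceRange:
          - "192.168.0.0/16"
        ipStrategy:
          depth: 1                 # IP 1 from the right of X-Forwarded-For,
                                   # i.e. the one the upstream proxy appended

  routers:
    # Each router that must stay internal lists the middleware explicitly.
    traefik-dashboard:
      entryPoints:
        - https
      rule: "Host(`traefik.example.com`)"
      middlewares:
        - default-whitelist
      service: api@internal        # built-in dashboard/API (needs api.dashboard: true)
      tls: {}
    portainer:
      entryPoints:
        - https
      rule: "Host(`portainer.example.com`)"
      middlewares:
        - default-whitelist
      service: portainer
      tls: {}
    gotify-public:                 # deliberately no whitelist: reachable from the internet
      entryPoints:
        - https
      rule: "Host(`gotify.example.com`)"
      service: gotify
      tls: {}

  services:
    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"
    gotify:
      loadBalancer:
        servers:
          - url: "http://gotify:80"

---
# --- ./data/traefik.yml (static configuration), relevant part only ---
entryPoints:
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:                  # only this peer may set X-Forwarded-For; from any
        - "192.168.1.2/32"         # other peer Traefik discards the header and writes
                                   # the real client address, so depth: 1 cannot be spoofed
    # To make the whitelist the default for EVERY router on this entry point
    # (which would also block the public gotify router above):
    # http:
    #   middlewares:
    #     - default-whitelist@file
```

This is the answer to the mixed internal/external question: per-router middlewares give a mix on one entry point, while the commented-out entry-point middleware makes everything on ''https'' internal-only. The VPN issue noted in the Reddit thread is simply that a VPN client's source address has to fall inside ''sourceRange''; a road-warrior VPN that hands out, say, ''10.8.0.0/24'' is already covered by ''10.0.0.0/8'' above, but a VPN that NATs to a public address is not. Verify from outside with ''curl -I https://traefik.example.com'' and expect ''403''.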
| |
| =====BasicAuth===== |
| For any internal service I expose to the public internet that does not have its own login (unlike full applications such as DokuWiki, Nextcloud and the mail server), but that I do not want open to the general public, I would like to add basic password protection. Web servers such as Apache and Nginx have this built in, and Traefik also provides it as a middleware. |
| |
| The [[https://doc.traefik.io/traefik/middlewares/http/basicauth/|BasicAuth]] middleware provides this functionality. If I set up Gotify, which does not have an iOS client, I can then use its password-protected public web page to check notifications. Unfortunately this is not active, in that it does not push alerts for new messages as an app would, but it would probably meet my needs. |
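A BasicAuth middleware in the file provider, as an added example (not the author's configuration): the hostname, user name, container name and port are placeholders, and the hash is a placeholder to be replaced with real ''htpasswd'' output.

```yaml
# --- ./data/config/http.yml (dynamic configuration) ---
http:
  middlewares:
    notify-auth:
      basicAuth:
        # One htpasswd line per user. Generate a bcrypt entry with:
        #   htpasswd -nB notify
        # and paste the whole "notify:$2y$..." line here. In the file provider
        # the hash is used verbatim; the "$$" doubling is only needed when the
        # same value is written into a docker-compose label.
        users:
          - "notify:$2y$05$REPLACE_WITH_HTPASSWD_OUTPUT"
        # Alternative that keeps credentials out of the config directory
        # (assumed mounted separately, so the file provider does not read it):
        # usersFile: /secrets/htpasswd
        realm: "notifications"     # shown in the browser's login prompt
        removeHeader: true         # strip Authorization before forwarding so the
                                   # backend never sees the proxy password; set
                                   # false if the app itself expects Basic auth
  routers:
    notify:
      entryPoints:
        - https                    # Basic auth is only base64: TLS is what protects it,
                                   # so never attach it to a plain-HTTP entry point
      rule: "Host(`notify.example.com`)"
      middlewares:
        - notify-auth              # add default-whitelist here too to require both
      service: notify
      tls: {}
  services:
    notify:
      loadBalancer:
        servers:
          - url: "http://notify:8080"
```

Check it with ''curl -I https://notify.example.com'' (expect ''401'' with a ''WWW-Authenticate: Basic realm="notifications"'' header) and again with ''-u notify:password'' (expect the backend's response). Middlewares listed on a router run in order, so putting ''default-whitelist'' before ''notify-auth'' rejects outside addresses with a 403 before they ever get a login prompt, which is the sensible order for anything that should stay internal.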
| |
=====SSL Services===== | =====SSL Services===== |
| |
| |