| Both sides previous revision Previous revision Next revision | Previous revision |
| docker_notes:docker-reverse-proxy [2024-01-12 Fri wk02 21:15] – [whitelisting] baumkp | docker_notes:docker-reverse-proxy [2024-04-28 Sun wk17 11:11] (current) – [Cloudsec] baumkp |
|---|
| <code bash [enable_line_numbers="true"]>docker-compose up -d</code> | <code bash [enable_line_numbers="true"]>docker-compose up -d</code> |
| =====Portainer===== | =====Portainer===== |
| | *[[https://www.portainer.io/|portainer]] |
| <code bash [enable_line_numbers="true"]>cd /home/docker_store | <code bash [enable_line_numbers="true"]>cd /home/docker_store |
| sudo mkdir portainer | sudo mkdir portainer |
| │ ├── acme.json | This is the Lets Encrypt RSA key file downloaded by Traefik | │ ├── acme.json | This is the Lets Encrypt RSA key file downloaded by Traefik |
| │ ├── config | │ ├── config |
| | | ├── http.yml | This is the dynamic configuration file for http | | | ├── http.yml | This is the dynamic configuration file for http (want to separate into 2 smaller files, basic and main services) |
| | | └── tcp.yml | This is the dynamic configuration file for tcp | | | └── tcp.yml | This is the dynamic configuration file for tcp (not using at the moment, starttls is not supported by Traefik at this time) |
| │ ├── provider.env | This has the key file for DNS wildcard challenge on LetsEncrypt | │ ├── provider.env | This has the key file for DNS wildcard challenge on LetsEncrypt |
| │ ├── traefik.yml | This is the main traefik static configuration file | │ ├── traefik.yml | This is the main traefik static configuration file |
| └── docker-compose.yml</code> | └── docker-compose.yml</code> |
| =====whitelisting===== | =====whitelisting===== |
| The Traefik middleware ++ipWhitelist| | The Traefik middleware ipWhitelist only allows the define ip address(es) to be forwarded. All other address will have 403 forbidden returned. |
| | ++++ipWhitelist| |
| <code>default-whitelist:| | <code>default-whitelist:| |
| ipWhiteList: | ipWhiteList: |
| - "192.168.0.0/16" | - "192.168.0.0/16" |
| - "172.16.0.0/12"</code> | - "172.16.0.0/12"</code> |
| ++ | ++++ |
| |
| Todo: look at whitelisting in more detail | =====BasicAuth===== |
| * ''/home/docker_store/traefik/data/config/http.yml'' has traefik middleware whitelisting defined looks defined as default for all containers in config.yml. Need to check following: | For any internal service I expose to the public internet that are either not full services with own password, e.g. dokuwiki, nextcloud and mail server, but I do not want general public access I would like to add basic password protection. This is built into the web server applications such as Apache and presumably Nginx, but Traefik also has some functionality. |
| * Can this be defined for each container setup in config.yml? Looks likely. | |
| * Can this be reliably setup for public access of certain containers? | The middleware [[https://doc.traefik.io/traefik/middlewares/http/basicauth/|BasicAuth]] seems to define this functionality. If I setup Gotify, that does not have an iOS client I can then use a public access webpage with password protection to check notifications. Unfortunately this is not active, in that it does not actively alert of new messages that presumably an app would do, but would probably meet my needs. |
| * Ensure **no** public access to portainer and traefik dashboards? | |
| * See reddit dicussion [[https://www.reddit.com/r/Traefik/comments/qi2435/traefik_v2_mixed_and_both_internal_and_external/Traefik v2 mixed (and both) internal and external?]], which indicates this is so, however it notes a possible issue with VPN access. | |
| |
| =====SSL Services===== | =====SSL Services===== |
| |
| |
| <- docker_notes:docker|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next -> | <- docker_notes:init|Back ^ docker_notes:index|Start page ^ docker_notes:docker-dokuwiki|Next -> |
| |