VPS Proof of Concept for Docker and Traefik

Basic Auth

This will be used to password protect applications as needed.

Use the htpasswd utility included in the apache2-utils package to create an encrypted password.

sudo apt-get install apache2-utils

Generate the password with htpasswd. For example, user admin and password secret.

htpasswd -nb admin secret

Copy the output, it will be added to the traefik.toml file created in the next step. For example, copy:

admin:$apr1$m7bjJGAs$yoFBU4EmPy0wAQuKccomQ/

Traefik

Use Docker Compose to setup Traefik reverse proxy and load balancer as a docker container. Within the home directory, create a new directory named docker for the configuration files. Create another directory for docker/traefik files.

cd ~/
mkdir docker
mkdir docker/traefik

Create a traefik/traefik.toml to configure entry points and the web provider for access to the dashboard interface.

nano docker/traefik/traefik.toml
traefik.toml
defaultEntryPoints = ["http", "https"]

[web]
address = ":8080"
  [web.auth.basic]
  users = ["admin:$apr1$m7bjJGAs$yoFBU4EmPy0wAQuKccomQ/"]

[entryPoints]

[entryPoints.http]
address = ":80"
[entryPoints.https.redirect]
entryPoint = "http"

# [entryPoints.https]
# address = ":443"

# [entryPoints.https.tls]

# [acme]
# email = "myemail@example.com"
# storage = "acme.json"
# entryPoint = "https"
# onDemand = false
# OnHostRule = true
  • Traefik has built in support for the free Let’s Encrypt SSL certificate retrieval service. A server with a public domain is needed for the service to validate. The traefik.toml file example above contains a commented stub for reference.

Dockerfile

Create a traefik/dockerfile to add the traefik.toml to the image.

nano docker/traefik/dockerfile
dockerfile
FROM traefik
ADD traefik.toml .
EXPOSE 80
EXPOSE 8080
# EXPOSE 443

Create a traefik/docker-compose.yml file to configure Traefik services and networks.

docker-compose.yml
version: '2'

services:
  proxy:
    build: .
    restart: always
    command: --docker --logLevel=DEBUG
    networks:
      - webgateway
    ports:
      - "80:80"
#      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

networks:
  webgateway:
    driver: bridge

Update CSF firewall configuration to allow traffic on the password protected port 8080.

sudo nano /etc/csf/csf.conf

Append 8080 to the list of TCP ports. For example,

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8080"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,8080"

Use docker-compose to create the Docker container and run the traefik application.

docker-compose -f ~/docker/traefik/docker-compose.yml up -d

Testing

Navigate to the VM in a browser using the IP address over port 8080 to login to the Traefik dashboard. For example, http://172.30.0.10:8080 which redirects to http://172.30.0.10:8080/dashboard/#/

Create a whoami/docker-compose.yml file to configure another container application labeled whoami. The image for this container uses a tiny Go webserver that prints system information and HTTP request to output.

mkdir ~/docker/whoami

nano ~/docker/whoami/docker-compose.yml
docker-compose.yml
version: '2'

services:
  app:
    image: emilevauge/whoami
    networks:
      - web
    labels:
      - "traefik.backend=whoami"
      - "traefik.frontend.rule=PathPrefixStrip: /whoami" # IP/whoami/
      # - "traefik.frontend.rule=Host:vm.ubuntuserver.whoami.com"

networks:
  web:
    external:
      name: traefik_webgateway

Access the application in a browser using the VM IP address. For example, http://172.30.0.10. To use a domain name, add 172.30.0.10 vm.ubuntuserver.whoami.com to your computers hosts file. Then remove the comment for the Host frontend rule in the whoami/docker-compose.yml.

When you’re done testing everything and ready to enable the firewall, disable the testing flag.

sudo nano /etc/csf/csf.conf

Set TESTING = "0" and reload.

sudo csf -r

Resources

Published by

Jim Frenette

Web Developer - views here are my own except those taken from people more clever than me.

Loading Disqus Comments ...
Loading Facebook Comments ...