From a74d1a3f0478b1264ebfe9cbbebdca7f16655fb0 Mon Sep 17 00:00:00 2001 From: KemoNine Date: Sat, 16 Feb 2019 19:24:08 +0000 Subject: [PATCH] Add initial traefik docs --- services/traefik.md | 96 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 services/traefik.md diff --git a/services/traefik.md b/services/traefik.md new file mode 100644 index 0000000..e992910 --- /dev/null +++ b/services/traefik.md 
@@ -0,0 +1,96 @@ +# Web Service Proxy (Traefik) + +A simple, efficient web server that can handle SSL/TLS setup via Let's Encrypt for all of your services. Traefik uses labels on containers for configuration needs and helps with more dynamic setup of services. + +## Inspiration / Sources + +- [https://docs.traefik.io/](https://docs.traefik.io/) +- [https://github.com/containous/traefik](https://github.com/containous/traefik) + +## Docker (AND OTHER!) Integration(s) + +Traefik supports docker "out of the box" as well as a number of other similar setups (Docker swarm, k8s). This should help with remixes for users with clusters of small arm boards. + +## Adjust firewall to allow web services on internal network(s) + +``` bash + +firewall-cmd --permanent --zone=internal --add-service http --add-service https +firewall-cmd --permanent --zone=trusted --add-service http --add-service https +firewall-cmd --reload + +``` + +## Adjust firewall to allow web services on external network(s) + +You can skip this if you won't be using web services from the internet. + +``` bash + +firewall-cmd --permanent --zone=public --add-service http --add-service https +firewall-cmd --reload + +``` + +## Install / Update / Run Script + +Setup a generic script that'll auto update Traefik and launch it. You should only run this script at first launch and/or when you're looking for updates. 
+ +``` bash + +mkdir -p /var/traefik/acme +touch /var/traefik/acme/acme.json +chmod 600 /var/traefik/acme/acme.json + +cat > /root/traefik.sh << EOF +#!/bin/bash + +ARCH=\`arch\` +if [ \$ARCH == "aarch64" ] +then + ARCH="arm64v8" +else + ARCH="arm32v7" +fi + +docker pull registry.lollipopcloud.solutions/\$ARCH/traefik:latest + +docker stop traefik +docker rm traefik + +########## + change -e ACME_DNS_PROVIDER to match one from https://docs.traefik.io/configuration/acme/#provider if using DNS ACME challenges + add -e options for each variable for your chosen dns provider + don’t include CF_API vars in portainer template + need to create /var/traefik/acme/acme.json with 600 perms ahead of container run + change --logLevel=DEBUG via -e? if so: set to ERROR by default + label docs for templates: https://docs.traefik.io/configuration/backends/docker/#labels-overriding-default-behavior +########## + +docker run -it \\ +-e TZ=UTC \\ +-e DEBUG=1 \\ +-e ACME_EMAIL="user@domain.tld" \\ +-e ACME_DNS_PROVIDER="--acme.dnschallenge.provider=cloudflare" \\ +-e CF_API_EMAIL="user@domain.tld" \\ +-e CF_API_KEY=big_string \\ +-v /var/traefik:/etc/traefik \\ +-v /var/run/docker.sock:/var/run/docker.sock \\ +registry.lollipopcloud.solutions/\$ARCH/traefik:latest \\ +--api --docker --logLevel=DEBUG --defaultentrypoints=http,https --entrypoints="Name:http address::80 Redirect.EntryPoint:https" --entrypoints="Name:https address::443 TLS" --acme=true --acme.acmelogging=true --acme.storage=/etc/traefik/acme/acme.json --acme.tlsconfig=true --acme.entrypoint=https --acme.httpchallenge.entrypoint=http --acme.email=$ACME_EMAIL --acme.onhostrule=true --acme.httpchallenge=true $ACME_DNS_PROVIDER + +EOF + +chmod a+x /root/traefik.sh + +``` + +## Run Traefik + +Simply execute ```/root/traefik.sh``` to update/run. + +## Configuration (Optional) + +See [https://docs.traefik.io/](https://docs.traefik.io/) for additional details. You shouldn't need any additional configuration. 
Most of traefik is configured via the command line using the above approach. + +Traefik is *very* powerful and flexible though. If you're looking for more advanced options the documentation is a great start. Be warned: it's very technical and dense.
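Review bot: The generated script will never pass the ACME settings to Traefik, because the heredoc is unquoted (`cat > /root/traefik.sh << EOF`) and the last two references on the `docker run` line, `--acme.email=$ACME_EMAIL` and `$ACME_DNS_PROVIDER`, are not escaped like `\$ARCH` is: they expand to empty strings while the script is being written. Escaping them is not enough either, since the `-e ACME_EMAIL=...` / `-e ACME_DNS_PROVIDER=...` options set variables inside the container, not in the host shell that builds the argument list; define those two as plain shell variables at the top of the script and drop the `-e` versions. Second, the lines between the two `##########` markers (`change -e ACME_DNS_PROVIDER ...`, `add -e options ...`, `label docs for templates: ...`) have no leading `#`, so bash will try to run them as commands on every invocation; prefix each with `#` or move the notes into the markdown. Third, the script embeds `CF_API_KEY` in plaintext and `chmod a+x /root/traefik.sh` leaves it world-readable under a default umask; use `chmod 700` (or `600` and invoke it with `bash`) so the DNS provider credential is not exposed to other local users, consistent with the `chmod 600` already applied to acme.json. Finally, the `docker run -it` has no `-p 80:80 -p 443:443` (or `--network host`) and no `--restart` policy, so even with the firewall rules above Traefik is not reachable on the entrypoints it defines and exits when the terminal closes; `-e DEBUG=1` and `--logLevel=DEBUG` also contradict the inline note to default to `ERROR`.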