kemonine/lollipopcloud
This repository has been archived on 2022-08-05. You can view files and clone it, but cannot push or open issues or pull requests.
lollipopcloud/services/traefik.md
# Web Service Proxy (Traefik)
A simple, efficient reverse proxy that can set up SSL/TLS via Let's Encrypt for all of your services. Traefik reads labels on containers for its configuration, which makes a dynamic setup of services easier.
## Inspiration / Sources
- [https://docs.traefik.io/](https://docs.traefik.io/)
- [https://github.com/containous/traefik](https://github.com/containous/traefik)
## Docker (AND OTHER!) Integration(s)
Traefik supports Docker "out of the box" as well as a number of similar orchestrators (Docker Swarm, Kubernetes). This should help with remixes for users running clusters of small ARM boards.
## Adjust firewall to allow web services on internal network(s)
```bash
firewall-cmd --permanent --zone=internal --add-service http --add-service https
firewall-cmd --permanent --zone=trusted --add-service http --add-service https
firewall-cmd --reload
```
## Adjust firewall to allow web services on external network(s)
You can skip this if you won't be using web services from the internet.
```bash
firewall-cmd --permanent --zone=public --add-service http --add-service https
firewall-cmd --reload
```
## Install / Update / Run Script
Set up a generic script that auto-updates Traefik and launches it. Run this script only at first launch and when you want to pull updates.
```bash
mkdir -p /var/traefik/acme
touch /var/traefik/acme/acme.json
# acme.json will hold the Let's Encrypt account key and every issued private key;
# Traefik refuses to use it unless it is mode 600
chmod 600 /var/traefik/acme/acme.json
# The quoted 'EOF' keeps the heredoc literal, so $ and backticks need no escaping
cat > /root/traefik.sh << 'EOF'
#!/bin/bash
set -e
# Pick the image variant for this board's CPU
ARCH=$(arch)
if [ "$ARCH" = "aarch64" ]; then
    ARCH="arm64v8"
else
    ARCH="arm32v7"
fi
##########
# change ACME_DNS_PROVIDER to match one from https://docs.traefik.io/configuration/acme/#provider if using DNS ACME challenges
# add -e options for each variable for your chosen DNS provider
# don't include CF_API vars in the portainer template
# /var/traefik/acme/acme.json must exist with 600 perms ahead of the container run (done above)
# change --logLevel=DEBUG via -e? if so: set to ERROR by default
# label docs for templates: https://docs.traefik.io/configuration/backends/docker/#labels-overriding-default-behavior
##########
ACME_EMAIL="user@domain.tld"
ACME_DNS_PROVIDER="--acme.dnschallenge.provider=cloudflare"
docker pull registry.lollipopcloud.solutions/$ARCH/traefik:latest
# Tolerate a missing container on the very first run
docker stop traefik 2>/dev/null || true
docker rm traefik 2>/dev/null || true
# -d and --name: the script runs detached and the stop/rm above can find the container by name.
# -p 80:80 -p 443:443 publishes the two entrypoints on the host (added here; the original run
# line published no ports, so drop these if your setup uses --network host instead).
# /var/run/docker.sock gives the container full control of the Docker host; mount it for the proxy only.
docker run -d --name traefik --restart unless-stopped \
    -p 80:80 -p 443:443 \
    -e TZ=UTC \
    -e DEBUG=1 \
    -e ACME_EMAIL="$ACME_EMAIL" \
    -e ACME_DNS_PROVIDER="$ACME_DNS_PROVIDER" \
    -e CF_API_EMAIL="user@domain.tld" \
    -e CF_API_KEY=big_string \
    -v /var/traefik:/etc/traefik \
    -v /var/run/docker.sock:/var/run/docker.sock \
    registry.lollipopcloud.solutions/$ARCH/traefik:latest \
    --api --docker --logLevel=DEBUG --defaultentrypoints=http,https \
    --entrypoints="Name:http address::80 Redirect.EntryPoint:https" \
    --entrypoints="Name:https address::443 TLS" \
    --acme=true --acme.acmelogging=true --acme.storage=/etc/traefik/acme/acme.json \
    --acme.tlsconfig=true --acme.entrypoint=https --acme.httpchallenge.entrypoint=http \
    --acme.email="$ACME_EMAIL" --acme.onhostrule=true --acme.httpchallenge=true $ACME_DNS_PROVIDER
EOF
chmod a+x /root/traefik.sh
```
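A pre-flight check for the launch script, run before `/root/traefik.sh` on each update. This is an added example, not code from the lollipopcloud repo; it assumes POSIX `find` and `test`, and the ACME storage path and variable names used in the script above.

```bash
#!/bin/bash
# Pre-flight checks for /root/traefik.sh (added example, not part of the repo).

# Return 0 when the ACME storage file is safe to hand to Traefik: it must exist,
# be a regular file, be owned by the expected user (root, because the container
# runs as root) and have mode exactly 0600, since it will hold the Let's Encrypt
# account key and every issued private key.
check_acme_storage() {
    f="$1"; owner="${2:-root}"
    if [ ! -f "$f" ]; then
        echo "missing: $f (touch it before the first run)" >&2
        return 1
    fi
    # -perm 600 without a leading - or / matches only an exact mode of 0600
    if [ -z "$(find "$f" -perm 600 2>/dev/null)" ]; then
        echo "wrong mode on $f: Traefik needs exactly 0600 (chmod 600 $f)" >&2
        return 1
    fi
    if [ -z "$(find "$f" -user "$owner" 2>/dev/null)" ]; then
        echo "$f is not owned by $owner" >&2
        return 1
    fi
    return 0
}

# Return 0 when the values the script passes to the container are real settings
# rather than the placeholders from the write-up: a placeholder contact address
# means no expiry warnings from Let's Encrypt, and a bare provider name instead of
# the flag would be handed to Traefik as an unknown argument.
check_acme_settings() {
    email="$1"; provider_flag="$2"
    case "$email" in
        ""|user@domain.tld)
            echo "ACME_EMAIL is still the placeholder" >&2; return 1 ;;
        *@*.*) ;;
        *)
            echo "ACME_EMAIL '$email' is not an e-mail address" >&2; return 1 ;;
    esac
    # The DNS provider flag is optional; when set it must be a Traefik 1.x
    # --acme.dnschallenge.provider=<name> flag, which the script passes through as-is
    if [ -n "$provider_flag" ]; then
        case "$provider_flag" in
            --acme.dnschallenge.provider=?*) ;;
            *) echo "ACME_DNS_PROVIDER must be --acme.dnschallenge.provider=<name>" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Usage, mirroring the variables in /root/traefik.sh:
# check_acme_storage /var/traefik/acme/acme.json && check_acme_settings "$ACME_EMAIL" "$ACME_DNS_PROVIDER"
```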
## Run Traefik
Simply execute `/root/traefik.sh` to update and run Traefik.
## Configuration (Optional)
See [https://docs.traefik.io/](https://docs.traefik.io/) for additional details. You shouldn't need any additional configuration: most of Traefik is configured via the command line using the approach above.
Traefik is *very* powerful and flexible though. If you're looking for more advanced options the documentation is a great start. Be warned: it's very technical and dense.