97 lines
3.5 KiB
Markdown
97 lines
3.5 KiB
Markdown
# Web Service Proxy (Traefik)
|
||
|
||
A simple, efficient web server that can handle SSL/TLS setup via Let's Encrypt for all of your services. Traefik uses labels on containers for configuration needs and helps with more dynamic setup of services.
|
||
|
||
## Inspiration / Sources
|
||
|
||
- [https://docs.traefik.io/](https://docs.traefik.io/)
|
||
- [https://github.com/containous/traefik](https://github.com/containous/traefik)
|
||
|
||
## Docker (AND OTHER!) Integration(s)
|
||
|
||
Traefik supports docker "out of the box" as well as a number of other similar setups (Docker swarm, k8s). This should help with remixes for users with clusters of small arm boards.
|
||
|
||
## Adjust firewall to allow web services on internal network(s)
|
||
|
||
``` bash
|
||
|
||
firewall-cmd --permanent --zone=internal --add-service http --add-service https
|
||
firewall-cmd --permanent --zone=trusted --add-service http --add-service https
|
||
firewall-cmd --reload
|
||
|
||
```
|
||
|
||
## Adjust firewall to allow web services on external network(s)
|
||
|
||
You can skip this if you won't be using web services from the internet.
|
||
|
||
``` bash
|
||
|
||
firewall-cmd --permanent --zone=public --add-service http --add-service https
|
||
firewall-cmd --reload
|
||
|
||
```
|
||
|
||
## Install / Update / Run Script
|
||
|
||
Setup a generic script that'll auto update Traefik and launch it. You should only run this script at first launch and/or when you're looking for updates.
|
||
|
||
``` bash
|
||
|
||
mkdir -p /var/traefik/acme
|
||
touch /var/traefik/acme/acme.json
|
||
chmod 600 /var/traefik/acme/acme.json
|
||
|
||
cat > /root/traefik.sh << EOF
|
||
#!/bin/bash
|
||
|
||
ARCH=\`arch\`
|
||
if [ \$ARCH == "aarch64" ]
|
||
then
|
||
ARCH="arm64v8"
|
||
else
|
||
ARCH="arm32v7"
|
||
fi
|
||
|
||
docker pull registry.lollipopcloud.solutions/\$ARCH/traefik:latest
|
||
|
||
docker stop traefik
|
||
docker rm traefik
|
||
|
||
##########
|
||
change -e ACME_DNS_PROVIDER to match one from https://docs.traefik.io/configuration/acme/#provider if using DNS ACME challenges
|
||
add -e options for each variable for your chosen dns provider
|
||
don’t include CF_API vars in portainer template
|
||
need to create /var/traefik/acme/acme.json with 600 perms ahead of container run
|
||
change --logLevel=DEBUG via -e? if so: set to ERROR by default
|
||
label docs for templates: https://docs.traefik.io/configuration/backends/docker/#labels-overriding-default-behavior
|
||
##########
|
||
|
||
docker run -it \\
|
||
-e TZ=UTC \\
|
||
-e DEBUG=1 \\
|
||
-e ACME_EMAIL="user@domain.tld" \\
|
||
-e ACME_DNS_PROVIDER="--acme.dnschallenge.provider=cloudflare" \\
|
||
-e CF_API_EMAIL="user@domain.tld" \\
|
||
-e CF_API_KEY=big_string \\
|
||
-v /var/traefik:/etc/traefik \\
|
||
-v /var/run/docker.sock:/var/run/docker.sock \\
|
||
registry.lollipopcloud.solutions/\$ARCH/traefik:latest \\
|
||
--api --docker --logLevel=DEBUG --defaultentrypoints=http,https --entrypoints="Name:http address::80 Redirect.EntryPoint:https" --entrypoints="Name:https address::443 TLS" --acme=true --acme.acmelogging=true --acme.storage=/etc/traefik/acme/acme.json --acme.tlsconfig=true --acme.entrypoint=https --acme.httpchallenge.entrypoint=http --acme.email=$ACME_EMAIL --acme.onhostrule=true --acme.httpchallenge=true $ACME_DNS_PROVIDER
|
||
|
||
EOF
|
||
|
||
chmod a+x /root/traefik.sh
|
||
|
||
```
|
||
|
||
## Run Traefik
|
||
|
||
Simply execute ```/root/traefik.sh``` to update/run.
|
||
|
||
## Configuration (Optional)
|
||
|
||
See [https://docs.traefik.io/](https://docs.traefik.io/) for additional details. You shouldn't need any additional configuration. Most of traefik is configured via the command line using the above approach.
|
||
|
||
Traefik is *very* powerful and flexible though. If you're looking for more advanced options the documentation is a great start. Be warned: it's very technical and dense.
|