Closed ModischFabrications closed 1 year ago
Use Traefik to renew Let's Encrypt Certificate. Once per domain, so 1x for whole vps.modisch.me, paths can be ignored.
DNS Challenge technically works with namecheap, but will probably be screwed over with the multiple subhosts behind modisch.me and needs API access to namecheap, because it doesn't handle DNS-Challenges natively like Cloudflare or any other major domain provider.
https://doc.traefik.io/traefik/https/acme/#httpchallenge seems a lot easier, try that one.
Traefik hints:
- `example.com`) is needed to assign to specific domains/traefik
- ) can be used to match paths exactly (`/cutsolver`, but not `/cutsolver/api`)

Okay, seems like traefik isn't that simple:
https://doc.traefik.io/traefik/middlewares/http/stripprefix/:

```yaml
- "traefik.http.middlewares.app-stripprefix.stripprefix.forceslash=false"
- "traefik.http.middlewares.app-stripprefix.stripprefix.prefixes=/app"
- "traefik.http.routers.app.middlewares=app-stripprefix"
```
HTTPS redirect might also be useful, but that one should probably be defined on the entrypoints:
```yaml
labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
```
Would also be nice to have a dashboard on a secure channel, might need to add auth for that. Extract a whole lot of vars into an env file to make that easier, could also extract email and domain.
Be aware that a forced HTTPS redirect will mess with HTTP-Challenges, might need to do that selectively, if needed:
https://danielbkr.net/traefik-v2-how-to-configure-https-redirection-and-lets-encrypt/
All hrefs need to have ./* instead of / to properly redirect behind proxies. Traefik should set some headers to enable rerouting for more complex apps, but initial experiments haven't been that successful with the frontend resources. Fixes from fd2e50e9324dd6ad4cbabfbe733c049d58525a4b might help.
Forcing trailing slashes is also necessary to resolve those links, but seems to be on by default.
Seems to work, https://vps.modisch.me/cutsolver/ is online and linked, just need to fix git lfs for the frontend. Postfixing /cutsolver with another slash would also be nice, but I can't get that to work.
Got it! I replaced only the checkout of the first step, not the second.
https://github.com/ModischFabrications/CutSolverFrontend/blob/master/docker-compose-deploy.yml is what you are looking for.
Done!
Create a sample deployment using the frontend, traefik and more.
https://www.smarthomebeginner.com/traefik-docker-security-best-practices/
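A sample deployment along the lines of this thread, as an added example that is not the project's own docker-compose-deploy.yml: Traefik terminates TLS with the Let's Encrypt HTTP challenge, redirects HTTP to HTTPS at the entrypoint (the Traefik docs state this redirection is compatible with the HTTP-01 challenge), routes the frontend by host plus path prefix through a stripprefix middleware, and serves the dashboard only over TLS behind basic auth. The domain, e-mail address, image name and dashboard credentials are assumptions, read from an .env file next to the compose file.

```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # route only containers that opt in
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Entrypoint-level HTTP->HTTPS redirect; the ACME HTTP-01 path is still answered by Traefik itself.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"      # from .env
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--api.dashboard=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"   # read-only socket
      - "./letsencrypt:/letsencrypt"                     # keep acme.json mode 600
    labels:
      - "traefik.enable=true"
      # Dashboard: TLS only, basic auth. DASHBOARD_USERS is htpasswd output;
      # double every $ in it to $$ wherever compose interpolates it.
      - "traefik.http.routers.dashboard.rule=Host(`${DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${DASHBOARD_USERS}"

  cutsolver:
    image: cutsolver-frontend:local   # placeholder; build/tag the frontend image yourself
    # no "ports:" here, the app is reachable only through traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.cutsolver.rule=Host(`${DOMAIN}`) && PathPrefix(`/cutsolver`)"
      - "traefik.http.routers.cutsolver.entrypoints=websecure"
      - "traefik.http.routers.cutsolver.tls.certresolver=le"
      # Strip /cutsolver before forwarding, so the app serves from /; its links stay relative (./)
      - "traefik.http.middlewares.cutsolver-strip.stripprefix.prefixes=/cutsolver"
      - "traefik.http.routers.cutsolver.middlewares=cutsolver-strip"
```

Put DOMAIN, ACME_EMAIL and DASHBOARD_USERS in .env; because exposedbydefault is off, any other container on the host stays unreachable until it carries traefik.enable=true.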