Open utterances-bot opened 5 years ago
Hi, I have been looking for a Traefik guide for a long time. I need a little guidance with volumes; I am not sure how I am going to create the files. Like in root or home/user/, or do I just put them the same way?
Hi @mouzzampk2014!
The syntax here is to specify the location on the host system, a colon and the location in the container. You can choose to put these wherever you want on the host as long as you keep the container location, because that's how traefik is configured.
In my case I have a repo set up containing configs and docker-compose files for several services, so that's where I also store the traefik.toml. Other data and data that is more volatile is stored in ~/data. Actually, I should probably be storing traefik's certificate data in the services repo as well 🙈
Hi Kilian,
Thank you so much for the quick response. Basically I am running DockSTARTer, and everything from the compose file to the environment file was done by the developer. My compose and environment files are in the compose folder /home/user/docker/compose and the configuration files are in /home/user/docker/config. So if I am using the below volumes, I am not sure where ./ and ~/ are located :)
As an example, my letsencrypt folder is /home/user/docker/config/letsencrypt (I also attached the image) and thank you :)
volumes:
`.` means the current directory, whereas `~` is your user's home directory. So `~/data/` refers to `/home/data/`.
Hi,
Thank you :)
I am a little confused. I managed to run the traefik container, but when I go to https://traefik.mydomain.com it takes me to the Organizr page (I already have letsencrypt set up with nginx for the same domain on a different machine). Any idea? :)
Sorry, I don't know your specific setup to be able to help with that.
Hi Kilian, you have to specify the ports in quotes, for example,
```
ports:
  - "2221:22"
```
if there is only one mapping.
Hey matz 👋
You actually don't have to put the ports in quotes, but you definitely should, since YAML is weird and will interpret port mappings below 60 with colons as sexagesimal numbers instead. I definitely should've done it here for good measure as well and will update the post, thanks 😊
(via https://twitter.com/chrisbranch/status/1094581030147768320)
Yeah, weird. On your gitea example it gave me a port mapping error without the quotes 😆 Maybe something with docker-compose on Ubuntu 18. Thanks anyway for the article :-)
Huh, interesting 🤔 Thanks for trying it out 🙈
Hi, ports 80, 443 and 8080 are already reserved for the NAS. What do I need to do, open different ports on my router? Thank you
And I also followed the guide and traefik is not working.
Sorry, @mouzzampk2014, I really can't help you configure your specific router settings. Depending on what you're trying to achieve you can also just pick other ports instead of those defaults. You might have more luck figuring out those issues in a support forum for your router manufacturer?
Hey, I've been using this traefik setup for some time and it has been serving me very well!
There are two small additions I would propose:
* pin the traefik version so you don't accidentally break it if they change some compatibility: e.g. in my case `traefik:1.5-alpine`, because I think alpine is awesome
* make the `docker.sock` volume readonly!
```
volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
```
this should lower the attack surface dramatically.
Hi @s-ol, those are great points. Thanks for the tips! I'll add them to the post as soon as I can 👍
I'd also recommend the use of something like watchtower or similar to stay on top of updates, specifically for traefik. Versions before 1.7 had a very unfortunate bug 😕
@kiliankoe yeah, it's kind of tricky - you would hope every image version would keep getting security updates, but that's not really how project-level versioning works out these days.
That specific issue doesn't affect me because I don't expose the API endpoint.
Hi! Thanks for the interesting post. I have a question though: how do you ssh into your Gitea instance? Basically, how do you `git clone` with ssh?
Hi @Weyx,
Cloning via SSH also allows you to specify a custom SSH port; it will look something like this: `ssh://git@host:port/user/repo.git`. If you specify this in the Gitea config it will display it in the relevant spots as well. This port is directly exposed on the host, forwarding to the container.
I have never used gitea before but quite interested in using drone and gitea together.
Right now there are problems with 2221 as it's already mapped, so I changed it under `ports:` to `22:22`.
So how should this actually work now? I tried my own site git.example.xyz but I only get Gateway Timeout.
Hi @thepenguinthatwants, what you've done with that is mapped your host's SSH port to the SSH port of the container. This will likely only work if nothing on your host is already using that port. You'll probably have more luck choosing another non-default port besides 2221 and not 22.
Hi!
I have actually changed the ssh port to another port, and using this port doesn't cause any problems.
The difference is also that instead of using `docker network create web` I let `docker-compose up` create it itself. Not sure how it differs from adding it manually.
```
networks:
  web:
    external: true
```
I haven't used `external: true`.
So I am wondering if that is the reason as I normally keep everything on the same docker-compose.yml file.
Docker's networking doesn't influence the port mappings. The reason I use the external network is so that I can directly define which services are visible to traefik and therefore touch the outside world without anything being accidentally accessible. Definitely not necessary, but nice for configuration.
I don't think the 'ro' flag works exactly the way you think for the docker socket. It actually only prevents you from renaming or deleting the file (socket); you can however still write to the socket (and thus potentially enable root access on the host..).
Have a look at the docker-socket-proxy container (https://github.com/Tecnativa/docker-socket-proxy). It allows you to instead access the socket from Traefik over TCP, where the socket container is only accessible to the containers that need it, and some restrictions can be set on which parts of the API are accessible (e.g. no need to be able to create new containers just to read which ones are running..). This is not perfect, but far better than mounting the docker socket (full host access) into a container exposed to the internet. Some more information on this can be found at https://docs.traefik.io/configuration/backends/docker/#security-considerations
TraefikEE did something along those lines by splitting the container into one for data handling (exposed to internet) and another for control (internal with socket access).
Thanks for the insight, @torhaala! Very interesting to know how the read-only permission works here. I'll definitely add looking into the links you posted to my todo list, seems like a worthwhile effort.
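As a concrete form of the split @torhaala describes, here is an added compose example (not from the blog post or anyone in this thread) in which Traefik v2 reaches the Docker API through Tecnativa's docker-socket-proxy over TCP instead of a socket bind mount; the network names, container names and the Traefik version tag are assumptions for illustration.

```yaml
# Added example, not part of the original post. Assumed names: "socket" (internal
# network), "web" (the external network Traefik-facing services join), "socket-proxy".
version: "3"

services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: socket-proxy
    restart: always
    environment:
      # Allow-list only the read-only API sections Traefik's docker provider needs;
      # every other section (exec, volumes, images, ...) stays denied by the proxy's defaults.
      - CONTAINERS=1
      - NETWORKS=1
      # Keep POST disabled (proxy default): no container creation/start/exec through this hop.
      - POST=0
    volumes:
      # The socket is mounted here only, in a container that has no published ports
      # and is never attached to the internet-facing "web" network.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket

  traefik:
    image: traefik:v2.5
    container_name: traefik
    restart: always
    command:
      - --providers.docker=true
      # Talk to the proxy over TCP instead of mounting /var/run/docker.sock.
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # Only containers that opt in with traefik.enable=true are routed.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - socket-proxy
    networks:
      - socket
      - web

networks:
  socket:
    internal: true   # no route to the outside world; only traefik and the proxy are on it
  web:
    external: true
```

With this layout a compromise of the internet-facing Traefik container yields read-only container metadata through the proxy rather than the full Docker API, and the proxy itself is reachable only from the internal network.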
Here is an update for Gitea with Traefik 2.5
```yaml
version: '3'
services:
  traefik:
    container_name: traefik
    image: "traefik:latest"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --log.level=ERROR
      - --certificatesresolvers.yourresolver.acme.httpchallenge=true
      - --certificatesresolvers.yourresolver.acme.email=your@email.com
      - --certificatesresolvers.yourresolver.acme.storage=/acme.json
      - --certificatesresolvers.yourresolver.acme.httpchallenge.entrypoint=web
      - --providers.file.directory=/conf
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/username/traefik/conf:/conf"
      - "/home/username/traefik/acme.json:/acme.json"
      - "/home/username/traefik/errors:/errors"
    labels:
      # settings for all containers
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    networks:
      - traefik
  git:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=mysql
      - GITEA__database__HOST=db:3306
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=xxxxxxxxxxxxxxx
    volumes:
      - /home/username/gitea/data:/data
    ports:
      # - "3000:3000"
      - "2222:22"
    depends_on:
      - db
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.git.rule=Host(`gitea.yourdomain.tld`)"
      - "traefik.http.routers.git.entrypoints=websecure"
      - "traefik.http.services.git.loadbalancer.server.port=3000"
      - "traefik.http.routers.git.service=git"
      - "traefik.http.routers.git.tls.certresolver=yourresolver"
    networks:
      - traefik
  db:
    image: mysql:8
    container_name: gitea_db
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=yxyxyxyxyxyxyxyxyxyxyxyxyxyxy
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=xxxxxxxxxxxxxxx
      - MYSQL_DATABASE=gitea
    volumes:
      - /home/username/gitea/mariadb:/var/lib/mysql
    networks:
      - traefik
networks:
  traefik:
    external:
      name: traefik_webgateway
```
Server Setup with traefik and docker-compose | blog.kilian.io: https://blog.kilian.io/server-setup/