Okay, my blog is up and running. It runs in a Docker container on one of my Raspberry Pis in the lumber room. To make the blog felixwiedmann.de reachable from the internet, I configured Dyn-DNS, and for testing I added a simple port-forwarding rule on my router pointing at the Raspberry Pi host.
At the moment I am not comfortable with this setup, for the following reasons:
- I cannot host several subdomains for my other services (Grafana, k8s dashboard, ...) behind the single forwarded port
- I don't want to issue certificates for all my domains manually
To solve these problems I chose traefik, because it is very easy to set up! Traefik comes with Docker and Kubernetes support; for my use case I installed traefik on my Docker host.
1. docker network
For security reasons I created a new Docker network named "web". Only the services on my Docker host that are supposed to face the internet are attached to it. Everything else stays on networks traefik is not a member of, so a routing label alone cannot expose a container that is not on "web".
docker network create web
2. docker-compose
I wrote a docker-compose.yaml for traefik to keep its configuration in one place. Two things in it deserve attention: the Docker socket mount gives the traefik container full control of the Docker daemon (effectively root on the host), so this container has to be trusted as much as the host itself; and port 8080 publishes the dashboard that [api] enables in traefik.toml, which has no authentication in this configuration, so it must not be reachable through the router's port-forwarding rules.
```yaml
version: '2'
services:
  traefik:
    image: traefik:1.7.7
    restart: always
    ports:
      - 80:80
      - 443:443
      # dashboard; unauthenticated in this setup, so keep 8080 off the internet
      - 8080:8080
    networks:
      - web
    volumes:
      # traefik needs the docker socket to discover new containers on your docker host;
      # whoever controls this container controls the Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      # certificate store; must exist with mode 600 before the first start
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik

networks:
  web:
    external: true
```
3. traefik.toml & Let's Encrypt
The traefik.toml is traefik's configuration file. Each [section] header in square brackets enables the corresponding feature. I wrote this TOML based on the official traefik documentation. Note that traefik 1.7 also accepts TLS 1.0 and 1.1 by default; if only modern clients matter, set minVersion = "VersionTLS12" under [entryPoints.https.tls].
```toml
# print only error messages
debug = false
logLevel = "ERROR"

# allow ingress traffic on port 80 and 443
# redirect traffic from port 80 to 443
defaultEntryPoints = ["https", "http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# retry a request when network errors appear; default 3 times
[retry]

# enable the traefik dashboard on port 8080
[api]

# let traefik discover new containers by their traefik labels on your docker host
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain-name.com"
watch = true
# only route containers that carry traefik.enable=true
exposedByDefault = false

# enable ACME to issue Let's Encrypt SSL certificates
[acme]
email = "firstname.lastname@example.org"
storage = "acme.json"
entryPoint = "https"
# request a certificate for every Host: rule traefik discovers
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```
To store the issued Let's Encrypt certificates on your host, create an empty file "acme.json" and restrict its permissions. The file holds the ACME account key and the private key of every certificate traefik obtains, so nobody but root should be able to read it.
sudo touch /opt/traefik/acme.json && sudo chmod 600 /opt/traefik/acme.json
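As an added example (not code from the post), the following shows what the acme.json that traefik 1.x writes looks like, checks that the file really is private, and pulls a certificate and key back out of it, which is handy when another service has to terminate TLS itself. The layout assumed is traefik 1.x's: an "Account" object plus a "Certificates" list whose "Certificate" and "Key" fields hold base64-encoded PEM. The email, domain and PEM bodies are constructed placeholders, not real key material.

```python
"""Added example: acme.json layout, permission check and certificate extraction.
All values are constructed placeholders; the file layout follows traefik 1.x."""

import base64
import json
import os
import stat
import tempfile

# Constructed PEM bodies; a real acme.json carries full certificates and keys.
_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n"
_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END RSA PRIVATE KEY-----\n"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def build_sample_acme() -> dict:
    """A minimal acme.json as traefik 1.x would leave it after one issuance (constructed)."""
    return {
        "Account": {
            "Email": "firstname.lastname@example.org",
            "Registration": {},
            "PrivateKey": _b64("constructed account key"),
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "Domain": {"Main": "felixwiedmann.de", "SANs": None},
                "Certificate": _b64(_CERT_PEM),
                "Key": _b64(_KEY_PEM),
            }
        ],
        "HTTPChallenges": {},
    }


def write_acme(path: str, data: dict) -> None:
    """Create the store with mode 0600 from the start (what `touch && chmod 600` achieves)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask, so enforce it explicitly


def is_private(path: str) -> bool:
    """True only if neither group nor others hold any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def extract_pair(data: dict, domain: str):
    """Return (certificate_pem, key_pem) for a domain covered by an entry, or None."""
    for entry in data.get("Certificates") or []:
        names = [entry["Domain"]["Main"]] + list(entry["Domain"].get("SANs") or [])
        if domain.lower() in (n.lower() for n in names):
            cert = base64.b64decode(entry["Certificate"]).decode()
            key = base64.b64decode(entry["Key"]).decode()
            return cert, key
    return None


def demo() -> dict:
    """Write the sample store two ways and report what the checks say."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "acme.json")
        write_acme(good, build_sample_acme())

        # What a plain `touch acme.json` under the usual umask gives you: world-readable.
        loose = os.path.join(workdir, "acme-loose.json")
        with open(loose, "w") as fh:
            json.dump(build_sample_acme(), fh)
        os.chmod(loose, 0o644)

        with open(good) as fh:
            store = json.load(fh)
        pair = extract_pair(store, "felixwiedmann.de")
        return {
            "good_is_private": is_private(good),
            "loose_is_private": is_private(loose),
            "cert_is_pem": pair is not None and pair[0].startswith("-----BEGIN CERTIFICATE-----"),
            "key_is_pem": pair is not None and "PRIVATE KEY" in pair[1],
            "unknown_domain": extract_pair(store, "grafana.felixwiedmann.de"),
        }


if __name__ == "__main__":
    print(demo())
```

The same `is_private` check is worth running from a cron job or a health script: a later `docker cp`, backup restore or editor save can silently widen the mode again, and traefik 1.7 only complains about loose permissions at startup.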
4. Route & issue SSL certificates
To create a new routing rule and have certificates issued automatically, you pass the Docker container some traefik labels. Traefik discovers those labels and reconfigures itself. Because exposedByDefault is false, nothing is routed until traefik.enable=true is set, and the port label must name the port the service listens on inside the container (2368 for the Ghost image); traefik connects to that port on the container's address in the "web" network, so no host port needs to be published.
```yaml
version: "2"
services:
  ghost:
    image: ghost:2.10.0
    container_name: ghost-blog-felixwiedmann
    restart: always
    # put the container in the traefik network
    networks:
      - web
    expose:
      - 2368
    environment:
      - url=https://felixwiedmann.de
    volumes:
      - "/opt/ghost/data:/var/lib/ghost/content"
    labels:
      # 1. set the docker network traefik should use to reach this container
      # 2. allow traefik to use this container (needed because exposedByDefault = false)
      # 3. route all requests with the host header "felixwiedmann.de" to this service;
      #    Host is also used to issue an SSL certificate for the given domain name
      # 4. the port the service listens on inside the container (Ghost listens on 2368)
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:felixwiedmann.de"
      - "traefik.basic.port=2368"
      - "traefik.basic.protocol=http"

networks:
  web:
    external: true
```
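To predict what a label set will do before deploying it, here is an added example (not code from the post and not traefik's own implementation) that models how traefik 1.7 turns Docker labels into routes. It follows the three settings this setup relies on: exposedByDefault = false, the Host: frontend rule and the traefik.<segment>.port label, and it flags the classic mistake of a port label that does not match what the image exposes. The container names, IPs and labels are constructed sample data, and the fallback to a single exposed port is a simplification of traefik's behaviour.

```python
"""Added example: a small model of traefik 1.7 Docker label discovery.
Containers, IPs and labels are constructed; the port fallback is simplified."""

from typing import Optional

EXPOSED_BY_DEFAULT = False  # matches `exposedByDefault = false` in traefik.toml


def is_exposed(labels: dict) -> bool:
    """Does traefik build a backend for this container at all?"""
    flag = labels.get("traefik.enable")
    if flag is None:
        return EXPOSED_BY_DEFAULT
    return flag.strip().lower() == "true"


def parse_host_rule(rule: str) -> list:
    """'Host:a.example, b.example' -> ['a.example', 'b.example']; hostnames are case-insensitive."""
    kind, sep, value = rule.partition(":")
    if not sep or kind.strip() != "Host":
        raise ValueError(f"only Host rules are modelled here, got {rule!r}")
    hosts = [h.strip().lower() for h in value.split(",") if h.strip()]
    if not hosts:
        raise ValueError(f"empty Host rule: {rule!r}")
    return hosts


def routes_for(container: dict) -> dict:
    """Map each hostname the container claims to the backend URL traefik would dial."""
    labels = container["labels"]
    if not is_exposed(labels):
        return {}
    routes = {}
    for key, rule in labels.items():
        parts = key.split(".")
        if len(parts) != 4 or parts[0] != "traefik" or parts[2:] != ["frontend", "rule"]:
            continue  # only traefik.<segment>.frontend.rule labels define a frontend here
        segment = parts[1]
        port = labels.get(f"traefik.{segment}.port")
        if port is None:
            exposed = container.get("exposed_ports") or []
            if len(exposed) != 1:  # simplified: without a label, one exposed port is required
                raise ValueError(f"{container['name']}: no traefik.{segment}.port and no single exposed port")
            port = exposed[0]
        protocol = labels.get(f"traefik.{segment}.protocol", "http")
        backend = f"{protocol}://{container['ip']}:{port}"
        for host in parse_host_rule(rule):
            routes[host] = backend
    return routes


def route_request(containers: list, host_header: str) -> Optional[str]:
    """Pick the backend for an incoming request from its Host header (port suffix ignored)."""
    host = host_header.split(":")[0].strip().lower()
    for container in containers:
        backend = routes_for(container).get(host)
        if backend:
            return backend
    return None


def port_mismatches(containers: list) -> list:
    """Names of containers whose traefik.<segment>.port is not a port the image exposes."""
    bad = []
    for container in containers:
        exposed = {str(p) for p in container.get("exposed_ports") or []}
        for key, value in container["labels"].items():
            parts = key.split(".")
            if len(parts) == 3 and parts[0] == "traefik" and parts[2] == "port" and value not in exposed:
                bad.append(container["name"])
                break
    return bad


# Constructed sample inventory, roughly what `docker inspect` would show on the "web" network.
SAMPLE_CONTAINERS = [
    {"name": "ghost-blog", "ip": "172.18.0.3", "exposed_ports": [2368],  # the blog from the post
     "labels": {"traefik.docker.network": "web", "traefik.enable": "true",
                "traefik.basic.frontend.rule": "Host:felixwiedmann.de",
                "traefik.basic.port": "2368", "traefik.basic.protocol": "http"}},
    {"name": "grafana", "ip": "172.18.0.4", "exposed_ports": [3000],  # subdomain, no port label
     "labels": {"traefik.enable": "true",
                "traefik.grafana.frontend.rule": "Host:grafana.felixwiedmann.de"}},
    {"name": "postgres", "ip": "172.18.0.5", "exposed_ports": [5432],  # no traefik.enable: private
     "labels": {"traefik.db.frontend.rule": "Host:db.felixwiedmann.de", "traefik.db.port": "5432"}},
    {"name": "broken", "ip": "172.18.0.6", "exposed_ports": [2368],  # label port != image port
     "labels": {"traefik.enable": "true",
                "traefik.basic.frontend.rule": "Host:broken.felixwiedmann.de",
                "traefik.basic.port": "9000"}},
]

if __name__ == "__main__":
    for name in ("felixwiedmann.de", "grafana.felixwiedmann.de", "db.felixwiedmann.de"):
        print(name, "->", route_request(SAMPLE_CONTAINERS, name))
    print("port mismatches:", port_mismatches(SAMPLE_CONTAINERS))
```

The "postgres" entry is the case the "web" network and exposedByDefault = false are there for: a Host rule on its own does nothing, and the "broken" entry shows why the port label must agree with what the image exposes, since traefik will happily create the route and then fail on every request.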
With traefik I am now able to expose several services over different domains with TLS. It was easy as pie to set up traefik with this configuration, and I can recommend that everyone give traefik a chance alongside Apache and nginx.