Okay, my blog is up and running. It runs in a Docker container on one of my Raspberry Pis in the lumber room. To make the blog felixwiedmann.de accessible from the WWW, I configured DynDNS. For testing, I configured a simple port-forwarding rule on my router to the Raspberry Pi host.

At this moment I am not comfortable with this setup for the following reasons:

  1. I cannot host several subdomains for my other services (Grafana, k8s-Dashboard, ..)
  2. I don't want to manually issue certificates for all my domains

traefik

To solve these problems I chose traefik because it is very easy to set up! Traefik comes with Docker and Kubernetes support. For my use case I installed traefik on my docker-host.

1. docker network

For security reasons, I created a new docker network named "web". Only services on my docker-host that are supposed to face the internet are located here.

docker network create web

2. docker-compose.yaml

I wrote a docker-compose.yaml for traefik to have a better overview of the configuration itself.

version: '2'

services:
  traefik:
    image: traefik:1.7.7
    restart: always
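    ports:
      - 80:80
      - 443:443
      # 8080 serves the traefik dashboard ([api] in traefik.toml) without authentication;
      # keep it reachable from the local network only and do not forward it on the router
      - 8080:8080
    networks:
      - web
    volumes:
      # traefik needs the docker socket to discover new containers on your docker-host;
      # access to this socket is equivalent to root on the host
      - /var/run/docker.sock:/var/run/docker.sock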
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    container_name: traefik
networks:
  web:
    external: true

3. traefik.toml & Let's Encrypt

The traefik.toml is the configuration file of your traefik. Each '[KEYWORD]' in brackets enables the corresponding feature. I wrote this toml based on the official traefik documentation.

# print only error messages 
debug = false

logLevel = "ERROR"

# allow ingress traffic on port 80 and 443
# redirect traffic from port 80 to 443
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# retry requests when network errors appear; default 3 times
[retry]

# enable traefik dashboard on port 8080
[api]

# enable traefik to discover new containers by their traefik labels on your docker host
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "your-domain-name.com"
watch = true
exposedByDefault = false

# enable the acme to issue Let's Encrypt SSL-Certificates
[acme]
email = "foo@your-domain-name.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
    entryPoint = "http"

4. acme.json

To store your issued Let's Encrypt SSL certificates on your host, you have to create a new file "acme.json" and set the right permissions. The file also holds the private keys, so only its owner should be able to read it.

sudo touch /opt/traefik/acme.json && sudo chmod 600 /opt/traefik/acme.json

Route & issue SSL-Certificates

To create a new routing rule and automatically issue SSL certificates, you have to give your Docker container some traefik labels. Traefik discovers those labels, and they trigger it to reconfigure itself.

version: "2"
services:
  ghost:
    image: ghost:2.10.0
    container_name: ghost-blog-felixwiedmann
    restart: always
    # put the container in the traefik network
    networks:
     - web
    expose: 
      - 2368
    environment: 
      - url=https://felixwiedmann.de
    volumes: 
      - "/opt/ghost/data:/var/lib/ghost/content"
    labels:
      # 1. Set the docker network traefik uses to reach this container
      # 2. Allow traefik to use this container
      # 3. Pass the hostname: all requests with the host header "felixwiedmann.de" are routed to this service
      #    Host is also used to issue an SSL certificate for the given domain name
      # 4. Set the port traefik uses to access your service (ghost listens on 2368, the port exposed above)
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.basic.frontend.rule=Host:felixwiedmann.de"
      - "traefik.basic.port=2368"
      - "traefik.basic.protocol=http"

networks:
  web:
    external: true
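
Because traefik reads its routing from container labels, a wrong label only shows up later as a gateway error or a missing certificate. The following check is an added example, not part of the original post or of traefik: it audits the labels described above against `docker inspect`-shaped records, and the container names, the `container` helper and the sample data are constructed for illustration.

```python
# Added example: static check of traefik 1.7 routing labels against `docker inspect` data.
# The sample containers below are constructed for illustration, not taken from a real host.

def container(name, ports, networks, labels):
    """Build the subset of a `docker inspect` record that the audit reads."""
    return {"Name": "/" + name,
            "Config": {"Labels": labels, "ExposedPorts": {p + "/tcp": {} for p in ports}},
            "NetworkSettings": {"Networks": {n: {} for n in networks}}}

SAMPLE = [
    container("blog-ok", ["2368"], ["web"], {
        "traefik.enable": "true", "traefik.docker.network": "web",
        "traefik.basic.frontend.rule": "Host:blog.example.org",
        "traefik.basic.port": "2368"}),
    container("blog-bad", ["2368"], ["default"], {
        "traefik.enable": "true", "traefik.docker.network": "web",
        "traefik.basic.port": "9000"}),
    container("database", ["5432"], ["default"], {}),  # not routed, must be ignored
]

def audit(containers, network="web"):
    """Return sorted (container, finding) pairs; an empty list means no issue found."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        labels = c["Config"].get("Labels") or {}
        if labels.get("traefik.enable", "").lower() != "true":
            continue  # exposedByDefault = false: traefik ignores this container
        exposed = {p.split("/")[0] for p in c["Config"].get("ExposedPorts") or {}}
        if network not in c["NetworkSettings"]["Networks"]:
            findings.append((name, "not attached to network " + network))
        if labels.get("traefik.docker.network") != network:
            findings.append((name, "traefik.docker.network is not " + network))
        for key, value in labels.items():
            # matches traefik.port and the segment form traefik.<segment>.port
            if key.startswith("traefik.") and key.endswith(".port") and value not in exposed:
                findings.append((name, key + "=" + value + " is not an exposed port"))
        if not any(k.endswith("frontend.rule") and "Host:" in v for k, v in labels.items()):
            findings.append((name, "no Host rule, so onHostRule requests no certificate"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name + ": " + finding)
```

On a real host the records come from parsing the JSON output of `docker inspect`. The exposed-port comparison is a heuristic, since a service can listen on a port its image does not declare.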

conclusion

With traefik I am now able to expose several services over different domains with SSL. It was easy as pie to set up traefik with this configuration, and I can recommend that everyone give traefik a chance next to apache and nginx.

happy hacking