brain initiation

20230607154727-traefik_docker.org

@@ -0,0 +1,144 @@
+:PROPERTIES:
+:ID:       90e3b8a2-b523-4044-af6f-fd4a559b2d7f
+:END:
+#+title:  traefik_docker
+#+filetags: :docker:
+
+Traefik is a reverse proxy for hosting various applications on [[id:80666401-173e-4828-9c29-552dab716946][dns]] entries.  It is run as a [[id:df046fd7-1f82-4e12-9065-56d222f56408][docker]] container on the communikation [[id:80a4104e-af18-4d90-a45e-2c92b51e8c0c][server w10]].  To host a container in reverse proxy mode, the *tags* feature of docker containers.  These tags have to be added to a container to uphost it.  Those tags declare which type of hosting is wanted and what service/router is to be used.  The traefik container needs access to [[id:f4bb4857-2112-4e10-a22e-6da1436ce7b7][port]] 80, 443 for hosting and port 8080 for the dashboard.
+
+* how to run traefik
+- create a ~traefik~ folder using ~mkdir~
+- create a ~treafik.yml~ file using ~touch traefik.yml~
+- insert the code as shown under the _traefik.yml_ heading into the ~traefik.yml~ file
+- crate a compose file or a stack using poertainer
+- insert the code as shown under the _docker-compose_ heading into the stack or the compse file
+- create a ~certs~ ([[id:e28dfeaa-876b-4255-a25e-dcc0c909d08a][certificate]]) folder inside your ~traefik~ folder
+- link all the folders into the docker compose or stack file as bind volumes (if you created the ~traefik~ folder in ~/home/<user>/~ than you just need to add in your user name)
+- add your email to the ~traefik.yml~ file
+- run the compose file
+- add the flags to your application container as shown under the heading _flags_
+- fill in the needed data
+- run the application container and check the logs
+- make sure the application and the proxy are in the same network
+- check the dashboard at port 8080 for more information
+  
+* traefik.yml file
+This file should be stored in the traefik home folder as specified in the.
+#+begin_src bash
+ global:
+  checkNewVersion: true
+  sendAnonymousUsage: false  # true by default
+
+# (Optional) Log information
+# ---
+# log:
+#  level: ERROR  # DEBUG, INFO, WARNING, ERROR, CRITICAL
+#   format: common  # common, json, logfmt
+#   filePath: /var/log/traefik/traefik.log
+
+# (Optional) Accesslog
+# ---
+# accesslog:
+  # format: common  # common, json, logfmt
+  # filePath: /var/log/traefik/access.log
+
+# (Optional) Enable API and Dashboard
+# ---
+api:
+  dashboard: true  # true by default
+  insecure: true  # Don't do this in production!
+
+# Entry Points configuration
+# ---
+entryPoints:
+  web:
+    address: :80
+    # (Optional) Redirect to HTTPS
+    # ---
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+
+  websecure:
+    address: :443
+
+# Configure your CertificateResolver here...
+# ---
+certificatesResolvers:
+   staging:
+     acme:
+       email: <email>
+       storage: /etc/traefik/certs/acme.json
+       caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+       httpChallenge:
+         entryPoint: web
+
+   production:
+     acme:
+       email: <email>
+       storage: /etc/traefik/certs/acme.json
+       caServer: "https://acme-v02.api.letsencrypt.org/directory"
+       httpChallenge:
+         entryPoint: web
+
+# (Optional) Overwrite Default Certificates
+# tls:
+#   stores:
+#     default:
+#       defaultCertificate:
+#         certFile: /etc/traefik/certs/cert.pem
+#         keyFile: /etc/traefik/certs/cert-key.pem
+# (Optional) Disable TLS version 1.0 and 1.1
+#   options:
+#     default:
+#       minVersion: VersionTLS12
+
+providers:
+  docker:
+    exposedByDefault: false  # Default is true
+  file:
+    # watch for dynamic configuration changes
+    directory: /etc/traefik
+    watch: true  
+#+end_src
+For more informationm on the secure [[id:bd5b34ba-aa98-4808-b97b-2376aa7b8866][protocol]]: [[id:872ee33b-8361-40c7-9d88-69b3afe5ade2][TLS]] and [[id:95c8982d-e104-43a2-9bb2-fd7e1c3204f2][SSL]]
+* Networks
+To host a service, this service has to be in the same [[id:9d04fac3-89ae-4a96-b326-9ae7e2c22118][docker-network]] as the the traefik proxy.  It doesn't matter if the service container is added to the traefik network or vice versa.  The default approach is to add all services to the ~traefik-relay~ network.  The Services themselfes can have other network for their supportive containers.  Those secondary containers should not be added to the traefik network, because this network is exposed to the internet.
+
+* Compose file
+This is the compose file that has to be run either manually or via the [[id:4afb1f41-983a-4b54-9828-a1e3788eb28b][portainer-docker]].
+#+begin_src bash
+ volumes:
+  traefik_ssl_certs:
+      driver: local
+
+services:
+  traefik:
+    image: traefik:v2.5
+    container_name: madrigal_traefik
+    ports:
+      - 80:80
+      - 443:443
+      - 8080:8080  # (optional) expose the dashboard !don't use in production!
+    volumes:
+      - /home/<user>/traefik:/etc/traefik
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_ssl_certs:/ssl-certs
+    restart: unless-stopped 
+#+end_src
+
+* Typical flags for containers
+Typical flags for hosting a container (under the labels section in a [[id:fcbfabfa-4a8c-4826-8b57-5dce05965c76][docker-compose]] file.
+#+begin_src bash
+ labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.<application router>.entrypoints=<entrypoint-s>" # as described in the traefik.yml (default web and/or websecure)
+      - "traefik.http.routers.<application router>.rule=Host(`<subdomain.domain-name.ending>`)"
+      - "traefik.http.routers.<application router>.tls=true" #if tls is wanted
+      - "traefik.http.routers.<application router>.tls.certresolver=<cert stage>" #as described in the traefik.yml file (default staging or production)
+      - "traefik.http.routers.<application router>.service=<name of service>"
+      - "traefik.http.services.<application router>.loadbalancer.server.port=<application port>"
+      - "traefik.docker.network=<traefik_relay network>"
+#+end_src