Traefik + Let’sEncrypt + Ghost + MariaDB + WordPress

We take for granted that docker + docker-compose are already installed.

TRAEFIK
1) Install Traefik https://jonnev.se/traefik-with-docker-and-lets-encrypt/

Setup

This is based on the official guide but with a few additions. I will show you how to add the web dashboard and API – protected by Basic Auth – mostly because it’s fun. If you have no use for it or believe it to be unsafe, you can skip that part.

First start with creating a network for your web-facing containers to connect to.

docker network create web

Then we create a directory and the necessary files, as sudo if needed.

sudo su
mkdir -p /opt/traefik
touch /opt/traefik/docker-compose.yml
touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
touch /opt/traefik/traefik.toml

Now let’s add our docker-compose…

mcedit /opt/traefik/docker-compose.yml

version: '2'

services:
  proxy:
    image: traefik:v1.7.12-alpine
    command: --configFile=/traefik.toml
    restart: unless-stopped
    networks:
      - web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The Docker socket is what lets Traefik read container labels, but it
      # also gives this container full control of the Docker daemon
      # (root-equivalent on the host), so keep the proxy container minimal.
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    # REMOVE this section if you don't want the dashboard/API.
    # These labels publish Traefik's own API entrypoint (port 8080) on the
    # Host below; anyone who can reach it gets the dashboard until the
    # Basic auth step further down is applied.
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:example.com"
      - "traefik.port=8080"

networks:
  web:
    external: true

☝️ Remember to replace example.com in traefik.frontend.rule if you keep the API.

… and the config for Traefik…

mcedit /opt/traefik/traefik.toml

# Change this if needed
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
    address = ":443"
  [entryPoints.https.tls]

# REMOVE this section if you don't want the dashboard/API
# "api" refers to the [entryPoints.api] block (port 8080) that the Basic auth
# step below adds; until that block carries auth the dashboard is unauthenticated.
[api]
entryPoint = "api"
dashboard = true

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain"
watch = true
# I prefer to expose my containers explicitly
exposedbydefault = false

[acme]
email = "myemail"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"

☝️ Add your domain and email under [docker] and [acme], respectively.

… and we should be good to go!

cd /opt/traefik/
docker-compose up -d

Check the logs (docker-compose logs) and head to your configured domain and you should see something like this (screenshot was taken a few versions back, it’s been redesigned).

[Screenshot: the Traefik dashboard]

Basic auth

Since we have exposed the API of Traefik we’d like to have some authentication. Basic auth is supported so let’s add that. Run this for the username you want – for example admin – and enter your password.

sudo apt install apache2-utils
htpasswd -n username

Here’s what I got for admin/admin.

admin:$apr1$IBj9Hfsd$kf7vXLpY4/9XD365jcp/n1

Now that line needs to go into traefik.toml, but for it to work every $ sign has to be escaped with another $.
Add this to the [entryPoints] section…

  [entryPoints.api]
    address = ":8080"
    [entryPoints.api.auth]
     [entryPoints.api.auth.basic]
       users = [
         "admin:$$apr1$$IBj9Hfsd$$kf7vXLpY4/9XD365jcp/n1"
       ]

Now stop and rebuild your service…

docker-compose stop
docker-compose up -d

…and you should have basic auth!

Add a container

Now of course, to have any use for this we need a container! Why not a blog with Ghost?

Create a directory and a docker-compose.yml; remember to change the domain and add the hostname to your DNS!

mkdir -p /opt/ghost
mcedit /opt/ghost/docker-compose.yml
version: '2'
services:
  server:
    image: ghost:alpine
    container_name: ghost
    restart: unless-stopped
    networks:
      - web
    labels:
      # This one is important since we default to not expose
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:blog.example.com"
      - "traefik.port=2368"
      - "traefik.docker.network=web"
    volumes:
      - /opt/ghost/blog:/var/lib/ghost/content
    environment:
      - NODE_ENV=production
      - url=https://blog.example.com

networks:
  web:
    external: true

Run the usual docker-compose up -d and voilà, the blog is up with SSL/TLS and all, pure magic.


WordPress:
Only step 3 (the docker-compose.yml) of
https://openwebinars.net/blog/instalacion-de-wordpress-con-docker-compose/ applies here, but it has to be modified a bit.

Below are the various docker-compose.yml files.

root@3d:/opt/traefik# cat docker-compose.yml
version: '2'
services:
  db:
#    image: mysql:latest
    image: linuxserver/mariadb
    volumes:
#      - "./.data/db:/var/lib/mysql"
      - "/opt/wordpress/mysql:/var/lib/mysql"
    restart: always
    networks:
      - web
    # No traefik labels and exposedbydefault = false, so the database is never
    # published through the proxy; only containers on the web network reach it.
    environment:
      MYSQL_ROOT_PASSWORD: PASSWORD
      MYSQL_DATABASE: WordPress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: PASSWORD

  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    links:
      - db
    # This publishes WordPress over plain HTTP on host port 1080, bypassing
    # Traefik and its TLS; drop it if the site should only be reachable via the proxy.
    ports:
      - "1080:80"
    restart: always
    networks:
      - web
    labels:
      # This one is important since we default to not expose
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:isla1.tormentasolar.win"
      - "traefik.docker.network=web"
    volumes:
      - "/opt/wordpress/WP:/var/www/html"
    environment:
      WORDPRESS_DB_HOST: db:3306
      # Connect as the limited wordpress user (the image defaults to root) and
      # name the database exactly as created above (MariaDB on Linux is case sensitive).
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: PASSWORD
      WORDPRESS_DB_NAME: WordPress

networks:
  web:
    external: true

root@3d:/opt/ghost# cat docker-compose.yml
version: '2'
services:
  server:
    image: ghost:alpine
    container_name: ghost
    restart: unless-stopped
    networks:
      - web
    labels:
      # This one is important since we default to not expose
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:WWW.TUDOMINIO.ORG"
      - "traefik.port=2368"
      - "traefik.docker.network=web"
    volumes:
      - /opt/ghost/blog:/var/lib/ghost/content
    environment:
      - NODE_ENV=production
      - url=https://WWW.TUDOMINIO.ORG

networks:
  web:
    external: true

root@3d:/opt/wordpress# cat docker-compose.yml
version: '2'
services:
  db:
    image: mariadb:latest
    volumes:
      # Only one volume can be mounted at /var/lib/mysql; the relative ./.data/db
      # line from the original guide is disabled in favour of the absolute path.
#      - "./.data/db:/var/lib/mysql"
      - "/opt/wordpress/mariadb:/var/lib/mysql"
    restart: always
    networks:
      - web
    environment:
      MYSQL_ROOT_PASSWORD: PASSWD
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: PASSWD

  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    links:
      - db
    # This publishes WordPress over plain HTTP on host port 8000, bypassing
    # Traefik and its TLS; drop it if the site should only be reachable via the proxy.
    ports:
      - "8000:80"
    restart: always
    networks:
      - web
    labels:
      # This one is important since we default to not expose
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:WWW2.TUDOMINIO.ORG"
      - "traefik.docker.network=web"
    volumes:
      - "/opt/wordpress/WP:/var/www/html"
    environment:
      WORDPRESS_DB_HOST: db:3306
      # Connect as the limited wordpress user (the image defaults to root).
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: PASSWD
      WORDPRESS_DB_NAME: wordpress

networks:
  web:
    external: true

If I have understood correctly, the main domain, for example midominio.org, has to point at Traefik so that it can use a common SSL certificate for all the subdomains.
Then several subdomains can be set up with the applications we are interested in. This could be a problem if we want people to reach our website by typing either https://midominio.org or https://www.midominio.org. I still have to solve this.

Another open question is whether Traefik can reverse-proxy other domains as well, for example «mi-otro-dominio.com» and «mysite.org» at the same time.
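Added example, not from the original notes: one way to serve both the apex and the www host from the Ghost service above with Traefik 1.7 docker labels. A Host rule accepts several comma-separated names, and the traefik.frontend.redirect.* labels issue a permanent redirect from one to the other (the $$ is compose escaping for $1). midominio.org is the placeholder from the question; the same mechanism works for any other domain whose DNS points at this host, since Traefik only matches on the Host header.

```yaml
  server:
    image: ghost:alpine
    container_name: ghost
    restart: unless-stopped
    networks:
      - web
    labels:
      - "traefik.enable=true"
      # one frontend answers for both names; with OnHostRule = true the acme
      # section requests a certificate for them, so both must resolve to this host
      - "traefik.frontend.rule=Host:midominio.org,www.midominio.org"
      # send the bare domain to the www host with a 301, keeping the path
      - "traefik.frontend.redirect.regex=^https?://midominio.org/(.*)"
      - "traefik.frontend.redirect.replacement=https://www.midominio.org/$$1"
      - "traefik.frontend.redirect.permanent=true"
      - "traefik.port=2368"
      - "traefik.docker.network=web"
    volumes:
      - /opt/ghost/blog:/var/lib/ghost/content
    environment:
      - NODE_ENV=production
      - url=https://www.midominio.org
```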
