OMV, Docker, Portainer, Traefik, LetsEncrypt, Fail2ban and Google oAuth

ptruman · 8. August 2020

Hi all

As I've mentioned on and off, I've recently migrated off my old HP N54L to an HP Gen8 Microserver - and upgraded to OpenMediaVault 5 (having used 3 & 4) at the same time.

I wanted to leverage Docker a hell of a lot more - and when I found OMV5 came with Portainer, I went down a rabbit hole and pulled together this guide, as some of the other ones I found were missing some bits of useful info (Traefik config etc) or didn't pull it all together.

It's not a short post, but I hope it's of use to some!

https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

I'm migrating my V1 Google Site to V2, so articles will start coming across there shortly

tinh_x7 · 9. August 2020

Traefik is too much work.

I migrated from Traefik to Caddy, it's easier.

ptruman · 9. August 2020

Caddy seems a bit web specific, and I'm using HTTP, TCP and UDP routing in Traefik now, all with no bother

davidh2k · 10. August 2020

The traefik learning curve can be high at first. Even I had to wrap my head around it for quite some time. But when you have it set up, its a breeze. Cert management at its best, especcially when you use the DNS authentication, which is superb, especially for your typical broadband connection with dynamic IP assignment.

Edit: Scrolling through the guide a bit. You can use

mkdir -p /path/to/new/folders

instead of

mkdir /path/to/new

mkdir /path/to/new/folder

Zitat

It's important to add that LetsEncrypt only supports wildcard domains (i.e. *.yourdomain.com) - and if you have (or plan on having) many containers, and you want to reference them by machine name, ala container.yourdomain.com - you will need wildcards - and therefore you'll need a DNS provider that supports the LetsEncrypt ACME API.

That statement is not completely correct. Letsencrypt only allows for specific domains to be assigned with a cert- this includes subdomains in particular. - So I wouldn't write *.yourdomain.com but rather something like service1.yourdomain.com. However, you are right that you actually want to use wildcard certs *.yourdomain.com you need to use DNS authentication.

Zitat

There is a comprehensive (and growing) list of eligible DNS providers - but it's important to stress that while the Traefik website may list your provider, that provider may be linked to a specific version of LEGO - which Traefik may not have included in a release yet. It's worth checking the LEGO release page for your provider and then checking if that version of LEGO is included in Traefik via the Traefik release page. One reason this article took a while to write was that the author needed support for their DNS provider - LEGO supported it, but that LEGO version wasn't in Traefik until 2.2.2.

Cloudflare served me well in that case on multiple servers/domains.

Zitat

Next up - consider running your containers within a subdomain - not as a subdomain. i.e. if you want to run ZoneMinder - consider zoneminder.yoursubdomain.yourdomain.com instead of zoneminder.yourdomain.com. This is for three reasons:

Security through obscurity. Can work but doesn't have to.

Zitat
Code
[global]

TOML vs YAML. Love it or hate it.

Zitat

Code

[entryPoints.websecure]
        address = ":443"    [entryPoints.web.http.redirections.entryPoint]

Now I'm jealous with my config beeing on 2.0 state.

Zitat

Code

# Uncomment the next line for using the ACME staging server
    # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

Be carefull using this. At least in 1.7 there was a bug that I encountered that made it so when switching from staging to prod, it renewed certs on every restart. Maybe throw away the acme.json content just to be sure afterwards.

Overall some good thoughts on the configuration.

Greetings

David

tinh_x7 · 10. August 2020

Traefik worked for me, but too much labels and it didn’t renew LetsEncrypt cert for me.

I asked for help on Traefik forum, but response. Caddy is a better option for me.

Nginx Proxy Manager seems like a popularity choice too.

ptruman · 10. August 2020

davidh2k - I've been ok with swapping in and out of staging, but have also scrapped acme.json once.

Given Google's (now formal) announcement today of killing Google Play Music and charging you to keep your screen off, I'll be speeding up my writeup of WireGuard under Docker and using JetAudio to have access to your library anywhere

davidh2k · 11. August 2020

Zitat von ptruman

davidh2k - I've been ok with swapping in and out of staging, but have also scrapped acme.json once.

Probably the bug was fixed with the 2.0 code base rewrite.

Zitat von ptruman

charging you to keep your screen off,

Well, the family plan is cheap in india...

Zitat von ptruman

using JetAudio

Never heard of it. Why no something around Lidarr and Subsonic etc.?

Greetings

David

Zitat von tinh_x7

I asked for help on Traefik forum, but response. Caddy is a better option for me.

What ever that suits you best is good.

Zitat von tinh_x7

Traefik worked for me, but too much labels

I can understand the "too much labels" part, since I have to use labels too, since traefik otherwise would use the stack name as subdomain and the service as sub-subdomain. This is especcially true for 2.x since you now have to use more labels. But I gotta be honest, once you got the hang of it, it's just copy and paste from config A to B.

Greetings

David

Jetzt mitmachen!