Differences

This shows the differences between two versions of the page.


content:serverbasics:docker-caddy [2024/01/08 19:26] – created by Daniel
content:serverbasics:docker-caddy [2024/01/18 14:45] (current) – [Create Caddy Yaml] Daniel
Line 11: Line 11:
 ===== DNS- Records ===== ===== DNS- Records =====
  
-You will also need a domainname like ''my.domain.tld'' and hostnames, that are resolvable for each service, so that ''service.my.domain.tld'' can be resolved from out of - and in the internet to point to your Server. If you do not have them already, this is how to get them.+You will also need a domainname like ''my.domain.tld'' and hostnames, that are resolvable for each service, so that ''service.my.domain.tld'' can be resolved from out of - and in the internet to point to your Server. If you do not have them already, read further, which descripbes how to get them. 
 + 
 ==== Register some Domain ==== ==== Register some Domain ====
  
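Review bot: typo in the edited sentence of this hunk: "descripbes" should be "describes". The rest of the sentence also reads awkwardly ("hostnames, that are resolvable", "from out of - and in the internet"); suggest "and hostnames that resolve for each service, so that ''service.my.domain.tld'' resolves to your server from both inside and outside your network. If you do not have them yet, read on; the following describes how to get them."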
Line 20: Line 22:
 ==== Define services ==== ==== Define services ====
  
-After that, create an A-Name record (or AAAA- Name for ipv6) per service without specifying the ip, som that the dynamic ip of the domain will be taken.+After that, create an A-Name record (or AAAA- Name for ipv6) per service without specifying the ip, som that the dynamic ip of the domain will be taken. Only paste the servicename, dynv6 will automagically append your domain (service → service.my.domain.tld) 
 + 
 +In our example this would be nice:
  
 +''portainer'' → ''portainer.my.domain.tld''
 ===== Create Caddy Yaml ===== ===== Create Caddy Yaml =====
  
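Review bot: "som that" on the A-record line should be "so that", and the appended dynv6 sentence ("Only paste the servicename, dynv6 will automagically append your domain ...") is missing its final full stop. The new lead-in "In our example this would be nice:" reads oddly before the ''portainer'' → ''portainer.my.domain.tld'' line; suggest "In our example that would be:". It would also help the reader to say explicitly that a record with an empty address inherits the dynamic IP of the parent dynv6 zone, which is the reason for leaving the IP out.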
Line 30: Line 35:
 For me, this would be ''mkdir /srv/docker-compose/caddy'' \\ For me, this would be ''mkdir /srv/docker-compose/caddy'' \\
 Change to that directory and create the following docker-compose.yml file in it, putting in the following: Change to that directory and create the following docker-compose.yml file in it, putting in the following:
-<file> 
  
 +<file>
 version: "3.8" version: "3.8"
  
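Review bot: moving the `<file>` opener below the blank line fixes the fence, but the sentence above it still says "create the following docker-compose.yml file in it, putting in the following", which uses "following" twice; suggest "Change to that directory and create a docker-compose.yml file in it with this content:". Since DokuWiki's file syntax takes a language and a filename, `<file yaml docker-compose.yml>` would show the intended filename on the box and give YAML highlighting.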
Line 48: Line 53:
     cap_add:     cap_add:
       - NET_ADMIN       - NET_ADMIN
-initially i wanted to make networkmode host to acces ports on locahost directly +    healthcheck: 
-it turned out not to work in rootless- mode for security reasons +      test: "wget --no-verbose --tries=1 --spider https://www.servername.domainname.tld || exit 1" 
-so don't use host- mode. to access local services take the hostname directly, maybe define it static and add it to /etc/hosts +      interval: "60s" 
-e.g. pcserver:9000 - mind, that the port must be pubilshed by the other containers to the host +      timeout: "3s" 
-# NOT localhost:9000 - this is prevented by docker in rootless- mode !+      start_period: "5s" 
 +      retries: 3 
 +Be sure, that docker daemon has access to unprivileged ports (beneath 1024) 
 +This can be archived by: 
 +setcap cap_net_bind_service=+ep /usr/bin/rootlesskit 
 +
 +# To access local servicestake the hostname directly, maybe define it static and add it to /etc/hosts on the host 
 +Mind, that the ports must be pubilshed by the other containers to the host via ports or expose, or add them to the network 
 +e.g. pcserver:9000 !!! NOT: !!! localhost:9000 - this is prevented by docker in rootless- mode 
 +#Do NOT use networkmode: "host", this will fail (Acme: Connection refused)!
 #    network_mode: "host" #    network_mode: "host"
-# set /etc/sysctl.conf to allow Port 80 and 443 with 
-# net.ipv4.ip_unprivileged_port_start = 80 
-# net.ipv4.ip_unprivileged_port_start = 443 
     ports:     ports:
       - "80:80"       - "80:80"
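Review bot: the explanatory lines added inside the compose block, from "Be sure, that docker daemon has access to unprivileged ports" down to "e.g. pcserver:9000 !!! NOT: !!! localhost:9000", are not prefixed with `#`, so a reader who copies the block gets a docker-compose.yml that is not valid YAML; either comment every one of those lines with `#` or move the explanation into prose above or below the `<file>` block. On the healthcheck: `test: "wget --no-verbose --tries=1 --spider https://www.servername.domainname.tld || exit 1"` uses a hostname that does not match the `my.domain.tld` naming used on the rest of the page (e.g. portainer.my.domain.tld), and it relies on the wget inside the Caddy image accepting those long options, which should be verified, since a BusyBox wget supports only a subset of GNU wget's flags. On the privileged-port fix: "beneath 1024" should read "below 1024" and "archived" should be "achieved"; after `setcap cap_net_bind_service=+ep /usr/bin/rootlesskit` the rootless daemon has to be restarted (`systemctl --user restart docker`) before it can bind 80 and 443, and the removed sysctl alternative `net.ipv4.ip_unprivileged_port_start = 80` is still a valid second option worth keeping (one value is enough, since 80 covers 443; the duplicated `= 443` line was redundant). Remaining typos in the hunk: "servicestake" → "services take", "pubilshed" → "published".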
Line 89: Line 100:
  
 </file> </file>
 +
 +Also, check that your Firewall has those Ports open on your hosts and that Port Forwarding in your Router is enabled for ipv4 and for ipv6 that the host+ports are not blocked.
 +
 +
 ===== Caddy Configuration ===== ===== Caddy Configuration =====
  
 if you omit the Caddyfile, the server will already work, but we can directly Skip those tests and create the file ''Caddyfile'' in that folder too with the following content: if you omit the Caddyfile, the server will already work, but we can directly Skip those tests and create the file ''Caddyfile'' in that folder too with the following content:
 <file> <file>
-https://portainer.obel1x.dynv6.net:443 {+https://portainer.my.domain.tld:443 {
         header Strict-Transport-Security max-age=31536000;         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy pcserver2023:9000+        reverse_proxy mylocalhostname:9000
 } }
  
 </file> </file>
 +
 +replace //mylocalhostname// with your actual hostname (can be found out by calling hostname in your terminal).
 +
 +Don't use localhost - see above. If you do not have a clue which hostname you have, better specify some fixed one which you can freely chose and edit ''/etc/hosts'' to have that name point to your local ip.
 +
 +
 +===== Fetch and run the Caddy Container =====
 +
 +Thats all - use ''docker-compose up -d'' to start your container. In the Container- Logs you will see Caddy automagically create SSL- Certificates from lets encrypt if everything was setup the right way. Caddy will take care of renewal without the need to configure anything.
 +
 +You now have a powerful proxy, that can transparently deliver your Dockers to the world with SSL- encryption enabled.
  
  
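Review bot: the Caddyfile change to `reverse_proxy mylocalhostname:9000`, combined with the advice to add that name to the host's ''/etc/hosts'', needs a caveat: Docker generates the container's own ''/etc/hosts'' rather than copying the host's, so the name only resolves inside the Caddy container if a DNS server the container can reach answers for it; the dependable way to inject it is `extra_hosts:` in the caddy service of the compose file, or, cleaner still, put Portainer and Caddy on a shared Docker network and proxy to the service name, which also avoids publishing Portainer's port 9000 on the host where it is reachable on the LAN without TLS. Wording in the same hunk: "for ipv6 that the host+ports are not blocked" is hard to parse, suggest "and, for IPv6, that your firewall does not block the host and ports"; "replace //mylocalhostname//" should start with a capital letter and "can be found out by calling hostname in your terminal" reads better as "find it with the ''hostname'' command"; "chose" → "choose"; "Thats all" → "That's all"; "SSL- Certificates from lets encrypt" → "TLS certificates from Let's Encrypt". The `:443` in `https://portainer.my.domain.tld:443` is redundant because an https:// site address already defaults to 443; harmless, but it can be dropped.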
 • content/serverbasics/docker-caddy.1704741977.txt.gz
 • Last modified: 2024/01/08 19:26
 • by Daniel