During setup for a new project of mine, I need to setup some infrastructure for host monitoring and a reverse proxy with auth. This all will be realized in docker to have as less dependencies as possible.
( 💭 Better name pending.... )
I will use that repository on linux based hosts und require a full docker and docker-compose installation on it. Instructions to install docker can be found here.
For redirecting the glances container metrics from localhost inside the container network a very new feature is used. This requires docker version > 20.10.0 to be installed.
🔒️ means its authenticated with a Google login and the email whitelist.
Public http port: 80
Public https port: 443
Traefik Dashboard (🔒️): https://<host>/traefik/dashboard/ (Don't forget the last slash)
Ping: https://<host>/ping
Dashboards (🔒️): https://<host>/grafana
The architecture includes Glances to monitor the system conditions. It offers a prometheus interface which will be scraped by (obviously) Prometeus. Which will be accessed by a Grafana installation, which is available from the outside. To allow access to the services included and others as well Traefik manages the http(s) ports.
In this template traefik authenticate the endpoints with the Google auth. (Should be GitHub Auth but thats not supporting whitelisting right now) So when accessing protected services the user is asked to login into their google account first.
As reverse proxy Traefik is used. With its label-based configuration it's easy to extend it to services outside of this repository.
With a little companion container traefik can protect any endpoint in an very easy way.
The auth middleware is named google-auth and can be used at any other endpoint.
When used the access needs to be authenticated to proceed.
The internal dashboard is secured by it as well as Grafana via the X-Forwarded-User header.
For Let's Encrypt certificates an email and a (sub)domain are required. Both need to be specified at the .env file.
If you don't want to use Let's encrypt remove all lines of the traefik service containing letsencrypt.
To include other docker container in the reverse proxy, make sure those container are in the proxy docker network.
Hint: when using in multiple docker-composes create a global network, otherwise die container can't communicate.
And add those labels to the running container (Code from grafana for example):
traefik.enable=true
traefik.http.routers.grafana.rule=PathPrefix(`/grafana`) # The rule needs to be adjusted to your needs. For more see https://doc.traefik.io/traefik/routing/routers/#rule
traefik.http.routers.grafana.entrypoints=websecure # This specifies that the container is available over the https entrypoint.
traefik.http.routers.grafana.middlewares=google-auth # This enables the forward authentication for the container. With it only authenticated users can access your service.
Don't forget to also change the routers name (part behind routers.).
If the other service is also executed by docker-compose it might make sense to use a docker-compose.override.yaml to set some additional changes to the existing file.
For example I show you one of mine:
version: '3'
services:
database:
networks:
- internal
scrapy-do:
ports:
- 7654
networks:
- internal
- proxy
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.scrapy.rule=Host(`some.host.xyz`)'
- 'traefik.http.routers.scrapy.priority=1'
- 'traefik.http.routers.scrapy.entrypoints=websecure'
- 'traefik.http.routers.scrapy.middlewares=google-auth,https-redirect'
- 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'
- 'traefik.http.middlewares.https-redirect.redirectscheme.permanent=true'
networks:
internal:
proxy:
external: true
Grafana will be provisioned with Prometeus and a basic dashboard to monitor the host system and all running docker container.
All the configuration for secrets and options is contained in a .env file at the repository root folder.
To start your config use the .env.sample file, which contains all the used properties.
The setup here will be provided without any security warranty. Make sure for yourself that everything is secured and whitelisted users have the correct rights.