First Post

Here is where it all starts...

For this site I decided to play with Ghost. It is a Node.js-based blogging engine with a template-based theming engine. To make the install easier and more manageable, I use a Ghost Docker container with a Traefik Docker container as a reverse proxy in front of it. Traefik also gives me the out-of-the-box opportunity to use Let's Encrypt to secure the site.

Because I plan to host more containers, I decided to use docker-compose to see if that helps with the management of the various 'apps'.

Config

The docker-compose.yaml:

version: '3'

####
# services

services:

  traefik: # reverse proxy
    hostname: traefik
    image: traefik:alpine
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:dalmore.${MYDOMAIN}; PathPrefixStrip: /traefik"
      - "traefik.port=8080" 
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DOCKERDIR}/traefik:/etc/traefik
      - ${DOCKERDIR}/shared:/shared

  pascal: # ghost blog
    image: ghost:2-alpine
    networks:
      - traefik_proxy
    environment:
      - url=https://pascal.${MYDOMAIN}
    volumes:
      - ${DOCKERDIR}/mainghost:/var/lib/ghost/content
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:pascal.${MYDOMAIN}"
      - "traefik.backend=pascal"

And a traefik.toml to automatically use Let's Encrypt:

logLevel = "INFO" # DEBUG, INFO, WARN, ERROR, FATAL, PANIC
defaultEntryPoints = [ "http", "https" ]

#[api]
[web]
address = ":8080"
  [web.auth.basic]
  usersFile = "/shared/.htpasswd"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

[acme]
email = "le@kolyn.nl"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
#caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[acme.httpChallenge]
entryPoint = "http"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "kolyn.nl"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

The [acme] block enables Let's Encrypt. The important part is onHostRule = true: this creates a certificate for every traefik.frontend.rule as read from the Docker daemon. With exposedbydefault = false, Traefik only exposes Docker containers that are labeled with traefik.enable. The rest is magic....
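To check before deploying which containers end up routed and which host names a certificate will be requested for, the label logic described above can be modelled in a few lines. This is an added example, not part of the original post or of Traefik itself; the function names, the "db" service and the example.test domain are assumptions made for illustration, and a routed service without an explicit frontend rule is listed with no hosts because Traefik's default rule is not modelled.

```python
from string import Template

# Labels copied from the docker-compose.yaml above; "db" is a constructed
# service without traefik.enable, added to show the default-deny case.
SERVICES = {
    "traefik": [
        "traefik.enable=true",
        "traefik.frontend.rule=Host:dalmore.${MYDOMAIN}; PathPrefixStrip: /traefik",
    ],
    "pascal": ["traefik.enable=true", "traefik.frontend.rule=Host:pascal.${MYDOMAIN}"],
    "db": ["traefik.frontend.rule=Host:db.${MYDOMAIN}"],
}

def parse_labels(labels, env):
    """Turn 'key=value' label strings into a dict, expanding ${VAR} as compose does."""
    parsed = {}
    for item in labels:
        key, _, value = item.partition("=")
        parsed[key.strip()] = Template(value).safe_substitute(env).strip()
    return parsed

def rule_hosts(rule):
    """Host names in a Traefik 1.x rule, e.g. 'Host:a,b; PathPrefixStrip: /x'."""
    hosts = []
    for matcher in rule.split(";"):
        name, _, arg = matcher.partition(":")
        if name.strip().lower() == "host":
            hosts.extend(h.strip() for h in arg.split(",") if h.strip())
    return hosts

def exposed_hosts(services, env, exposed_by_default=False):
    """Map each service Traefik would route to the hosts in its frontend rule."""
    result = {}
    for name, labels in services.items():
        parsed = parse_labels(labels, env)
        flag = parsed.get("traefik.enable")
        # No label at all: fall back to the exposedbydefault setting.
        enabled = exposed_by_default if flag is None else flag.lower() == "true"
        if enabled:
            result[name] = rule_hosts(parsed.get("traefik.frontend.rule", ""))
    return result

def acme_domains(services, env, exposed_by_default=False):
    """With onHostRule = true, each routed Host is a name a certificate is requested for."""
    routed = exposed_hosts(services, env, exposed_by_default)
    return sorted({h for hosts in routed.values() for h in hosts})

if __name__ == "__main__":
    print(acme_domains(SERVICES, {"MYDOMAIN": "example.test"}))
```

Running it with exposed_by_default=True shows what flipping that one setting would do: the unlabeled "db" service becomes routed and gets a certificate request of its own.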

Usage

You can start it all up in the background (-d):

$ docker-compose up -d

If you omit the -d, you can see the logs of the various containers in your terminal, but if you close the terminal the containers stop; handy for debugging. Otherwise use the -d, and you can still view the logs:

$ docker-compose logs -f

or just the logs for the traefik 'service':

$ docker-compose logs -f traefik