As documented in the README's "Configuring wildcard SSL using DNS" section, the necessary pieces for DNS-01 ACME challenges to work are already baked into Traefik's recipe, though they were originally considered for provisioning wildcard certificates. Furthermore, in environments where the server is not exposed to the internet, the default HTTP-01 challenge mechanism doesn't work, so taking advantage of this alternative method makes complete sense.

This change causes ACME validations to always be done using DNS when LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is active. Without it, for standard certificate requests Traefik uses the HTTP-01 challenge method, which doesn't work on servers behind a firewall.

We should amend the related section in the [operators handbook](https://docs.coopcloud.tech/operators/handbook/#running-an-offline-coop-cloud-server) to make a note about the possibility of using DNS challenges in those scenarios as well.

* [x] I have deployed and tested my changes

  I tested this with both a server "exposed" to the internet and one behind a firewall. The first one continued to use the HTTP-01 challenge because no DNS-related settings were added to it, and the second one was successfully able to provision certificates (even though it's only reachable within the LAN).

* [x] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
* [x] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

Reviewed-on: #112
Co-authored-by: Luis Barrueco <yo@luisb.xyz>
Co-committed-by: Luis Barrueco <yo@luisb.xyz>
Traefik
- Maintainer: @p4u1, @decentral1se, @javielico, Local-IT: @moritz, @msimon, @carla
- Status: stable
- Category: Utilities
- Features: ?
- Image: traefik, 4, upstream
- Healthcheck: Yes
- Backups: No
- Email: N/A
- Tests: 2
- SSO: ? (Keycloak)
Basic usage
- Set up Docker Swarm and `abra`
- `abra app new traefik`
- `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box
- `abra app deploy YOURAPPDOMAIN`
Configuring basic auth
- Create the usersfile locally: `htpasswd -c usersfile <username>` (add `-B` to get a bcrypt hash instead of the default MD5-based one; Traefik's basic auth middleware accepts MD5, SHA1 and bcrypt)
- Uncomment the Basic Auth section in your `.env` file
- Insert the secret: `abra app secret insert YOURAPPDOMAIN usersfile v1 -f usersfile`
- Redeploy your app: `abra app deploy -f YOURAPPDOMAIN`
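A check worth running before the secret is inserted, as an added example that is not part of the Traefik recipe or of abra: the basic auth middleware only matches MD5 (`$apr1$`), SHA1 (`{SHA}`) and bcrypt (`$2y$`/`$2a$`/`$2b$`) hashes, so a usersfile containing a plaintext password, an empty line or a crypt(3) entry from `htpasswd -d` locks everyone out without any error at deploy time. The function below validates each `user:hash` line, rejects unsupported ones and warns about the weaker hash formats; the sample entries at the bottom are constructed, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the Traefik recipe: validate a htpasswd usersfile
# before handing it to `abra app secret insert`. Traefik's basicAuth middleware
# accepts MD5 (apr1), SHA1 and bcrypt hashes only; anything else never matches.

# check_usersfile FILE
#   returns 0 if every line is user:<supported hash>, 1 otherwise.
#   apr1/MD5 and unsalted SHA1 are accepted but flagged: both crack quickly offline,
#   so prefer `htpasswd -B` (bcrypt).
check_usersfile() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        user=${line%%:*}
        hash=${line#*:}
        if [ -z "$user" ] || [ "$hash" = "$line" ] || [ -z "$hash" ]; then
            echo "line $n: expected user:hash" >&2
            rc=1
            continue
        fi
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*)
                ;;                                   # bcrypt: fine
            '$apr1$'*)
                echo "line $n ($user): apr1/MD5 hash, consider htpasswd -B" >&2 ;;
            '{SHA}'*)
                echo "line $n ($user): unsalted SHA1 hash, consider htpasswd -B" >&2 ;;
            *)
                # plaintext, crypt(3) DES, or a typo: Traefik will reject every login
                echo "line $n ($user): unsupported or plaintext password field" >&2
                rc=1 ;;
        esac
    done < "$1"
    [ "$n" -gt 0 ] || { echo "$1: empty usersfile" >&2; rc=1; }
    return $rc
}

# Constructed demo input (not a real hash): one bcrypt-style entry.
demo=$(mktemp)
printf 'alice:$2y$05$constructedsaltconstructedhashXXXXXXXXXXXXXXXXXXXXXXX\n' > "$demo"
check_usersfile "$demo" && echo "usersfile ok"
rm -f "$demo"
```

Typical use is `check_usersfile usersfile && abra app secret insert YOURAPPDOMAIN usersfile v1 -f usersfile`, so a broken file never reaches the swarm.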
Configuring SSL using DNS
Automatic certificate generation will Just Work™ for most recipes which use a
fixed number of subdomains. If your server can't be reached from the Internet,
or if you're deploying a recipe that needs to work across arbitrary
subdomains, like federatedwiki and go-ssb-room (which require wildcard
certificates), you can give Traefik access to your DNS provider so that it can
carry out Let's Encrypt DNS-01 challenges instead of the default HTTP-01
challenge, which needs port 80 reachable from the Internet.

- Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers can be easily added, see the lego docs).
- Run `abra app config YOURAPPDOMAIN`
- Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g. `SECRET_GANDIV5_API_KEY_VERSION`
- Set `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` to your provider, e.g. `gandi`
- Generate an API key for your provider, probably using their web interface. Where the provider supports it, scope the key to DNS record management for the zones Traefik will validate: whoever holds it can pass DNS-01 challenges and obtain certificates for those names.
- Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`), e.g. `gandiv5_api_key`, and `SECRETVALUE` is the API key.
- For Gandi, you can use either the deprecated API Key or a GandiV5 Personal Access Token, in which case use `compose.gandi-personal-access-token.yml`.
- See comments for each provider in your env file for specific instructions
- Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
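The steps above touch four separate lines of the `.env` file, and a half-finished edit fails quietly: with `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` unset Traefik simply falls back to HTTP-01, and with the `ENABLE_...` or `SECRET_..._VERSION` line still commented out the provider compose file or the credential secret is never included. The script below, an added example that is not part of the Traefik recipe or of abra, reads the `.env` file and checks that those settings agree before you redeploy. It uses the variable names documented on this page (`LETS_ENCRYPT_DNS_CHALLENGE_ENABLED`, `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER`, `ENABLE_GANDI`, `SECRET_GANDIV5_API_KEY_VERSION`); that every provider has an `ENABLE_<PROVIDER uppercased>` switch like Gandi's is an assumption, and the sample `.env` content is constructed.

```shell
#!/bin/sh
# Added example, not part of the Traefik recipe or abra: check that the DNS-01
# settings in an abra .env file are consistent before `abra app deploy -f`.
# Assumption: each provider is switched on by ENABLE_<PROVIDER uppercased>,
# as ENABLE_GANDI is for LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER=gandi.

# env_get FILE KEY
#   prints the value of the last uncommented KEY=... line (surrounding double
#   quotes stripped), or nothing if the key is absent or commented out.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_dns_env FILE
#   returns 0 when the DNS challenge configuration is coherent, 1 otherwise.
check_dns_env() {
    f=$1
    enabled=$(env_get "$f" LETS_ENCRYPT_DNS_CHALLENGE_ENABLED)
    provider=$(env_get "$f" LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER)
    if [ "$enabled" != "1" ]; then
        # DNS-01 is off, so Traefik will use HTTP-01 (needs port 80 from the Internet).
        # A provider set without the switch usually means a forgotten line.
        [ -z "$provider" ] || echo "warn: provider '$provider' set but LETS_ENCRYPT_DNS_CHALLENGE_ENABLED is not 1" >&2
        return 0
    fi
    if [ -z "$provider" ]; then
        echo "error: DNS challenge enabled but LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER is empty" >&2
        return 1
    fi
    switch="ENABLE_$(printf '%s' "$provider" | tr '[:lower:]' '[:upper:]')"
    if [ -z "$(env_get "$f" "$switch")" ]; then
        echo "error: $switch is still commented out, so the provider compose file is not included" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*SECRET_[A-Z0-9_]*_VERSION=' "$f"; then
        echo "error: no uncommented SECRET_..._VERSION line, so no API credential secret is mounted" >&2
        return 1
    fi
    return 0
}

# Constructed sample .env (not from a real deployment): a LAN-only host using Gandi.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DOMAIN=traefik.example.com
LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1
LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER="gandi"
ENABLE_GANDI=1
SECRET_GANDIV5_API_KEY_VERSION=v1
EOF
check_dns_env "$sample" && echo "dns challenge config ok"
rm -f "$sample"
```

Run it against the file `abra app config YOURAPPDOMAIN` edits (under `~/.abra/servers/<server>/YOURAPPDOMAIN.env`) and only redeploy on a zero exit; the warning branch is deliberately non-fatal because a provider left in the file while HTTP-01 is in use is harmless, just untidy.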
Blocking scrapers with Anubis
Uncomment the lines in the Anubis section of the configuration. Set a domain name for the cookies and a domain that will serve the Anubis redirection service. Optionally, and for added security, set a list of the domain names of the apps that are going to be protected.

After deploying these changes, go to each recipe that supports Anubis and follow the process there. Enabling Anubis here is not enough to protect your apps.
Enabling onion service
Uncomment the line in the config setting `ONION_ENABLED=1`. This will create a new entrypoint on port 9052 which can be used to bypass forced SSL. For more details, see the onion recipe.