Traefik
Call it The GCDLADB if you like.
Traefik and Acme.sh for DG-STAGING 6 min read Sep 15, 2020 | Updated: Sep 28, 2020 15:15
This post is a follow-up to Dockerized Traefik Host Using ACME DNS-01 Challenge and Staging ISLE Installation: Migrate Existing Islandora Site - with Annotations, specifically Step 11 in the latter document. It introduces a Digital.Grinnell-specific implementation of Traefik with Acme.sh. Testing with McFateM/docker-traefik2-acme-host I started work on this implementation with a test, by cloning https://github.com/McFateM/docker-traefik2-acme-host and proceeding as directed in the repository’s README.md document, as user islandora on node DGDockerX, like so: DGDockerX Host Commands cd ~ git clone https://github. ...
New Host Config: Vulnerability Scan 7 min read Jun 11, 2020
Today I elected to run a vulnerability scan against our new instance of the docker-traefik2-acme-host configuration that’s running on static.grinnell.edu. The command I used, and the results, are posted below. ╭─islandora@dgdockerx ~ ╰─$ /home/islandora/testssl.sh/testssl.sh static.grinnell.edu ########################################################### testssl.sh 3.0rc4 from https://testssl.sh/dev/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on dgdockerx:/home/islandora/testssl.sh/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64") Start 2020-06-11 17:33:25 -->> 132. ...
Host Config: docker-traefik2-acme-host 1 min read Jun 10, 2020
This post is celebrating the completion (really, is anything ever complete?) of a new server/host/stack deployment project: docker-traefik2-acme-host. In order to make this post really easy to read, I’m going to wrap it up in one bullet… README.md Troubleshooting Should you ever encounter an error like the one below, be sure to ask your IT provider if they created the proper CNAME record when creating your DNS entry. [Tue Jun 30 20:53:50 UTC 2020] ohscribe.grinnell.edu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge. ...
Traefik and Acme.sh Instead of DNS-01 13 min read Jun 2, 2020
This post is a follow-up to Dockerized Traefik Host Using ACME DNS-01 Challenge. It introduces an alternative to the failed process that was proposed in that earlier post. Note that the following config-specific elements have been replaced below: 6 occurrences of ?.grinnell.edu now say example-1.grinnell.edu, and 2 occurrences of ?.info now say example-2.info. New Proposal On June 1 my colleague, Matt, suggested the following… As much as I would like to resolve the DNS-01 challenge using Traefik alone, I don’t believe it will support what we’re trying to do here. ...
Simplified Testing of Traefik 2 with ACME DNS-01 Challenge 3 min read May 19, 2020
This post is a simplified and focused follow-up to Dockerized Traefik Host Using ACME DNS-01 Challenge. Simplify Today, 19-May-2020, I’m going to take a shot at simplifying my testing on dgdocker3.grinnell.edu by removing unnecessary things and consolidating as much as possible to reduce clutter in the logs and get right to the point. I’m also going to have a look to see if there are additional logs that can give me more detail. Everything used here, and everything that takes place here, will be found in a new directory, /opt/containers/test on DGDocker3. ...
Dockerized Traefik Host Using ACME DNS-01 Challenge 11 min read Apr 27, 2020
This post builds on My dockerized-server Config and attempts to change what was a problematic ACME HTTP-01 or httpChallenge in Traefik and Let’s Encrypt to an ACME DNS-01 or dnsChallenge. The problem with the old HTTP-01 or httpChallenge is that it requires the creation of a valid and widely accessible “A” record in our DNS before the creation of a cert; the record has to be in place so that the Let’s Encrypt CA-server can find it to confirm that the request is valid. ...
Repairing Static.Grinnell.edu 4 min read Sep 17, 2019
This morning, Tuesday, September 17, 2019, I awoke to find our https://static.grinnell.edu server, and all of the services on it, unreachable via the web. I managed to open a shell on the host and found that the server was up-and-running as expected, but a quick docker ps command indicated that one of the key services on the server, namely Traefik, had stopped and then failed to restart, repeatedly. Traefik is the service that’s responsible for routing web traffic on the static host. ...
Configuring DGDocker2 13 min read Sep 3, 2019 | Updated: Sep 11, 2019 10:53
My mission today is to successfully migrate the images/containers/services chronicled in post 030, “Dockerized Omeka-S: Starting Over” to Docker-ready node dgdocker2 without compromising any of the services that already run there. Pushing WMI Omeka-S to Production on dgdocker2 Grinnell’s dgdocker2 server, specifically dgdocker2.grinnell.edu with an IP address of 132.161.132.143, is a Docker-ready CentOS 7 node that’s currently supporting the following containers and configuration: ╭─root@dgdocker2 ~ ╰─# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ef20d71ffea8 mcfatem/ohscribe "./boot.sh" 6 days ago Up 6 days 5000/tcp ohscribe b525f4670cd2 mariadb:latest "docker-entrypoint. ...
My dockerized-server Config 3 min read Sep 7, 2019 | Updated: Sep 8, 2019 09:26
This post picks up from where Configuring DGDocker2 left off. In it I will establish a workflow to set up a “Dockerized” server complete with Traefik, Portainer, and Who Am I. It should be relatively easy to add additional non-static services to any server that is initially configured using this package. For “static” servers have a look at post 008 docker-bootstrap Workflow. Capture As a Project Picking up from the end of Configuring DGDocker2, my first step on the dgdocker2 server was to move everything into a single subdirectory of /opt; I called the new directory dockerized-server, like so: ...
Removing Traefik's Weak Cipher Suites 2 min read May 10, 2019 | Updated: Sep 4, 2019 15:28
Most of the servers I deploy to and manage here at Grinnell College are now “Dockerized”, and all of those use Traefik to manage traffic, of course. Before a web app or server can be opened for access to the world here, it has to pass a vulnerability scan, and I’m not privy to the specifics of that scan. However, I do know that “weak cipher suites” are a common source of failure among my newest servers. It took a couple of weeks of searching, and trial/error solution attempts to identify the nature and specific source of these weaknesses, and to eradicate them. ...