Create wiki page 'Reverse Proxy with traefik' #1010

Open
GuillaumeLazar opened this issue May 7, 2024 · 5 comments

GuillaumeLazar commented May 7, 2024

🗣 Suggestion

I saw the issue #142 and the wiki page https://github.com/cypht-org/cypht/wiki/Reverse-Proxy-with-NGINX but I found nothing about the traefik reverse proxy.

After playing with the cypht docker image + traefik reverse proxy, I would like to share some instructions for the newcomers. It's really fast to deploy cypht with https on a sub-domain with the docker image + traefik.

This docker-compose.yml is:

  • based on the official instructions from here: https://hub.docker.com/r/sailfrog/cypht-docker without exposing the http port 80 on the host
  • it requires a FQDN (e.g: mydomain.com)
  • cypht will be accessible using a sub-domain (e.g: mail.mydomain.com)

  1. Configure a DNS entry to redirect mydomain.com and *.mydomain.com to your server IP address

  2. Create the file docker-compose.yml and update mydomain and password fields:

```yaml
# docker-compose.yml
services:
  traefik:
    image: "traefik:latest"
    restart: "always"
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # redirect every request on port 80 to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--providers.docker"
      # only containers labelled traefik.enable=true are routed
      - "--providers.docker.exposedbydefault=false"
      - "--log.level=INFO" # DEBUG INFO ERROR
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      - "--certificatesresolvers.leresolver.acme.httpchallenge=true"
      # placeholder: the address is obscured on the page; set your own ACME contact e-mail
      - "--certificatesresolvers.leresolver.acme.email=YOUR_EMAIL_ADDRESS"
      - "--certificatesresolvers.leresolver.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # read-only mount; Traefik discovers containers and their labels through the Docker API
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "traefik_acme:/acme"
      - "traefik_logs:/logs"
    labels:
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"

  cypht-db:
    image: mariadb:10
    volumes:
      - cypht_db:/var/lib/mysql
    environment:
      # update the password fields before deploying
      - MYSQL_ROOT_PASSWORD=root_password
      - MYSQL_DATABASE=cypht
      - MYSQL_USER=cypht
      - MYSQL_PASSWORD=cypht_password

  cypht:
    image: sailfrog/cypht-docker:latest
    volumes:
      - cypht_users:/var/lib/hm3/users
    environment:
      # update the password fields before deploying
      - CYPHT_AUTH_USERNAME=admin
      - CYPHT_AUTH_PASSWORD=admin_password
      - CYPHT_DB_CONNECTION_TYPE=host
      - CYPHT_DB_HOST=cypht-db
      - CYPHT_DB_NAME=cypht
      - CYPHT_DB_USER=cypht
      - CYPHT_DB_PASS=cypht_password
      - CYPHT_SESSION_TYPE=DB
    labels:
      # cypht behind traefik
      - "traefik.enable=true"
      - "traefik.http.routers.cypht.rule=Host(`mail.mydomain.com`)"
      - "traefik.http.routers.cypht.entrypoints=websecure"
      - "traefik.http.services.cypht.loadbalancer.server.port=80"
      - "traefik.http.routers.cypht.service=cypht"
      - "traefik.http.routers.cypht.tls.certresolver=leresolver"
      - "traefik.http.routers.cypht.middlewares=security-headers"
      - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"

volumes:
  traefik_acme:
  traefik_logs:
  cypht_users:
  cypht_db:
```
  3. build and start the containers: docker compose up --build --detach

  4. Access to cypht: https://mail.mydomain.com

It could be added to a wiki page if you think it could help someone.
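
An override file for the compose setup in the post above, as an added example that is not part of the original post or of the Cypht project: it takes the literal passwords out of docker-compose.yml and gives the `security-headers` middleware HSTS and related response headers in addition to the X-Robots-Tag it already sets. The variable names (`DB_ROOT_PASSWORD`, `DB_CYPHT_PASSWORD`, `CYPHT_ADMIN_PASSWORD`) and the header values are assumptions to adapt.

```yaml
# docker-compose.override.yml (added example)
# Compose loads this file automatically next to docker-compose.yml and merges
# environment and labels by key, so only the entries listed here change.
#
# ${NAME:?message} makes `docker compose up` abort when NAME is unset or empty,
# so the stack cannot start with a missing password.
# The variable names are assumptions; define them in a .env file that is
# kept out of version control.
services:
  cypht-db:
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD:?set DB_ROOT_PASSWORD in .env}
      - MYSQL_PASSWORD=${DB_CYPHT_PASSWORD:?set DB_CYPHT_PASSWORD in .env}

  cypht:
    environment:
      - CYPHT_AUTH_PASSWORD=${CYPHT_ADMIN_PASSWORD:?set CYPHT_ADMIN_PASSWORD in .env}
      # must match MYSQL_PASSWORD of the cypht-db service
      - CYPHT_DB_PASS=${DB_CYPHT_PASSWORD:?set DB_CYPHT_PASSWORD in .env}
    labels:
      # Same middleware name as in the post, so the existing router label
      # traefik.http.routers.cypht.middlewares=security-headers still applies.
      # HSTS for one year; browsers then refuse plain HTTP for this host.
      - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
      # X-Content-Type-Options: nosniff
      - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
      # Referrer-Policy: same-origin keeps mailbox URLs out of third-party Referer headers
      - "traefik.http.middlewares.security-headers.headers.referrerPolicy=same-origin"
```

The MariaDB image applies `MYSQL_*` passwords only when it initialises an empty data volume, so set them before the first `docker compose up`.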

@marclaporte
Member

@jonocodes thoughts?

@jonocodes
Contributor

> @jonocodes thoughts?

Yes I have been thinking about how to present the docker setup once sailfrog/cypht-docker is no longer used. Generally docker compose is not used much in production but it does make a good starting point for describing how a container is used.

There are a bunch of scenarios that we can give compose files for since there are different configs.

  • kubernetes
  • reverse proxying with the above, or nginx, or apache, etc
  • using postgres instead of mysql
  • using sqlite
  • using memcached and other caches
  • connecting to gmail
  • etc

But I will say for the most part these should just be 'tips' since they should be out of scope for this project.

The part I have been hung up on is would these compose examples be better in a (wiki) doc, or in actual example docker-compose.yml files. The advantage being that as files we may actually consider them code and keep them tested and up to date.

That being said traefik is nice. I personally am using caddy which is another lightweight reverse proxy that auto-configs TLS, but only because I have not figured out why nginx is not happy in my local dev environment.

@marclaporte
Member

@kroky
Member

kroky commented May 13, 2024

Sure, why not add the example traefik setup to a wiki page and later organize the docker documentation better - once we have an official docker image, docker-compose files, etc. can be shared as examples or distributed in a specific folder here in the repo.

@jonocodes
Contributor

Also worth looking at: https://frankenphp.dev/
