Set up Traefik
Create the proxy network:
docker network create proxy
Create a traefik folder to hold the configuration:
mkdir -p traefik/configurations
Create a Docker Compose file:
vi traefik/compose.yml
Replace YOUR_DOMAIN with the actual hostname for Traefik, e.g. traefik.openimis.org.
services:
  traefik:
    image: "traefik:latest"
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/ubuntu/traefik/traefik.yml:/traefik.yml:ro"
      - "/home/ubuntu/traefik/acme.json:/acme.json"
      - "/home/ubuntu/traefik/configurations:/configurations"
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`YOUR_DOMAIN`)
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.middlewares=user-auth@file
networks:
  proxy:
    external: true
Create an empty acme.json (Let's Encrypt stores issued certificates and account keys here, so restrict it to the owner):
touch traefik/acme.json
chmod 600 traefik/acme.json
Create the Traefik static configuration file:
vi traefik/traefik.yml
Replace contact@YOURDOMAIN with your admin contact email address.
/!\ The ports configured here are 80 and 443. Make sure they are free on the host; port 80 is mandatory for the ACME HTTP challenge (Let's Encrypt).
api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: contact@YOURDOMAIN
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
Configure the dynamic configuration
The dashboard router above is protected by the user-auth basic authentication middleware, so first create a credential for it:
Install apache2-utils:
sudo apt install apache2-utils
Generate the password hash (bcrypt) with htpasswd:
htpasswd -nB username
Replace "username" with your desired username. You'll be prompted to enter and confirm a password.
The output will be in the format:
username:$2y$05$hashed_password
For use in the Traefik configuration, replace each single $ with a double $$ to escape it:
username:$$2y$$05$$hashed_password
Put that escaped line in the users list of the following file:
vi traefik/configurations/dynamic.yml
# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    user-auth:
      basicAuth:
        users:
          - "username:$$2y$$05$$hashed_password"
#  routers:
#    example:
#      rule: "Host(`example.YOURDOMAIN`)"
#      service: example-secured
#      entryPoints: websecure
#      tls:
#        certResolver: letsencrypt
#  services:
#    nazkaban-example:
#      loadBalancer:
#        servers:
#          - url: "http://YOURSTATIC_IP:YOURSTATIC_PORT"
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
In that file you can also define routes manually, as shown by the commented-out example.YOURDOMAIN router (make sure the router's service name matches the service you define, otherwise the router is not created).
Start Traefik:
docker compose up -d
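Once Traefik is running, it is worth checking that the deployed configuration actually behaves as the files above intend. The following script is an added example and not part of the original guide: it parses the Strict-Transport-Security header produced by the secureHeaders middleware and compares it with the values set in dynamic.yml (stsSeconds 31536000, includeSubdomains, preload), and can fetch the live headers with a TLS 1.2 floor matching minVersion. The hostname passed to fetch_headers is assumed to be your real YOUR_DOMAIN.

```python
"""Post-deployment check for the Traefik setup above (added example)."""
import http.client
import ssl

# Values the guide configures in dynamic.yml (secureHeaders middleware)
EXPECTED_STS_SECONDS = 31536000
# Matches tls.options.default.minVersion: VersionTLS12
MIN_TLS = ssl.TLSVersion.TLSv1_2


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into {directive: argument}.
    Directives without an argument (includeSubDomains, preload) map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip() or True
    return directives


def check_hsts(value):
    """Return a list of findings; an empty list means the header matches the guide."""
    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        findings.append("max-age missing")
    elif int(max_age) < EXPECTED_STS_SECONDS:
        findings.append("max-age below %d" % EXPECTED_STS_SECONDS)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing")
    return findings


def fetch_headers(host, path="/"):
    """Network call: GET https://host/path with a TLS 1.2+ floor and return
    (status, lower-cased headers, negotiated TLS version). Pass the result's
    'strict-transport-security' header to check_hsts(). The host is assumed
    to be your real YOUR_DOMAIN (hypothetical value, not on the page)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    version = conn.sock.version()  # e.g. "TLSv1.3"
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, version
```

Expect a 401 from the dashboard host without credentials (the user-auth middleware) while the HSTS header is still present; a 301/308 on plain http://YOUR_DOMAIN confirms the web-to-websecure redirection.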
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/