Hi Ernst,
I’m not using Traefik, as Virtualmin+Apache is already doing the job (and I have the application-level firewall modsecurity installed on it that I wanted to keep working).
I am using a proxy setting in the Apache site config. Below is the config I added to the https virtual host, together with the references where I found the configuration tips.
But I guess you could do the same in the default Apache server serving *:80 and *:443 and proxy them to Traefik if you want to use Traefik? The disadvantage is that it would go through Apache, then Traefik, and again through an Apache or Nginx server. The other way would be to disable Apache altogether in Virtualmin and install your own Traefik port service.
Here is my config (replace 1.2.3.4 and mysite and port 83 with your own ones):
Inside the <VirtualHost 1.2.3.4:443> of /etc/apache2/sites-available/mysite.conf:

    ###Ref: https://gitlab.com/gitlab-org/gitlab-recipes/blob/8-2-stable/web-server/apache/gitlab-ssl-apache24.conf
    ProxyPreserveHost on
    # Ensure that encoded slashes are not decoded but left in their encoded state.
    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
    AllowEncodedSlashes NoDecode
    <Location />
        # New authorization commands for apache 2.4 and up
        # http://httpd.apache.org/docs/2.4/upgrading.html#access
        Require all granted
        #Allow forwarding to docker container:
        ProxyPassReverse http://127.0.0.1:83/
    </Location>
    # Apache equivalent of nginx try files
    # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
    # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
    RewriteEngine on
    RewriteRule .* http://127.0.0.1:83%{REQUEST_URI} [P,QSA,NE]
    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on

And inside the docker-compose.yml file, I expose the service to localhost port 83 (which is blocked from outside by the firewall):

    services:
      myproject:
        image: myimagesource
        restart: always
        ports:
          - 83:3000

I also edited the docker-compose.yml file of the app to use the MySQL server of Virtualmin instead of a containerized one, as my dockerized app has everything stored in a MySQL database and none in the filesystem except for the ones remapped to the local /home/mysite/... directories (no docker volumes), so that Virtualmin backups do indeed back up everything needed to restore the site, except for the docker-compose up command. Additionally, everything in the Virtualmin backup file is in cleartext, which is an added continuity joker.
This is my entire docker-compose.yml file to run Redmine inside a Docker container on Virtualmin (together with the Apache site-config file modification above, and an (apache-server) group-writable directory /home/myredminesite/redmine-files created):

    version: '3.8'
    services:
      forge-redmine:
        image: redmine
        restart: always
        ports:
          - 83:3000
        environment:
          # REDMINE_DB_MYSQL: db
          REDMINE_DB_MYSQL: localhost
          REDMINE_DB_DATABASE: forge_redmine
          REDMINE_DB_USERNAME: forge
          REDMINE_DB_PASSWORD: MyComplexDatabasePasswordHere
          # REDMINE_SECRET_KEY_BASE: 12312312312312312312312312312312312312312312312312312312312312312312312312
        volumes:
          - "/var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock"
          - "/home/myredminesite/redmine-files:/usr/src/redmine/files"

For lack of time, I haven’t found the right way to use a port instead of a socket for MySQL in my dockerized app (Redmine), so when the MySQL server is restarted on the Virtualmin host, e.g. by an automated security upgrade, the dockerized app needs to be restarted too.
Finally, I upgrade the app regularly with:

    cd /home/mysite/docker/
    docker-compose pull
    docker-compose down
    docker-compose up -d
    docker image prune -f

This is all manual configuration, but it works great.
It would sure be great if Virtualmin took charge of installing and upgrading popular apps via docker-compose.
Does that work for you too?
Please share your solution in reply, would love to have Traefik working on my next project!
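
An added example, not part of the original post: a check over the `ports:` entries of a compose file like the one above. In Compose short syntax, a mapping without a host IP (such as 83:3000) is published on all interfaces, while 127.0.0.1:83:3000 is reachable only from the host itself, which is all the Apache proxy needs. The sample text and the second service name are constructed, and the line-based parsing assumes two-space indentation and short-syntax entries.

```python
import ipaddress
import re

# Constructed sample: the service from the post plus a hypothetical loopback-bound variant.
SAMPLE_COMPOSE = """\
services:
  forge-redmine:
    image: redmine
    ports:
      - 83:3000
  forge-redmine-local:
    image: redmine
    ports:
      - "127.0.0.1:83:3000"
"""

# [HOST_IP:][HOST_PORT:]CONTAINER_PORT, with IPv6 host addresses in brackets.
_MAPPING = re.compile(
    r"(?:\[([0-9a-fA-F:]+)\]:|(\d+\.\d+\.\d+\.\d+):)?(?:([\d-]*):)?([\d-]+)")

def host_binding(mapping):
    """Return (host_ip, host_port, container_port) for a short-syntax mapping."""
    spec = mapping.strip().strip("'\"").split("/")[0]  # drop quotes and /tcp, /udp
    m = _MAPPING.fullmatch(spec)
    if not m:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    # With no host IP, Docker publishes the port on all interfaces.
    return (m.group(1) or m.group(2) or "0.0.0.0", m.group(3) or "", m.group(4))

def exposed_ports(compose_text):
    """List (service, mapping) for published ports not bound to a loopback address."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if len(line) - len(line.lstrip()) == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False  # assumed: services at indent 2
        elif stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            host_ip, _, _ = host_binding(stripped[2:])
            if not ipaddress.ip_address(host_ip).is_loopback:
                findings.append((service, stripped[2:].strip()))
        else:
            in_ports = False
    return findings

if __name__ == "__main__":
    for service, mapping in exposed_ports(SAMPLE_COMPOSE):
        print(f"{service}: {mapping} is published on a non-loopback address")
```

Any service it reports depends entirely on the host firewall to stay private; adding the 127.0.0.1: prefix removes that dependency.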