Bludit Install: docker-compose, Traefik and OVH

April 21, 2023 - Reading time: 140 minutes

Let's go... first article.

And why not start by explaining the installation of this blog?

I use Docker (I'm not yet very familiar with k8s) and docker-compose.

My starting configuration:

  • Provider: OVH
  • OS: Debian 9
  • Docker: 20.10.23
  • Docker-compose: 2.5.1
  • Ansible: 2.10.88

For every install I use Ansible playbooks, with Traefik as the reverse proxy.

The goals:

  • Install Bludit
  • Use Traefik as the reverse proxy
  • Use Traefik and Let's Encrypt to manage certificates
  • Redirect HTTP to HTTPS via Traefik

By default I install all docker-compose files in the /opt directory. Each docker-compose file lives in a sub-directory named after its application.

To use Let's Encrypt with Traefik, you must first prepare how the certificates will be managed.

In my case I use OVH as the DNS provider.

1- Manage OVH DNS

First step: create a DNS record, in my case ashram.kairel.fr.

Go to the OVH UI, on zone -> Web cloud -> domain name -> DNS Zone

Add your new zone, in my case "ashram".

Now that you have created your zone, it's always better to check that propagation is done:

$ ping ashram.kairel.fr

64 bytes from vps-cb65982e.vps.ovh.net (51.255.51.203): icmp_seq=1 ttl=64 time=0.035 ms

64 bytes from vps-cb65982e.vps.ovh.net (51.255.51.203): icmp_seq=2 ttl=64 time=0.040 ms

64 bytes from vps-cb65982e.vps.ovh.net (51.255.51.203): icmp_seq=3 ttl=64 time=0.039 ms

It's OK, we continue.

Now that we have a DNS A record, we must authorize an application (like Traefik) to manage certificates.

For that we must create a new application ID.

Go to this URL: https://www.ovh.com/auth/api/createApp

Please copy all your credentials.

You now have an application ID; we must add the rights that let Let's Encrypt manage certificates.

We can use curl (or any other API caller):

curl -XPOST -H"X-Ovh-Application: <application_id>" -H "Content-type: application/json" \
https://eu.api.ovh.com/1.0/auth/credential  -d '{
    "accessRules": [
        {
            "method": "POST",
            "path": "/domain/zone/ashram.kairel.fr/record"
        },
        {
            "method": "POST",
            "path": "/domain/zone/ashram.kairel.fr/refresh"
        },
        {
            "method": "DELETE",
            "path": "/domain/zone/ashram.kairel.fr/record/*"
        }
    ]
}'

The response contains a consumer key; keep this key with your other credentials.

{"consumerKey":"<consummer_key>","validationUrl":"https://www.ovh.com/auth/sso/api?credentialToken=<token>","state":"pendingValidation"}

Go to the validation URL to authorize the application with the new rights; click on unlimited validity and authorize.

Good, you now have an application ID authorized to renew your record.

2- Install Traefik

My Traefik docker-compose.yml file:

version: '3.0'
services:
  traefik:
    image: traefik
    container_name: traefik.kairel.fr
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      # only containers labelled traefik.enable=true are exposed
      - "--providers.docker.exposedbydefault=false"
      # serves the Traefik API and dashboard without authentication
      - "--api.insecure=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=<mail>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # the DNS provider is selected with dnschallenge.provider
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - reverse_proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "/opt/traefik/letsencrypt:/letsencrypt"
    environment:
      - "TZ=Europe/Paris"
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=<application_key>"
      - "OVH_APPLICATION_SECRET=<application_secret>"
      - "OVH_CONSUMER_KEY=<consummer_key>"
networks:
  reverse_proxy:
    name: reverse_proxy

The important keys in this docker-compose file:

  • tlschallenge: allows Traefik to use Let's Encrypt (TLS challenge)
  • acme.dnschallenge: the DNS provider used to manage the certificate (here OVH)

Don't forget to set the correct environment variables with your credentials.

Create a (persistent) directory to store the certificates.

At the end of the file, I use a named network, because it's useful for referencing it from another docker-compose file or just for setting firewall rules.

Now you have an application ID and Traefik.
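A tightened variant of the Traefik file above, as an added example that is not the author's own file. It assumes the image tag v2.10 and an env file at /opt/traefik/ovh.env (mode 600) holding the four OVH_* variables; it keeps only the DNS challenge and moves the HTTP to HTTPS redirect to the entrypoint, both of which are choices made for this example.

```yaml
version: '3.0'
services:
  traefik:
    image: traefik:v2.10            # assumed tag: pin a release instead of the floating default
    container_name: traefik.kairel.fr
    command:
      - "--log.level=INFO"          # keep DEBUG for troubleshooting sessions only
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # --api.insecure is left out: it serves the API and dashboard without authentication
      - "--entrypoints.web.address=:80"
      # redirect every HTTP request to HTTPS at the entrypoint (example choice)
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.email=<mail>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - reverse_proxy
    volumes:
      # :ro stops the container from replacing the socket file; the Docker API
      # behind it stays fully usable, so Traefik remains a high-value container
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - "/opt/traefik/letsencrypt:/letsencrypt"
    env_file:
      # assumed path, chmod 600, owned by root; contains OVH_ENDPOINT,
      # OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET and OVH_CONSUMER_KEY
      - /opt/traefik/ovh.env
    environment:
      - "TZ=Europe/Paris"
    security_opt:
      - no-new-privileges:true      # block privilege escalation via setuid binaries
networks:
  reverse_proxy:
    name: reverse_proxy
```

The acme.json file under /opt/traefik/letsencrypt holds the ACME account key and the certificates' private keys, so keep that directory readable by root only. Moving the OVH keys into an env file also keeps them out of any repository or playbook that carries the compose file.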

3- Install Bludit

In this step I just explain how to install Bludit with SSL and Traefik, not how to configure it.

My docker-compose file for Bludit, explained:

version: '3'
services:
  web:
    image: bludit/docker:latest
    container_name: ashram.kairel.fr
    user: root
    volumes:
      - bludit_data:/usr/share/nginx/html/
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=reverse_proxy"
      # HTTP router: only redirects to HTTPS
      - "traefik.http.routers.bludit-http.entrypoints=web"
      - "traefik.http.routers.bludit-http.rule=Host(`ashram.kairel.fr`)"
      - "traefik.http.routers.bludit-http.middlewares=bludit-https"
      - "traefik.http.middlewares.bludit-https.redirectscheme.scheme=https"
      # HTTPS router: serves the site with a certificate from myresolver
      - "traefik.http.routers.bludit.entrypoints=websecure"
      - "traefik.http.routers.bludit.rule=Host(`ashram.kairel.fr`)"
      - "traefik.http.routers.bludit.tls=true"
      - "traefik.http.routers.bludit.tls.certresolver=myresolver"
    networks:
      - reverse_proxy
volumes:
  bludit_data:
    driver: local
networks:
  reverse_proxy:
    external: true
    name: reverse_proxy

http.middlewares=bludit-https: sends the HTTP router through a middleware, here bludit-https

redirectscheme.scheme=https: redirects HTTP to HTTPS

tls.certresolver=myresolver: the resolver defined in the Traefik docker-compose file; it is this resolver that is authorized to manage the ashram certificate

And now just start your containers.

Last thing: by default Bludit is configured to use HTTP and not HTTPS, so at first view you'll see that your CSS is broken.

Don't panic, it's normal; just go to admin (advanced options) and change the site URL to https.