SSL
Certbot
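# Issue a certificate from inside the running apache container using the
# route53 DNS-01 plugin. The AWS credentials certbot picks up only need
# Route53 record-change rights on the hosted zone that serves $SERVER_NAME.
# $SERVER_NAME is quoted and required: an unquoted, empty value would pass
# "--email" as the domain argument.
dc exec apache bash certbot certonly -n --agree-tos --dns-route53 \
  -d "${SERVER_NAME:?SERVER_NAME must be set}" --email user@x.io
# if RequestsDependencyWarning: urllib3 (1.26.9) or chardet (3.0.4) doesn't match a supported version!
python3 -m pip install --upgrade requests
# enable --dns-route53
python3 -m pip install certbot-route53

# certbot.sh -- wraps the official certbot image. Let's Encrypt state
# (account key, issued certs, renewal config) is kept on the host under
# docker/apache so the apache container and later renewals see the same files;
# treat that directory as secret material.
#!/bin/bash
sudo docker run --rm --name certbot \
  -v "$PWD/docker/apache/etc/letsencrypt:/etc/letsencrypt" \
  -v "$PWD/docker/apache/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -p 0.0.0.0:80:80/tcp \
  -p 0.0.0.0:443:443/tcp \
  certbot/certbot "$@"

# Standalone (HTTP-01) issuance through the wrapper: host ports 80/443 must be
# free (stop the web server first) and reachable from the internet while the
# challenge runs.
./certbot.sh certonly \
  -n --agree-tos --standalone \
  -d "${SERVER_NAME:?SERVER_NAME must be set}" \
  --email user@comp.com;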
cert-manager k8s
Gitlab SSL
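# Convert the Let's Encrypt PEM pair into the <host>.crt / <host>.key names
# GitLab looks for in /etc/gitlab/ssl. The cd is guarded: without it, a
# missing or unreadable directory would leave both outputs -- including the
# private key -- in whatever the current directory happens to be.
cd /etc/gitlab/ssl || exit 1
# NOTE(review): -outform der keeps only the first (leaf) certificate and the
# bundled NGINX loads PEM; if this .crt is meant for omnibus NGINX, drop
# -outform der (or copy fullchain.pem as-is) -- confirm against the consumer.
openssl x509 -outform der -in /etc/letsencrypt/live/gitlab.overton-design.com/fullchain.pem -out gitlab.overton-design.com.crt
# The key is written with the default umask; restrict it to the gitlab
# service account (mode 0600) once written.
openssl pkey -in /etc/letsencrypt/live/gitlab.overton-design.com/privkey.pem -out gitlab.overton-design.com.key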
- SSL on everything: use Traefik to obtain SSL certificates for internal traffic as well.
Caddyfile for DNS-01 Certs
Dockerfile
# the different stages of this Dockerfile are meant to be built into separate images
# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
# https://docs.docker.com/compose/compose-file/#target
# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
# NOTE(review): "2" is a moving major tag for both stages below; pin a full
# version (or image digest) for reproducible, reviewable builds.
ARG CADDY_VERSION=2
# -------------------------------------
# Caddy Build
# Builder stage: compiles caddy with the Route53 DNS provider so the Caddyfile
# can use the DNS-01 challenge (tls { dns route53 }).
FROM caddy:${CADDY_VERSION}-builder-alpine AS caddy_builder
# NOTE(review): the module is unpinned, so xcaddy resolves its latest tag at
# build time; use --with github.com/caddy-dns/route53@<version> to pin it.
RUN xcaddy build \
  --with github.com/caddy-dns/route53
# --with github.com/greenpau/caddy-security \
# --with github.com/greenpau/caddy-trace
# -------------------------------------
# Caddy Run
# Runtime stage: only the built binary is copied in, so no Go toolchain or
# module cache ends up in the final image.
FROM caddy:${CADDY_VERSION}-alpine
COPY --from=caddy_builder /usr/bin/caddy /usr/bin/caddy
# The Caddyfile is bind-mounted at run time instead of baked into the image.
# COPY docker/caddy/Caddyfile /etc/caddy/Caddyfile
Caddyfile
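# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#
# Global options: the admin API is disabled (nothing listens on :2019) and
# logs go to stdout as JSON so the container runtime can collect them.
{
  admin off
  # NOTE(review): `debug` raises the log level for every site block; remove it
  # once route53 issuance is confirmed working so request logs stay compact.
  debug
  log {
    output stdout
    format json
  }
}

# Headers forwarded to every proxied backend. reverse_proxy adds
# X-Forwarded-For and X-Forwarded-Proto on its own; this snippet supplies the
# X-Real-IP / X-Url-Scheme variants some backends expect.
(theheaders) {
  header_up X-Forwarded-Ssl on
  header_up Host {http.request.host}
  # {http.request.remote} is the socket address ("ip:port"); X-Real-IP must
  # carry the bare client IP, which is {http.request.remote.host}.
  header_up X-Real-IP {http.request.remote.host}
  header_up X-Forwarded-Host {http.request.host}
  header_up X-Forwarded-Port {http.request.port}
  header_up X-Url-Scheme {http.request.scheme}
}

# Static site on the apex name. The certificate is obtained with the DNS-01
# challenge through Route53, so the CA never needs to reach ports 80/443.
{$THE_SERVER_NAME} {
  tls {
    dns route53 {
      max_retries 10
    }
  }
  encode zstd gzip
  root * /usr/share/caddy
  file_server
}

# Grafana has its own login, so exposing it on a public name is acceptable.
grafana.{$THE_SERVER_NAME} {
  tls {
    dns route53 {
      max_retries 10
    }
  }
  encode zstd gzip
  reverse_proxy grafana:3000 {
    import theheaders
  }
}

# NOTE(review): Prometheus ships no authentication of its own, so this block
# hands every metric and the query API to anyone who can reach port 443;
# front it with basic auth or restrict it to trusted source addresses.
prometheus.{$THE_SERVER_NAME} {
  tls {
    dns route53 {
      max_retries 10
    }
  }
  encode zstd gzip
  reverse_proxy prometheus:9090 {
    import theheaders
  }
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile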
DockerCompose
services:
  # Edge proxy built from ./caddy/Dockerfile (caddy plus the route53 DNS plugin).
  caddy:
    build:
      context: caddy
      dockerfile: ./Dockerfile
    image: caddy-secure:1.0.0
    container_name: caddy_local
    env_file:
      - .env
    environment:
      - AWS_REGION=us-west-1
      # Credentials for the route53 DNS-01 challenge. Scope this key pair to
      # record changes on the THE_SERVER_NAME hosted zone only. The `:-`
      # default passes an empty string when the variable is unset, so a
      # missing secret only surfaces when issuance fails, not at startup.
      - AWS_ACCESS_KEY_ID=${DNS_AWS_ACCESS_KEY_ID:-}
      - AWS_SECRET_ACCESS_KEY=${DNS_AWS_SECRET_ACCESS_KEY:-}
      - THE_SERVER_NAME=${THE_SERVER_NAME:-}
    hostname: caddy
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
      # Admin API port; keep it unpublished.
      # - 0.0.0.0:2019:2019
    volumes:
      # Bind-mounted config overrides the image's Caddyfile.
      - ./caddy/Caddyfile-local:/etc/caddy/Caddyfile
      - ./caddy/static:/usr/share/caddy
      # ACME account key and issued certificates live here; back it up and
      # keep it readable only by the caddy process.
      - ./data/caddy:/data/caddy
    restart: unless-stopped
  # No ports are published for grafana: it is reachable only through caddy
  # on the compose network.
  grafana:
    container_name: grafana
    hostname: grafana
    image: grafana/grafana:9.3.2
    restart: unless-stopped
    environment:
      # NOTE(review): Grafana maps root_url from the [server] section to
      # GF_SERVER_ROOT_URL; confirm GF_ROOT_URL is actually honoured.
      - GF_ROOT_URL=https://grafana.${THE_SERVER_NAME}
      # Plugins are fetched from the Grafana catalog at container start and
      # are not version-pinned here.
      - GF_INSTALL_PLUGINS=grafana-piechart-panel,grafana-clock-panel,briangann-gauge-panel,natel-plotly-panel,grafana-simple-json-datasource
    volumes:
      - ./grafana/grafana.ini:/etc/grafana/grafana.ini
      - data-grafana:/var/lib/grafana