Running a Cells container behind a Traefik reverse proxy
Created on 2020/07/01,In this tutorial, we explain how you can configure a reverse proxy for your Cells Docker container and what settings are the most important to change.
Run your Cells docker container behind a Traefik reverse-proxy using SSL
For the purpose of this deployment, we use docker-compose as it offers a simple way to visualize the full stack deployment under a single file. The reverse proxy we are going to use is Traefik, a very efficient Go reverse proxy designed to perfectly integrate with Docker and Kubernetes.
This configuration file is valid for a cells service accessible via https://cells.domain.tld. Please edit the <cell.domain.tld> value to the actual url you use to reach the service. As the point of this documentation is to setup a reverse proxy with SSL, we did not mention volumes mountpoints specific to a proper cells configuration.
docker-compose.yml
version: '3'
services:
reverse:
image: traefik:v2.0
ports:
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
command:
- "--providers.docker=true"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
- "--certificatesresolvers.mytlschallenge.acme.email=<user@domain.tld>"
- "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
cells:
image: pydio/cells:latest
ports:
- "8000:80"
environment:
- CELLS_BIND=cells.domain.tld:80
- CELLS_EXTERNAL=https://cells.domain.tld
- CELLS_NO_TLS=1
labels:
- "traefik.http.routers.cells.rule=Host(`<cells.domain.tld>`)"
- "traefik.http.routers.cells.entrypoints=websecure"
- "traefik.http.routers.cells.tls.certresolver=mytlschallenge"
#extra_hosts:
# - "<cells.domain.tld>:<ip_to_access_domain>"
What is in this file
reverse:
ports: our reverse proxy listens incoming requests on port 443volumes:- in order to listen to docker events, traefik containers needs to access our machine docker socket
- we also setup a permanent volume so the SSL certificates are not regenerated every time we relaunch our container
command:provider: we link traefik routing system to dockerentrypoints: we namewebsecureour link to port 443certificateresolvers:- we name
mytlschallengethe certificate issuing process, set it up totlschallenge- meaning that Let's encrypt checks the domain is ours by connecting to our server on port 443 -, provide a valid email to complete the certificate issuing, and define the path in the container where the certificate is stored / found - in case the machine is not accessible from outside your network, you might use
dnschallengeinstead oftlschallenge
cells:
ports: our cells instance are configured to listen on port 80, and the container exposes port 8000 to avoid conflicts with the ports our reverse proxy listens toenvironment:CELLS_BIND: address where the application http server is bound to - our cell container accepts requests addressed tocells.domain.tld, in plain httpCELLS_EXTERNAL: url the end user uses to connect to the application - in our case, by typinghttps://cells.domain.tldin a web browserCELLS_NO_TLS: as Traefik manages the SSL certificate, it is the point of termination of the SSL connection, and communication between cells and traefik are done in plain HTTP, so we deactivate SSL on cells' side
labels:- we name
cellsthe configuration we are going to use, and specify it is to be used for requests searching to reach the hostcells.domain.tld - we specify that the requests that are served are the ones reaching the entrypoint
websecure- that we have defined in traefik, listening on port 443 - we define that the SSL communication for this host is using the resolver
mytlschallengewe configured in traefik extra_hosts: this option is used exclusively if there is no DNS entry accessible by the cells container matching the domain name, as cells must be able to access itself via theCELLS_BINDaddress.extra_hostsdirective simply add a new entry to the/etc/hostsfile of the container.
- we name