Portainer/docker reverse_proxy chat

Hi all

With the coming of docker in NS7 I would like to share some thoughts with you about reverse proxy and docker, but firstly, WHY?

docker creates applications running on a specific port; for instance, portainer runs on TCP 9000, but that is not a convenient way to reach it. Either portainer.mydomain.com or mydomain.com/portainer would be a better way to find the path.

therefore several methods could be used

  • traefik or nginx-proxy

It is a docker container, just run it and it will do the reverse proxy, domain based IIRC.
pro: it is easy for us, you even have a little UI
cons: we need to stop httpd running on 80 and 443 because it will be used by the proxy container.

  • apache reverse proxy

we could do our reverse proxy with apache

pro : we could use both web application (installed manually or by rpm) and web container
cons : we have an UI and a backend to do :smiley:

what a reverse proxy for containers needs

  • reverse /container or domain.com to localhost/TCPport
  • force https
  • restriction by IP access

well, now I’m listening to you

I tested this afternoon to get something workable with apache and docker. As a side note, it is not only relevant to docker: we might need it if you run, for example, a website in nginx or any application on a tcp port.

of course you have cons and pro with this method

  • cons
    all is manual, you must create it with the good docker port
    container ports must be statically set, else it might change with a dockerd restart

  • pro
    it is simple and all our web applications on apache could still run

drop a file in /etc/httpd/conf.d/vhost-proxy.conf, adapt your vhost name and the tcp port of your docker containers

# default SSL vhost (logging and MSIE workarounds only)
<VirtualHost *:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


# default plain-HTTP vhost
<VirtualHost *:80>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel warn

    IncludeOptional conf.d/default-virtualhost.inc

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

# first container: reverse proxy to the port published on 127.0.0.1:32770,
# reachable over HTTPS only and only from the 192.168.56.0/24 network
<VirtualHost *:443>
    ServerName apache.exemple.com
    SSLEngine On
    ProxyPass / http://127.0.0.1:32770/ retry=0
    ProxyPassReverse / http://127.0.0.1:32770/ retry=0
    <Location "/">
        <RequireAll>
        #Require all granted
        Require ip 192.168.56.0/24
        SSLRequireSSL
        </RequireAll>
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName apache.exemple.com

    # 20forcessl_redirect enabled
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]


    ProxyPass / http://127.0.0.1:32770/ retry=0
    ProxyPassReverse / http://127.0.0.1:32770/ retry=0
    <Location "/">
        <RequireAll>
        #Require all granted
        Require ip 192.168.56.0/24
        </RequireAll>
    </Location>
</VirtualHost>

# second container: same layout, port published on 127.0.0.1:32769
<VirtualHost *:443>
    ServerName apache2.exemple.com
    SSLEngine On
    ProxyPass / http://127.0.0.1:32769/ retry=0
    ProxyPassReverse / http://127.0.0.1:32769/ retry=0
    <Location "/">
        <RequireAll>
        Require ip 192.168.56.0/24
        SSLRequireSSL
        </RequireAll>
    </Location>
</VirtualHost>


<VirtualHost *:80>
    ServerName apache2.exemple.com

    # 20forcessl_redirect enabled
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

    ProxyPass / http://127.0.0.1:32769/ retry=5
    ProxyPassReverse / http://127.0.0.1:32769/ retry=5
    <Location "/">
        <RequireAll>
        Require ip 192.168.56.0/24
        </RequireAll>
    </Location>
</VirtualHost>

I don’t know if we can go in this direction, but at least it is not a loss of time for coding because it can help in other cases. We could do a UI with nethserver-proxypass and offer

  • Virtualhost to reverse
  • TCP port of docker container/application
  • force or not https
  • restrict or not networks
  • create dns entries for virtualhost like in the virtualhost panel ???
  • use a specific ssl certificate like in the virtualhost panel ???

what do you think @dev_team

1 Like

Yes I agree with you. Traefik does not fulfil the requirement of an UI to configure reverse proxy, so let’s go with an enhancement to the current package: nethserver-proxypass!

A nethserver-docker app can install a template or a .conf file, or generate an esmith DB record… Whatever method we’ll implement, the UI shouldn’t be required to modify the app config, just display it is enough.

Furthermore, if we use Apache as reverse proxy the container IP address must be assigned statically. This is a +1 for a central git repo for all docker-based apps of nethserver.

1 Like

Ok, just to let you know how the work on a Reverse proxy for virtualhost will be designed

  • UI

A specific panel will be done under the Gateway/Proxypass.
We want two tabs for path and vhost Reverse Proxy

fields will be

Virtualhost to reverse
TCP port of docker container/application
force or not https
restrict or not networks
create dns entries for virtualhost like in the virtualhost panel
use a specific ssl certificate like in the virtualhost panel
  • Templates

Template will be designed to be simple to add more settings by esmith::templates and MORE_DATA
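As an added example (not nethserver-proxypass or the esmith template code), the script below takes the proposed panel fields (virtualhost, TCP port, force https, restricted networks) plus the later additions (SSL backend, no certificate verification, ProxyPreserveHost) and renders the same vhost pair shown earlier in the thread, validating every input before it can land in httpd's configuration. The class and function names are the example's own; it assumes the container port is published on 127.0.0.1 so that only the proxy can reach it.

```python
"""Render an Apache reverse-proxy vhost pair from the proposed UI fields.

Example code written for this thread; it is not NethServer's own template.
Assumptions: the container publishes its port on 127.0.0.1 (backend_host),
and mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite are loaded.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# RFC 1123 style hostname: labels of letters, digits and hyphens, at least one dot
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I
)


@dataclass
class ReverseProxyVhost:
    server_name: str                  # "Virtualhost to reverse"
    port: int                         # "TCP port of docker container/application"
    force_https: bool = True          # "force or not https"
    allowed_networks: List[str] = field(default_factory=list)  # "restrict or not networks"
    backend_ssl: bool = False         # "reverse to a ssl proxy"
    verify_backend_cert: bool = True  # "no certificate verification of proxy"
    preserve_host: bool = False       # "ProxyPreserveHost On if wanted"
    backend_host: str = "127.0.0.1"   # assumption: port published on loopback only

    def validate(self) -> None:
        """Reject anything that could break or widen the generated config."""
        if not HOSTNAME_RE.match(self.server_name):
            raise ValueError(f"invalid ServerName: {self.server_name!r}")
        if not 1 <= self.port <= 65535:
            raise ValueError(f"invalid TCP port: {self.port}")
        for net in self.allowed_networks:
            ipaddress.ip_network(net, strict=False)  # ValueError on bad CIDR
        ipaddress.ip_address(self.backend_host)

    def _access_block(self) -> str:
        # No networks given: open to everyone; otherwise an explicit allow-list.
        if not self.allowed_networks:
            return '    <Location "/">\n        Require all granted\n    </Location>\n'
        rules = "\n".join(f"        Require ip {n}" for n in self.allowed_networks)
        return ('    <Location "/">\n        <RequireAll>\n'
                f"{rules}\n        </RequireAll>\n    </Location>\n")

    def _proxy_block(self) -> str:
        scheme = "https" if self.backend_ssl else "http"
        target = f"{scheme}://{self.backend_host}:{self.port}/"
        lines = []
        if self.preserve_host:
            lines.append("    ProxyPreserveHost On")
        if self.backend_ssl:
            lines.append("    SSLProxyEngine On")
            if not self.verify_backend_cert:
                # Only sensible for a self-signed backend on the local host.
                lines.append("    SSLProxyVerify none")
                lines.append("    SSLProxyCheckPeerCN off")
                lines.append("    SSLProxyCheckPeerName off")
        lines.append(f"    ProxyPass / {target} retry=0")
        lines.append(f"    ProxyPassReverse / {target}")
        return "\n".join(lines) + "\n"

    def render(self) -> str:
        """Return the :443 and :80 VirtualHost blocks as one httpd .conf fragment."""
        self.validate()
        https = (f"<VirtualHost *:443>\n    ServerName {self.server_name}\n"
                 "    SSLEngine On\n" + self._proxy_block() + self._access_block()
                 + "</VirtualHost>\n")
        http = f"<VirtualHost *:80>\n    ServerName {self.server_name}\n"
        if self.force_https:
            # Same redirect the thread's vhost uses; no ProxyPass on :80 is needed
            # because every request is sent to :443 first.
            http += ("    RewriteEngine On\n    RewriteCond %{HTTPS} !=on\n"
                     "    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]\n")
        else:
            http += self._proxy_block()
        http += self._access_block() + "</VirtualHost>\n"
        return https + "\n" + http


if __name__ == "__main__":
    # Constructed sample: portainer on TCP 9000, LAN-only, HTTPS enforced.
    print(ReverseProxyVhost("portainer.mydomain.com", 9000,
                            allowed_networks=["192.168.56.0/24"]).render())
```

The validation step matters because the same fields will arrive from a web form: a malformed CIDR or hostname would otherwise either fail `httpd -t` or, worse, silently grant access more widely than intended.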

the issue to track the development is https://github.com/NethServer/dev/issues/5454

2 Likes

Added more

  • reverse to a ssl proxy
  • no certificate verification of proxy
  • ProxyPreserveHost On if wanted
2 Likes

Really good! In the meantime, I saw you did a couple of bug fixes for nethserver-virtualhosts. As you’re granted write access to that repo, do you want to release nethserver-virtualhosts?

You need to install nethserver-mock somewhere (I installed it on my F27).

I also suggest generating a GPG key and adding it to your GitHub account, and configuring your git environment with

git config --global push.followTags true

Then follow carefully this procedure:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/building_rpms.html#creating-a-release-tag

2 Likes

I released for the first time in the Nethserver infra :sunglasses:

4 Likes

Just for the record, Nethbot can build packages and upload to NethForge too :wink:

1 Like

I would like to revive this topic. Currently I am running into exactly this feature: I would like to self host Discourse. The only supported way of installing Discourse is using their prepared Docker image.
My server is running NethServer (of course :wink: ) and since NethServer is using Apache, the known ports for http and https are already in use.
A reverse proxy could be an option to overcome this problem (or using an alternative port, but that is quite cumbersome and less ideal)
So… in order to make it possible to have docker based web applications, I would sure like to see this option available.

I think that podman will be the next game to play, this is a docker like, but without daemon directly run by the kernel (shoot if i am wrong).

We use to follow upstream, so this should be the next direction, but nethserver-docker is on testing, and got recently some updates, maybe you could test it ?

Saying that but not guilty for this, if a lot of people are willing to use docker and not podman, maybe we could make an exception to the nethserver mantra.

I still never understood why, but the worst operating system is also the most used… so even if docker is not the best way, it is also the most known and used.

1 Like

If Podman can run docker images I wouldn’t care if it is either Podman or Docker. If RH (in all their wisdom) decide to go for a non compatible instance, I’d say: stay with Docker, but that is just my opinion.

1 Like

I have a secret dream, podman could run docker containers, but I did not test it :smiley:
In fact podman IMO is not enough, you need an user interface, this is what portainer (which is also a docker container) is made for.

So if podman could run and be managed by portainer…for me it should not be a huge migration path…but for now it is just a dream, even if they wanted something like a clone

So… let’s be practical then: stay with Docker for now and when RH has made some progress of Podman, we can re-evaluate it.
For now I will fire up a new VM to test nethserver-docker.
(@stephdl, is there any documentation on nethserver-docker?)

1 Like

for now it is the readme on the github page https://github.com/NethServer/nethserver-docker

1 Like

I understand it is work-in-progress…: there is no button in applications to open portainer userinterface…

yep I thought first it was there…something trivial to do

Hi,
it probably does not belong here, but as you try to make portainer and Traefik like each other, maybe you can give some pieces away.

I try to manage docker container running behind Traefik from a portainer running on different server.
Is there anything I have to pay attention to?

Thank you
Stefan