Traefik Docker Wordpress Setup


buzzkillb

I really like this guide I found, so I am just rewriting pieces of it and adding some more stuff. It is a very good blog, so check it out.

https://tech.aufomm.com/2020/04/16/deploy-wordpress-with-docker-and-traefik-2/

Install Docker and docker-compose. Then we want to generate a hashed password for the Traefik panel.

sudo apt-get install apache2-utils

Then we get the user:hashedpassword like this:

htpasswd -nbB <USER> "<PASSWORD>"

Example for the above:

htpasswd -nbB admin "StrongPasswordHere"

Copy the output somewhere to use when setting up Traefik shortly.

Start setting up the system.

touch docker-compose.yml
mkdir data
mkdir data/configurations
touch data/traefik.yml
touch data/acme.json
touch data/configurations/dynamic.yml
chmod 600 data/acme.json

~/docker-compose.yml

Edit traefik.yourdomain to whatever subdomain you want to use to access the control panel, like traefik.example.com.

version: '3.3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      
networks:
  proxy:
    external: true

~/data/traefik.yml

Update your email address below.

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
              
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http
        
  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory 
      keyType: EC256
      httpChallenge:
        entryPoint: http

~/data/configurations/dynamic.yml

In the users: line, change the entry to your user:hashedpassword copied earlier.

# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000        
        
    user-auth:
      basicAuth:
        users:
          # Replace with your own user:hash line from htpasswd -nbB (bcrypt output starts with $2y$)
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
          
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

Now make a directory like ~/blog or ~/wordpressblog or something where your WordPress data folder will be stored. I will use ~/blog since that's pretty simple to type.

~/blog/docker-compose.yml

version: '3.7'

services:
  db:
    image: mariadb
    container_name: wp-db
    volumes:
      - db-data:/var/lib/mysql
    networks:
      - default
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: supersecretpassword
      MYSQL_DATABASE: db
      MYSQL_USER: dbuser
      MYSQL_PASSWORD: dbpassword

  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    container_name: wordpress
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: db
      WORDPRESS_DB_USER: dbuser
      WORDPRESS_DB_PASSWORD: dbpassword
    volumes:
      - ./wp-data:/var/www/html
    networks:
      - proxy
      - default
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.wordpress-secure.entrypoints=https"
      - "traefik.http.routers.wordpress-secure.rule=Host(`blog.yourdomain`)"
      # - "traefik.http.routers.wordpress-secure.service=wordpress-service"
      # - "traefik.http.services.wordpress-service.loadbalancer.server.port=80"

volumes:
  db-data:
    name: wp-db-data
networks:
  proxy:
    external: true

Change the passwords and usernames to whatever you want. Also change blog.yourdomain to your own hostname, for example blog.example.com.

The above will store your WordPress data folder in the same folder as docker-compose.yml.

The trick to adding a second WordPress is to make another folder like ~/blog2 and put the same docker-compose.yml in it. Then modify the container names, user, passwords, and the volumes: / db-data: / name to the new container name. Then modify this line per WordPress.

- "traefik.http.routers.wordpress-blog2-secure.rule=Host(`blog2.example.com`)"

Now to spin everything up. Go back to your ~/ directory and type

docker-compose up -d

We get a network error like this.

docker-compose up -d
ERROR: Network proxy declared as external, but could not be found. Please create the network manually using `docker network create proxy` and try again.

Create the network.

docker network create proxy

Run docker-compose again to start traefik.

docker-compose up -d

Now try your traefik subdomain.

Then spin up your docker-compose.yml in the blog folder.

docker-compose up -d

And that's it.
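
A pre-flight check for two steps above, the chmod 600 on data/acme.json and the htpasswd -nbB hash pasted into dynamic.yml. This is an added example, not part of the original post or the linked guide; the function names are hypothetical, and it assumes one basicAuth entry per line in the form shown in dynamic.yml.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the file layout used in this guide.

# Succeeds only if the ACME storage file is a regular file with mode 600.
# Traefik refuses to use acme.json when its permissions are more open.
check_acme_mode() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Prints "<user> <scheme>" for every basicAuth entry in a dynamic.yml,
# i.e. lines shaped like:   - "user:$2y$05$..."
auth_hash_schemes() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^:"]*\):\(\$[^$]*\$\).*/\1 \2/p' "$1" |
  while read -r user prefix; do
    case "$prefix" in
      '$2y$'|'$2a$'|'$2b$') echo "$user bcrypt" ;;    # what htpasswd -B emits
      '$apr1$')             echo "$user apr1-md5" ;;  # htpasswd default (MD5)
      *)                    echo "$user unknown" ;;
    esac
  done
}

# Succeeds only if at least one entry exists and every entry is bcrypt.
require_bcrypt() {
  local out
  out=$(auth_hash_schemes "$1")
  [ -n "$out" ] && ! printf '%s\n' "$out" | grep -qv ' bcrypt$'
}

# Run the checks when started from the directory that holds ./data.
if [ -f data/acme.json ] && [ -f data/configurations/dynamic.yml ]; then
  check_acme_mode data/acme.json || echo "WARN: data/acme.json is not mode 600"
  auth_hash_schemes data/configurations/dynamic.yml
  require_bcrypt data/configurations/dynamic.yml ||
    echo "WARN: basicAuth entry missing or not bcrypt; regenerate with htpasswd -nbB"
fi
```

Run against the dynamic.yml exactly as posted, it reports admin as apr1-md5, because the sample hash in the file is not the bcrypt format that htpasswd -nbB produces.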

 
