{"id":6,"date":"2018-09-30T19:33:00","date_gmt":"2018-09-30T19:33:00","guid":{"rendered":""},"modified":"2023-08-02T17:09:58","modified_gmt":"2023-08-02T17:09:58","slug":"docker-za-web-in-mail-strezbo","status":"publish","type":"post","link":"https:\/\/d-mashina.net\/index.php\/2018\/09\/30\/docker-za-web-in-mail-strezbo\/","title":{"rendered":"Docker for Web and Mail Hosting"},"content":{"rendered":"<div style=\"text-align: justify;\">\nFor quite some time I had wanted to build \/ set up a Linux server with Docker and run Docker containers on it for serving websites and e-mail. With this setup I have only one public IP address assigned on the server, so using one of the proxy pass servers is a must. And since the server is supposed to be a modern design, SSL certificates for the web and mail services are a must as well. After several attempts with different Linux distributions, different types of proxy pass servers and different types of mail servers, I decided to use the following products:<\/div>\n<div>\n<ul>\n<li>for the Linux distribution I used the latest Ubuntu LTS release, which I hardened appropriately<\/li>\n<ul>\n<li>with the UFW firewall<\/li>\n<li>the Fail2ban and DenyHosts packages<\/li>\n<li>Psad for intrusion detection and log file analysis<\/li>\n<li>and Lynis for reviewing weaknesses and analysing the whole system (I should mention here that I use Lynis Enterprise)<\/li>\n<\/ul>\n<\/ul>\n<\/div>\n<div>\n<ul>\n<li>for the proxy pass server, the original choice was Nginx in a container<\/li>\n<ul>\n<li>but because I wanted automation when creating new hosts, the ideal solution was Traefik, to which I also added support for Let\u2019s Encrypt SSL certificates<\/li>\n<\/ul>\n<li>for the mail system, likewise in a single stack in a container, I use a 
combination of<\/li>\n<ul>\n<li>Postfix<\/li>\n<li>Dovecot<\/li>\n<li>Rspamd<\/li>\n<li>PostfixAdmin<\/li>\n<li>and RainLoop for reading e-mail on the web<\/li>\n<\/ul>\n<\/ul>\n<\/div>\n<div>\n<ul>\n<li>for administering the system itself I use Portainer when something needs a few quick clicks, or the CLI for more demanding tasks.<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">\nThat is a rough description of the base system, on which I then simply \u201cdeploy\u201d, say, a WordPress container using Docker Compose, where a few lines have to be added to use Traefik and automate the proxy pass requests. An example Docker Compose file with Traefik for WordPress, plus Adminer for managing the MySQL database, looks like this:<\/div>\n<div>\n<\/div>\n<div>\n<blockquote><p>\nversion: &quot;3&quot;<br \/>networks:<br \/>&nbsp; proxy:<br \/>&nbsp; &nbsp; external: true<br \/>&nbsp; internal:<br \/>&nbsp; &nbsp; external: false<br \/>services:<br \/>&nbsp; blog:<br \/>&nbsp; &nbsp; image: wordpress:4.7.5-apache<br \/>&nbsp; &nbsp; environment:<br \/>&nbsp; &nbsp; &nbsp; WORDPRESS_DB_PASSWORD:<br \/>&nbsp; &nbsp; labels:<br \/>&nbsp; &nbsp; &nbsp; - traefik.backend=blog<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.rule=Host:www.enadomena.com<br \/>&nbsp; &nbsp; &nbsp; - traefik.docker.network=proxy<br \/>&nbsp; &nbsp; &nbsp; - traefik.port=80<br \/>&nbsp; &nbsp; networks:<br \/>&nbsp; &nbsp; &nbsp; - internal<br \/>&nbsp; &nbsp; &nbsp; - proxy<br \/>&nbsp; &nbsp; depends_on:<br \/>&nbsp; &nbsp; &nbsp; - mysql<br \/>&nbsp; mysql:<br \/>&nbsp; &nbsp; image: mysql:5.7<br \/>&nbsp; &nbsp; environment:<br \/>&nbsp; &nbsp; &nbsp; MYSQL_ROOT_PASSWORD:<br \/>&nbsp; &nbsp; networks:<br \/>&nbsp; &nbsp; &nbsp; - internal<br \/>&nbsp; &nbsp; labels:<br \/>&nbsp; &nbsp; &nbsp; - traefik.enable=false<br \/>&nbsp; adminer:<br \/>&nbsp; &nbsp; image: adminer:4.3.1-standalone<br \/>&nbsp; &nbsp; labels:<br 
\/>&nbsp; &nbsp; &nbsp; - traefik.backend=adminer<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.rule=Host:db-admin.enadomena.com<br \/>&nbsp; &nbsp; &nbsp; - traefik.docker.network=proxy<br \/>&nbsp; &nbsp; &nbsp; - traefik.port=8080<br \/>&nbsp; &nbsp; networks:<br \/>&nbsp; &nbsp; &nbsp; - internal<br \/>&nbsp; &nbsp; &nbsp; - proxy<br \/>&nbsp; &nbsp; depends_on:<br \/>&nbsp; &nbsp; &nbsp; - mysql<\/p><\/blockquote>\n<p><\/p>\n<div style=\"text-align: justify;\">\nThe important lines are those that begin with \u201c<b>traefik.<\/b>\u201d; with these we tell the proxy pass server to add the services to its routing automatically. Of course, blogs, web services and web serving also need to be properly protected, so we add entries such as the following to the labels section:<\/div>\n<p><\/p>\n<blockquote><p>\nlabels:<br \/>&nbsp; &nbsp; &nbsp; - traefik.backend=Nginx-Pro<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.rule=Host:www.enadomena.com,enadomena.com<br \/>&nbsp; &nbsp; &nbsp; - traefik.docker.network=proxy<br \/>&nbsp; &nbsp; &nbsp; - traefik.port=80<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.entryPoints=http,https<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.SSLRedirect=true<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.STSSeconds=315360000<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.STSIncludeSubdomains=true<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.STSPreload=true<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.frameDeny=true<br \/>&nbsp; &nbsp; &nbsp; - traefik.frontend.headers.browserXSSFilter=true<\/p><\/blockquote>\n<p>\nThis is simply a foundation on which to start building. 
I hope I have given someone an idea of how to do something; if anyone has an idea of how to improve it further, please write it in the comments.\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>For quite some time I had wanted to build \/ set up a Linux server with Docker and run Docker containers on it for serving websites and e-mail. With [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/6","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":1,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":243,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/6\/revisions\/243"}],"wp:attachment":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}