Docker - Kuma Monitoring

Intro

got a hint to try a nice monitoring tool: Uptime Kuma. https://github.com/louislam/uptime-kuma

pre-condition

.env

we need a few variables; edit the "touch" section as needed and leave the rest alone.

cat << 'EOF' > .env
# touch
HOST="kuma"
DOMAIN="your.domain"
PORT=3001

# don't touch
SERVICE="${HOST}"
EOF

docker-compose.yml

… and the docker compose file …

cat << 'EOF' > docker-compose.yml
version: '3.3'

networks:
  traefik:
    external: true

services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: always
    volumes:
      - ./data_kuma:/app/data
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${SERVICE}.rule=Host(`${HOST}.${DOMAIN}`)"
      - "traefik.http.routers.${SERVICE}.tls=true"
      - "traefik.http.services.${SERVICE}.loadbalancer.server.port=${PORT}"
EOF

Run the Service

docker compose up

and wait at least 30 seconds, then open https://kuma.your.domain. If compose complains about a label, run docker compose config first: it renders the file with the .env values filled in, so a broken ${...} reference shows up before anything starts. Open the page right away and create the admin account: until that is done, anyone who reaches the URL can claim it.

Docker - Disk Cleanup

Docker Cleanup

if you play around with docker and fill up all your disk space, as I did, the following command cleans up a lot of wasted space, especially in the /var/lib/docker/overlay2 folder. Be aware of what --all --volumes --force does: it removes every image no container references and every unused volume (which can include the data of a stack you have merely stopped), without asking. Bind mounts like ./data_kuma above are not touched. Run docker system df first to see what would go, and leave out --volumes unless you mean it.

docker system prune --all --volumes --force

Result

...
yl6ajwpa4nyicajls7e8xhjwo
hveehb6rp5drucnmm7ti2rc5g
ot7dr6b4qpxcf2vaq1r23n56k
qk2qk4dq0nch1lnghozdazjq9
3uewt5kxbyhemx1q410qamha7

Total reclaimed space: 21.45GB

Any Comments ?

sha256: 9770f41e2df8df14a08f6cd1ae244f7dff98afbb0baa10f076c8897210b18c44

Docker - Traefik - Wildcard Subdomain

Intro

I was wondering if you can have wildcard certs for certain subdomains. The idea is to provide a service as "myservice.auth.your.domain", which always asks for authentication, while the same service as "myservice.whitelist.your.domain" is reachable only from some whitelisted IPs.

As Traefik can chain middlewares but does not implement conditional logic (if whitelisted -> ok, else do Basic Auth ...), I have to build another solution: two hostnames for the same service, each with its own middleware.

let’s have a look

Prepare Folders

cd /your/traefik/rootfolder
mkdir -p config/dynamic

.env File

we need two variables, so let’s put them in the .env File

Docker - Traefik - HugoBlog

Intro

as I'm playing with traefik & docker, why not duplicate this blog in a container? for fun and profit? let's give it a try …

pre-condition

docker compose

cat << 'EOF' > docker-compose.yml
version: '3'

services:
  hugo:
    image: jakejarvis/hugo-extended:latest
    ports:
      # Publishes the dev server on all host interfaces as well, bypassing Traefik and its TLS.
      # Traefik reaches the container over the shared network; if it does not pick up the port
      # itself, set the label traefik.http.services.hugo.loadbalancer.server.port=1313 instead.
      - 1313:1313
    volumes:
      - ./src:/src
    # hugo server is a development server, and --buildDrafts/--buildFuture publish unfinished
    # posts, so keep this behind the Traefik route and do not expose it further.
    command: server --buildDrafts --buildFuture --bind 0.0.0.0
    restart: always
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hugo.rule=Host(`testblog.norma.li`)"
      - "traefik.http.routers.hugo.tls=true"

networks:
  traefik:
    external: true
EOF

prepare hugo

which hugo || apt install hugo
hugo new site src
mkdir src/themes
git clone https://github.com/vimux/mainroad.git src/themes/mainroad

config.toml

cat << 'EOF' > src/config.toml
baseURL = "https://testblog.norma.li/"
languageCode = "en-us"
title = "My Brandnew Docker Traefik Hugo Blog ..."
theme = "mainroad"
EOF

docker up

docker compose up -d

Create Page

cd src
hugo new posts/hello.md
sed -i '/draft: true/d' content/posts/hello.md
echo -e "hello world :)\n" >> content/posts/hello.md

Access Page

https://testblog.norma.li

OpenBGPD - Upgrade Looking Glass

I'm running a BGP Looking Glass server on https://bgp.stoege.net, where you can get a view of BGP as seen from the global Internet.

Upgrade to 7.2

Did an upgrade to the latest version with my script.

The upgrade was successful, but the BGP service needed a fix. The website showed "500 Internal Server Error", and the logs had a few messages like this:

tail -f /var/log/messages

Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied

Reapply the Permissions

The upgrade reinstalls these files from the base sets, so the modes set up for the looking glass (the CGI readable by www, setuid ping and traceroute inside the httpd chroot) are lost and have to be applied again:

chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg

chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*
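To catch this before the next upgrade turns into a 500 again, here is a small check script. It is an added example, not part of the original post: it compares the symbolic mode of each file the post touches against the chmod values above (0550 -> -r-xr-x---, 0555 -> -r-xr-xr-x, 4555 -> -r-sr-xr-x). BGPLG_ROOT is a made-up variable so the same functions can be run against a scratch copy; it defaults to the /var/www paths from the post. Ownership (www:daemon on bgplg) is not checked here; ls -l shows it next to the mode anyway.

```sh
#!/bin/sh
# Added example: verify the bgplg file modes after an OpenBSD upgrade.
# BGPLG_ROOT is an assumption of this example, not something the post defines;
# it lets the check run against any directory that mirrors /var/www.
BGPLG_ROOT="${BGPLG_ROOT:-/var/www}"

# mode_of FILE -> prints the symbolic mode, e.g. "-r-sr-xr-x".
# ls(1) is used instead of stat(1) because stat's flags differ between OpenBSD and Linux;
# cut drops the ACL/SELinux marker GNU ls may append after the ten mode characters.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# expect_mode FILE MODESTRING -> 0 if the file has exactly that mode, 1 otherwise (mismatch on stderr).
expect_mode() {
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf '%s: want %s, have %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# check_bgplg -> checks every file the post reapplies permissions on;
# returns 0 when all match, otherwise the number of mismatches.
check_bgplg() {
    fails=0
    # 0550: the CGI must be executable by www but not world-readable
    expect_mode "$BGPLG_ROOT/cgi-bin/bgplg" '-r-xr-x---' || fails=$((fails + 1))
    # 0555: bgpctl is a plain executable inside the chroot
    expect_mode "$BGPLG_ROOT/bin/bgpctl" '-r-xr-xr-x' || fails=$((fails + 1))
    # 4555: ping/ping6/traceroute/traceroute6 need raw sockets, hence setuid
    for f in "$BGPLG_ROOT"/bin/ping* "$BGPLG_ROOT"/bin/traceroute*; do
        [ -e "$f" ] || continue
        expect_mode "$f" '-r-sr-xr-x' || fails=$((fails + 1))
    done
    return "$fails"
}
```

Run check_bgplg right after the upgrade (or from a cron job); a non-zero exit plus the "want/have" lines on stderr tells you exactly which file to fix.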

Check Service

$ curl --head "https://bgp.stoege.net/cgi-bin/bgplg"
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Type: text/html
Date: Fri, 21 Oct 2022 09:45:38 GMT
Server: OpenBSD httpd
Transfer-Encoding: chunked

and we’re back again …

OpenBSD 7.2

OpenBSD 7.2 finally released.

Yesterday, the 53rd release of OpenBSD was published, Version 7.2 (https://www.openbsd.org/72.html). I'll upgrade my boxes as usual with the following script. The most obvious change is the performance improvement for the package manager, but there is always more to see on undeadly.

Upgrade Guide

As usual, follow the official upgrade guide. You can upgrade with a USB stick, ISO image, PXE boot or inline (from a running system).

As with other Versions, i have my own upgrade Script for upgrading all my boxes. Use it at your own risk and test it somewhere before you do this on your productive environment.

Docker - Traefik - Wildcard Cert

Intro

TLS is a must, but do you want to generate a separate certificate for each service you provide? Especially when you have a *.domain.tld record set?

Traefik can handle that for you. Let's Encrypt allows DNS validation for wildcard domains, and Traefik automates the DNS verification for a list of providers.

Helpful URL

Full example with Docker Compose, Traefik and Digital Ocean

Prepare Env

cd /where/ever/you/want
mkdir data
touch data/acme.json
chmod 600 data/acme.json

acme.json holds your ACME account key and every private key Traefik obtains; Traefik refuses to use the file unless it is mode 600.

Variables

we need a few Variables. Let’s put them in a .env file and docker-compose will use them when called.

Docker - Traefik - Redirect

Simple (simple ???) redirect of all requests to another page. At least, it works … The regex matches the whole request URL and the replacement has no capture groups, so path and query are dropped; permanent=false makes it a 302 rather than a cached 301.

docker-compose.yml

  whoami5:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-regex.redirectregex.permanent=false"
      - "traefik.http.middlewares.redirect-regex.redirectregex.regex=(.)*"
      - "traefik.http.middlewares.redirect-regex.redirectregex.replacement=https://blog.stoege.net"
      - "traefik.http.routers.whoami5.middlewares=redirect-regex"
      - "traefik.http.routers.whoami5.rule=Host(`redirect.your.domain.de`)"
      - "traefik.http.routers.whoami5.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami5.tls=true"


Docker - Traefik - IPWhitelist

Whitelist IP Range

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, x.x.x.x/y"
      - "traefik.http.routers.whoami.middlewares=test-ipwhitelist@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

-> only "localhost" and source IPs in x.x.x.x/y can access this URL; everything else gets a 403. -> Disadvantage: labels are only read when the container is created, so the container has to be recreated (docker compose up -d) whenever the source range changes!

we can do this better :)

Move to File

you may want to put your IP ranges in a dedicated file (Traefik's file provider) and reference the middleware from there wherever it is needed. Traefik watches that file, so a changed range takes effect without recreating any container.
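The following is an added example, not code from the original posts, that covers both this "Move to File" idea and the two-hostname layout from the wildcard-subdomain post: one dynamic-configuration file for Traefik's file provider with an ipWhiteList middleware and a basicAuth middleware, and two routers for the same backend, one per middleware. Assumptions of the example: the static config already loads a file provider watching config/dynamic (the folder the wildcard-subdomain post creates); the backend is a container named myservice known to the docker provider (referenced cross-provider as myservice@docker); your.domain, the documentation range 203.0.113.0/24, the certresolver name letsencrypt and the usersFile path are placeholders to replace. Written in the page's own heredoc style as a function, CONFIG_DIR being a made-up variable so it can be pointed at a scratch directory.

```sh
#!/bin/sh
# Added example: write one Traefik file-provider config that gives the same service
# an IP-restricted hostname and a basic-auth hostname. CONFIG_DIR is an assumption
# of this example (defaults to the config/dynamic folder from the post).
CONFIG_DIR="${CONFIG_DIR:-config/dynamic}"

# write_access_rules [DOMAIN] -> writes $CONFIG_DIR/access.yml and prints its path.
# The heredoc is unquoted so ${domain} expands; the backticks in Host() are escaped
# so the shell does not treat them as command substitution.
write_access_rules() {
    domain="${1:-your.domain}"
    mkdir -p "$CONFIG_DIR"
    out="$CONFIG_DIR/access.yml"
    cat << EOF > "$out"
http:
  middlewares:
    # Allowed source ranges live here, not in container labels: Traefik re-reads this
    # file on change, so editing the list needs no container recreation.
    office-ips:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "203.0.113.0/24"
    # htpasswd-style users file (entries generated with htpasswd), kept separate from
    # the routing rules so credentials are not copied around with them.
    office-auth:
      basicAuth:
        usersFile: "/etc/traefik/users.htpasswd"

  routers:
    # Reachable only from the listed ranges; every other client gets a 403.
    myservice-whitelist:
      rule: "Host(\`myservice.whitelist.${domain}\`)"
      middlewares: ["office-ips"]
      service: "myservice@docker"
      tls:
        certResolver: letsencrypt
    # Reachable from anywhere, but every request must carry valid credentials.
    myservice-auth:
      rule: "Host(\`myservice.auth.${domain}\`)"
      middlewares: ["office-auth"]
      service: "myservice@docker"
      tls:
        certResolver: letsencrypt
EOF
    printf '%s\n' "$out"
}
```

Two caveats that matter for the whitelist side: the IP Traefik compares against sourceRange is the TCP peer address, so if another proxy or load balancer sits in front of Traefik you must set forwardedHeaders.trustedIPs on the entrypoint and an ipStrategy on the middleware, otherwise either every client shows up as the proxy's address or, worse, clients can pick their own X-Forwarded-For. And in Traefik v3 the middleware was renamed to ipAllowList; the v2 name above is what the posts' label syntax uses.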

Docker - Traefik - Stripprefix

Strip Prefix

Let's assume you have a URL "https://whoami.your.domain.de/removeme" and you want to get rid of the "removeme" before passing the request to the webserver. Stripprefix is your friend … (the stripped part is handed to the backend in the X-Forwarded-Prefix header, should it need to build links).

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/wegdamit,/removeme"
      - "traefik.http.routers.whoami.middlewares=test-stripprefix@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"
