Note
Some screenshots show the backend of our sister company dogado. However, the steps shown can also be carried out in the easyname backend.
Overview
- System used: Debian 11 64-bit
- User account: I am performing all steps as ‘root’
- Duration: approx. 20–30 minutes. However, it may take longer for the DNS settings to take effect
- Difficulty: Easy. Just copy the code.
- Special notes:
  - Ports 80 and 443 must be free. No other services may be running on them.
1. Installing Traefik v2
1.1 Introduction
Ports 80 (HTTP) and 443 (HTTPS) can each be bound by only one service, so running a second web service would normally require a second server (VPS). Traefik acts as a reverse proxy in front of your services, which allows many of them, such as email, cloud storage and video conferencing, to run on a single server. A further advantage is that all connections that run via Traefik are secured using HTTPS.
Traefik is open-source and free in its basic version. This guide is based on this version. However, there is also an Enterprise version, which, for example, offers more options for scaling across multiple Traefik servers.
1.2 Preparation
This guide is based on the current Debian 11 operating system. We will set up Traefik using Docker. This will allow us to perform very quick updates later on, as well as easily integrate new services.
1.2.1 Installing Docker
So, first we’ll install Docker and Docker Compose. To do this, enter the following in the console:
apt-get update
apt-get install ca-certificates curl gnupg lsb-release
mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
We have now installed and configured everything we need for Docker. We can now install it very easily.
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
Now let’s check the installed version. To do this, simply enter the following command:
docker --version && docker compose version
1.2.2 Installing htpasswd
We need this programme to generate a secure password for our Traefik login. To install it, enter the following:
apt-get install apache2-utils
1.2.4 Creating the required files and directories
Now we’ll create the directory where Traefik will be installed later. To do this, enter the following command. You can, of course, change the directory. In this guide, I’ll always be working with this directory. You’ll need to take this into account accordingly.
mkdir -p /opt/containers/traefik
Next, we’ll create some files within this directory that will later store certificates for us.
mkdir -p /opt/containers/traefik/data
touch /opt/containers/traefik/data/acme.json
chmod 600 /opt/containers/traefik/data/acme.json
touch /opt/containers/traefik/data/traefik.yml
1.2.5 Information about YML files
With YML files, it is very important that all lines are correctly indented. Lines MUST always be indented using the space bar. They must NOT contain any tabs. You can always have the following code ‘checked’ online. Most errors are caused by incorrect formatting. One service for checking this is, for example: https://codebeautify.org/yaml-validator
1.3 Creating dynamic_conf.yml
This file specifies which parameters should be used for the ‘secure connection’ via HTTPS. We want a very good rating (A+) from SSL Labs. SSL Labs is a website for testing the security of your own website.
I always use ‘nano’ as my editor. You can install it using the following command
apt-get install nano
You can also use any other editor.
Now enter the following code into your console:
nano /opt/containers/traefik/data/dynamic_conf.yml
Now copy the following into the file:
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
1.4 Customise traefik.yml
In this step, we create an empty file, into which we will then enter some settings.
nano /opt/containers/traefik/data/traefik.yml
Now copy the following into this file:
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  http:
    acme:
      email: email@example.com #### enter your email address here ####
      storage: acme.json
      httpChallenge:
        entryPoint: http
You now need to enter your email address under ‘Email’. This is required for Let’s Encrypt. This is a free online service that provides you with valid HTTPS certificates (‘secure connection’).
1.5 Customise docker-compose.yml
Now we can begin the actual “installation” of Traefik. To do this, open the following file:
nano /opt/containers/traefik/docker-compose.yml
Now copy the following code into the file. This code is, so to speak, the blueprint for our Traefik container.
version: '3'
services:
  traefik:
    image: traefik:v2.11 # v2 release line, as used in this guide ("latest" no longer points to v2)
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "providers.file.filename=/dynamic_conf.yml"
      - "traefik.http.routers.traefik-secure.middlewares=secHeaders@file,traefik-auth"
networks:
  proxy:
    external: true
Now save the file and close your editor. We will now generate a username and password and then update the file with these details.
To generate a username and password, enter the following command:
echo $(htpasswd -nb user 'password') | sed -e s/\\$/\\$\\$/g
Here, you should replace “user” and “password” with your own username and password. It might look something like this:
echo $(htpasswd -nb dogado 'secret123') | sed -e s/\\$/\\$\\$/g
You should now see an output that looks something like this:
Output: dogado:$$apr1$$6SCsKdSF$$NrWj6Usie0LpPAIEj8H3Y0
Now copy this string and open our docker-compose file again.
nano /opt/containers/traefik/docker-compose.yml
Now paste your copied code here:
Before:
- "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
After:
- "traefik.http.middlewares.traefik-auth.basicauth.users=dogado:$$apr1$$6SCsKdSF$$NrWj6Usie0LpPAIEj8H3Y0"
You’ll also need to change the hostname. This is the name that Traefik will be accessible under later on.
Before:
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.com`)"
After:
- "traefik.http.routers.traefik.rule=Host(`traefik.euredomain.de`)"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.euredomain.de`)"
We’re almost done now.
1.6 Creating a Docker network
Finally, we just need to create a Docker network. This will be used later for the individual containers to communicate with Traefik. I’m calling this network “proxy”. You can use any other name, though. You’ll just need to adjust the instructions accordingly later on. To do this, enter the following code:
docker network create proxy
We’ve now got everything ready for the first start-up.
1.7 Uninstalling Apache2
The Debian 11 image we’re using already has an Apache2 server pre-installed. We’ll uninstall this, as we need ports 80 and 443 for Traefik. We’ll host all our websites via containers later on. To uninstall Apache2, enter the following:
apt-get remove apache2
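Before the first start, the prerequisites from this section can be checked locally. The following script is an added example, not part of the original guide: it checks that ports 80 and 443 are free, that acme.json has mode 600, that the three YAML files contain no tabs, and that the basicauth.users label holds an htpasswd entry with every `$` doubled. The script name preflight.sh and the function names are assumptions; `ss` (iproute2) and GNU `stat` are assumed to be available, as they are on Debian 11.

```shell
#!/bin/sh
# Added pre-flight check; not part of the original guide.
# Usage: sh preflight.sh /opt/containers/traefik   (file name is an assumption)

# YAML must be indented with spaces: pass only if the file exists and has no tab.
no_tabs() {
    [ -f "$1" ] && ! grep -q "$(printf '\t')" "$1"
}

# acme.json holds the certificate private keys; the guide sets mode 600.
acme_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# The basicauth.users label must carry a real htpasswd entry in which every
# "$" is doubled, because Compose treats a single "$" as variable interpolation.
hash_escaped() {
    line=$(grep 'basicauth.users=' "$1" 2>/dev/null) || return 1
    case "$line" in *USER:PASSWORD*) return 1 ;; esac
    # Remove each "$$" pair; any "$" that is left was not escaped.
    ! printf '%s\n' "$line" | sed 's/\$\$//g' | grep -q '\$'
}

# Ports 80 and 443 must be free: pass if no TCP listener is bound to port $1.
port_free() {
    [ -z "$(ss -Hltn "sport = :$1" 2>/dev/null)" ]
}

preflight() {
    base=$1; rc=0
    for p in 80 443; do
        port_free "$p" || { echo "FAIL: port $p is already in use"; rc=1; }
    done
    acme_mode_ok "$base/data/acme.json" ||
        { echo "FAIL: data/acme.json is missing or not mode 600"; rc=1; }
    for f in docker-compose.yml data/traefik.yml data/dynamic_conf.yml; do
        no_tabs "$base/$f" || { echo "FAIL: $f is missing or contains tabs"; rc=1; }
    done
    hash_escaped "$base/docker-compose.yml" ||
        { echo "FAIL: basicauth.users is a placeholder or has an unescaped \$"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready for the first start"
    return "$rc"
}

# Run only when a directory is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Because the check runs on the server itself, the compose file with the password hash does not have to be pasted into an online validator.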
2. Configure DNS settings
To ensure we can easily create subdomains in Traefik later (e.g. mail.yourdomain.com, cloud.yourdomain.com), we need to adjust the DNS settings.
To do this, log in to your customer account at easyname.at. Now click on ‘Domains’.
Then click on the pencil icon next to your domain to edit it.
Now select ‘DNS’. Then click on ‘Add DNS record’.
Now enter ‘*’ in the Name field and your server’s IP address in the Content field.
Then click on ‘Save’.
It may take several hours for these settings to be applied globally and become active.
3. Start Traefik
Now enter the following to start your Traefik container:
docker compose -f /opt/containers/traefik/docker-compose.yml up -d
Now go to your website in your web browser (e.g. traefik.yourdomain.com). After a few seconds, you should see the following:
Once you've logged in using the account details you've just created, it should look something like this.
4. Test the website's security
Now let’s go to the following website and see if we get the desired A+ rating: https://www.ssllabs.com/ssltest/
Enter your website here (e.g. traefik.yourdomain.com). It should now look like this:
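SSL Labs grades the TLS setup; the response headers set by the secHeaders middleware from section 1.3 can be checked separately on the command line. The following script is an added example, not part of the original guide: it evaluates a response-header dump against the HSTS, nosniff and frame-options values configured in dynamic_conf.yml. The function names are assumptions, and the headers are assumed to come from the dashboard host, the only router in this guide with secHeaders attached.

```shell
#!/bin/sh
# Added example; not part of the original guide. Checks a response-header dump
# against the values set by the secHeaders middleware in dynamic_conf.yml.

# Print the value of header $1 (name matched case-insensitively) found in $2.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v h="$1" '
        BEGIN { h = tolower(h) }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == h) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

check_sec_headers() {
    hdrs=$1; rc=0
    sts=$(header_value Strict-Transport-Security "$hdrs")
    # stsSeconds: 31536000 -> max-age must be at least one year.
    age=$(printf '%s\n' "$sts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 31536000 ] ||
        { echo "FAIL: HSTS max-age missing or too short"; rc=1; }
    # stsIncludeSubdomains / stsPreload -> both directives must be present.
    low=$(printf '%s' "$sts" | tr 'A-Z' 'a-z')
    for tok in includesubdomains preload; do
        case "$low" in *"$tok"*) ;; *) echo "FAIL: HSTS lacks $tok"; rc=1 ;; esac
    done
    # contentTypeNosniff: true
    [ "$(header_value X-Content-Type-Options "$hdrs")" = "nosniff" ] ||
        { echo "FAIL: X-Content-Type-Options is not nosniff"; rc=1; }
    # customFrameOptionsValue: "SAMEORIGIN"
    [ "$(header_value X-Frame-Options "$hdrs")" = "SAMEORIGIN" ] ||
        { echo "FAIL: X-Frame-Options is not SAMEORIGIN"; rc=1; }
    return "$rc"
}

# With a host name as argument, fetch the live headers and check them.
if [ "$#" -gt 0 ]; then check_sec_headers "$(curl -sI "https://$1")"; fi
```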