## Requirements
### Software
- Docker and Docker Compose
- Apache HTTPD 2.4
- Traefik v3.2
- Portainer CE
### Domain Configuration
Base domain: kabango.eu
Required subdomains:
- www.kabango.eu (main website)
- kabango.eu (redirects to www)
- traefik.kabango.eu (Traefik dashboard)
- portainer.kabango.eu (Portainer interface)
### Features
- Automatic HTTPS with Let's Encrypt
- HTTP to HTTPS redirect
- Secure management interfaces
- Path-based routing for special section
- Shared Docker network
- Container management via web interface
## Directory Structure
```
/data/docker/
├── traefik/
│ ├── docker-compose.yml
│ ├── traefik.yml
│ └── config/
│ └── users.txt
├── apache1/
│ ├── docker-compose.yml
│ └── html/
│ └── index.html
├── apache2/
│ ├── docker-compose.yml
│ └── html/
│ └── index.html
└── portainer/
├── docker-compose.yml
└── data/
```
## Configuration Files
### Traefik Static Configuration
```yaml
# /data/docker/traefik/traefik.yml
api:
dashboard: true
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
providers:
docker:
exposedByDefault: false
network: traefik-net
certificatesResolvers:
letsencrypt:
acme:
email: admin@kabango.eu
storage: /etc/traefik/acme/acme.json
httpChallenge:
entryPoint: web
log:
level: INFO
```
### Traefik Docker Compose
```yaml
# /data/docker/traefik/docker-compose.yml
services:
traefik:
image: traefik:v3.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- traefik-net
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./config:/etc/traefik/config
- acme:/etc/traefik/acme
labels:
- traefik.enable=true
- traefik.http.routers.dashboard.rule=Host(`traefik.kabango.eu`)
- traefik.http.routers.dashboard.service=api@internal
- traefik.http.routers.dashboard.middlewares=auth
- traefik.http.routers.dashboard.entrypoints=websecure
- traefik.http.routers.dashboard.tls.certresolver=letsencrypt
- traefik.http.middlewares.auth.basicauth.usersfile=/etc/traefik/config/users.txt
volumes:
acme:
networks:
traefik-net:
external: true
```
### Apache1 Docker Compose (Main Website)
```yaml
# /data/docker/apache1/docker-compose.yml
services:
apache1:
image: httpd:2.4
container_name: apache1
restart: unless-stopped
networks:
- traefik-net
volumes:
- ./html:/usr/local/apache2/htdocs
labels:
- traefik.enable=true
- traefik.http.routers.apache1.rule=Host(`kabango.eu`) || Host(`www.kabango.eu`)
- traefik.http.routers.apache1.entrypoints=websecure
- traefik.http.routers.apache1.tls.certresolver=letsencrypt
- traefik.http.services.apache1.loadbalancer.server.port=80
- traefik.http.middlewares.www-redirect.redirectregex.regex=^https://kabango.eu/(.*)
- traefik.http.middlewares.www-redirect.redirectregex.replacement=https://www.kabango.eu/$${1}
- traefik.http.routers.apache1.middlewares=www-redirect
networks:
traefik-net:
external: true
```
### Apache2 Docker Compose (Special Section)
```yaml
# /data/docker/apache2/docker-compose.yml
services:
apache2:
image: httpd:2.4
container_name: apache2
restart: unless-stopped
networks:
- traefik-net
volumes:
- ./html:/usr/local/apache2/htdocs
labels:
- traefik.enable=true
- traefik.http.routers.apache2.rule=Host(`kabango.eu`) && PathPrefix(`/special`) || Host(`www.kabango.eu`) && PathPrefix(`/special`)
- traefik.http.routers.apache2.entrypoints=websecure
- traefik.http.routers.apache2.tls.certresolver=letsencrypt
- traefik.http.services.apache2.loadbalancer.server.port=80
- traefik.http.middlewares.strip-special.stripprefix.prefixes=/special
- traefik.http.routers.apache2.middlewares=strip-special
networks:
traefik-net:
external: true
```
### Portainer Docker Compose
```yaml
# /data/docker/portainer/docker-compose.yml
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- traefik-net
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data:/data
labels:
- traefik.enable=true
- traefik.http.routers.portainer.rule=Host(`portainer.kabango.eu`)
- traefik.http.routers.portainer.entrypoints=websecure
- traefik.http.routers.portainer.tls.certresolver=letsencrypt
- traefik.http.services.portainer.loadbalancer.server.port=9000
networks:
traefik-net:
external: true
```
### Sample HTML Files
Main Website (apache1):
```html
Welcome to Kabango.eu
This is the main website.
Visit our special section.
```
Special Section (apache2):
```html
Special Section
This is the special section of Kabango.eu
```
## Installation Steps
1. Create Docker network:
```bash
docker network create traefik-net
```
2. Create required directories:
```bash
mkdir -p /data/docker/{traefik/config,apache1/html,apache2/html,portainer,portainer/data}
```
3. Create Traefik basic auth credentials:
```bash
htpasswd -nb admin secure_password > /data/docker/traefik/config/users.txt
```
4. Create configuration files:
- Copy all configuration files to their respective locations as shown above
- Ensure correct file permissions
5. Configure DNS:
Point these domains to your server's IP:
- kabango.eu
- www.kabango.eu
- traefik.kabango.eu
- portainer.kabango.eu
6. Start services in order:
```bash
cd /data/docker/traefik && docker compose up -d
cd /data/docker/apache1 && docker compose up -d
cd /data/docker/apache2 && docker compose up -d
cd /data/docker/portainer && docker compose up -d
```
## Access Points
After setup, the following services will be available:
- Main website: https://www.kabango.eu
- Special section: https://www.kabango.eu/special
- Traefik dashboard: https://traefik.kabango.eu (login: admin/secure_password)
- Portainer: https://portainer.kabango.eu (create admin account on first access)
## Security Notes
1. Docker Socket:
- The Docker socket (`/var/run/docker.sock`) is only mounted in containers that require it:
- Traefik: For container discovery
- Portainer: For Docker management
- Other containers don't need and shouldn't have access to the Docker socket
2. Authentication:
- Traefik dashboard is protected with basic authentication
- Portainer requires setting up an admin account on first access
- All management interfaces are only accessible via HTTPS
3. Network Security:
- Services communicate through an isolated Docker network
- Only necessary ports (80, 443) are exposed on the host
- Automatic redirection from HTTP to HTTPS
## Maintenance
### Updating Services
To update any service to the latest version:
```bash
cd /data/docker/
docker compose pull
docker compose up -d
```
### Viewing Logs
To view logs for any service:
```bash
cd /data/docker/
docker compose logs
```
Add `-f` flag to follow the logs:
```bash
docker compose logs -f
```
### Backup
Important directories to backup:
- `/data/docker/traefik/config` - Traefik configuration
- `/data/docker/apache1/html` - Main website content
- `/data/docker/apache2/html` - Special section content
- Portainer data volume - Container configurations
## Troubleshooting
1. Certificate Issues:
- Check Traefik logs for Let's Encrypt errors
- Verify DNS records are correct
- Ensure ports 80 and 443 are accessible
2. Routing Problems:
- Verify Traefik router rules in docker-compose labels
- Check if containers are in the correct network
- Inspect Traefik dashboard for routing status
3. Container Access:
- Use `docker compose ps` to check container status
- Verify network connectivity with `docker network inspect traefik-net`
- Check container logs for errors