Træfik¶

Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Most of the time SeAT is not going to be the only web application running on your Webserver. Therefore you need an orchestrator or proxy-server which handles sub-domains, ports, certificates etc. Here Træfik makes managing your webserver very easy, especially because it is docker aware and configures itself.

Installation¶

First create a new docker network:

docker network create web

Next, we need to create a directory on the server where we will store the Træfik configuration files. Once weh ave the directory ready we will also prepare the files Træfik will use.

# Create the directory
mkdir -p /opt/traefik

# Prepare the configuration files
touch /opt/traefik/docker-compose.yml
touch /opt/traefik/acme.json
touch /opt/traefik/traefik.toml

# Ensure the permissions on acme.json is secure
chmod 600 /opt/traefik/acme.json

Since we are going to run Træfik inside of a docker container, we need to create a docker-compose.yml inside the traefik directory. This file describes the configuration in a way traefik understands and lets us easily reconfigure it in the future: Open /opt/traefik/docker-compose.yml and add the following contents:

version: "3.2"
services:
  traefik:
    image: traefik:1.6.0-alpine
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    ports:
      - 80:80
      - 443:443
      # Uncomment Port 8080 if you plan to use Træfik's Dashboard
      #- 8080:8080
    #labels:
      #- traefik.frontend.rule=Host:{monitor.your.server}
      #- traefik.port=8080

    networks:
      - web
networks:
  web:
    external: true

Next you need to a edit the traefik.toml-file.

defaultEntryPoints = ["http", "https"]

[api]
#entrypoint="monitor"

[docker]
domain = "{your.domain}"
watch = true

[entryPoints]
 [entryPoints.http]
 address = ":80"
  [entryPoints.http.redirect]
  entryPoint = "https"
 [entryPoints.https]
 address = ":443"
  [entryPoints.https.tls]
 #[entryPoints.monitor] # Uncomment if you use the web dashboard
   #address=":8080"
   #[entryPoints.monitor.auth]
     #[entryPoints.monitor.auth.basic]
       #users = ["admin:{your_MD5_encrypted_PW}"] #replace the curly paranthesis with your MD5 encrypted PW


[acme]
 email = "{your.em@il.net}"
 storage = "acme.json"
 entryPoint = "https"
 onHostRule = true
 onDemand = false
  [acme.httpChallenge]
   entryPoint = "http"

After configuring both the docker-compose.yml and traefik.toml files (leaving the acme.json file empty), you should now ne able to start Træfik:

docker-compose up -d

Adapt SeAT's docker-compose.yml file to serve Træfik¶

By default, SeAT ships with ngnix as a web server. This web server exposes two ports to the web. We need to adapt the docker-compose.yml file inside SeAT's installation folder. Inside /opt/seat-docker add the comment character # to the ngnix sections like:

  nginx:
    image: eveseat/eveseat-nginx
    depends_on:
      - seat-app
    container_name: seat-nginx
    restart: always
    environment:
      - NGINX_HOST=${NGINX_HOST}
    volumes:
      - "seat-code:/var/www/seat"
      # Remove the comment below to enable nginx logs to disk.
      #- ./logs/nginx/:/var/log/nginx/
    #ports:
      #- "${NGINX_HTTP}:80"
      #- "${NGINX_HTTPS}:443"
    command: /bin/sh -c "envsubst '${NGINX_HOST}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
    labels:
        - "traefik.frontend.rule=Host:{seat.your.domain}"
        - "traefik.docker.network=web"
        - "traefik.port=80"
    networks:
      - seat-network
      - web

Next, add a new section to the existing networks section as follows:

networks:
    seat-network:
    web:
       external: true

For these changes to take affect, restart the stack with:

docker-compose up -d

Adapt Callback-URL to support https¶

After having setup Træfik, your application is now only available via https. Therefore you must adapt the ESI-Callback URL in .env in your SeAT-Docker folder and on the developers-portal.

Change ESI Callback on Developers¶

Browse to https://developers.eveonline.com/applications and select your Application (1) which you have created previously:

Select Update Details (2)

Change the callback url (3) to use https and confirm the changes and update app (4):

Update .env in Seat-Docker-Folder¶

Change directories to seat-docker:

cd /opt/seat-docker

Update the .env files parameters with the new callback-url:

EVE_CALLBACK_URL=https://seat.test/auth/eve/callback

For these changes to take affect, restart the stack with:

docker-compose up -d

Now you have a HTTPS only SeAT instance and a very state-of-the-art proxy server which you can also use to manage other applications such as discourse (the forum), tripwire or pathfinder.

Monitor Træfik Health¶

Træfik ships with a monitoring dashboard that includes metrics integration with prometheus. If you wish to take advantage of the web dashboard you need to uncomment the marked sections in the .toml and docker-compose.yml files for Træfik and set the password for the dashboard login.

!!!! info "Have you set a subdomain?" Remember to create an A record entry for the dashboard. For eg: monitor.{yourdomain.com}

The password hash format used by the dashboard is a 1000 thousand iteration MD5 sum. To generate such a password hash you need to install a helper utility first. On Ubuntu, this can be done with:

sudo apt-get install apache2-utils

Next, generate the password hash with htpasswd. Substitute secure_password with the password you'd like to use for the Træfik admin user:

htpasswd -nb admin secure_password

This command will output a hash similar to the below format:

admin:$apr1$ruca84Hq$mbjdMZBAG.KWn7vfN/SNK/

Take this output and replace the users = [admin:MD5Password] section in the Traefik .toml.