Blog: docker

How to Protect your sites Vouch Proxy, NGINX, Reverse Proxies with Docker Compose (Part 1)

2024-05-13 by Pablo Morales

This post was written in en

I've written in the past how to install Vouch Proxy using Debian. I also wrote a post a while ago where I dockerized my site and services. If it isn't obvious, I really like Vouch Proxy. It's simple and it met my needs.

I'm going to share how I setup the following services using Docker Compose:

  • Vouch Proxy Image without description
  • NGINX Reverse Proxy
  • Creating Reverse Proxies for your apps to be protected with Vouch Proxy. I will provide example services as use cases.

This post will divided into three (3) parts.

This guide, is recommended for those who have experience with Docker and Docker Compose. I will keep this simple for you to follow along if you don't have experience. When using Docker Compose and docker-compose.yml files, you are launching multiple containers at one time. When using a Dockerfile, one container is launched at a time.

We'll using a lot of environmental variables to configure our applications. It seems like a lot of work at first but you'll be happy that you did.

Let's Setup Docker Compose

Here is the docker compose we are going to use. I will break it down piece by piece as mentioned above.

services:
  nginx:
    container_name: nginx
    image: nginxproxy/nginx-proxy
    restart: unless-stopped
    ports:
        - 80:80
        - 443:443
    volumes:
        - /var/run/docker.sock:/tmp/docker.sock:ro
        - /var/docker/nginx/html:/usr/share/nginx/html
        - /var/docker/nginx/certs:/etc/nginx/certs
        - /var/docker/nginx/vhost:/etc/nginx/vhost.d
        - /var/docker/nginx/conf:/etc/nginx/conf.d
    logging:
        options:
            max-size: "10m"
            max-file: "3"
  letsencrypt-companion:
    container_name: letsencrypt-companion
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: unless-stopped
    volumes_from:
        - nginx
    volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - /var/docker/nginx/acme:/etc/acme.sh
    environment:
        DEFAULT_EMAIL: [email protected]
  mariadb:
    container_name: mariadb
    image: mariadb:latest
    command: --default-authentication-plugin=mysql_native_password
    environment:
      MYSQL_ROOT_PASSWORD: changeme
      MYSQL_DATABASE: kanboard
      MYSQL_USER: kanboard
      MYSQL_PASSWORD: changeme
    volumes:
      - mariadb:/var/lib/mysql:z
  vouch-proxy-auth:
    container_name: vp-proxy
    image: quay.io/vouch/vouch-proxy:alpine-latest
    ports:
      - 9090:9090
    volumes:
      - ./vouch-proxy-config:/config
    restart: always
    environment:
      VIRTUAL_HOST: your-domain.com
      LETSENCRYPT_HOST: your-domain.com
  grafana:
    container_name: grafana
    image: grafana/grafana:latest
    volumes:
      - ../plugins/:/etc/grafana/plugins/ # For locally developed plugins
      - ./grafana/provisioning/:/etc/grafana/provisioning/ # Automatically configure datasources
      - grafana_vol:/var/lib/grafana # Volume to persist configuration between restarts
    environment:
      - "GF_SECURITY_ADMIN_PASSWORD=pwd"
      - GF_USERS_ALLOW_SIGN_UP=FALSE
      - GF_USERS_AUTO_ASSIGN_ORG=TRUE
      - GF_USERS_AUTO_ASSIGN_ORG_ROLE=EDITOR
      - GF_AUTH_PROXY_ENABLED=true                  # Enable authentication via a proxy
      - GF_AUTH_PROXY_HEADER_NAME=X-Vouch-User   # Header that grafana will expect (do not change)
      - GF_AUTH_PROXY_HEADER_PROPERTY=email         # Either email or username depending on what will be in the token
      - GF_AUTH_PROXY_AUTO_SIGN_UP=false
      - GF_INSTALL_PLUGINS=grafana-azure-data-explorer-datasource # Auto install plugins from grafana.com
      - GF_SERVER_HTTP_PORT=3001
      - GF_SERVER_PROTOCOL=http
      - GF_SERVER_DOMAIN=grafana.domain.com
      - GF_SERVER_ROOT_URL=grafana.domain.com
      - GF_SERVER_SERVE_FROM_SUB_PATH=false
      - GF_SMTP_ENABLED=TRUE
      - "GF_SMTP_HOST=smtp.domain.com"
      - "GF_SMTP_USER=smtp-user"
      - GF_SMTP_PASSWORD=changeme
      - "[email protected]"
      - "GF_SMTP_FROM_NAME=Name of Grafana Instance"
      - "GF_SMTP_STARTTLS_POLICY=MANDATORYSTARTTLS" #may or may not need on needs
    expose:
      - 3001
  vp-proxy-graf:
    image: nginx:latest
    container_name: vp-proxy-graf
    environment:
      VIRTUAL_HOST: grafana.domain.com
      LETSENCRYPT_HOST: grafana.domain.com
    volumes:
      - ./prometheus-grafana/nginx/graf:/etc/nginx/conf.d
    ports:
      - 8081:80
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    restart: unless-stopped
    volumes:
      - ./prometheus-grafana/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
      - '--web.enable-lifecycle'
    expose:
      - 9091
  vp-proxy-prom:
    image: nginx:latest
    container_name: vp-proxy-prom
    environment:
      VIRTUAL_HOST: prometheus.domain.com
      LETSENCRYPT_HOST: prometheus.domain.com
    volumes:
      - ./prometheus-grafana/nginx/prom:/etc/nginx/conf.d
    ports:
      - 8082:80
  node-exporter:
    image: prom/node-exporter:latest
    container_name: node-exporter
    restart: unless-stopped
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.rootfs=/rootfs'
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    expose:
      - 9100
volumes:
  prometheus_data: {}
  grafana_vol:
  mariadb:
  prom_data:

We won't run the docker compose command yet. We don't have all the files and other steps needed to run it correctly

Setup Vouch Proxy Config

# Vouch Proxy configuration
# bare minimum to get Vouch Proxy running with google

vouch:
  logLevel: debug
  listen: 0.0.0.0

  domains:
    - your-base-domain.com
      #  vouch.cookie.domain: your-base-domain.com

  cookie:
    secure: true
    domain: your-base-domain.com


oauth:
  provider: google
  # get credentials from...
  # https://console.developers.google.com/apis/credentials
  client_id: your-client-id
  client_secret: your-client-secret
  # Google may require callback_urls (redirect URIs) to be 'https'
  callback_urls:
  - https://vouch.domain.com/auth
  preferredDomain: your-base-domain.com # be careful with this option, it may conflict with chrome on Android
  # endpoints are set from https://godoc.org/golang.org/x/oauth2/google

Dockerizing my website and services

2023-07-18 by Pablo Morales

This post was written in en

Image without description

This week I started using Docker (again). I have used it one or twice through out the years. My first time being in 2015. I was so opposed or timid in the use of using Docker. I was so used to doing things the "hard way" otherwise known as manual install. So My friend Mani, has been showing me his Kubernetes setup and talking about Docker. I thought it was pretty rad! Just the way things flowed and how easy it is to stop and start a container. This is something he has started for a while. I hope to become well versed in this.

This leads to what is mentioned in the title of this post. I am in the process of learning to understand containers, Kubernetes, miniKube, docker and how this all ties together. I'll start with Docker and learn Kubernetes side-by-side and hope to understand. The goal is to containerize all my websites and services to keep up with the times and become a better developer.

My first successful implementation of a docker container was, wait for it..... Can you guess what it is? If you guessed Image without description Vouch Proxy! You win an cookie πŸͺ! Hooray! For the record, not a browser cookie. Those are not tasty or pleasing.

It was pretty simple once I figured out how to run the commands to adjust to my needs. I used my existing configuration file for Vouch Proxy but with some redactions. So, if you are seeing this post, or signed into my website, vouch proxy is running on docker!

Next step is my website which runs on php and uses Datenstrom Yellow as the flat-file cms.

I am excited for this new phase of my developer life. I have so much to learn! Shout out to Mani for leading me in this direction.