{"id":21522766,"url":"https://github.com/poeschl/proxy-hosting-template","last_synced_at":"2025-03-17T17:24:57.766Z","repository":{"id":79397673,"uuid":"371094075","full_name":"Poeschl/proxy-hosting-template","owner":"Poeschl","description":"Template infrastructure for host monitoring and a reverse proxy with auth.","archived":false,"fork":false,"pushed_at":"2023-03-02T21:27:03.000Z","size":627,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-24T04:53:26.156Z","etag":null,"topics":["docker-compose","hosting","letsencrypt","monitoring","oauth2","prometheus","reverse-proxy","traefik-v2"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Poeschl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":"https://www.buymeacoffee.com/poeschl"}},"created_at":"2021-05-26T16:05:13.000Z","updated_at":"2023-08-20T12:07:35.000Z","dependencies_parsed_at":null,"dependency_job_id":"db2f7858-188e-40b9-8dbd-522f199c937d","html_url":"https://github.com/Poeschl/proxy-hosting-template","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Poeschl%2Fproxy-hosting-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Poeschl%2Fproxy-hosting-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Poeschl%2Fproxy-hosting-template/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Poeschl%2Fproxy-hosting-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Poeschl","download_url":"https://codeload.github.com/Poeschl/proxy-hosting-template/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244075960,"owners_count":20394031,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker-compose","hosting","letsencrypt","monitoring","oauth2","prometheus","reverse-proxy","traefik-v2"],"created_at":"2024-11-24T01:11:41.465Z","updated_at":"2025-03-17T17:24:57.745Z","avatar_url":"https://github.com/Poeschl.png","language":null,"funding_links":["https://www.buymeacoffee.com/poeschl"],"categories":[],"sub_categories":[],"readme":"# Proxy Hosting Template\n\nDuring setup for a new project of mine, I need to set up some infrastructure for host monitoring and a reverse proxy with auth.\nThis will all be realized in Docker to have as few dependencies as possible.\n\n( 💭 Better name pending.... 
)\n\n## Requirements on the system\n\nI will use that repository on Linux-based hosts and require a full docker and docker-compose installation on it.\nInstructions to install docker can be found [here](https://docs.docker.com/engine/install/#server).\n\nFor redirecting the glances container metrics from localhost inside the container network a very new feature is used.\nThis requires _docker version \u003e 20.10.0_ to be installed.\n\n## Endpoints\n\n🔒️ means it's authenticated with a Google login and the email whitelist.\n\n### Traefik\n\nPublic http port: `80`\n\nPublic https port: `443`\n\nTraefik Dashboard (🔒️): `https://\u003chost\u003e/traefik/dashboard/` (Don't forget the last slash)\n\nPing: `https://\u003chost\u003e/ping`\n\n### Grafana\n\nDashboards (🔒️): `https://\u003chost\u003e/grafana`\n\n## Architecture\n\n![Grafana Dashboard](assets/architecture.png)\n\nThe architecture includes [Glances](https://github.com/nicolargo/glances) to monitor the system conditions.\nIt offers a Prometheus interface which will be scraped by (obviously) Prometheus,\nwhich in turn is accessed by a Grafana installation that is available from the outside.\nTo allow access to the included services and others as well, Traefik manages the http(s) ports.\n\nIn this template Traefik authenticates the endpoints with Google auth.\n(Should be GitHub Auth, but that doesn't support whitelisting right now)\nSo when accessing protected services the user is asked to log in to their Google account first.\n\n## Traefik Setup\n\nAs reverse proxy [Traefik](https://doc.traefik.io/traefik/) is used.\nWith its label-based configuration it's easy to extend it to services outside of this repository.\n\n### Forward Auth\n\nWith a little companion container Traefik can protect any endpoint in a very easy way.\nThe auth middleware is named `google-auth` and can be used at any other endpoint.\nWhen used, access needs to be authenticated to proceed.\n\nThe internal dashboard is secured by it as well 
as Grafana via the `X-Forwarded-User` header.\n\n### Let's Encrypt\n\nFor Let's Encrypt certificates an email and a (sub)domain are required. Both need to be specified in the `.env` file.\nIf you don't want to use Let's Encrypt, remove all lines of the traefik service containing `letsencrypt`.\n\n### Include other services to Traefik\n\nTo include other docker containers in the reverse proxy, make sure those containers are in the `proxy` docker network.\nHint: when using multiple docker-compose files, create a global network, otherwise the containers can't communicate.\nAnd add these labels to the running container (code from Grafana as an example):\n\n```yaml\ntraefik.enable=true\ntraefik.http.routers.grafana.rule=PathPrefix(`/grafana`) # The rule needs to be adjusted to your needs. For more see https://doc.traefik.io/traefik/routing/routers/#rule\ntraefik.http.routers.grafana.entrypoints=websecure # This specifies that the container is available over the https entrypoint.\ntraefik.http.routers.grafana.middlewares=google-auth # This enables the forward authentication for the container. 
With it only authenticated users can access your service.\n\n```\nDon't forget to also change the router's name (the part after `routers.`).\n\nIf the other service is also executed by docker-compose it might make sense to use a `docker-compose.override.yaml` to apply some additional changes to the existing file.\nFor example, here is one of mine:\n\n```yaml\nversion: '3'\n\nservices:\n  database:\n    networks:\n      - internal\n\n  scrapy-do:\n    ports:\n      - 7654\n    networks:\n      - internal\n      - proxy\n\n    labels:\n      - 'traefik.enable=true'\n      - 'traefik.http.routers.scrapy.rule=Host(`some.host.xyz`)'\n      - 'traefik.http.routers.scrapy.priority=1'\n      - 'traefik.http.routers.scrapy.entrypoints=websecure'\n      - 'traefik.http.routers.scrapy.middlewares=google-auth,https-redirect'\n\n      - 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'\n      - 'traefik.http.middlewares.https-redirect.redirectscheme.permanent=true'\n\nnetworks:\n  internal:\n  proxy:\n    external: true\n```\n\n\n## Grafana\n\n![Grafana Dashboard](assets/grafana-sample.png)\n\nGrafana will be provisioned with Prometheus and a basic dashboard to monitor the host system and all running docker containers.\n\n## Configuration\n\nAll the configuration for secrets and options is contained in a `.env` file at the repository root folder.\nTo start your config use the `.env.sample` file, which contains all the used properties.\n\n## Disclaimer\n\nThe setup here is provided without any security warranty.\nMake sure for yourself that everything is secured and whitelisted users have the correct rights.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpoeschl%2Fproxy-hosting-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpoeschl%2Fproxy-hosting-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpoeschl%2Fproxy-hosting-template/lists"}