traefik configs with xnat for https and owner certs #89

Open
uaengr opened this issue Oct 26, 2022 · 3 comments
Comments

uaengr commented Oct 26, 2022

The configuration of traefik to use https is non-trivial. I would like to see a working example of XNAT+traefik+OwnCerts.
The setup we require needs XNAT to be secured via SSL certs served over https.

I considered dropping traefik and using nginx as a reverse proxy, but am unsure of the ramifications.

This should be easy, according to all the hype about traefik, but I am not able to get it working. Nor can I see where in the logs there are issues.

@cse-amarjeet commented

Hello @uaengr,
I also came across the same issue. Did you find any workaround for this issue?

I have an issue with using the features/dependency-mgmt branch for deployment. This branch uses Traefik, but I am unable to configure my own wildcard SSL certificate generated by GoDaddy. To work around this issue, I modified the docker-compose file to use port 443, mounted the certificate into the Traefik container, and changed the Traefik configuration. However, when I access the website from a browser, it uses the Traefik default certificate instead of my SSL certificate.

Please respond, any help would be greatly appreciated.

uaengr commented Mar 26, 2024

Amarjeet,
We implemented NGINX as the proxy method. Further, we completely abandoned the features/dependency-mgmt branch. We started with the main branch of https://github.com/NrgXnat/xnat-docker-compose.git and then modified it for our needs. So we never did get Traefik with our own certs working.

@chaddupuis commented

A little late here, but in case someone else comes across this. I'm in the process of rebuilding our setup, but we did have traefik working with our own local certs. It's lengthy (sorry), but here's how I set it up. fwiw, it was a while ago, but I remember the traefik settings being particularly difficult. It was also unclear (and still is) whether traefik.toml or traefik.yml is read, or in what precedence order, so I just left both in.

The xnat-traefik and xnat-web sections of my working docker compose:

  xnat-traefik:
    container_name: xnat-traefik
    image: "traefik:latest"   # unpinned: a major-version pull (v2 -> v3) changes rule and config syntax
    networks:
      - xnat-services
    restart: always
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker=true"
      # our local certs have to be from a "provider" 
      - "--providers.file.filename=/etc/traefik/our-ssl-certs.yml"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"   # publishes the Traefik API/dashboard, which traefik.yml below runs with insecure: true (no auth)
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # mount the volume containing certs
      - "/var/data/xnat/xnat-ssl-certs:/etc/certs/"
      # our ssl cert settings - needs to be in its own file
      - "./traefik/config/our-ssl-certs.yml:/etc/traefik/our-ssl-certs.yml"
      - "./traefik/config/traefik.yml:/etc/traefik/traefik.yml"
      - "./traefik-data/logs:/var/log"
    labels:
      - "traefik.enable=true"
      # global redirects for all hosts - may need to be more specific
      # {host:.*} is the v2 HostRegexp placeholder syntax; v3 expects a plain Go regexp here
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.*}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # following is standard from xnat
      - "traefik.http.middlewares.strip-routes.stripprefix.prefixes=/pacs"
      - "traefik.http.middlewares.service-redirect.redirectregex.regex=^(https|http)://([a-zA-Z0-9_.-]+)/([a-zA-Z0-9_.-]+)$$"
      - "traefik.http.middlewares.service-redirect.redirectregex.replacement=$${1}://$${2}/$${3}/"
      - "traefik.http.middlewares.append-slash-to-training.redirectregex.regex=^(.+/training/[^/]+)$$"
      - "traefik.http.middlewares.append-slash-to-training.redirectregex.replacement=$${1}/"
      - "traefik.http.routers.traefik_dash.rule=PathPrefix(`/dashboard`)"
      - "traefik.http.routers.traefik_dash.middlewares=service-redirect@docker,strip-routes@docker"
      - "traefik.http.services.traefik_dash.loadbalancer.server.port=8080"

  xnat-web:
    container_name: xnat-web
    image: xnat-web
    networks: [xnat-services]
    restart: always
    build:
      context: ./xnat
      args:
        XNAT_VERSION: "${XNAT_VERSION}"
        XNAT_SMTP_ENABLED: "${XNAT_SMTP_ENABLED}"
        XNAT_SMTP_HOSTNAME: "${XNAT_SMTP_HOSTNAME}"
        XNAT_SMTP_PORT: "${XNAT_SMTP_PORT}"
        XNAT_SMTP_AUTH: "${XNAT_SMTP_AUTH}"
        XNAT_SMTP_USERNAME: "${XNAT_SMTP_USERNAME}"
        XNAT_SMTP_PASSWORD: "${XNAT_SMTP_PASSWORD}"
        XNAT_DATASOURCE_DRIVER: "${XNAT_DATASOURCE_DRIVER}"
        XNAT_DATASOURCE_URL: "${XNAT_DATASOURCE_URL}"
        XNAT_DATASOURCE_USERNAME: "${XNAT_DATASOURCE_USERNAME}"
        XNAT_DATASOURCE_PASSWORD: "${XNAT_DATASOURCE_PASSWORD}"
        XNAT_ACTIVEMQ_URL: "${XNAT_ACTIVEMQ_URL}"
        XNAT_ACTIVEMQ_USERNAME: "${XNAT_ACTIVEMQ_USERNAME}"
        XNAT_ACTIVEMQ_PASSWORD: "${XNAT_ACTIVEMQ_PASSWORD}"
        XNAT_WEBAPP_FOLDER: "${XNAT_WEBAPP_FOLDER}"
        XNAT_ROOT: "${XNAT_ROOT}"
        XNAT_HOME: "${XNAT_HOME}"
        XNAT_EMAIL: "${XNAT_EMAIL}"
    expose:
      - 8080
    ports:
      - "8000:8000"   # JDWP debug port opened in CATALINA_OPTS below; reachable from outside the host
      - "8104:8104"
      - "8144:8144"
    labels:
      - "traefik.http.routers.xnat-web.entrypoints=websecure"
      - "traefik.http.routers.xnat-web.tls=true"
      - "traefik.http.routers.xnat-web.rule=PathPrefix(`/`)"
      - "traefik.http.services.xnat-web.loadbalancer.server.port=8080"
    volumes:
      - ./xnat-data/archive:/data/xnat/archive
      - ./xnat-data/prearchive:/data/xnat/prearchive
      - ./xnat-data/cache:/data/xnat/cache
      - ./xnat-data/pipeline:/data/xnat/pipeline
      - ./xnat-data/ftp:/data/xnat/ftp
      - ./xnat-data/build:/data/xnat/build
      - ./xnat-data/config:/data/xnat/home/config
      - ./xnat-data/logs:/data/xnat/home/logs
      - ./xnat-data/plugins:/data/xnat/home/plugins
      - ./xnat-data/auth:/data/xnat/home/config/auth
      # add ldap plugin and provider
      - ./plugin-properties/ldapus-provider.properties:/data/xnat/home/config/auth/ldapus-provider.properties
      - ./xnat-ldap-plugin-build/build/libs/xnat-ldap-auth-plugin-1.0.0.jar:/data/xnat/home/plugins/xnat-ldap-auth-plugin-1.0.0.jar
      # add xsync plugin build
      - ./xnat-xsync-plugin-build/xsync-plugin-all-1.5.0.jar:/data/xnat/home/plugins/xsync-plugin-all-1.5.0.jar      
      # added auth below for ldap plugin
      # some instructions say .../home/auth other /auth
      # working previously at /data/xnat/home/config/auth
      - ./xnat-data/webapps:/usr/local/tomcat/webapps
      - ./xnat-data/tomcat:/usr/local/tomcat/logs

      # read-write docker socket: anything that compromises xnat-web can start privileged containers, i.e. root on the host
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # -agentlib:jdwp with server=y binds an unauthenticated debugger (arbitrary code execution in the JVM) on 0.0.0.0:8000
      CATALINA_OPTS: "-Xms${XNAT_MIN_HEAP} -Xmx${XNAT_MAX_HEAP} -Dxnat.home=${XNAT_HOME} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8000"
      PGPASSWORD: "${XNAT_DATASOURCE_PASSWORD}"
      XNAT_HOME: "${XNAT_HOME}"

Then in traefik/config I have our-ssl-certs.yml, traefik.toml and traefik.yml as below:
our-ssl-certs.yml

tls:
  certificates:
    - certFile: /etc/certs/ourcert.edu.crt
      keyFile: /etc/certs/ourkey.edu.key

traefik.toml (don't think this is used)

# v1-style static keys (debug, logLevel, defaultEntryPoints, [retry], [docker]) mixed with a v2 tls block
debug = false

logLevel = "ERROR"
defaultEntryPoints = ["http"]

# add our certs - mounted at /etc/certs in custom docker compose
# (a certificate list is an array of tables: [[tls.certificates]], not [tls.certificates])
[[tls.certificates]]
  certFile = "/etc/certs/ourcert.edu.crt"
  keyFile = "/etc/certs/ourkey.edu.key"

[entryPoints]
  [entryPoints.http]
  address = ":80"

[retry]

[docker]
exposedByDefault = false

traefik.yml

## traefik.yml

# need entrypoint and redirections specified
entryPoints:
  web:
    address: :80
    http:
      # redirections left disabled here; the http-catchall router labels in docker compose do the redirect instead
#      redirections:
#        entryPoint:
#          to: websecure
#          scheme: https
#          permanent: true
  websecure:
    address: :443

# Docker configuration backend
# have to have "file" provider to serve ssl cert configuration
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.localhost`)"
  file:
    filename: /etc/traefik/our-ssl-certs.yml


# API and dashboard configuration
api:
  dashboard: true
  insecure: true   # serves the API and dashboard unauthenticated on :8080, which the compose file publishes to the host

log:
  level: INFO
  filePath: "/var/log/traefik.log"

accessLog:
  filePath: "/var/log/access.log"
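As an added example (not code from this thread or from the xnat-docker-compose project), here is how I would lay the same pieces out so that the custom certificate is the one actually served, the HTTP-to-HTTPS redirect lives in Traefik's static config, and the dashboard is no longer an unauthenticated port. It addresses both the "browser shows the Traefik default certificate" symptom above and the working setup posted above. Traefik v2 syntax throughout; the hostnames xnat.example.edu and traefik.example.edu, the dynamic.yml filename, the pinned image tag and the basic-auth placeholder are assumptions. The certificate paths are those from the post.

```yaml
# ---- /etc/traefik/traefik.yml : static configuration, read once at startup ----
entryPoints:
  web:
    address: ":80"
    http:
      redirections:                 # replaces the http-catchall router/middleware labels
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls: {}                       # every router on this entrypoint gets TLS

providers:
  docker:
    exposedByDefault: false         # route only containers labelled traefik.enable=true
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true                     # a rotated cert is reloaded without restarting Traefik

api:
  dashboard: true
  insecure: false                   # nothing listens raw on :8080; the dashboard is routed below

log:
  level: INFO
  filePath: /var/log/traefik.log
accessLog:
  filePath: /var/log/access.log

# ---- /etc/traefik/dynamic.yml : dynamic configuration, loaded by the file provider ----
# Certificates are dynamic configuration in Traefik v2, so the tls block belongs in a
# provider-served file, never in traefik.yml. Traefik picks a certificate by matching the
# client's SNI name against each certificate's SANs; with no match it serves its own
# self-signed "TRAEFIK DEFAULT CERT" unless a defaultCertificate is set.
tls:
  certificates:
    - certFile: /etc/certs/ourcert.edu.crt
      keyFile: /etc/certs/ourkey.edu.key
  stores:
    default:
      defaultCertificate:           # served for SNI names (or access by IP) matching no SAN
        certFile: /etc/certs/ourcert.edu.crt
        keyFile: /etc/certs/ourkey.edu.key
  options:
    default:
      minVersion: VersionTLS12
      # sniStrict: true             # stricter alternative: refuse handshakes with no matching SNI

http:
  routers:
    dashboard:
      rule: "Host(`traefik.example.edu`)"   # assumed hostname, covered by the (wildcard) cert above
      entryPoints: [websecure]
      service: api@internal         # Traefik's built-in API/dashboard service
      middlewares: [dashboard-auth]
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          # placeholder: replace with the output of  htpasswd -nB admin
          - "admin:$2y$05$REPLACE_WITH_BCRYPT_HASH"

# ---- docker-compose.yml excerpt: what changes on the two containers ----
services:
  xnat-traefik:
    image: "traefik:v2.11"          # pinned; "latest" may pull v3, whose rule syntax differs
    ports:
      - "80:80"
      - "443:443"                   # no "8080:8080": the API is no longer exposed unauthenticated
  xnat-web:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.xnat-web.rule=Host(`xnat.example.edu`)"   # assumed hostname
      - "traefik.http.routers.xnat-web.entrypoints=websecure"
      - "traefik.http.services.xnat-web.loadbalancer.server.port=8080"
```

To check which certificate Traefik is actually handing out for a given name, ask for it with the same SNI a browser would send: `openssl s_client -connect xnat.example.edu:443 -servername xnat.example.edu </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName`. A subject of `CN = TRAEFIK DEFAULT CERT` means either no certificate was loaded at all (tls block placed in the static file, a path not visible inside the container, or a key that does not match the cert; the Traefik log at startup says so) or the name you asked for is not among the certificate's SANs. With the defaultCertificate above set, the second case shows up as a browser hostname mismatch against your own certificate rather than as Traefik's self-signed one, which is a much more useful failure to debug.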
