Jordan edited this page Feb 22, 2024 · 7 revisions

Setting up Cloudflare's cloudflared

The following guide will help you set up cloudflared, Cloudflare's Zero Trust application tunnel service. It is typically used to secure internal applications with the Zero Trust authentication system, which can use Google or Microsoft authentication.

Another reason to use it is to expose applications from within your home network, where your service provider might block ports 80/443.

1. Sign up for Cloudflare

You'll need a Cloudflare account and a domain name set up on Cloudflare.

Ensure you have access to the Zero Trust section so that it's set up in your account.

2. Add cloudflared to docker-compose.yml

The cloudflared service needs to be configured in your docker-compose.yml file.

  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=mytokengoeshere

3. Configure Application on Cloudflare

This section still needs to be written up, but here's a quick guide:

https://fossengineer.com/selfhosting-cloudflared-tunnel-docker/

Setting up Traefik

This section still needs to be written up, but here's a quick guide.

1. Create Traefik Docker Instance

Create a directory called traefik and, inside it, create a file called docker-compose.yml with the following contents:

version: '3'

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/traefik/traefik.yml:/traefik.yml:ro
      - /srv/traefik/acme.json:/acme.json
      - /srv/traefik/logs:/var/log/traefik
      - /srv/traefik/configuration:/configuration
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      # This is the domain to use for traefik status interface
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
      # Generate the password hash using bcrypt - https://bcrypt-generator.com/
      # (the sample value below is an apr1/MD5 hash; every $ is doubled to $$ for docker-compose)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:$$apr1$$WysFYSH.$$Melp8/Th0Lam3B/LkiMVl."
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  traefik-proxy:
    external: true
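
The compose file above assumes three things already exist on the host: the external `traefik-proxy` network, an `acme.json` readable only by its owner (Traefik refuses to use it when the mode is wider than 600), and a basic-auth value with every `$` doubled. The helpers below are an added example, not part of the original wiki page; the function names are hypothetical and `htpasswd` (apache2-utils / httpd-tools) is assumed to be installed.

```bash
# Added example: host-side preparation for the Traefik compose file.

# Double every "$" so docker-compose does not treat it as variable interpolation.
compose_escape() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Create the ACME storage file with owner-only permissions without
# truncating an existing file that already holds certificates.
prepare_acme() {
  dir="$1"
  mkdir -p "$dir"
  ( umask 077 && : >> "$dir/acme.json" )
  chmod 600 "$dir/acme.json"
}

# Create the external network referenced by the compose files if it is missing.
ensure_network() {
  docker network inspect "$1" >/dev/null 2>&1 || docker network create "$1"
}

# Print a compose-ready "user:hash" value using a bcrypt hash generated
# locally, so the password never leaves the host. Prompts for the password.
basic_auth_label() {
  compose_escape "$(htpasswd -nB "$1")"
}

# Typical use before the first "docker-compose up -d":
#   ensure_network traefik-proxy
#   prepare_acme /srv/traefik
#   basic_auth_label admin   # paste the output after basicauth.users=
```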

2. Add Traefik labels to CRCON docker-compose.yml

Edit the docker-compose.yml for CRCON and add the following labels to the frontend service, under networks:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rcon.entrypoints=http"
      - "traefik.http.routers.rcon.rule=Host(`rcon.domain.com`)"
      - "traefik.http.middlewares.rcon-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.rcon.middlewares=rcon-https-redirect"
      - "traefik.http.routers.rcon-secure.entrypoints=https"
      - "traefik.http.routers.rcon-secure.rule=Host(`rcon.domain.com`)"
      - "traefik.http.routers.rcon-secure.tls=true"
      - "traefik.http.routers.rcon-secure.tls.certresolver=http"
      - "traefik.http.routers.rcon-secure.service=rcon"
      - "traefik.http.services.rcon.loadbalancer.server.port=80"
      - "traefik.docker.network=traefik-proxy"
      - "traefik.http.routers.stats.rule=Host(`stats.domain.com`)"
      - "traefik.http.middlewares.stats-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.stats.middlewares=stats-https-redirect"
      - "traefik.http.routers.stats-secure.entrypoints=https"
      - "traefik.http.routers.stats-secure.rule=Host(`stats.domain.com`)"
      - "traefik.http.routers.stats-secure.tls=true"
      - "traefik.http.routers.stats-secure.tls.certresolver=http"
      - "traefik.http.routers.stats-secure.service=stats"
      - "traefik.http.services.stats.loadbalancer.server.port=7010"
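
Label sets like this are usually assembled by copy and paste, so a router name left over from another service or a `service=` that points at nothing is easy to miss. The check below is an added example, not part of the original wiki page or of Traefik; `lint_traefik_labels` and the sample input are constructed for illustration.

```bash
# Constructed sample: one router name is left over from another service,
# and one router points at a service that is never defined.
sample_labels() {
  cat <<'EOF'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.rcon.rule=Host(`rcon.domain.com`)"
      - "traefik.http.routers.rcon.middlewares=rcon-https-redirect"
      - "traefik.http.routers.rcon-secure.entrypoints=https"
      - "traefik.http.routers.rcon-secure.rule=Host(`rcon.domain.com`)"
      - "traefik.http.routers.rcon-secure.service=rcon"
      - "traefik.http.services.rcon.loadbalancer.server.port=80"
      - "traefik.http.routers.stats-secure.rule=Host(`stats.domain.com`)"
      - "traefik.http.routers.stats-secure.service=stats"
EOF
}

# Read compose label lines on stdin and print one finding per line:
#   no-rule <router>            router has options but no .rule= label, so it
#                               falls back to the Docker provider's default rule
#   no-service <router> <svc>   router names a service not defined in these labels
lint_traefik_labels() {
  # Keep only quoted traefik.http.* labels; skip commented-out lines.
  labels=$(grep -v '^[[:space:]]*#' |
    sed -n 's/^[^"]*"\(traefik\.http\.[^"]*\)".*$/\1/p')
  routers=$(printf '%s\n' "$labels" |
    sed -n 's/^traefik\.http\.routers\.\([^.]*\)\..*/\1/p' | sort -u)
  for r in $routers; do
    printf '%s\n' "$labels" | grep -q "^traefik\.http\.routers\.$r\.rule=" ||
      echo "no-rule $r"
    svc=$(printf '%s\n' "$labels" |
      sed -n "s/^traefik\.http\.routers\.$r\.service=//p")
    case "$svc" in
      ''|*@*) ;;  # no service set, or one provided elsewhere (e.g. api@internal)
      *) printf '%s\n' "$labels" | grep -q "^traefik\.http\.services\.$svc\." ||
           echo "no-service $r $svc" ;;
    esac
  done
}

# Usage: sample_labels | lint_traefik_labels
```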

3. Add traefik-proxy network to frontend service

This ensures that Traefik can access the frontend Docker instance.

  frontend_1: &frontend
    image: ${FRONTEND_DOCKER_REPOSITORY}:${TAGGED_VERSION}
    ports:
      - ${RCONWEB_PORT}:80
      - ${RCONWEB_PORT_HTTPS}:443
      - ${PUBLIC_STATS_PORT}:81
      - ${PUBLIC_STATS_PORT_HTTPS}:444
    restart: always
    environment:
      RCONWEB_EXTERNAL_ADDRESS: ${RCONWEB_EXTERNAL_ADDRESS}
      HLL_HOST: ${HLL_HOST}
    volumes:
      - ./static:/static/
      - ./certs:/certs/      
    depends_on:
      backend_1:
        condition: service_healthy
    networks:
      - server1
      - traefik-proxy
      - common

4. Update Networks in docker-compose.yml

Find the networks section at the top of the docker-compose.yml file and add traefik-proxy

networks:
  server1:
  server2:
  server3:
  common:
  traefik-proxy:
    external: true
