
      How To Sync and Share Your Files with Seafile on Debian 9


      The author selected Electronic Frontier Foundation Inc to receive a donation as part of the Write for DOnations program.

      Introduction

      Seafile is an open-source, self-hosted, file synchronization and sharing platform. Users can store and optionally encrypt data on their own servers with storage space as the only limitation. With Seafile you can share files and folders using cross-platform syncing and password-protected links to files with expiration dates. A file-versioning feature means that users can restore deleted and modified files or folders.

      In this tutorial, you will install and configure Seafile on a Debian 9 server. You will use MariaDB (the default MySQL variant on Debian 9) to store data for the different components of Seafile, and Apache as the proxy server to handle the web traffic. After completing this tutorial, you will be able use the web interface to access Seafile from desktop or mobile clients, allowing you to sync and share your files with other users or groups on the server or with the public.

      Prerequisites

      Before you begin this guide, you’ll need the following:

      • One Debian 9 server with a minimum of 2GB of RAM set up by following this Initial Server Setup with Debian 9 tutorial, including a sudo non-root user and a firewall.
      • An Apache web server with a virtual host configured for the registered domain by following How To Install the Apache Web Server on Debian 9.
      • An SSL certificate installed on your server by following this How To Secure Apache with Let’s Encrypt on Debian 9 tutorial.
      • A fully registered domain name. This tutorial will use example.com throughout.
      • Both of the following DNS records set up for your server. You can follow this introduction to DigitalOcean DNS for details on how to add them.

        • An A record with example.com pointing to your server’s public IP address.
        • An A record with www.example.com pointing to your server’s public IP address.
      • A MariaDB database server installed and configured. Follow the steps in the How To Install MariaDB on Debian 9 tutorial. Skip Step 3 of this tutorial — “(Optional) Adjusting User Authentication and Privileges”. You will only be making local connections to the database server, so changing the authentication method for the root user is not necessary.

      Step 1 — Creating Databases for the Seafile Components

      Seafile requires three components in order to work properly. These three components are:

      • Seahub: Seafile’s web frontend, written in Python using the Django web framework. From Seahub you can access, manage, and share your files using a web browser.
      • Seafile server: The data service daemon that manages the raw file upload, download, and synchronization. You do not interact with the server directly, but use one of the client programs or the Seahub web interface.
      • Ccnet server: The RPC service daemon to enable internal communication between the different components of Seafile. For example, when you use Seahub, it is able to access data from the Seafile server using the Ccnet RPC service.

      Each of these components stores its data separately in its own database. In this step you will create the three MariaDB databases and a user before proceeding to set up the server.

      First, log in to the server using SSH with your username and IP address:

• ssh sammy@your_server_ip

Connect to the MariaDB database server as administrator (root):

• sudo mysql -u root

      At the MariaDB prompt, use the following SQL command to create the database user:

      • CREATE USER 'sammy'@'localhost' IDENTIFIED BY 'password';

      Next, you will create the following databases to store the data of the three Seafile components:

      • ccnet-db for the Ccnet server.
      • seahub-db for the Seahub web frontend.
      • seafile-db for the Seafile file server.

      At the MariaDB prompt, create your databases:

      • CREATE DATABASE `ccnet-db` CHARACTER SET = 'utf8';
      • CREATE DATABASE `seafile-db` CHARACTER SET = 'utf8';
      • CREATE DATABASE `seahub-db` CHARACTER SET = 'utf8';

      Then, grant all privileges to the Seafile database user to access and make changes in these databases:

      • GRANT ALL PRIVILEGES ON `ccnet-db`.* to `sammy`@localhost;
      • GRANT ALL PRIVILEGES ON `seafile-db`.* to `sammy`@localhost;
      • GRANT ALL PRIVILEGES ON `seahub-db`.* to `sammy`@localhost;

Exit the MariaDB prompt by typing exit:

• exit

      Now that you have created a user and the databases required to store the data for each of the Seafile components, you will install dependencies to download the Seafile server package.

      Step 2 — Installing Dependencies and Downloading Seafile

      Some parts of Seafile are written in Python and therefore require additional Python modules and programs to work. In this step, you will install these required dependencies before downloading and extracting the Seafile server package.

      To install the dependencies using apt run the following command:

      • sudo apt install python-setuptools python-pip python-urllib3 python-requests python-mysqldb ffmpeg

      The python-setuptools and python-pip dependencies oversee installing and managing Python packages. The python-urllib3 and python-requests packages make requests to websites. Finally, the python-mysqldb is a library for using MariaDB from Python and ffmpeg handles multimedia files.

      Seafile requires Pillow, a python library for image processing, and moviepy to handle movie file thumbnails. These modules are not available in the Debian package repository. You will install them manually using pip:

      • sudo pip install Pillow==4.3.0 moviepy

      Now that you have installed the necessary dependencies, you can download the Seafile server package.

Seafile creates additional directories during setup. To keep them all organized, create a new directory in your home directory and change into it:

• mkdir seafile
• cd seafile

      You can now download the latest version (6.3.4 as of this writing) of the Seafile server from the website by running the following command:

      • wget https://download.seadrive.org/seafile-server_6.3.4_x86-64.tar.gz

      Seafile distributes the download as a compressed tar archive, which means you will need to extract it before proceeding. Extract the archive using tar:

      • tar -zxvf seafile-server_6.3.4_x86-64.tar.gz

Now change into the extracted directory:

• cd seafile-server-6.3.4

      At this stage, you have downloaded and extracted the Seafile server package and have also installed the necessary dependencies. You are now ready to configure the Seafile server.

      Step 3 — Configuring the Seafile Server

Seafile needs some information about your setup before you start the services for the first time. This includes details like the domain name, the database configuration, and the path where it will store data. To initiate the series of question prompts to provide this information, you can run the script setup-seafile-mysql.sh, which is included in the archive you extracted in the previous step.

      Run the script using bash:

      • bash setup-seafile-mysql.sh

      Press ENTER to continue.

      The script will now prompt you with a series of questions. Wherever defaults are mentioned, pressing the ENTER key will use that value.

      This tutorial uses Seafile as the server name, but you can change it if necessary.

      Question 1
      
      What is the name of the server?
      It will be displayed on the client. 3 - 15 letters or digits
      [ server name ] Seafile
      

      Enter the domain name for this Seafile instance.

      Question 2
      
      What is the ip or domain of the server?.
      For example: www.mycompany.com, 192.168.1.101
      [ This server's ip or domain ] example.com
      

      For Question 3 press ENTER to accept the default value. If you have set up external storage, for example, using NFS or block storage, you will need to specify the path to that location here instead.

      Question 3
      
      Where do you want to put your seafile data?
      Please use a volume with enough free space
      [ default "/home/sammy/seafile/seafile-data" ]
      

      For Question 4 press ENTER to accept the default value.

      Question 4
      
      Which port do you want to use for the seafile fileserver?
      [ default "8082" ]
      

      The next prompt allows you to confirm the database configuration. You can create new databases or use existing databases for setup. For this tutorial you have created the necessary databases in Step 1, so select option 2 here.

      -------------------------------------------------------
      Please choose a way to initialize seafile databases:
      -------------------------------------------------------
      
      [1] Create new ccnet/seafile/seahub databases
      [2] Use existing ccnet/seafile/seahub databases
      
      [ 1 or 2 ] 2
      

      Questions 6–9 relate to the MariaDB database server. You will only need to provide the username and password of the mysql user that you created in Step 1. Press ENTER to accept the default values for host and port.

      
      What is the host of mysql server?
      
      [ default "localhost" ]
      
      What is the port of mysql server?
      
      [ default "3306" ]
      
      Which mysql user to use for seafile?
      
      [ mysql user for seafile ] sammy
      
      What is the password for mysql user "seafile"?
      
      [ password for seafile ] password
      

      After providing the password, the script will request the names of the Seafile databases. Use ccnet-db, seafile-db, and seahub-db for this tutorial. The script will then verify if there is a successful connection to the databases before proceeding to display a summary of the initial configuration.

      Enter the existing database name for ccnet:
      [ ccnet database ] ccnet-db
      
      verifying user "sammy" access to database ccnet-db ...  done
      
      Enter the existing database name for seafile:
      [ seafile database ] seafile-db
      
      verifying user "sammy" access to database seafile-db ...  done
      
      Enter the existing database name for seahub:
      [ seahub database ] seahub-db
      
      verifying user "sammy" access to database seahub-db ...  done
      
      ---------------------------------
      This is your configuration
      ---------------------------------
      
          server name:            Seafile
          server ip/domain:       example.com
      
          seafile data dir:       /home/sammy/seafile/seafile-data
          fileserver port:        8082
      
          database:               use existing
          ccnet database:         ccnet-db
          seafile database:       seafile-db
          seahub database:        seahub-db
          database user:          sammy
      
      --------------------------------
      Press ENTER to continue, or Ctrl-C to abort
      ---------------------------------
      

      Press ENTER to confirm.

      Output

Generating ccnet configuration ... done
Successly create configuration dir /home/sammy/seafile/ccnet.
Generating seafile configuration ... done
Generating seahub configuration ...

----------------------------------------
Now creating seahub database tables ...

----------------------------------------
creating seafile-server-latest symbolic link ... done

-----------------------------------------------------------------
Your seafile server configuration has been finished successfully.
-----------------------------------------------------------------

run seafile server:     ./seafile.sh { start | stop | restart }
run seahub  server:     ./seahub.sh  { start <port> | stop | restart <port> }

-----------------------------------------------------------------
If you are behind a firewall, remember to allow input/output of these tcp ports:
-----------------------------------------------------------------

port of seafile fileserver:   8082
port of seahub:               8000

When problems occur, Refer to
        https://github.com/haiwen/seafile/wiki
for information.

      As you will be running Seafile behind Apache, opening ports 8082 and 8000 in the firewall is not necessary, so you can ignore this part of the output.

      You have completed the initial configuration of the server. In the next step, you will configure the Apache web server before starting the Seafile services.

      Step 4 — Configuring the Apache Web Server

      In this step, you will configure the Apache web server to forward all requests to Seafile. Using Apache in this manner allows you to use a URL without a port number, enable HTTPS connections to Seafile, and make use of the caching functionality that Apache provides for better performance.

To begin forwarding requests, you will need to enable the proxy_http module in the Apache configuration. This module provides features for proxying HTTP and HTTPS requests. The following command will enable the module:

• sudo a2enmod proxy_http

      Note: The Apache rewrite and ssl modules are also required for this setup. You have already enabled these modules as part of configuring Let's Encrypt in the second Apache tutorial listed in the prerequisites section.

      Next, update the virtual host configuration of example.com to forward requests to the Seafile file server and to the Seahub web interface.

      Open the configuration file in a text editor:

      • sudo nano /etc/apache2/sites-enabled/example.com-le-ssl.conf

The lines from ServerAdmin to SSLCertificateKeyFile are part of the initial Apache and Let's Encrypt configuration that you set up as part of the prerequisites. Add the following content, beginning at Alias and ending with the last ProxyPassReverse directive:

      /etc/apache2/sites-enabled/example.com-le-ssl.conf

      
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
          ServerAdmin admin@example.com
          ServerName example.com
          ServerAlias www.example.com
          DocumentRoot /var/www/example.com/html
          ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
          CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
      
          Include /etc/letsencrypt/options-ssl-apache.conf
          SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
          SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
      
          Alias /media  /home/sammy/seafile/seafile-server-latest/seahub/media
          <Location /media>
              Require all granted
          </Location>
      
          # seafile fileserver
          ProxyPass /seafhttp http://127.0.0.1:8082
          ProxyPassReverse /seafhttp http://127.0.0.1:8082
          RewriteEngine On
          RewriteRule ^/seafhttp - [QSA,L]
      
          # seahub web interface
          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
          ProxyPass / http://127.0.0.1:8000/
          ProxyPassReverse / http://127.0.0.1:8000/
      </VirtualHost>
      </IfModule>
      

The Alias directive maps the URL path example.com/media to a local path in the file system that Seafile uses. The following Location directive enables access to content in this directory. The ProxyPass and ProxyPassReverse directives make Apache act as a reverse proxy for this host, forwarding requests to / and /seafhttp to the Seafile web interface and file server running on localhost ports 8000 and 8082 respectively. The RewriteRule directive passes all requests to /seafhttp unchanged and stops processing further rules ([QSA,L]).

      Save and exit the file.

      Test if there are any syntax errors in the virtual host configuration:

      • sudo apache2ctl configtest

      If it reports Syntax OK, then there are no issues with your configuration. Restart Apache for the changes to take effect:

      • sudo systemctl restart apache2

      You have now configured Apache to act as a reverse proxy for the Seafile file server and Seahub. Next, you will update the URLs in Seafile's configuration before starting the services.

      Step 5 — Updating Seafile's Configuration and Starting Services

      As you are now using Apache to proxy all requests to Seafile, you will need to update the URLs in Seafile's configuration files in the conf directory using a text editor before you start the Seafile service.

      Open ccnet.conf in a text editor:

      • nano /home/sammy/seafile/conf/ccnet.conf

      Modify the SERVICE_URL setting in the file to point to the new HTTPS URL without the port number, for example:

      Update /home/sammy/seafile/conf/ccnet.conf

      SERVICE_URL = https://example.com
      

      Save and exit the file once you have added the content.

      Now open seahub_settings.py in a text editor:

      • nano /home/sammy/seafile/conf/seahub_settings.py

      You can now add a FILE_SERVER_ROOT setting in the file to specify the path where the file server is listening for file uploads and downloads:

      Update /home/sammy/seafile/conf/seahub_settings.py

      # -*- coding: utf-8 -*-
      SECRET_KEY = "..."
      FILE_SERVER_ROOT = 'https://example.com/seafhttp'
      # ...
      

      Save and exit seahub_settings.py.

      Now you can start the Seafile service and the Seahub interface:

      • cd /home/sammy/seafile/seafile-server-6.3.4
      • ./seafile.sh start
      • ./seahub.sh start

      As this is the first time you have started the Seahub service, it will prompt you to create an admin account. Enter a valid email address and a password for this admin user:

      Output

What is the email for the admin account?
[ admin email ] admin@example.com

What is the password for the admin account?
[ admin password ] password-here

Enter the password again:
[ admin password again ] password-here

----------------------------------------
Successfully created seafile admin
----------------------------------------

Seahub is started

Done.

      Open https://example.com in a web browser and log in using your Seafile admin email address and password.

      Login screen of the Seafile web interface

      Once logged in successfully, you can access the admin interface or create new users.
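The Apache configuration above forwards to 127.0.0.1:8000 and 127.0.0.1:8082, so nothing except the local proxy should be able to reach Seahub or the file server directly. The following shell check is an added example, not part of Seafile or the original tutorial: it parses `ss -ltn` output and reports either backend port when it is bound to an address other than loopback. The sample listener table embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added check: report Seafile backend ports that listen beyond loopback.
# Assumes the tutorial's ports (8000 for Seahub, 8082 for the file server)
# and that only Apache on the same host should talk to them.

SEAFILE_BACKEND_PORTS="${SEAFILE_BACKEND_PORTS:-8000 8082}"

# Reads `ss -ltn` style output on stdin and prints "addr port" for every
# backend listener that is NOT bound to 127.x.x.x or [::1].
# Returns 0 when nothing is exposed, 1 otherwise.
exposed_backend_listeners() {
    awk -v ports="$SEAFILE_BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 != "LISTEN" { next }                      # skips the header too
        {
            m = split($4, parts, ":")                # "addr:port", IPv6 in []
            port = parts[m]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in want)) next                # not a Seafile backend
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            print addr, port
            exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }'
}

# Wrapper for a live host: run this on the server after the services start.
check_seafile_listeners() {
    ss -ltn | exposed_backend_listeners
}

# Constructed `ss -ltn` output for the demo (not captured from a real host):
# Seahub is correctly on loopback, the file server is wide open on 8082.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8082        0.0.0.0:*
LISTEN 0      128    *:443               *:*
LISTEN 0      128    [::1]:8000          [::]:*'

# Runs the check over the sample; prints "0.0.0.0 8082" and returns 1.
demo_on_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_backend_listeners
}
```

Any line `check_seafile_listeners` prints is a backend reachable without going through Apache, which the firewall from the prerequisites should block.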

      Now that you have verified the web interface is working correctly, you can enable these services to start automatically at system boot in the next step.

      Step 6 — Enabling the Seafile Server to Start at System Boot

      To enable the file server and the web interface to start automatically at boot, you can create the respective systemd service files and activate them.

      Create a systemd service file for the Seafile file server:

      • sudo nano /etc/systemd/system/seafile.service

      Add the following content to the file:

      Create /etc/systemd/system/seafile.service

      [Unit]
      Description=Seafile
      After=network.target mysql.service
      
      [Service]
      Type=forking
      ExecStart=/home/sammy/seafile/seafile-server-latest/seafile.sh start
      ExecStop=/home/sammy/seafile/seafile-server-latest/seafile.sh stop
      User=sammy
      Group=sammy
      
      [Install]
      WantedBy=multi-user.target
      

Here, the ExecStart and ExecStop lines indicate the commands that run to start and stop the Seafile service. The service will run with sammy as the User and Group. The After line specifies that the Seafile service will start only after the networking and MariaDB services have started.

      Save seafile.service and exit.

      Create a systemd service file for the Seahub web interface:

      • sudo nano /etc/systemd/system/seahub.service

      This is similar to the Seafile service. The only difference is that the web interface is started after the Seafile service. Add the following content to this file:

      Create /etc/systemd/system/seahub.service

      [Unit]
      Description=Seafile hub
      After=network.target seafile.service
      
      [Service]
      Type=forking
      ExecStart=/home/sammy/seafile/seafile-server-latest/seahub.sh start
      ExecStop=/home/sammy/seafile/seafile-server-latest/seahub.sh stop
      User=sammy
      Group=sammy
      
      [Install]
      WantedBy=multi-user.target
      

      Save seahub.service and exit.

      You can learn more about systemd unit files in the Understanding Systemd Units and Unit Files tutorial.

      Finally, to enable both the Seafile and Seahub services to start automatically at boot, run the following commands:

      • sudo systemctl enable seafile.service
      • sudo systemctl enable seahub.service

      When the server is rebooted, Seafile will start automatically.

      At this point, you have completed setting up the server, and can now test each of the services.

      Step 7 — Testing File Syncing and Sharing Functionality

In this step, you will test the file synchronization and sharing functionality of the server you have set up and ensure both are working correctly. To do this, you will need to install the Seafile client program on a separate computer and/or a mobile device.

Visit the download page on the Seafile website and follow the instructions to install the latest version of the program on your computer. Seafile clients are available for the various distributions of Linux (Ubuntu, Debian, Fedora, CentOS/RHEL, Arch Linux), macOS, and Windows. Mobile clients are available for Android and iPhone/iPad devices from the respective app stores.

      Once you have installed the Seafile client, you can test the file synchronization and sharing functionality.

      Open the Seafile client program on your computer or device. Accept the default location for the Seafile folder and click Next.

      In the next window, enter the server address, username, and password, then click Login.

At the home page, right-click on My Library and click Sync this library. Accept the default value for the location on your computer or device.

      Seafile client — Sync the default library

      Add a file, for example a document or a photo, into the My Library folder. After some time, the file will upload to the server. The following screenshot shows the file photo.jpg copied to the My Library folder.

      Add a file to the default library from the computer

      Now, log in to the web interface at https://example.com and verify that your file is present on the server.

      My Library page to verify file sync

      Click on Share next to the file to generate a download link for this file that you can share.

      You have verified that the file synchronization is working correctly and that you can use Seafile to sync and share files and folders from multiple devices.

      Conclusion

      In this tutorial you set up a private instance of a Seafile server. Now you can start using the server to synchronize files, add users and groups, and share files between them or with the public without relying on an external service.

      When a new release of the server is available, please consult the upgrade section of the manual for steps to perform an upgrade.




      How To Install YunoHost on Debian 9


      The author selected the Mozilla Foundation to receive a donation as part of the Write for DOnations program.

      Introduction

      YunoHost is an open-source platform that facilitates the seamless installation and configuration of self-hosted web applications, including webmail clients, password managers, and even WordPress sites. Self-hosting webmail and other applications provides privacy and control over your personal information. YunoHost allows you to configure settings, create users, and self-host your own applications from its graphical user interface. A marketplace of applications is available through YunoHost to add to your hosting environment. The frontend UI acts as a homepage for all of your applications.

      In this tutorial, you will install and configure YunoHost on a server running Debian 9. To achieve this, you will configure your DNS records using DigitalOcean, secure your YunoHost instance with Let’s Encrypt, and install your chosen web applications.

      Prerequisites

      Step 1 — Installing YunoHost

In this step, you will install YunoHost using the official installation script. YunoHost provides this open-source script, which guides you through installing and configuring everything YunoHost needs to operate.

Before you download the install script, move into a temporary directory. Files in /tmp are deleted on reboot, so the script, which you will not need after you’ve installed YunoHost, is cleaned up automatically:

• cd /tmp

      Next, run the following command to download the official install script from YunoHost:

      • wget -O yunohost https://install.yunohost.org/

      This command downloads the script and saves it to the current directory as a file called yunohost.

Now you can run the script with sudo:

• sudo bash yunohost

      When asked to overwrite configuration files, select yes.

      You will then see a Post-installation screen confirming YunoHost's installation.

      Post-Installation Screen: YunoHost packaged have been installed successfully! Prompts to begin post-installation process.

      Select Yes to proceed to the post-installation process.

      When asked to enter the Main domain, enter the domain name you want to use to access your YunoHost instance. Then choose and enter a secure password for the administrator account.

      You have now installed YunoHost on your server. In the next step, you will log in to your fresh YunoHost instance to configure and manage domains.

      Step 2 — Configuring DNS

Now that you have YunoHost installed, you can access the admin panel for the first time. You will set up the domain where you would like to host YunoHost by configuring your DNS records.

      To start, type either the IP address of your server or the domain name you chose in the last step into your web browser. You'll see a screen warning that your connection is not private.

      This Connection Is Not Private

      The connection is not yet secure because YunoHost uses a self-signed certificate by default. You can visit the site anyway since you'll secure your site with Let's Encrypt in the next step.

      Now, enter the admin password you set in the previous step to access YunoHost's admin panel.

      Admin Panel

      In order for YunoHost to function properly, you will configure the DNS settings for your domain name. From the admin panel, navigate to the Domains section and select your domain name. You'll now see the Operations page where you can access the DNS configuration settings.

      Domain Section

      Select the DNS configuration button. YunoHost will display a sample zone file for your domain. You'll use this file to configure the records for your domain.

      sample zone file

      To start configuring your DNS records, access your domain host. This tutorial walks through configuring DNS records via DigitalOcean's control panel.

      Log in to your DigitalOcean account and click on Networking in the menu. Enter your YunoHost domain in the Domain field and click Add Domain.

      You'll be taken to your domain name's edit page. On this page, you'll see the fields where you can add the YunoHost records.

      DigitalOcean DNS record create page

There will be three NS records already set up, specifying that DigitalOcean's servers provide DNS services for your domain. You can now add the following records using the sample file provided by YunoHost:

      • Create two new A records:

        • Enter @ for the name and choose your Droplet or IP address in the Will Direct To box, leave the TTL at 3600.
        • Enter * for the name and choose your Droplet or IP address in the Will Direct To box, leave the TTL at 3600.
      • Create two new SRV records:

        • Enter _xmpp-client._tcp for the hostname, 5222 for the port, 0 priority, 5 for the weight, and change the TTL to 3600.
        • Enter _xmpp-server._tcp for the hostname, 5269 for the port, 0 priority, 5 for the weight, and change the TTL to 3600.
      • Create three new CNAME records:

  • Enter muc for the hostname, @ in the Is An Alias Of box, and set the TTL to 3600.
  • Enter pubsub for the hostname, @ in the Is An Alias Of box, and set the TTL to 3600.
  • Enter vjud for the hostname, @ in the Is An Alias Of box, and set the TTL to 3600.

      For your Mail configuration, create the following records:

• An MX record with @ for the hostname, your domain name for the mail server, a priority of 10, and the TTL at 3600.
• Three new TXT records:
  • Copy the TXT string, including the double quotes, from the sample zone file into the value box (it starts with "v=spf1"), enter @ for the hostname, and leave the TTL at 3600.
  • Copy the long TXT string, including the double quotes, from the sample zone file into the value box, enter mail._domainkey for the hostname, and leave the TTL at 3600.
  • Copy the TXT string, including the double quotes, from the sample zone file into the value box (something like "v=DMARC1; p=none"), enter _dmarc for the hostname, and leave the TTL at 3600.

      And finally, for Let's Encrypt, configure the following record:

      • Create a new CAA record:
        • Enter @ for the hostname, add letsencrypt.org to the authority granted for box, set tag to issue, flags to 128, and set the TTL to 3600.

      Once you have added all of the DNS records you'll see a list on your domain's control panel. You can also read this guide for more information on managing your records through the DigitalOcean control panel.
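Before requesting the certificate in the next step, it is worth confirming that every record above actually resolves. The script below is an added example, not part of YunoHost or the original tutorial; it assumes `dig` is installed (the dnsutils package on Debian 9) and checks only a recognisable prefix of each TXT value, because the SPF policy and DKIM key are specific to your zone.

```shell
#!/bin/sh
# Added example: verify the YunoHost DNS records from this step with `dig`.
# Assumes `dig` is available and the record set listed in the tutorial
# (A, wildcard A, XMPP SRV, CNAMEs, MX, SPF, DKIM, DMARC, CAA).

# One expected record per line: "<name> <type> <pattern>". The pattern only
# has to appear somewhere in the answer, so TXT values are matched on their
# leading tag and the A records on "contains a dot" (any IPv4 address).
expected_records() {
    d="$1"
    cat <<EOF
$d A .
*.$d A .
_xmpp-client._tcp.$d SRV 5222
_xmpp-server._tcp.$d SRV 5269
muc.$d CNAME $d.
pubsub.$d CNAME $d.
vjud.$d CNAME $d.
$d MX 10 $d.
$d TXT v=spf1
mail._domainkey.$d TXT v=DKIM1
_dmarc.$d TXT v=DMARC1
$d CAA letsencrypt.org
EOF
}

# Query one record; `dig +short` prints only the answer data, one per line.
# A lookup failure is treated as an empty answer rather than aborting.
lookup() {
    dig +short "$1" "$2" 2>/dev/null || true
}

# Walks the expected list, prints a MISSING line for each record whose
# answer lacks the pattern, and returns 0 only when every record resolves.
check_dns() {
    expected_records "$1" | {
        missing=0
        while read -r name type pattern; do
            answer=$(lookup "$name" "$type")
            case "$answer" in
                *"$pattern"*) ;;
                *) echo "MISSING $type $name (expected to contain: $pattern)"
                   missing=1 ;;
            esac
        done
        [ "$missing" -eq 0 ]
    }
}

# Usage: sh check_yunohost_dns.sh example.com
if [ -n "${1:-}" ]; then
    check_dns "$1"
fi
```

Wait for the records to propagate if anything is reported missing; Let's Encrypt validation will fail against a zone that is still incomplete.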

      List of records set up

      You have configured all the DNS records necessary for the YunoHost services to work. In the next step you'll secure your connection by installing Let's Encrypt.

      Step 3 — Installing Let's Encrypt

      In this step you will configure an SSL certificate via Let's Encrypt to ensure that your connection is secured by encrypted HTTPS each time you or users log in to your site. YunoHost includes a function to install Let's Encrypt to your domain through the user interface.

In the Domains section of the admin panel, select your domain name again. Navigate down to the Operations section. From here, under Manage SSL certificates, select SSL certificates. You'll see an option to Install a Let's Encrypt certificate; select it to install the certificate.

      You will now have a Let's Encrypt certificate installed for your domain. You will no longer see the warning messages when you visit your domain or IP address. Your Let's Encrypt certificate will automatically renew by default. To manually renew your Let's Encrypt certificate or revert to a self-signed certificate in the future, you can use this Operations page.

      Manage SSL Certificates

You have configured and secured your domain. In the next section you'll set up a new user and email account to begin installing applications on your YunoHost instance.

      Step 4 — Installing Applications

      YunoHost provides the ability to install a number of pre-packaged web applications alongside each other. To begin installing and using applications, you need to create a regular, non-admin user and email account. You can do this through the admin panel.

      From the root of the admin panel, navigate to the Users section.

      Select the green New user button to the right of your screen. Enter the desired credentials for the new user in the fields provided.

      New User page with fields for username, email, etc.

      You've finished creating the user. By default, this user already has an associated email address, which you can access through any IMAP email client. Alternatively, you can install a webmail client on YunoHost to accomplish this, which you will do as part of this tutorial.

      You have configured all of YunoHost's basic functions and created a user, complete with an email account. You can now access the applications through the admin panel that are ready for installation. In this tutorial, you'll install Rainloop, a lightweight webmail app, but you can follow these instructions to install any of the available applications.

      Navigate to the Applications section of the admin panel. From here, you can select and install any of the official applications.

      Applications page. List of applications in alphabetical order, ready for installation.

      Select Rainloop from the list. You will see some configuration options for the application.

      Rainloop Configuration Options

      • Label for Rainloop: You can choose what to enter here, the application displays this to users on YunoHost's home screen.
      • Choose a domain for Rainloop: Enter the domain name that will host the application.
      • Choose a path for Rainloop: Set the URL path for the application, like /rainloop. If you'd like it to be at the root of the domain, simply enter /. Keep in mind that if you do so, you will not be able to use any other applications with that domain.
      • Is it a public application?: Choose if you want the application to be accessible to the public, or only to logged in users.
      • Enter a strong password for the 'admin' user: Enter a password for the admin user of the application.
      • Do you want to add YunoHost users to the recipients suggestions?: "Yes" here will result in the application suggesting other users' email addresses and names as recipients when composing emails.
      • Select default language: Select your preferred language.

      Once finished, click the green Install button.

      You've installed Rainloop. Open a new browser tab and navigate to the path you chose for the application (example.com/rainloop). You will see the Rainloop main dashboard.

      Rainloop main screen.

      You can repeat Step 4 to create more users and install further applications as you wish.

      In the Applications section of the admin panel, it is also possible to install custom applications from third parties by pulling from GitHub repositories.

      You now have a secure YunoHost instance configured on your server.

      Conclusion

      In this tutorial you have installed YunoHost on your server, created an email account, and installed an application. You have a central place to host all your applications alongside each other, including a webmail client to check your email. See the YunoHost website for a full list of applications, both official and unofficial. Also see the official Troubleshooting guide that provides information on services, configuration, and upgrades to YunoHost.




      How To Use Traefik as a Reverse Proxy for Docker Containers on Debian 9


      The author selected Girls Who Code to receive a donation as part of the Write for DOnations program.

      Introduction

      Docker can be an efficient way to run web applications in production, but you may want to run multiple applications on the same Docker host. In this situation, you’ll need to set up a reverse proxy since you only want to expose ports 80 and 443 to the rest of the world.

      Traefik is a Docker-aware reverse proxy that includes its own monitoring dashboard. In this tutorial, you’ll use Traefik to route requests to two different web application containers: a WordPress container and an Adminer container, each talking to a MySQL database. You’ll configure Traefik to serve everything over HTTPS using Let’s Encrypt.

      Prerequisites

      To follow along with this tutorial, you will need the following:

      Step 1 — Configuring and Running Traefik

      The Traefik project has an official Docker image, so we will use that to run Traefik in a Docker container.

      Before we get our Traefik container up and running, though, we need to create a configuration file and set up an encrypted password so we can access the monitoring dashboard.

      We’ll use the htpasswd utility to create this encrypted password. First, install the utility, which is included in the apache2-utils package:

      • sudo apt install apache2-utils

      Then generate the password with htpasswd. Substitute secure_password with the password you’d like to use for the Traefik admin user:

      • htpasswd -nb admin secure_password

      The output from the program will look like this:

      Output

      admin:$apr1$ruca84Hq$mbjdMZBAG.KWn7vfN/SNK/

      You’ll use this output in the Traefik configuration file to set up HTTP Basic Authentication for the Traefik health check and monitoring dashboard. Copy the entire output line so you can paste it later.
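To show what that admin:$apr1$... line actually contains, here is an added example (not from the tutorial and not Traefik's or Apache's code) that reimplements the APR1-MD5 scheme htpasswd uses by default, builds a users entry for the dashboard, and verifies a submitted password against it the way a Basic Auth check must. Only the salt ruca84Hq is taken from the output above; the function names are this example's own. Because APR1 is a 1000-round MD5 construction rather than a modern slow hash, the strength of the dashboard login rests on the password you choose.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# crypt-style base64 alphabet used for the salt and the hash suffix.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return the $apr1$<salt>$<hash> string htpasswd produces by default.

    APR1 is md5crypt with a different magic: a seed digest, 1000 chained
    MD5 rounds, then a custom 22-character encoding of the final digest.
    """
    pw = password.encode("utf-8")
    salt = salt[:8]                     # htpasswd uses at most 8 salt characters
    salt_b = salt.encode("ascii")

    ctx = hashlib.md5(pw + _MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                # mix in `alt` once per 16 password bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                         # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):               # stretching rounds; inputs vary by round
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def htpasswd_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """Build a `user:$apr1$...` line equivalent to `htpasswd -nb user password`."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify_entry(entry: str, user: str, password: str) -> bool:
    """Check user/password against one htpasswd line (APR1 entries only)."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    candidate = apr1_md5(password, salt)
    # Constant-time compare so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate.encode(), stored.encode())
```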

      To configure the Traefik server, we’ll create a new configuration file called traefik.toml using the TOML format. TOML is a configuration language similar to INI files, but standardized. This file lets us configure the Traefik server and various integrations, or providers, we want to use. In this tutorial, we will use three of Traefik’s available providers: api, docker, and acme, which is used to support TLS using Let’s Encrypt.

      Open up your new file in nano or your favorite text editor:

      First, add two named entry points, http and https, that all backends will have access to by default:

      traefik.toml

      defaultEntryPoints = ["http", "https"]
      

      We'll configure the http and https entry points later in this file.

      Next, configure the api provider, which gives you access to a dashboard interface. This is where you'll paste the output from the htpasswd command:

      traefik.toml

      ...
      [entryPoints]
        [entryPoints.dashboard]
          address = ":8080"
          [entryPoints.dashboard.auth]
            [entryPoints.dashboard.auth.basic]
              users = ["admin:your_encrypted_password"]
      
      [api]
      entrypoint="dashboard"
      

      The dashboard is a separate web application that will run within the Traefik container. We set the dashboard to run on port 8080.

      The entrypoints.dashboard section configures how we'll be connecting with the api provider, and the entrypoints.dashboard.auth.basic section configures HTTP Basic Authentication for the dashboard. Use the output from the htpasswd command you just ran for the value of the users entry. You could specify additional logins by separating them with commas.

      We've defined our first entryPoint, but we'll need to define others for standard HTTP and HTTPS communication that isn't directed towards the api provider. The entryPoints section configures the addresses that Traefik and the proxied containers can listen on. Add these lines to the file underneath the entryPoints heading:

      traefik.toml

      ...
        [entryPoints.http]
          address = ":80"
            [entryPoints.http.redirect]
              entryPoint = "https"
        [entryPoints.https]
          address = ":443"
            [entryPoints.https.tls]
      ...
      

      The http entry point handles port 80, while the https entry point uses port 443 for TLS/SSL. We automatically redirect all of the traffic on port 80 to the https entry point to force secure connections for all requests.

      Next, add this section to configure Let's Encrypt certificate support for Traefik:

      traefik.toml

      ...
      [acme]
      email = "your_email@your_domain"
      storage = "acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
      

      This section is called acme because ACME is the name of the protocol used to communicate with Let's Encrypt to manage certificates. The Let's Encrypt service requires registration with a valid email address, so in order to have Traefik generate certificates for our hosts, set the email key to your email address. We then specify that we will store the information that we will receive from Let's Encrypt in a JSON file called acme.json. The entryPoint key needs to point to the entry point handling port 443, which in our case is the https entry point.

      The key onHostRule dictates how Traefik should go about generating certificates. We want to fetch our certificates as soon as our containers with specified hostnames are created, and that's what the onHostRule setting will do.

      The acme.httpChallenge section allows us to specify how Let's Encrypt can verify that the certificate should be generated. We're configuring it to serve a file as part of the challenge through the http entrypoint.

      Finally, let's configure the docker provider by adding these lines to the file:

      traefik.toml

      ...
      [docker]
      domain = "your_domain"
      watch = true
      network = "web"
      

      The docker provider enables Traefik to act as a proxy in front of Docker containers. We've configured the provider to watch for new containers on the web network (that we'll create soon) and expose them as subdomains of your_domain.

      At this point, traefik.toml should have the following contents:

      traefik.toml

      defaultEntryPoints = ["http", "https"]
      
      [entryPoints]
        [entryPoints.dashboard]
          address = ":8080"
          [entryPoints.dashboard.auth]
            [entryPoints.dashboard.auth.basic]
              users = ["admin:your_encrypted_password"]
        [entryPoints.http]
          address = ":80"
            [entryPoints.http.redirect]
              entryPoint = "https"
        [entryPoints.https]
          address = ":443"
            [entryPoints.https.tls]
      
      [api]
      entrypoint="dashboard"
      
      [acme]
      email = "your_email@your_domain"
      storage = "acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
      
      [docker]
      domain = "your_domain"
      watch = true
      network = "web"
      

      Save the file and exit the editor. With all of this configuration in place, we can fire up Traefik.
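The security of this setup rests on a few relationships between sections (port 80 redirects to an entry point that terminates TLS, the api entry point carries hashed Basic Auth users, ACME issues on the TLS entry point). The following added example, which is not part of the tutorial or of Traefik, audits those relationships over the configuration above, represented as the nested dicts that tomllib.load() on Python 3.11+ returns for this file; the dict, the check names and the hash-prefix list are this example's own.

```python
from typing import Any, Dict, List

# Prefixes htpasswd emits for its supported schemes (APR1-MD5, bcrypt, SHA1);
# a users entry that starts with anything else is treated as not hashed.
_HASH_PREFIXES = ("$apr1$", "$2y$", "$2a$", "$2b$", "{SHA}")

# Constructed for this example: the tutorial's traefik.toml as nested dicts.
TUTORIAL_CONFIG: Dict[str, Any] = {
    "defaultEntryPoints": ["http", "https"],
    "entryPoints": {
        "dashboard": {
            "address": ":8080",
            "auth": {"basic": {"users": ["admin:$apr1$ruca84Hq$mbjdMZBAG.KWn7vfN/SNK/"]}},
        },
        "http": {"address": ":80", "redirect": {"entryPoint": "https"}},
        "https": {"address": ":443", "tls": {}},
    },
    "api": {"entrypoint": "dashboard"},
    "acme": {
        "email": "your_email@your_domain",
        "storage": "acme.json",
        "entryPoint": "https",
        "onHostRule": True,
        "httpChallenge": {"entryPoint": "http"},
    },
    "docker": {"domain": "your_domain", "watch": True, "network": "web"},
}


def audit_traefik_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    eps = cfg.get("entryPoints", {})
    api = cfg.get("api", {})

    # 1. The dashboard entry point must carry Basic Auth users, and stored hashes.
    api_ep = api.get("entrypoint") or api.get("entryPoint")
    users = eps.get(api_ep, {}).get("auth", {}).get("basic", {}).get("users", [])
    if not users:
        findings.append(f"api entry point {api_ep!r} has no basic-auth users")
    for cred in users:
        name, _, secret = cred.partition(":")
        if not secret.startswith(_HASH_PREFIXES):
            findings.append(f"plaintext credential for {name!r}")

    # 2. Port 80 must redirect, and the target must actually terminate TLS.
    target = eps.get("http", {}).get("redirect", {}).get("entryPoint")
    if target is None:
        findings.append("http entry point does not redirect to https")
    elif "tls" not in eps.get(target, {}):
        findings.append(f"redirect target {target!r} has no [entryPoints.{target}.tls]")

    # 3. ACME must issue on the TLS entry point and answer challenges on port 80.
    acme = cfg.get("acme", {})
    if "tls" not in eps.get(acme.get("entryPoint", ""), {}):
        findings.append("acme.entryPoint is not a TLS entry point")
    if acme.get("httpChallenge", {}).get("entryPoint") != "http":
        findings.append("acme.httpChallenge.entryPoint should be the port-80 entry point")
    if not acme.get("email") or "@" not in acme["email"]:
        findings.append("acme.email is missing")

    # 4. The docker provider must be pinned to the dedicated proxy network.
    if not cfg.get("docker", {}).get("network"):
        findings.append("docker.network is not set; Traefik may pick an internal network")
    return findings
```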

      Step 2 — Running the Traefik Container

      Next, create a Docker network for the proxy to share with containers. The Docker network is necessary so that we can use it with applications that are run using Docker Compose. Let's call this network web.

      • docker network create web

      When the Traefik container starts, we will add it to this network. Then we can add additional containers to this network later for Traefik to proxy to.

      Next, create an empty file which will hold our Let's Encrypt information. We'll share this into the container so Traefik can use it:

      Traefik will only be able to use this file if the root user inside the container has exclusive read and write access to it. To do this, lock down the permissions on acme.json so that only the owner of the file has read and write permission.

      Once the file gets passed to Docker, the owner will automatically change to the root user inside the container.

      Finally, create the Traefik container with this command:

      • docker run -d \
          -v /var/run/docker.sock:/var/run/docker.sock \
          -v $PWD/traefik.toml:/traefik.toml \
          -v $PWD/acme.json:/acme.json \
          -p 80:80 \
          -p 443:443 \
          -l traefik.frontend.rule=Host:monitor.your_domain \
          -l traefik.port=8080 \
          --network web \
          --name traefik \
          traefik:1.7.6-alpine

      The command is a little long so let's break it down.

      We use the -d flag to run the container in the background as a daemon. We then share our docker.sock file into the container so that the Traefik process can listen for changes to containers. We also share the traefik.toml configuration file and the acme.json file we created into the container.

      Next, we map ports 80 and 443 of our Docker host to the same ports in the Traefik container so Traefik receives all HTTP and HTTPS traffic to the server.

      Then we set up two Docker labels that tell Traefik to direct traffic to the hostname monitor.your_domain to port 8080 within the Traefik container, exposing the monitoring dashboard.

      We set the network of the container to web, and we name the container traefik.

      Finally, we use the traefik:1.7.6-alpine image for this container, because it's small.

      A Docker image's ENTRYPOINT is a command that always runs when a container is created from the image. In this case, the command is the traefik binary within the container. You can pass additional arguments to that command when you launch the container, but we've configured all of our settings in the traefik.toml file.

      With the container started, you now have a dashboard you can access to see the health of your containers. You can also use this dashboard to visualize the frontends and backends that Traefik has registered. Access the monitoring dashboard by pointing your browser to https://monitor.your_domain. You will be prompted for your username and password, which are admin and the password you configured in Step 1.

      Once logged in, you'll see an interface similar to this:

      Empty Traefik dashboard

      There isn't much to see just yet, but leave this window open, and you will see the contents change as you add containers for Traefik to work with.

      We now have our Traefik proxy running, configured to work with Docker, and ready to monitor other Docker containers. Let's start some containers for Traefik to act as a proxy for.

      Step 3 — Registering Containers with Traefik

      With the Traefik container running, you're ready to run applications behind it. Let's launch the following containers behind Traefik:

      1. A blog using the official WordPress image.
      2. A database management server using the official Adminer image.

      We'll manage both of these applications with Docker Compose using a docker-compose.yml file. Open the docker-compose.yml file in your editor:

      Add the following lines to the file to specify the version and the networks we'll use:

      docker-compose.yml

      version: "3"
      
      networks:
        web:
          external: true
        internal:
          external: false
      

      We use Docker Compose version 3 because it's the newest major version of the Compose file format.

      For Traefik to recognize our applications, they must be part of the same network, and since we created the network manually, we pull it in by specifying the network name of web and setting external to true. Then we define another network so that we can connect our exposed containers to a database container that we won't expose through Traefik. We'll call this network internal.

      Next, we'll define each of our services, one at a time. Let's start with the blog container, which we'll base on the official WordPress image. Add this configuration to the file:

      docker-compose.yml

      version: "3"
      ...
      
      services:
        blog:
          image: wordpress:4.9.8-apache
          environment:
            WORDPRESS_DB_PASSWORD:
          labels:
            - traefik.backend=blog
            - traefik.frontend.rule=Host:blog.your_domain
            - traefik.docker.network=web
            - traefik.port=80
          networks:
            - internal
            - web
          depends_on:
            - mysql
      

      The environment key lets you specify environment variables that will be set inside of the container. By not setting a value for WORDPRESS_DB_PASSWORD, we're telling Docker Compose to get the value from our shell and pass it through when we create the container. We will define this environment variable in our shell before starting the containers. This way we don't hard-code passwords into the configuration file.

      The labels section is where you specify configuration values for Traefik. Docker labels don't do anything by themselves, but Traefik reads these so it knows how to treat containers. Here's what each of these labels does:

      • traefik.backend specifies the name of the backend service in Traefik (which points to the actual blog container).
      • traefik.frontend.rule=Host:blog.your_domain tells Traefik to examine the host requested and if it matches the pattern of blog.your_domain it should route the traffic to the blog container.
      • traefik.docker.network=web specifies which network to look under for Traefik to find the internal IP for this container. Since our Traefik container has access to all of the Docker info, it would potentially take the IP for the internal network if we didn't specify this.
      • traefik.port specifies the exposed port that Traefik should use to route traffic to this container.

      With this configuration, all traffic sent to our Docker host's port 80 will be routed to the blog container.

      We assign this container to two different networks so that Traefik can find it via the web network and it can communicate with the database container through the internal network.

      Lastly, the depends_on key tells Docker Compose that this container needs to start after its dependencies are running. Since WordPress needs a database to run, we must run our mysql container before starting our blog container.

      Next, configure the MySQL service by adding this configuration to your file:

      docker-compose.yml

      services:
      ...
        mysql:
          image: mysql:5.7
          environment:
            MYSQL_ROOT_PASSWORD:
          networks:
            - internal
          labels:
            - traefik.enable=false
      

      We're using the official MySQL 5.7 image for this container. You'll notice that we're once again using an environment item without a value. The MYSQL_ROOT_PASSWORD and WORDPRESS_DB_PASSWORD variables will need to be set to the same value to make sure that our WordPress container can communicate with MySQL. We don't want to expose the mysql container to Traefik or the outside world, so we're only assigning this container to the internal network. Since Traefik has access to the Docker socket, the process will still expose a frontend for the mysql container by default, so we'll add the label traefik.enable=false to specify that Traefik should not expose this container.

      Finally, add this configuration to define the adminer container:

      docker-compose.yml

      services:
      ...
        adminer:
          image: adminer:4.6.3-standalone
          labels:
            - traefik.backend=adminer
            - traefik.frontend.rule=Host:db-admin.your_domain
            - traefik.docker.network=web
            - traefik.port=8080
          networks:
            - internal
            - web
          depends_on:
            - mysql
      

      This container is based on the official Adminer image. The network and depends_on configuration for this container exactly matches what we're using for the blog container.

      However, since we're directing all of the traffic to port 80 on our Docker host directly to the blog container, we need to configure this container differently in order for traffic to make it to our adminer container. The line traefik.frontend.rule=Host:db-admin.your_domain tells Traefik to examine the host requested. If it matches the pattern of db-admin.your_domain, Traefik will route the traffic to the adminer container.

      At this point, docker-compose.yml should have the following contents:

      docker-compose.yml

      version: "3"
      
      networks:
        web:
          external: true
        internal:
          external: false
      
      services:
        blog:
          image: wordpress:4.9.8-apache
          environment:
            WORDPRESS_DB_PASSWORD:
          labels:
            - traefik.backend=blog
            - traefik.frontend.rule=Host:blog.your_domain
            - traefik.docker.network=web
            - traefik.port=80
          networks:
            - internal
            - web
          depends_on:
            - mysql
        mysql:
          image: mysql:5.7
          environment:
            MYSQL_ROOT_PASSWORD:
          networks:
            - internal
          labels:
            - traefik.enable=false
        adminer:
          image: adminer:4.6.3-standalone
          labels:
            - traefik.backend=adminer
            - traefik.frontend.rule=Host:db-admin.your_domain
            - traefik.docker.network=web
            - traefik.port=8080
          networks:
            - internal
            - web
          depends_on:
            - mysql
      

      Save the file and exit the text editor.
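Because Traefik reads the Docker socket and exposes every container it sees unless told otherwise, the labels and networks above decide what becomes reachable from the internet. The following added example (not part of the tutorial or of Traefik) audits the services section of this docker-compose.yml, represented as the mapping yaml.safe_load() would return for it: containers off the web network must opt out with traefik.enable=false, and containers on it need a Host rule, a port and the proxy network label. The dict, helper names and finding texts are this example's own.

```python
from typing import Any, Dict, List

# Constructed for this example: the tutorial's `services` mapping, with labels
# kept in the "key=value" list form used in the file.
TUTORIAL_SERVICES: Dict[str, Any] = {
    "blog": {
        "image": "wordpress:4.9.8-apache",
        "labels": ["traefik.backend=blog", "traefik.frontend.rule=Host:blog.your_domain",
                   "traefik.docker.network=web", "traefik.port=80"],
        "networks": ["internal", "web"],
    },
    "mysql": {
        "image": "mysql:5.7",
        "networks": ["internal"],
        "labels": ["traefik.enable=false"],
    },
    "adminer": {
        "image": "adminer:4.6.3-standalone",
        "labels": ["traefik.backend=adminer", "traefik.frontend.rule=Host:db-admin.your_domain",
                   "traefik.docker.network=web", "traefik.port=8080"],
        "networks": ["internal", "web"],
    },
}


def _labels(service: Dict[str, Any]) -> Dict[str, str]:
    """Normalise compose labels (list of "k=v" strings or a mapping) to a dict."""
    raw = service.get("labels", [])
    if isinstance(raw, dict):
        return {k: str(v) for k, v in raw.items()}
    return dict(item.partition("=")[::2] for item in raw)


def audit_compose_services(services: Dict[str, Any], proxy_net: str = "web") -> List[str]:
    """Return findings about what Traefik would expose; an empty list means clean."""
    findings: List[str] = []
    hosts: Dict[str, str] = {}          # Host rule -> service that claimed it
    for name, svc in services.items():
        labels = _labels(svc)
        on_proxy = proxy_net in svc.get("networks", [])
        enabled = labels.get("traefik.enable", "true").lower() != "false"
        if not on_proxy:
            # Traefik still sees this container through the socket, so an
            # internal-only service must opt out explicitly.
            if enabled:
                findings.append(f"{name}: not on {proxy_net!r} but lacks traefik.enable=false")
            continue
        if not enabled:
            continue
        rule = labels.get("traefik.frontend.rule", "")
        if not rule.startswith("Host:"):
            findings.append(f"{name}: exposed without a Host: frontend rule")
        elif rule in hosts:
            findings.append(f"{name}: Host rule {rule[5:]!r} already used by {hosts[rule]}")
        else:
            hosts[rule] = name
        if "traefik.port" not in labels:
            findings.append(f"{name}: no traefik.port label set")
        if labels.get("traefik.docker.network") != proxy_net:
            findings.append(f"{name}: traefik.docker.network should be {proxy_net!r}")
    return findings
```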

      Next, set values in your shell for the WORDPRESS_DB_PASSWORD and MYSQL_ROOT_PASSWORD variables before you start your containers:

      • export WORDPRESS_DB_PASSWORD=secure_database_password
      • export MYSQL_ROOT_PASSWORD=secure_database_password

      Substitute secure_database_password with your desired database password. Remember to use the same password for both WORDPRESS_DB_PASSWORD and MYSQL_ROOT_PASSWORD.

      With these variables set, run the containers using docker-compose:

      Now take another look at the Traefik admin dashboard. You'll see that there is now a backend and a frontend for the two exposed servers:

      Populated Traefik dashboard

      Navigate to blog.your_domain, substituting your_domain with your domain. You'll be redirected to a TLS connection and can now complete the WordPress setup:

      WordPress setup screen

      Now access Adminer by visiting db-admin.your_domain in your browser, again substituting your_domain with your domain. The mysql container isn't exposed to the outside world, but the adminer container has access to it through the internal Docker network that they share using the mysql container name as a host name.

      On the Adminer login screen, use the username root, use mysql for the server, and use the value you set for MYSQL_ROOT_PASSWORD for the password. Once logged in, you'll see the Adminer user interface:

      Adminer connected to the MySQL database

      Both sites are now working, and you can use the dashboard at monitor.your_domain to keep an eye on your applications.

      Conclusion

      In this tutorial, you configured Traefik to proxy requests to other applications in Docker containers.

      Traefik's declarative configuration at the application container level makes it easy to configure more services, and there's no need to restart the traefik container when you add new applications to proxy traffic to, since Traefik notices the changes immediately through the Docker socket file it's monitoring.

      To learn more about what you can do with Traefik, head over to the official Traefik documentation. If you'd like to explore Docker containers further, check out How To Set Up a Private Docker Registry on Ubuntu 18.04 or How To Secure a Containerized Node.js Application with Nginx, Let's Encrypt, and Docker Compose.


