Hi! If you read my last post you know how to host your static pages on Azure. I know some of you want open-source solutions or want to host on your own server / VPS yourselves. There is a solution: have you heard about Minio and s3www? Minio is S3-compatible object storage and it's 100% open source; s3www is open-source software that can serve pages from any S3-compatible storage and is "Let's Encrypt ready". Anyway, I don't use Let's Encrypt in s3www itself, because neither of them is resource hungry, so you can host more things on one server (I tried gitea, s3, wikijs, drone, … on a $5 droplet), so I use Traefik, which can automatically create Let's Encrypt certificates for all your services.
If you already have both of them installed, you can skip this section and go to the next one.
Setup Traefik
First of all let's set up the reverse proxy, which will route traffic to our Docker services and create the certificates for HTTPS. Put the following content into a docker-compose.yml somewhere on your server, for example in ~/docker/traefik.
version: '2'
services:
  proxy:
    image: traefik
    command:
      # --configFile=/traefik.yml
      - "--api.dashboard=true"
      - "--api.insecure=true"                # dashboard on :8080 without authentication, see the note below
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # only containers with traefik.enable=true are routed
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"   # staging CA for testing, avoids rate limits
      - "--certificatesresolvers.le.acme.email=<your@email.tld>"        # change to the e-mail used for generating new Let's Encrypt certificates
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json" # certificate information is stored here
      - "--accesslog=true"
    restart: unless-stopped
    networks:
      - frontend
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.tld`)"   # Change this to your domain
      - "traefik.http.middlewares.traefik-websecure-redirect.redirectscheme.scheme=https"   # redirect HTTP to HTTPS (the scheme is https, not the entrypoint name)
      - "traefik.http.routers.traefik.middlewares=traefik-websecure-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.tld`)"   # Change this to your domain
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=le"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
  frontend:
    external: true
To start it, run the following commands:
cd ~/docker/traefik
docker-compose up -d
From now on you have a running reverse proxy for your services. Open http://traefik.your-domain.tld:8080 to see the dashboard.
The dashboard is served without authentication (that is what --api.insecure=true does), so hide it from the public: either set a firewall rule that allows connections to port 8080 only from your own IP addresses, or comment out the - "8080:8080" row in docker-compose.yml if you don't need it.
Setup Minio
Next you need to configure your S3 object storage. Create a new folder ~/docker/minio that will hold your server configuration and add the following content to its docker-compose.yml.
version: '3.7'
networks:
  frontend:
    external: true
services:
  minio:
    image: minio/minio:RELEASE.2020-08-07T01-23-07Z
    restart: unless-stopped
    networks:
      - frontend
    volumes:
      - ./data:/data
    environment:
      MINIO_ACCESS_KEY: <YOUR-ACCESS-KEY>
      MINIO_SECRET_KEY: <YOUR-SECRET-KEY>
    command: server /data
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.minio.entrypoints=web"
      - "traefik.http.routers.minio.rule=Host(`s3.your-domain.tld`)"
      - "traefik.http.middlewares.minio-websecure-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.minio.middlewares=minio-websecure-redirect"
      - "traefik.http.routers.minio-secure.entrypoints=websecure"
      - "traefik.http.routers.minio-secure.rule=Host(`s3.your-domain.tld`)"
      - "traefik.http.routers.minio-secure.tls=true"
      - "traefik.http.routers.minio-secure.tls.certresolver=le"
      - "traefik.http.routers.minio.service=minio"
      - "traefik.http.services.minio.loadbalancer.server.port=9000"
      # Not needed when your container is attached to only one network, but very important when the container is on multiple networks
      - "traefik.docker.network=frontend"
Before you can start it you have to change some rows there (the access key, the secret key and the domain). Here is what each Traefik label does:
    labels:
      # Enable Traefik for this service
      - "traefik.enable=true"
      # Listen on HTTP :80
      - "traefik.http.routers.minio.entrypoints=web"
      # Domain for HTTP
      - "traefik.http.routers.minio.rule=Host(`s3.your-domain.tld`)"
      # Redirect to HTTPS
      - "traefik.http.middlewares.minio-websecure-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.minio.middlewares=minio-websecure-redirect"
      # Settings for the HTTPS entrypoint
      - "traefik.http.routers.minio-secure.entrypoints=websecure"
      - "traefik.http.routers.minio-secure.rule=Host(`s3.your-domain.tld`)"
      - "traefik.http.routers.minio-secure.tls=true"
      # Configuration of the cert resolver; we are using Let's Encrypt
      - "traefik.http.routers.minio-secure.tls.certresolver=le"
      # Which service and port the router uses
      - "traefik.http.routers.minio.service=minio"
      - "traefik.http.services.minio.loadbalancer.server.port=9000"
      # Docker network Traefik should use to reach the container
      - "traefik.docker.network=frontend"
Copy these labels to your other services and change them based on your needs.
Start Minio
cd ~/docker/minio
docker-compose up -d
Navigate to https://s3.your-domain.tld and you will see Minio's login page. Log in with your ACCESS-KEY and SECRET-KEY. In the web UI you can do simple things like creating new buckets, uploading files or setting permissions. The default user (the one created on first start) is the admin, so it has read/write access to all buckets you create. That's fine if you use it only for yourself, but it's not wise when you want multiple users. So let me show you how to create a new user and give it access only to the buckets you want.
Download Minio Client
First of all you will need the Minio Client, so download it. The commands below assume mc is on your PATH; otherwise run it as ./mc.
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
./mc --help
mc config host add mystorage https://s3.your-domain.tld <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY> --api s3v4   # "mystorage" is the alias used in all following commands
Create user
Let's create the user which will have access to the bucket with our page.
mc admin user add mystorage <user-name-or-key> <super-strong-password>
You can create a user with any name you want. If you want to log in over the web with it, it is probably better to give it a name you can remember; since I want to use this user for an application, I generate random strings for both, for example a name of 24 characters and a password of 48. As I said, use whatever suits your needs better.
Create bucket
Create the bucket where you will store your static site files (you can do it in the web UI), then add a policy that limits access to that bucket:
mc admin policy add mystorage <policy-name> <policy-name>.json
You can name the file with the policy anything you want; I just name it the same as the policy.
Apply policy to user
mc admin policy set mystorage <policy-name> user=<your-user-name>
This is the last thing on our Minio server. So we have:
Minio server
Bucket for our page
User with policy to Read and Write to this bucket.
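The "Create bucket", "Apply policy to user" steps above and the policy file they rely on, put together as one added example (this is not code from the original post or from the Minio project). The policy document follows the least-privilege idea of the post: the user may list and read/write exactly one bucket and nothing else. The alias "mystorage" is the one configured above; the bucket name, policy name and the policy_scoped_to sanity check are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a Minio policy that is
# limited to a single bucket, check it, and wire it to a new user with mc.
# Assumed names: alias "mystorage", bucket and user passed as arguments.
set -eu

# Print an IAM-style policy document restricted to one bucket.
# The bucket ARN itself gets ListBucket/GetBucketLocation, the objects
# inside it (bucket/*) get the object operations. No wildcard bucket ARN.
make_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::${bucket}"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

# Sanity check before applying a policy: it must reference the intended
# bucket's objects and must not contain the catch-all bucket ARN "arn:aws:s3:::*".
# Returns 0 when the document is scoped as expected, 1 otherwise.
policy_scoped_to() {
  bucket="$1"
  doc="$2"
  printf '%s' "$doc" | grep -q "arn:aws:s3:::${bucket}/\*" || return 1
  printf '%s' "$doc" | grep -q 'arn:aws:s3:::\*' && return 1
  return 0
}

# Whole procedure from the post, in order. Needs mc on PATH and the
# "mystorage" alias configured; it is not run by the self-test below.
setup_bucket_user() {
  bucket="$1"; user="$2"; password="$3"
  policy="${bucket}-rw"                      # assumed naming: <bucket>-rw
  doc=$(make_policy "$bucket")
  policy_scoped_to "$bucket" "$doc" || { echo "refusing to apply an unscoped policy" >&2; return 1; }
  mc mb "mystorage/${bucket}"                 # create the bucket
  printf '%s\n' "$doc" > "${policy}.json"     # policy file named like the policy
  mc admin policy add mystorage "$policy" "${policy}.json"
  mc admin user add mystorage "$user" "$password"
  mc admin policy set mystorage "$policy" user="$user"
}

# Example invocation (constructed values):
# setup_bucket_user site page-deployer "$(openssl rand -hex 24)"
```

The check in policy_scoped_to is deliberately simple string matching; its point is to catch the common copy-paste mistake of leaving `"Resource": ["arn:aws:s3:::*"]` in a policy that was meant for one bucket, which would silently give the deploy user the same reach as the admin key.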
Setup s3www
To serve a static site from Minio you need a web server in front of it, because you can't tell the Minio server to use index files (at the time of writing I can't find any information about it). In this example I show you how to use s3www. The site files themselves get into the bucket with the Minio client; this is the CI job (it runs the mc image and copies the built public folder into the bucket) I use for deploying:
deploy to azure:
  stage: deploy
  image: maymeow/minio-cli
  cache:
    key: themaymeow-com-build
    paths:
      - public
    policy: pull
  dependencies:
    - pages
  script:
    - mc config host add cdn <change-your-s3-address> $CDN_ACCESS_KEY $CDN_SECRET_KEY --api s3v4
    - cd public
    - mc cp -r . cdn/<change-this-to-bucket-name>
    # Just to visually check that the files are there
    - mc ls cdn/<change-this-to-bucket-name>
  only:
    - master
  tags:
    - docker
    - digitalocean
Don't forget to create the CI variables CDN_ACCESS_KEY with the Minio user name and CDN_SECRET_KEY with the Minio user password (the user with the bucket-only policy, not the admin keys).
If you have more questions feel free to contact me.