Hi! If you read my last post you know how to host your static pages on Azure. I know there are some of you who want opnsource solutions or want to host on your own server / vps by themself. There is a solution - did you heard about Minio and s3www? Minio is object storage compatibile with s3 and it’s 100% open source, s3www is opensouce software that can serve pages from compatibile s3 storage and it’s “Let’s Encrypt ready”. Anyway i dont use lets encrypt on s3www because both of them are don’t resource greedy so you can host more things on one server (i tried on $5 droplet gitea, s3, wikijs, drone, …), so i using Traefik which can automatically create let’s encrypt certificates for all your services.
Prerequisites#
If you already have installed both of them you can skip this section and go next
Setup Traefik#
First of all let’s setup reverse proxy which will be routing trafic to our docker services and creating certificates for https. Put following content to your docker-compose.yml somewhere on your server for example ~/docker/traefik.
version: '2'
services:
proxy:
image: traefik
command:
# --configFile=/traefik.yml
- "--api.dashboard=true"
- "--api.insecure=true"
- "--log.level=DEBUG"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.le.acme.httpchallenge=true"
- "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.le.acme.email=<your@email.tld>" # change to your email used for generating new Let's encrypt ceritificates
- "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json" # here are stored certificates informations
- "--accesslog=true"
restart: unless-stopped
networks:
- frontend
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.rule=Host(`traefik.your-domain.tld`)" # Change this to your domain
- "traefik.http.middlewares.traefik-websecure-redirect.redirectscheme.scheme=websecure"
- "traefik.http.routers.traefik.middlewares=traefik-websecure-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=websecure"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.your-domain.tld`)" # Change this to your domain
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=le"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
networks:
frontend:
external: true
To start it run following command
cd ~/docker/traefik
docker-compose up -d
From now you have running reverse proxy for your services. Open http://traefik.your-domain.tld:8080 to see dashboard.
You can disable dashboard from public by setting firewall rule to allow connection only from your IP addresses or you can comment - "8080:8080" rown in docker-compose.yml file if you dont need it.
Setup Minio#
Next You need to configure your S3 object storage. So create new folder ~/docker/minio that will hold your server configuration and add following content to your docker-compose.yml.
version: '3.7'
networks:
frontend:
external: true
services:
minio:
image: minio/minio:RELEASE.2020-08-07T01-23-07Z
restart: unless-stopped
networks:
- frontend
volumes:
- ./data:/data
environment:
MINIO_ACCESS_KEY: <YOUR-ACCESS-KEY>
MINIO_SECRET_KEY: <YOUR-SECRET-KEY>
command: server /data
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
labels:
- "traefik.enable=true"
- "traefik.http.routers.minio.entrypoints=web"
- "traefik.http.routers.minio.rule=Host(`s3.your-domain.tld`)"
- "traefik.http.middlewares.minio-websecure-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.minio.middlewares=minio-websecure-redirect"
- "traefik.http.routers.minio-secure.entrypoints=websecure"
- "traefik.http.routers.minio-secure.rule=Host(`s3.your-domain.tld`)"
- "traefik.http.routers.minio-secure.tls=true"
- "traefik.http.routers.minio-secure.tls.certresolver=le"
- "traefik.http.routers.minio.service=minio"
- "traefik.http.services.minio.loadbalancer.server.port=9000"
# Don't need to use when your container use only one network but it is very important when you have multiple networks with container
- "traefik.docker.network=frontend"
Before you can start it you have to change some rows there.
- Update your secret and access keys
environment:
MINIO_ACCESS_KEY: <YOUR-ACCESS-KEY>
MINIO_SECRET_KEY: <YOUR-SECRET-KEY>
- Change address to your domain in labels
- "traefik.http.routers.minio.rule=Host(`s3.your-domain.tld`)"
- "traefik.http.routers.minio-secure.rule=Host(`s3.your-domain.tld`)"
this will tell the Traefik on which domain your service will run and then he can requsest for new certificate.
All the magic is in labels section
labels:
# Enable traefik for service
- "traefik.enable=true"
# Listen on HTTP :80
- "traefik.http.routers.minio.entrypoints=web"
# Domain for HTTP
- "traefik.http.routers.minio.rule=Host(`s3.your-domain.tld`)"
# Redirect to HTTPS
- "traefik.http.middlewares.minio-websecure-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.minio.middlewares=minio-websecure-redirect"
# Setting for HTTPS entrypoint
- "traefik.http.routers.minio-secure.entrypoints=websecure"
- "traefik.http.routers.minio-secure.rule=Host(`s3.your-domain.tld`)"
- "traefik.http.routers.minio-secure.tls=true"
# Here is configuration for Cert resolver - We are using Lets Encrypt
- "traefik.http.routers.minio-secure.tls.certresolver=le"
# Which service and port it using
- "traefik.http.routers.minio.service=minio"
- "traefik.http.services.minio.loadbalancer.server.port=9000"
# Network for running docker services
- "traefik.docker.network=frontend"
You copy this labels to your next services and change it based on you needs.
Start minio
cd ~/docker/minio
docker-compose up -d
Navigate to https://s3.your-domain.tld and you will se Minio’s login page. To login use your ACCESS-KEY and SECRET-KEY. In web UI you can do simple things as create new buckets, upload files or set permissions. The default user (the one which is created with first start) is admin, so it have access (R/W) to all buckets you create. It’s ok if you using it only for myself, but its not wise but wne you want multiple users? So let me show you how can you create new user ang give it access only to those buckets you want.
Download Minio Client#
First of all you will need Minio Client. So download it
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
./mc --help
On Windows you can donwload it from here https://dl.min.io/client/mc/release/windows-amd64/mc.exe.
Login to server#
To login to your server use following command
mc config host add mystorage https://s3.your-domain.tld <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY> --api s3v4
Create user#
Let’s create our user which will have acces to our bucket with page
mc admin user add home <user-name-or-key> <super-strong-password>
You can create user with any name you want. If you want to login there over web maybe it is better to give it name you can remember, since i want use this user for application i generating for both of them string for example name have 24 characters and password 48. As i said you can use whatever suits your needs better.
Create bucket#
Create bucket where you will store your static site files.
mc mb mystorage/<change-this-to-your-bucket-name>
Create bucket policy#
Next create policy which will be assigned to user
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<change-this-to-your-bucket-name>/*"
],
"Sid": "Public"
}
]
}
Upload policy to server#
mc admin policy add mystorage <policy-name> <policy-name>.json
You can name your fiel with policy to any name you want. I just naming it with same name as my policy.
Apply policy to user#
mc admin policy set mystorage "iso" user=<your-user-name>
This is last thing on our minio server. So we have
- Minio server
- Bucket for our page
- User with policy to Read and Write to this bucket.
Setup s3www#
To server static site from minio you will need server, because you cant tell to minio server to use index files (in time i write this i cant find any information about it). In this example i show you how to use s3www.
To server webpage from minio is easy as
s3www -endpoint "https://s3.amazonaws.com" -accessKey "accessKey" \
-secretKey "secretKey" -bucket "mysite"
But we will need to run it in docker and tell to traefik what it have to do.
Here is docker-compose file i use to hos my sites:
version: "2"
networks:
frontend:
external: true
services:
s3www:
image: maymeow/s3www:latest
command:
- "-endpoint=https:/<change-to-your-s3-address>"
- "-accessKey=<change-this-to-user-name>"
- "-secretKey=<change-this-to-password>"
- "-bucket=<change-this-to-bucket-name>"
- "-address=0.0.0.0:8080"
restart: unless-stopped
networks:
- frontend
# ports:
# - "3000:3000"
labels:
- "traefik.enable=true"
- "traefik.http.routers.s3www.entrypoints=web"
- "traefik.http.routers.s3www.rule=Host(`<chage-this-to-your-page-address>`)"
- "traefik.http.middlewares.s3www-websecure-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.s3www.middlewares=gitea-websecure-redirect"
- "traefik.http.routers.s3www-secure.entrypoints=websecure"
- "traefik.http.routers.s3www-secure.rule=Host(`<chage-this-to-your-page-address>`)"
- "traefik.http.routers.s3www-secure.tls=true"
- "traefik.http.routers.s3www-secure.tls.certresolver=le"
- "traefik.http.routers.s3www.service=gitea"
- "traefik.http.services.s3www.loadbalancer.server.port=8080"
- "traefik.docker.network=frontend"
In <chage-this-to-your-page-address> use just page domain without https:// or http://.
Copy your site to minio#
Everything is set so last thig you have to do is to copy your page data to your minio bucket:
cd /path/to/your/site
mc cp -r . cdn/<change-this-to-buckent-name>
Bonus#
I showed you how to upload site manually and as bonus here is script for gitlab runner to uppload contend vi CI/CD.
deploy to azure:
stage: deploy
image: maymeow/minio-cli
cache:
key: themaymeow-com-build
paths:
- public
policy: pull
dependencies:
- pages
script:
- mc config host add cdn <change-your-s3-address-> $CDN_ACCESS_KEY $CDN_SECRET_KEY --api s3v4
- cd public
- mc cp -r . cdn/<change-this-to-buckent-name>
# Just for visualy check if there are files
- mc ls cdn/<change-this-to-buckent-name>
only:
- master
tags:
- docker
- digitalocean
Don’t forget to create variables CDN_ACCESS_KEY with minio user name and CDN_SECRET_KEY with minio user password.
If you have more questions feel free to contact me.
Reply by Email