Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

I posted earlier about how to set up a reverse proxy to act as a gateway with free secure HTTPS using Let'sEncrypt certs. I am a firm believer that understanding the underlying tech is very important so that log of my steps is still very relevant. But the future is using more portable and deployable docker images and being able to move them around and spin up additional ones when needed due to load. It is now time for me to learn how to do that.

I'll document that process here.

The goals are
  • Set up a secure reverse proxy for any number of internally hosted web services, BI being the one of interest here.
  • Use the free Let'sEncrypt certs to have legit SSL HTTPS without having to use those self-signed certs that force users to accept the warning.
  • Be able to deploy the Docker images on any PC in my home easily. Maybe use a deployment orchestration tool like Kubernetes.
One prerequisite to using Let'sEncrypt is that you own a domain name and have control over the DNS records. You can buy a domain from any vendor you choose cheaply and I like DynU because they have a nice DynamicDNS client. We can discuss which service is best elsewhere.

I just installed Docker Desktop on my Win10 Machine and have to reboot now, be back soon... (oh, make sure that you have virtualization enabled in your bios settings)
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

Install the following apps (I used default settings unless otherwise noted) ...
  • Docker Desktop
Open a desktop set of apps to get started: a Git Bash terminal in your working directory, an Atom text editor and a Docker console...

From the Traefik (reverse proxy) Docker get started page https://hub.docker.com/_/traefik create the yaml file in a working directory


Start the docker per the getting started doc, I ran this from my working traefik directory so $PWD was already set

```
docker run -d -p 8080:8080 -p 80:80 \
-v $PWD/traefik.yml:/etc/traefik/traefik.yml \
-v /var/run/docker.sock:/var/run/docker.sock \
traefik:v2.0
```

First time I ran this I got an error

```
C:\Program Files\Docker\Docker\resources\bin\docker.exe: Error response from daemon: mkdir C:\Program Files\Git\var: Access is denied.
```

I had to open a new Git Bash shell as an Admin user and create the directory.

```
cd c:/"Program Files"/Git
mkdir var
```

Now it seems like that docker image is running. Wonder what I can do with it? Traefik should have some web UI to manage its config. I wonder a) is there an IP registered in my router for this new docker doo-hickey that is running and can I get to its web page???

HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

Hmmm... if I browse to http://localhost:8080 I should get the Traefik dashboard but it isn't working. I wonder if it is my Windows firewall blocking it?

Nope, not firewall.

Let's do some more research.

https://www.digitalocean.com/community/ ... untu-18-04
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

I spent a lot of time playing around with Docker on both my Win and OSX machines and it is pretty cool.

The main advantage is that you don't need to build a complete OS stack for every container like I am basically doing now by using separate VMs for each playground.

One big down-side I ran into is that you can't run VirtualBox and Docker on the same host. Docker requires Hyper-V be turned on and VirtualBox requires that it be turned off. Bummer. I don't want to turn off my VM yet until everything is replicated on the Docker environment so I put the BI/Docker-Proxy aside for a bit while I played with some other Geek stuff.

On the Traefik/Nginx topic, Traefik seems to excel when all of the web apps it is routing to are docker containers. Our use case is clearly not that case because our web app that we want to route to is BI. It can work in Traefik but that isn't what it was designed for.
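
As an added example (not part of the original posts and not Traefik project code), this is one way to point Traefik v2 at a non-Docker backend such as Blue Iris: the file provider replaces the Docker provider, so the container needs neither `docker.sock` nor the unauthenticated dashboard on port 8080. Assumptions: `bi.example.com` and `admin@example.com` are placeholders, `192.168.0.200:81` is the sample Blue Iris LAN address quoted later in this thread, the function names, resolver name `le` and volume name `traefik-acme` are made up here, and port 80 must be reachable from the internet for the Let's Encrypt HTTP challenge.

```bash
#!/usr/bin/env bash
# Added example. Placeholders: bi.example.com, admin@example.com.
# 192.168.0.200:81 is the sample Blue Iris LAN address used elsewhere in this thread.

write_traefik_config() {   # $1 = directory to write the two files into
  mkdir -p "$1" || return 1
  # Static config: no "api: insecure: true", so no open dashboard on 8080,
  # and no Docker provider, so docker.sock is never mounted into the container.
  cat > "$1/traefik.yml" <<'EOF'
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  le:
    acme:
      email: admin@example.com
      storage: /acme/acme.json
      httpChallenge:
        entryPoint: web
EOF
  # Dynamic config: one HTTPS router in front of the Blue Iris web server.
  cat > "$1/dynamic.yml" <<'EOF'
http:
  routers:
    blueiris:
      rule: "Host(`bi.example.com`)"
      entryPoints: ["websecure"]
      service: blueiris
      tls:
        certResolver: le
  services:
    blueiris:
      loadBalancer:
        servers:
          - url: "http://192.168.0.200:81"
EOF
}

run_traefik() {            # $1 = directory holding the two files
  # MSYS_NO_PATHCONV=1 stops Git Bash rewriting container paths; ignored elsewhere.
  MSYS_NO_PATHCONV=1 docker run -d -p 80:80 -p 443:443 \
    -v "$1/traefik.yml:/etc/traefik/traefik.yml:ro" \
    -v "$1/dynamic.yml:/etc/traefik/dynamic.yml:ro" \
    -v traefik-acme:/acme \
    traefik:v2.0
}
```

Call `write_traefik_config "$PWD"` and then `run_traefik "$PWD"`. The certificate store lives in a named volume so its file permissions are set by Traefik inside the container rather than inherited from a Windows bind mount.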
Thixotropic
Posts: 743
Joined: Wed Sep 04, 2019 7:20 pm
Location: Low-Earth Orbit

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by Thixotropic »

Have you looked at Ngrok? It seems like it's a very easy way to get an https connection...if you can get it working.

I've been trying to get it to work and I'm 99% of the way there. The connection reaches my PC but gets rejected, and that's where I'm stuck.

(sorry, didn't mean to hijack your thread)
Blue Iris 5.x x64 | Windows 10 Pro x64 | 16GB RAM | i7-7700 3.6 GHz | 1TB HDD | 2TB RAID NAS | 9 Cameras | Almost Dual NIC | 2KVA UPS
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

I have HTTPS working with legit Let'sEncrypt certificates already using a VM. I was just thinking that Docker would be cool to learn and maybe be a little lighter.

Ngrok looks like an interesting service to help people get through their firewalls but I prefer to tinker on my own.
Thixotropic
Posts: 743
Joined: Wed Sep 04, 2019 7:20 pm
Location: Low-Earth Orbit

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by Thixotropic »

HeneryH wrote: Fri Mar 06, 2020 3:27 am
"Ngrok looks like an interesting service to help people get through their firewalls but I prefer to tinker on my own."

I've learned a bit about Docker from my last job, but it's a heavier solution than I'm looking for. If you can get a solution and walk-through for it, I'd be interested in seeing if I could implement it. And I applaud you for your persistence in delving into it.

I think at this point I'm probably just going to use Teamviewer if I can't get ngrok working. It's not ideal, but it gets the job done.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Replicating the Reverse Proxy/Let'sEncrypt VM using Docker

Post by HeneryH »

My use case is perhaps different than others. I have about 10 clients at a small boat yard/slips who need to have access to the web viewer. I didn't want them to have to accept that alert about self-signed certs. So I created a quick virtual machine to handle that. VMs are a little heavier than Docker containers. But I had the headroom so no problem there. I'm just a geek.
Thixotropic
Posts: 743
Joined: Wed Sep 04, 2019 7:20 pm
Location: Low-Earth Orbit

NGROK issue solved :)

Post by Thixotropic »

Update...solved!

I'm happy to report that with the help of Blue Iris support, I got this working. :) A huge thank you to the support team for helping to resolve this. Here's their reply, and so far it seems to work perfectly (at least on a local LAN connection):
"If you receive an error remotely stating “successfully tunneled to your NGROK client, but the client failed to establish a connection to the local address localhost:81” it may be that “localhost” is not resolvable for some reason. In this case you may use the full LAN IP address in the NGROK command. Edit the BAT file and change the 81 to your full LAN address such as 192.168.0.200:81 for example."
So...I added the full IP address, tested it, and BADDA BING, BADDA BOOM, I now have a secure HTTPS connection to my BI box from anywhere in the world.

I updated my other post about Ngrok to reflect this in the hopes it'll help someone else.