dendrite
Explanation on how to set this server up with a Single Docker Compose File
I am trying to figure out how to set up a single docker compose file to set up everything needed for the Dendrite server. I see in the guide it mentions running two separate docker compose files, but I don't even see how it communicates as no ports are published.
Hey,
An example of mine using traefik:
```yaml
matrix:
  container_name: matrix
  image: matrixdotorg/dendrite-monolith:latest
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.matrix.rule=Host(`matrix.wounn.xyz`) || PathPrefix(`/_matrix`)"
    - "traefik.http.routers.matrix.entrypoints=websecure"
    - "traefik.http.routers.matrix.tls.certresolver=myresolver"
    - "traefik.http.routers.matrix.middlewares=corsMatrix@file"
    # - "traefik.http.services.matrix.loadbalancer.server.port=8008"
    # - "traefik.http.services.matrix.loadbalancer.server.port=8008"
    # - "traefik.port=8008"
  command: [
    "--tls-cert=server.crt",
    "--tls-key=server.key"
  ]
  volumes:
    - ./matrix:/etc/dendrite
  ports:
    - 8008:8008
  networks:
    - traefik
    - db
  depends_on:
    - traefik
    - postgres
  restart: unless-stopped
```
I can make a PR to expose the default ports, but it's not mandatory to have them exposed; you can attach the ports anyway. Didn't need 8448 because traefik is dealing with SSL.
Doesn't this mean that all clients connecting to your server have to use HTTP only, since the clients know to only use HTTP on 8008 and HTTPS on 8448?
The SSL is handled on traefik and all the clients are using https. This means that all the traffic between traefik and dendrite is http, but they are on the same machine.
I am talking about the traffic between the client and the traefik server. I thought the server only connects to clients over SSL on 8448 and non-SSL over 8008. Behind the proxy is another story. I am just talking about between the client and the reverse proxy. I thought the way it would normally work is the client talks with https up to port 8448. The reverse proxy terminates the SSL at that point and communicates with Dendrite over port 8008 the rest of the way.
Are you saying the client is able to communicate with the server using HTTPS to port 8008? Then it terminates SSL and continues on port 8008 on HTTP to the Dendrite server?
HTTPS (port 443) -> traefik (handles SSL) -> dendrite (Port 8008)
Oh, clients use 443? I didn't see that in the guide when I was reading through it at all. I wouldn't have guessed that.
That's because they are using a reverse proxy like Apache or nginx which will terminate TLS and forward the now unencrypted traffic to :8008. It's not a dendrite specific thing.
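The topology discussed above (HTTPS on 443, TLS terminated at traefik, plain HTTP to Dendrite on 8008) in a single compose file, as an added example that is not from any participant in this thread or from the Dendrite project. It assumes Compose V2 and Traefik v2; the host name, e-mail address, `traefik:v2.10` tag, network names and `.env` variable are constructed placeholders, and the Dendrite `command` is carried over unchanged from the posts on this page.

```yaml
services:
  traefik:
    image: traefik:v2.10                      # assumed version tag
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # only labelled containers are routed
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=admin@example.org"   # placeholder
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"                             # the only port published on the host
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]
    restart: unless-stopped

  monolith:
    image: matrixdotorg/dendrite-monolith:latest
    command: ["--tls-cert=server.crt", "--tls-key=server.key"]   # as in the posts here
    volumes:
      - ./config:/etc/dendrite
    # No "ports:" entry: 8008 is reachable only by containers on the "proxy" network.
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"        # pick the right network, monolith is on two
      - "traefik.http.routers.matrix.rule=Host(`matrix.example.org`)"   # placeholder host
      - "traefik.http.routers.matrix.entrypoints=websecure"
      - "traefik.http.routers.matrix.tls.certresolver=myresolver"
      - "traefik.http.services.matrix.loadbalancer.server.port=8008"
    networks: [proxy, db]
    depends_on: [traefik, postgres]
    restart: unless-stopped

  postgres:
    image: postgres:11
    volumes:
      - ./postgres/create_db.sh:/docker-entrypoint-initdb.d/20-create_db.sh
      - ./pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: dendrite
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}"
    networks: [db]                            # never published to the host
    restart: unless-stopped
networks:
  proxy:
    name: proxy                               # fixed name so the label above matches
  db:
    internal: true                            # database network has no outside route
```

Containers on the same compose network reach each other by service name without any published port, so only traefik's 443 is exposed. Federation traffic, which defaults to 8448, is not covered here and would need delegation to 443 or a second entrypoint.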
One who does not know how the service is set up could assume that its ports of operation were intentionally picked to not be 80 or 443.
Indeed, the example of using multiple compose files is a bit strange. The whole purpose of Docker compose is to use a single file, e.g. containing postgres with a dependency to dendrite (via depends_on:).
This is my docker-compose.yml. Maybe it helps somehow?
```yaml
version: "3.4"
services:
  monolith:
    hostname: monolith
    image: matrixdotorg/dendrite-monolith:latest
    restart: always
    command: [
      "--tls-cert=server.crt",
      "--tls-key=server.key"
    ]
    ports:
      - 8008:8008
      - 8448:8448
    volumes:
      - ./config:/etc/dendrite
    networks:
      - internal
    depends_on:
      - postgres
  # PostgreSQL is needed for both polylith and monolith modes.
  postgres:
    hostname: postgres
    image: postgres:11
    restart: always
    volumes:
      - ./postgres/create_db.sh:/docker-entrypoint-initdb.d/20-create_db.sh
      # To persist your PostgreSQL databases outside of the Docker image, to
      # prevent data loss, you will need to add something like this:
      # - /MY/LOCAL/PATH/data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: itsasecret
      POSTGRES_USER: dendrite
    networks:
      - internal
networks:
  internal:
    attachable: true
```
I'll look to add a docker compose example for monolith (which is the recommended way of running Dendrite) sometime soon.
Something I haven't wrapped my head around and it doesn't seem to be in the docs. Do I need to set tls-cert and tls-key on the monolith if I'm throwing traefik or haproxy in front?
@HelderFSFerreira could you please share the docker-compose.yml including the content of corsMatrix@file? This would be sooo helpful. I am going to set up the same but in swarm.
@plague-doctor there you have it:
```yaml
http:
  middlewares:
    corsMatrix:
      headers:
        accessControlAllowMethods:
          - GET
          - POST
          - PUT
          - DELETE
          - OPTIONS
        accessControlAllowOriginList:
          - "*"
        accessControlAllowHeaders:
          - Origin
          - X-Requested-With
          - Content-Type
          - Accept
          - Authorization
        accessControlMaxAge: 100
        addVaryHeader: true
```
We don't support docker-compose as a maintained runtime configuration. We will however support Helm charts, which are kinda like docker-compose in some ways.