Suggestion: Traefik Documentation
My suggestion is to add a Traefik section to NavContainerHelper.md.
My first draft would be:
Docker containers are given an internal IP address on a special internal network on the local machine and they can only be reached locally. Traefik is an application proxy that allows you to run multiple Business Central Docker containers on a single server and make them accessible externally. A Business Central Service such as Web Client, SOAP, OData, Dev, Snapshot Debugger, etc. will receive external names for each internal port of a service.
To make this accessible, there are two ways of providing an SSL certificate.
- You can use Let's Encrypt. This option requires your server to be publicly accessible.
- Or you can Bring your own certificate.
Let's Encrypt
```powershell
Setup-TraefikContainerForBcContainers -ContactEMailForLetsEncrypt [email protected] -PublicDnsName dockerhub.mycompany.com
```
Bring your own certificate
To use an SSL certificate, you can use [OpenSSL](https://slproweb.com/products/Win32OpenSSL.html) to convert your PFX file into a CRT and KEY file. After installing OpenSSL, you can use the console to transfer them.
```
openssl pkcs12 -in "certificate.pfx" -clcerts -nokeys -out "certificate.crt"
```
- Needs the pfx phase
```
openssl pkcs12 -in "certificate.pfx" -nocerts -out "certificate-encrypted.key"
```
- Needs the passphase of the pfx
- Set a passphase for the key file
```
openssl rsa -in "certificate-encrypted.key" -out "certificate.key"
```
- Needs a passphase for the key file
To set up Traefik, you need to run Setup-TraefikContainerForBCContainers:
```powershell
Setup-TraefikContainerForBCContainers -PublicDnsName dockerhub.mycompany.com -CrtFile certificate.crt -CrtKeyFile certificate.key
```
After that, you need to add -useTraefik when creating a Docker container:
```powershell
$url = Get-BCArtifactUrl -select Latest -type OnPrem -country w1
$cred = Get-Credential
New-BcContainer -accept_eula -artifactUrl $url -Credential $cred -auth UserPassword -useTraefik -useSSL
```
What do you think and what should be added?
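A pre-flight check for the bring-your-own-certificate steps above, added as an example and not part of the original post or of BcContainerHelper: it uses OpenSSL to confirm that the key file is unencrypted and belongs to the certificate, and that the certificate is unexpired and covers the public DNS name. `Test-TraefikCertPair` and the sample file names are hypothetical; it assumes `openssl` is on the PATH.

```powershell
# Added example. Test-TraefikCertPair is a hypothetical helper, not a BcContainerHelper cmdlet.
# Assumes openssl is on PATH and the default $ErrorActionPreference (Continue).
function Test-TraefikCertPair {
    param(
        [Parameter(Mandatory)] [string] $CrtFile,
        [Parameter(Mandatory)] [string] $CrtKeyFile,
        [Parameter(Mandatory)] [string] $PublicDnsName
    )
    $problems = @()

    # Public key embedded in the certificate; stop early if the file is unreadable.
    $certPub = (& openssl x509 -in $CrtFile -noout -pubkey 2>$null) -join "`n"
    if ($LASTEXITCODE -ne 0) { return @("cannot read certificate $CrtFile") }

    # Public key derived from the private key. "-passin pass:" supplies an empty
    # passphrase, so a still-encrypted key fails here instead of prompting.
    $keyPub = (& openssl pkey -in $CrtKeyFile -pubout -passin 'pass:' 2>$null) -join "`n"
    if ($LASTEXITCODE -ne 0) {
        $problems += "key file is unreadable or still passphrase-protected"
    } elseif ($certPub -ne $keyPub) {
        $problems += "key file does not belong to this certificate"
    }

    # -checkend 0 exits non-zero when the certificate has already expired.
    & openssl x509 -in $CrtFile -noout -checkend 0 *> $null
    if ($LASTEXITCODE -ne 0) { $problems += "certificate has expired" }

    # -checkhost prints "does match certificate" or "does NOT match certificate".
    $hostCheck = (& openssl x509 -in $CrtFile -noout -checkhost $PublicDnsName 2>&1) -join ' '
    if ($hostCheck -notmatch 'does match certificate') {
        $problems += "certificate does not cover $PublicDnsName"
    }
    return $problems
}

# Constructed sample input: a throwaway self-signed pair in the temp directory.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'traefik-cert-check'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$crt = Join-Path $dir 'sample.crt'; $key = Join-Path $dir 'sample.key'
& openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=dockerhub.mycompany.com' -keyout $key -out $crt 2>$null

$problems = Test-TraefikCertPair -CrtFile $crt -CrtKeyFile $key -PublicDnsName 'dockerhub.mycompany.com'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Certificate pair is usable' }
```

Because the final key file carries no passphrase, keep it readable only by the account that runs the setup, and delete the intermediate `certificate-encrypted.key` once the conversion is done.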
That would have been indeed very helpful!
Some comments: passphrase I think it is ;) openSSL is part of a normal nextnextnextnext git installation - which I think almost everybody should have installed in the meantime: find it there -> C:\Program Files\Git\mingw64\bin
Anyhow, I also would like to see this whole thing shifted to traefik v2 ... the mechanics as such are almost the same, but labels have to be different, and the initial traefik yml/toml needs some love I would think?
so that would be really awesome ;)
I totally agree with Kristof, that shifting to Traefik v2.0 would be a great thing!
@KristofKlein @DBiernat Sure, but I can't really help with Traefik v2.0. Since this issue is about adding Traefik documentation, my suggestion would be to add your suggestion for switching to Traefik v2.0. Depending on the outcome, I would recommend adding the documentation for the current version or for v2.0.
@DanielGoehler muuhahaha - took over the issue :D fun aside, you also asked what is missing. I think what I would have loved to know (quite a while ago) is :
- if you are on win 11 you need to make your own traefik image such that it supports process isolation (as hyperv did not work for me : no access within the container to the npipe)
- the more clear cut between "open" machine where a lets encrypt just works fine or what it takes for a local network installation.
you do have the openssl components mentioned in here, which for me was the most confusing part how to do this in a closed, local dev machine... in fact it is as simple as just use your current hostname
```powershell
[System.Net.Dns]::GetHostByName($env:computerName).HostName
```
which you can use also with openssl to create a certificate just for your host:
```
# generate a passphrase-protected 2048-bit RSA key
openssl.exe genrsa -des3 -out server.key 2048
# strip the passphrase from the key (rewrites server.key in place)
openssl.exe rsa -in server.key -out server.key
# create a CSR with the key and the host name as CN
openssl.exe req -sha256 -new -key server.key -out server.csr -subj "/CN=YOURHOSTNAMEHERE"
# create a self-signed crt file valid for 365 days
openssl.exe x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
@DBiernat @KristofKlein @kine Please open a separate issue for your unrelated but perfectly valid issues that are not related to my Traefik documentation proposal.