This guide will create a running Owncloud Docker container with SSL certificates using Traefik.

Create owncloud directory and files:

mkdir owncloud; cd owncloud
touch docker-compose.yml

docker-compose file

version: '3.7'

volumes:
  files:
    driver: local
  mysql:
    driver: local
  backup:
    driver: local
  redis:
    driver: local

services:
  owncloud:
    image: "owncloud/server:latest"
    container_name: "owncloud"
    restart: unless-stopped
    depends_on:
      - db
      - redis
    environment:
      - OWNCLOUD_DOMAIN=owncloud.mycooldomain.com
      - OWNCLOUD_DB_TYPE=mysql
      - OWNCLOUD_DB_NAME=owncloud
      - OWNCLOUD_DB_USERNAME=owncloud
      - OWNCLOUD_DB_PASSWORD=yourpassword<-- same as "MARIADB_PASSWORD"
      - OWNCLOUD_DB_HOST=db
      - OWNCLOUD_ADMIN_USERNAME=admin
      - OWNCLOUD_ADMIN_PASSWORD=owncloudadminpassword <--change
      - OWNCLOUD_UTF8MB4_ENABLED=true
      - OWNCLOUD_REDIS_ENABLED=true
      - OWNCLOUD_REDIS_HOST=redis
    networks:
      - proxy
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.owncloud-secure.entrypoints=websecure"
      - "traefik.http.routers.owncloud-secure.rule=Host(`cloud.mycooldomain.net`)"
        #- "traefik.http.services.owncloud-service.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - files:/mnt/data
  db:
   image: webhippie/mariadb:latest
   restart: unless-stopped
   environment:
     - MARIADB_ROOT_PASSWORD=myrootpassword <--change
     - MARIADB_USERNAME=owncloud
     - MARIADB_PASSWORD=yourpassword <--change
     - MARIADB_DATABASE=owncloud
     - MARIADB_MAX_ALLOWED_PACKET=128M
     - MARIADB_INNODB_LOG_FILE_SIZE=64M
     - MARIADB_INNODB_LARGE_PREFIX=ON
     - MARIADB_INNODB_FILE_FORMAT=Barracuda
   healthcheck:
     test: ["CMD", "/usr/bin/healthcheck"]
     interval: 30s
     timeout: 10s
     retries: 5
   volumes:
     - mysql:/var/lib/mysql
     - backup:/var/lib/backup
   networks:
     - internal

  redis:
    image: webhippie/redis:latest
    container_name: "redis"
    restart: unless-stopped
    environment:
      - REDIS_DATABASES=1
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
        - redis:/var/lib/redis
    networks:
      - internal

networks:
  proxy:
    external: true
  internal:

As you can see from the above example docker-compose.yml file, we will be utilizing the "internal" network for communication to our mysql container with our owncloud container as well as our standard "proxy" network for communication to traefik. This will ensure that our mysql container is not able to be reached externally from outside our local area network while allowing our owncloud container to be reached externally.

You'll want to ensure that your "OWNCLOUD_DB_PASSWORD" matches the "MARIADB_PASSWORD" in this file so that owncloud can access its database files properly. Be sure to alter each password with something of your own before running this container.

We have also made a volume declaration at the top of this docker-compose file to state that we would like to use the docker host's volume creation for our owncloud and database files. You can also use local paths if you would prefer to. Just be sure to remove the volume statement at the top of the docker-compose file before running it.

Last, but not least, we've added labels to communicate with our traefik container that direct us to only use HTTPS protocol with owncloud externally and HTTP protocol internally as well as create our own sub domain to access. In the above example file, we've chosen the sub domain "cloud.mycooldomain.net".

Create the container

docker-compose up -d

We'll need to give docker some time to download all the necessary images as well as the owncloud container to run its initial configuration process. Once ready, you should be able to access your owncloud web UI and login with the credentials you saved in the docker-compose file. For more information regarding configuring your Owncloud Server, see their documentation page.

The goal I had in mind when creating this site was to document all of my current works as well as make an easy to follow set of guides for anyone, with any skill set, to replicate. Nearly ALL of my guides will be utilizing the Traefik Docker Container, in Docker with Docker-Compose, as a baseline configuration so you'll need to get this running first before proceeding with any other guides. Once this is working, all you'll need to do is follow any other guide to create your desired container's docker-compose.yml file and run it for seamless integration without the need for any service restarts or configuration file updates to Traefik or Docker.

I'll do my best to keep these guides updated with any new changes or version releases going forward. Please feel free to leave a comment if something isn't working properly or you'd like to provide feedback on my methods as I am always willing to learn a better way.

In this guide we'll be creating a docker container for Wordpress with some added flags in our docker-compose.yml file for Traefik to automatically see, generate certs, and start routing to. If you have not configured Traefik yet, please use my Traefik Configs guide before proceeding.

We'll be using mysql and wordpress in our docker-compose.yml file. We'll also use the "proxy" network to communicate with our Traefik container as well as create the "wordpress" network that the wordpress container will use to communicate with its mysql instance so that mysql isn't exposed externally to anything.

Create the "wordpress" network

docker network create wordpress

Then create your docker-compose.yml with your favorite text editor

vim docker-compose.yml

Paste the below configs

version: '3.7'

services:
  db:
    image: "sql:8.0.22"
    container_name: "db"
    restart: unless-stopped
    env_file: .env
    environment:
      - MYSQL_DATABASE=db
      - MYSQL_ROOT_PASSWORD=changeme
      - MYSQL_USER=db
      - MYSQL_PASSWORD=changeme
    volumes:
      - "path/to/db/files":/var/lib/mysql
    command: '--default-authentication-plugin=sql_native_password'
    networks:
      - wordpress

  wordpress:
    depends_on:
      - db
    image: "wordpress:latest"
    container_name: "db"
    restart: unless-stopped
    environment:
      - WORDPRESS_DB_HOST=db:3306
      - WORDPRESS_DB_USER=db
      - WORDPRESS_DB_PASSWORD=changeme
      - WORDPRESS_DB_NAME=db
    volumes:
      - "path/to/html/files":/var/www/html
      - "path-to-file"/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
    networks:
      - proxy
      - wordpress
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.wordpress-secure.entrypoints=websecure"
      - "traefik.http.routers.wordpress-secure.rule=Host(`yourdomain`)"
      - "traefik.http.routers.wordpress-secure.tls.certresolver=letsencrypt"
networks:
  proxy:
    external: true
  wordpress:

Now we just run

docker-compose up -d

And...That's it!

After some time, you should be able to navigate to https://yourdomain/wp-admin in your browser to finish your new Wordpress setup with a shiny new SSL certificate already in use.

Notes:

In this file we've added a volume for the "uploads.ini" file. The reason for this is so you don't have any issues with uploading images to your website that are over the (very small) default limit.

uploads.ini

file_uploads = On
memory_limit = 500M
upload_max_filesize = 500M
post_max_size = 500M
max_execution_time = 600

The configuration above will allow up to 500Mb files to be uploaded to your site. You probably don't need anything that large uploaded, so feel free to adjust to your needs.

You'll also want to ensure that you update the "yourdomain" and "path-to.." sections to match your installation.

This guide will configure and start a working docker image with BitWarden. BitWarden is a fully-loaded password management suite that I have used for a few years now. It has browser/phone compatibility and will auto fill any password that I store into it for me. It's essentially is the paid version of Last Pass but free (open source). I would encourage you to check out their site for a complete list of services they offer here. This guide will just get the implementation running and ready for use. Any further customization's should be referenced from BitWarden's site for accuracy and instruction.

Make a directory for your BitWarden files, create the docker-compose.yml file and paste in the configuration after updating the necessary fields for your installation

mkdir -p bitwarden/bw-data; cd bitwarden/bw-data
vim docker-compose.yml

version: '3.7'

services:
  bitwarden:
    image: "vaultwarden/server:latest"
    container_name: "bitwarden"
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Entry Point for https
      - "traefik.http.routers.bitwarden-secure.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bw.yourdomain`)"
      - "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
      # websocket
      - "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-ws.rule=Host(`bw.yourdomain`) && Path(`/notifications/hub`)"
      - "traefik.http.middlewares.bitwarden-ws=bw-stripPrefix@file"
      - "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
      - "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"
      
networks:
  proxy:
    external: true

In this file you'll just need to update the lines that contain "bw.yourdomain" with your domain name. I've added a sample docker-compose.yml file for reference of what the file should look like once completed:

version: '3.7'

services:
  bitwarden:
    image: "vaultwarden/server:latest"
    container_name: "bitwarden"
    restart: always
    volumes:
      - ./bw-data:/data
    environment:
      - WEBSOCKET_ENABLED=true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Entry Point for https
      - "traefik.http.routers.bitwarden-secure.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-secure.rule=Host(`bw.mycooldomain.net`)"
      - "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
      # websocket
      - "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-ws.rule=Host(`bw.mycooldomain.net`) && Path(`/notifications/hub`)"
      - "traefik.http.middlewares.bitwarden-ws=bw-stripPrefix@file"
      - "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
      - "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"
      
networks:
  proxy:
    external: true

Run

docker-compose up -d

Give the installation about 10 minutes to complete before attempting to access your portal. One way to check whether the services have started is to open your traefik dashboard and watch for your "routers" and "services" sections to go up in count:

In the mean time, we'll need to make some changes to the config.json file. Within the "bitwarden/bw-data" path we just created. Below is the sample configuration for bw.mycooldomain.net:

  "domain": "http://bw.mycooldomain.net", #<--change
  "sends_allowed": true,
  "disable_icon_download": false,
  "signups_allowed": true,
  "signups_verify": false,
  "signups_verify_resend_time": 3600,
  "signups_verify_resend_limit": 6,
  "invitations_allowed": true,
  "password_iterations": 100000,
  "show_password_hint": false,
  "admin_token": "", #<---------------------Add token hash
  "invitation_org_name": "bw.mycooldomain", #<--change
  "ip_header": "X-Real-IP",
  "icon_cache_ttl": 2592000,
  "icon_cache_negttl": 259200,
  "icon_download_timeout": 10,
  "icon_blacklist_non_global_ips": true,
  "disable_2fa_remember": false,
  "authenticator_disable_time_drift": false,
  "require_device_email": false,
  "reload_templates": false,
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "disable_admin_token": false,
  "_enable_yubico": true,
  "_enable_duo": false,
  "_enable_smtp": true,
  "smtp_host": "",
  "smtp_ssl": true,
  "smtp_explicit_tls": false,
  "smtp_port": ,
  "smtp_from": "",
  "smtp_from_name": "",
  "smtp_username": "",
  "smtp_password": "",
  "smtp_auth_mechanism": "",
  "smtp_timeout": 15,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "_enable_email_2fa": true,
  "email_token_size": 6,
  "email_expiration_time": 600,
  "email_attempts_limit": 3
}

Create another password hash

htpasswd -nb admin <password>

Example

htpasswd -nb admin mypassword
admin:$apr1$bDYpIv27$D8nt54IltqswqV/K5s8g20

Remember that we only need the password hash here so remove the

admin:

that precedes the hash before pasting it into your configuration.

Save the file and restart BitWarden to login to the portal with your new password hash at bw.yourdomain/admin in your browser. From here, you'll need to add smtp information to send out email invitations as well as email confirmations for new account creation. I use Google's SMTP services for my configuration. Once you're through, test the email settings to just added and verify email receipt.

You are now ready to access your BitWarden Portal and register for an account! Go to https://bw.yourdomain (without the "/admin") to create your account. Your BitWarden Server will send out a confirmation email using the smtp server you just created so you can confirm and login. If you already have a BitWarden account, you can export your entire password vault and import it here (like I did) to start using your own server instead of BitWarden's public servers. Refer to BitWarden's documentation for instructions on this process (linked above) if you are unsure how to accomplish this.