Tech Question about my Linux Server

I’m not certain what impacts are expected.

Data management and migration will be the biggest hurdle I think. Are you building this on a greenfield server? Can you map the old data to the new server over NFS or CIFS? What kind of backend is the data being stored on now?

Do you already have some of the functionality up and running in Docker? I think getting familiarity with Docker is the first step which can be done with sample data.

I use docker for work … sure only one specific setup but I think I am fine with setting it up and containers and mounting in directories for the data etc. much more comfortable than I am with ansible. I previously used docker for my server before switching over to the virtual one and using plesk.

Migration is the most difficult part definitely. some of the tools I use should be easily migrated via db dumps and scp …

I have previously migrated mailserver, wordpress. Nextcloud I am not sure… most of the non-file based stuff is in the database. the files I could probably reupload or scp. I think that one just uses a directory to store the files.

The impact I most expect is that I run everything on a test domain, then migrate my data and point my main domain + subdomains at the new server and some internal configuration is forgotten and the thing instead of “mydomain.de” thinks it is called “mytestdomain.de” and foobars everything and debugging takes forever. Ideally the services are agnostic to what domain they are running on but in my experience they are not. (Wordpress is definitely guilty of this stuff, mailserver is the thing I am most afraid of)

Backend… file-system and mysql … I have some of the files on an “external” virtual drive that I might be able to remount to the new server. I am not sure. This is all virtual server stuff. I have a hard time explaining these things. Sorry -.-

Ah Grüne Wiese. Yes yes, the new server is empty for now.

Here's my plan:
1 Like

Well, the great thing about (well-designed) docker containers is that they are stateless and they only have precepts about the environment based on what you configure on the container itself. Unfortunately, a problem that stems from that is that you can configure configuration and data mounts that can contain previously configured information and data.

I think I would start with doing some dry-runs with snapshot data following official or community migration guides, and see what kind of artifacts you encounter after fake migrations.

1 Like

you’re right, I should just jump and get familiar with it all in some dry-runs and only think about migrating when I feel like I control the thing. I can reset the server as much as I like :slight_smile:

1 Like

Wait, are you telling me that I used an English compound word and then you translated it to German as two words? Thisisbackwards.

3 Likes

Specific thing with DNS and mail: turn down the DNS TTL. You need to do this at least (TTL) before it matters. Then remote servers will update more often and spot changes sooner. (Except Microsoft ones, which deliberately break the standards and hold onto cached DNS data forever, perhaps because their own DNS servers are so ghastly.)

Also, set up a secondary MX. Then if mail isn’t being accepted by the primary for some reason it’ll pile up there without you needing to do anything. Doesn’t help if the primary is saying “no, I’m not that domain’s server” though; for that you need to change DNS.

2 Likes

Right now I need to learn or rather relearn the reverse proxy setup I need. I think the last time I ran this I was doing that with apache. But these days I think one would do it in nginx. But I am getting there. I just pointed a few subdomains at my server and I set up nginx and letsencrypt and docker/docker-compose so once I figure out a little better how to play with nginx without plesk I think I am good to go with the docker side.

Thanks @pillbox I really needed someone to tell me to just start playing.

I am keeping a protocol but I know from past attempts these are faulty and end up having holes. Which is–I know I know–where ansible would come in. And maybe I will end up using that at some point. For now I just want to see some services running…

2 Likes

First learn to do, then learn to automate the ‘do’, then learn to automate the automation of the ‘do’.

2 Likes

Also, for what it’s worth, I’m using Traefik2 for reverse proxy. I’m not even using it the best way possible, but it’s pretty neat.

1 Like

Being a lazy dev, I should know this right? Ansible seems like a huge problem when you start with it, I suspect it looks like a smaller problem when I know where I am going.

1 Like

That looks pretty neat. I think for this run I will stick with nginx as I have already started that.

But as I am reasonably sure that I want to reset the server at least once to make sure I am eliminating mistakes and failed attempts I made along the way… maybe I will try that :slight_smile: Automatic detection sounds lazy :slight_smile:

1 Like

Traefik looks very promising but I have yet to figure out https :wink:
I have managed to get it to route to a wordpress container.
The documentation leaves something to be desired; it is very much the kind of tutorial that was written by someone who has no idea what people don’t know when they first start using the tool. But I found their forums (discourse, what a surprise) and I’ll figure it out.

I could in theory configure nginx manually or a docker image specifically for using nginx as reverse proxy. But I doubt the nginx reverse proxy docker image is any easier to figure out.

One of the issues is that there are so many different ways to get the same result it is hard to find all the parts that belong to the same path.

2 Likes

This is the caveat I always mention when talking about the benefits of open source software. You have to curate an ecosystem; and that may take a lot of trial and error and possible major backtracking as you find the limits of the different pieces of software you are gluing together.

1 Like

I was trying to figure out how to update my PHP install the other day. Gave up in the end as all the answers were contradictory. Will try again another day.

2 Likes

I got as far as beginning to understand the mailserver container…
I remember why I hate setting up mailservers and why after doing so I immediately forget everything about the mailserver. It was totally the reason that plesk seemed/seems so attractive.

Who wants to know what amavis and clamd are?
When I read the “if you do this because you want to be able to use smtp from your other docker containers you may end up creating an open relay” I just want to give up already.

At least the documentation on this container is much much more thorough than everything else.

A zoomed out screenshot of the current docker compose file oO it’s been ages since I went to bed at 2am. Need sleep now.

2 Likes

in theory I have all the containers that will give me the same functionality as my old server

  • but neither roundcube nor outlook want to connect to the mailserver something something ports… or SSL or who knows what with mailservers.
  • mailserver also needs a lot of tweaking to get our crazy mail setup right.
  • database initialization still requires me to go to adminer and input the sql script through the web console when it shouldn’t but maybe I just need to try again with the latest version and it might just work?
  • roundcube doesn’t want to use docker secrets for the database password oO

but most of it is there and requires very little manual fiddling now. and the great thing is the basic server installation remains very basic. all it needs is ssh key, ufw ports and installation of docker + docker-compose. ~20-30 commands.

Of course my docker-compose is about 400 lines long… but who cares about that. That’s gitted and automated.

2 Likes

The neverending story of how much I hate running a mailserver while it is not yet set up… once it’s done and I don’t have to touch it it’s fine…

For now… can either of you explain to me why I can connect to the server mail.mydomain.xyz with openssl fine when tls-passthrough is enabled in traefik and when I turn it off I can see that the server is sending the wrong certificate (other subdomain)?

I think the easy solution would be a *.mydomain.xyz certificate except I have had trouble with that in the past (for DNS reasons)

So I guess I better figure out how to have the server pick the mail.mydomain.xyz certificate from the storage (it should be in there or it should be created)

The best bug from yesterday was probably hunting for 2+ hours why my tcp routers didn’t appear in the traefik dashboard, only to find out that my mail container had traefik enabled like this:

  • traefik.enable=true"

And that " is not supposed to be there. Hours…

2 Likes

addendum: I found that my domain hoster has linked to a small set of scripts to help with certificates and somebody wrote a shell script specifically for that provider + letsencrypt with docker examples that I will hopefully figure out how to use to get a wildcard certificate. I understand why a DNS challenge is required for wildcard certificates but maaaaan those have been a PITA. Because I refuse to configure DNS myself I don’t understand DNS and I don’t want to. I can write dns records in the domain provider’s web interface and that is as far as I will go.

2 Likes

Solved the wildcard certificate: actually built-in dnschallenge tools for traefik can do this once correctly configured.

However: this just reveals the next error on the stack. This is the way.

PS: traefik documentation exists. however…

2 Likes

This thread is my rubber ducky I hope you don’t mind too much :slight_smile:

So now I have

  • traefik running as proxy
  • a bunch of http containers that work fine
  • a wildcard certificate
  • a mailserver in a docker container: https://docker-mailserver.github.io
  • I followed the setup instructions to the server and created users for both dovecot and postfix and I checked inside the container and they exist.
openssl s_client -connect ${DOMAINNAME}:993

And on port 465 it answers with “connected” and some lengthy elaboration on the certificate which is the wildcard cert I got.

Snippet from the open ssl request because I am quite unable to understand it all but it mostly looks fine to me?
SSL handshake has read 5082 bytes and written 370 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
Docker Compose for Traefik
  traefik:
    image: traefik:v2.9
    hostname: traefik
    container_name: traefik
    domainname: ${DOMAINNAME}
    command:
      - "--api.insecure=false"
      - "--api.dashboard=true"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--entryPoints.smtp.address=:25"
      - "--entryPoints.smtp-ssl.address=:465"
      - "--entryPoints.imap-ssl.address=:993"
      - "--entryPoints.sieve.address=:4190"
      - "--certificatesResolvers.myresolver.acme.email=XXXX"
      - "--certificatesResolvers.myresolver.acme.storage=/etc/traefik/acme.json"
      - "--certificatesResolvers.myresolver.acme.httpChallenge=true"
      - "--certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=inwx"
    environment:
      - INWX_USERNAME_FILE=/run/secrets/inwx_username
      - INWX_PASSWORD_FILE=/run/secrets/inwx_password
    restart: unless-stopped
    ports:
      - 80:80
      - 8080:8080
      - 8443:8443
      - 443:443
      - 25:25
      - 465:465
      - 993:993
      - 4190:4190
    networks:
      - frontend
    labels:
      # define some configs (stray trailing quotes removed; they broke the label values)
      - traefik.log.level=WARN
      - traefik.providers.docker.network=frontend
      - traefik.api.dashboard=true
      - traefik.global.checkNewVersion=true
      - traefik.certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory

      # redirect to https
      - traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)
      - traefik.http.routers.http_catchall.entrypoints=web
      - traefik.http.routers.http_catchall.middlewares=https_redirect
      - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true

      # define traefik dashboard router and service
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls.certResolver=myresolver
      - traefik.http.routers.traefik.tls.domains[0].main=${DOMAINNAME}
      - traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAINNAME}
      - traefik.http.routers.traefik.middlewares=myauth
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      # basic auth
      - traefik.http.middlewares.myauth.basicauth.usersfile=/etc/traefik/usersfile
      - traefik.http.middlewares.myauth.basicauth.realm=Einmal mit Profis
      - traefik.http.middlewares.myauth.basicauth.headerField=X-WebAuth-User
      - traefik.http.middlewares.myauth.basicauth.removeheader=true

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${DOCKERDIR}/shared/htpasswd:/etc/traefik/usersfile
      - ${DOCKERDIR}/shared/acme.json:/etc/traefik/acme.json
    secrets:
      - inwx_username
      - inwx_password
Docker Compose for mailserver
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    restart: unless-stopped
    depends_on:
      - traefik
    hostname: mail
    domainname: ${DOMAINNAME}
    environment:
      - TZ=${TZ}
      - LOG_LEVEL=debug
      - ENABLE_FAIL2BAN=1
      - SSL_TYPE=letsencrypt
      - SSL_DOMAIN=${DOMAINNAME}
      - PERMIT_DOCKER=host
      - ONE_DIR=1
      - ENABLE_POSTGREY=1
      - ENABLE_CLAMAV=0
      - ENABLE_SPAMASSASSIN=0
      - SPOOF_PROTECTION=1
      - POSTFIX_INET_PROTOCOLS=ipv4
      - ENABLE_AMAVIS=0
      - ENABLE_DNSBL=0
      - ENABLE_MANAGESIEVE=1
      - ENABLE_UPDATE_CHECK=0
      - ACCOUNT_PROVISIONER=FILE
    ports:
      # only non default ports need mapping
      - 10993:993  # IMAP4 (implicit TLS)
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend
      # smtp router & service
      - traefik.tcp.routers.smtp.rule=HostSNI(`*`)
      - traefik.tcp.routers.smtp.entrypoints=smtp
      - traefik.tcp.routers.smtp.service=smtp
      - traefik.tcp.services.smtp.loadbalancer.server.port=25
      - traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1
      # smtp ssl router & service
      - traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)
      - traefik.tcp.routers.smtp-ssl.service=smtp-ssl
      - traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl
      - traefik.tcp.routers.smtp-ssl.tls=true
      - traefik.tcp.routers.smtp-ssl.tls.passthrough=false
      - traefik.tcp.routers.smtp-ssl.tls.certresolver=myresolver
      - traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465
      - traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1
      # imap ssl router & service
      - traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)
      - traefik.tcp.routers.imap-ssl.service=imap-ssl
      - traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl
      - traefik.tcp.routers.imap-ssl.tls=true
      - traefik.tcp.routers.imap-ssl.tls.passthrough=false
      - traefik.tcp.routers.imap-ssl.tls.certresolver=myresolver
      - traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993
      - traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2
      # sieve router & service
      - traefik.tcp.routers.sieve.rule=HostSNI(`*`)
      - traefik.tcp.routers.sieve.entrypoints=sieve
      - traefik.tcp.routers.sieve.service=sieve
      - traefik.tcp.services.sieve.loadbalancer.server.port=4190
    volumes:
      - ${DOCKERDIR}/containers/mail/mail-data/:/var/mail/
      - ${DOCKERDIR}/containers/mail/mail-state/:/var/mail-state/
      - ${DOCKERDIR}/containers/mail/mail-logs/:/var/log/mail/
      - ${DOCKERDIR}/containers/mail/config/:/tmp/docker-mailserver/
      - ${DOCKERDIR}/shared/acme.json:/etc/letsencrypt/acme.json:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - frontend
(I am quite sure there is no sensitive data in the code I posted, as I put all passwords in docker secrets files and my domain is defined in the environment)

So here’s my (current) problem:

  • I am using thunderbird to try to connect to the mailserver
  • I have checked username and password multiple times
  • using Ports 465 / 993 with SSL/TLS
  • I’ve tried all authentication methods

The result is always the same:

mailserver    | Nov 28 17:57:10 mail postfix/smtps/smtpd[5104]: connect from [my current IP]
mailserver    | Nov 28 17:57:20 mail postfix/smtps/smtpd[5104]: SSL_accept error from [my current IP]: lost connection
mailserver    | Nov 28 17:57:20 mail dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip= [my current IP], lip=172.26.0.2, TLS handshaking: Connection closed, session=<4kK+w4ruG8XZUV8m>
mailserver    | Nov 28 17:57:20 mail postfix/smtps/smtpd[5104]: lost connection after CONNECT from  [my current IP]
mailserver    | Nov 28 17:57:20 mail postfix/smtps/smtpd[5104]: disconnect from  [my current IP] commands=0/0

I think there are probably more SSL shenanigans going on… but I am dumbfounded for the moment.

Thanks for listening. If you have–just by chance–any ideas where my mistake lies… those would be very welcome. But I’ll just continue debugging this issue.

PS: mailservers are not my friends and this is not even the end of it as I have not even started on the customization that we need for our setup.

PPS: I turned off fail2ban, that was not it (this time)

2 Likes
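An added example (not from the thread, and not part of Traefik or docker-mailserver) that checks the TCP router labels posted above against two things a practitioner verifies first when a mail client is dropped right after connecting: `loadbalancer.server.port` has to be a port that exists inside the container (a `ports:` entry such as `10993:993` only creates 10993 on the host), and a router with `tls=true` and `tls.passthrough=false` terminates TLS in Traefik and hands plaintext to the backend, which on an implicit-TLS port such as 465 or 993 is waiting for the client's TLS handshake. The label strings are copied from the compose file above; the set of container listen ports, the implicit-TLS port list and the use of the router name as the default service name are assumptions made for the example, and the second set of labels is a constructed passthrough variant shown for comparison.

```python
import re

# Constructed input: the Traefik TCP labels of the mailserver service as posted
# in the thread (certresolver and proxyProtocol labels omitted; not checked here).
MAILSERVER_LABELS = [
    "traefik.tcp.routers.smtp.rule=HostSNI(`*`)",
    "traefik.tcp.routers.smtp.entrypoints=smtp",
    "traefik.tcp.routers.smtp.service=smtp",
    "traefik.tcp.services.smtp.loadbalancer.server.port=25",
    "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.smtp-ssl.service=smtp-ssl",
    "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl",
    "traefik.tcp.routers.smtp-ssl.tls=true",
    "traefik.tcp.routers.smtp-ssl.tls.passthrough=false",
    "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465",
    "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.imap-ssl.service=imap-ssl",
    "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl",
    "traefik.tcp.routers.imap-ssl.tls=true",
    "traefik.tcp.routers.imap-ssl.tls.passthrough=false",
    "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993",
]

# Constructed variant of the two TLS routers: Traefik passes the TLS stream
# through untouched and targets the container-side port.
PASSTHROUGH_LABELS = [
    "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl",
    "traefik.tcp.routers.smtp-ssl.tls.passthrough=true",
    "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465",
    "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl",
    "traefik.tcp.routers.imap-ssl.tls.passthrough=true",
    "traefik.tcp.services.imap-ssl.loadbalancer.server.port=993",
]

# The service's `ports:` entries ("host:container") and the ports assumed to be
# listening inside the container (taken from the compose entrypoints and the
# 10993:993 mapping; an assumption, not verified against the image).
MAILSERVER_PORT_MAPPINGS = ["10993:993"]
CONTAINER_LISTEN_PORTS = {25, 465, 993, 4190}

# Well-known implicit-TLS ports: smtps, imaps, pop3s. The client opens with a
# TLS handshake, so plaintext arriving here is rejected by the daemon.
IMPLICIT_TLS_PORTS = {465, 993, 995}

LABEL_RE = re.compile(r"^traefik\.tcp\.(routers|services)\.([^.]+)\.(.+?)=(.*)$")


def parse_tcp_labels(labels):
    """Group traefik.tcp.* labels into {router_name: {key: value}} and the same for services."""
    routers, services = {}, {}
    for label in labels:
        match = LABEL_RE.match(label)
        if not match:
            continue
        kind, name, key, value = match.groups()
        target = routers if kind == "routers" else services
        target.setdefault(name, {})[key] = value
    return routers, services


def check_tcp_routing(labels, port_mappings, listen_ports):
    """Return (router, problem) pairs for backend ports that do not exist in the
    container and for TLS termination in front of an implicit-TLS port."""
    routers, services = parse_tcp_labels(labels)
    host_to_container = {}
    for mapping in port_mappings:
        host, _, container = mapping.partition(":")
        host_to_container[int(host)] = int(container or host)

    findings = []
    for name, router in sorted(routers.items()):
        # Assumption: a router without an explicit service uses one of the same name.
        service = services.get(router.get("service", name), {})
        if "loadbalancer.server.port" not in service:
            findings.append((name, "no backend port configured"))
            continue
        port = int(service["loadbalancer.server.port"])
        if port not in listen_ports:
            if port in host_to_container:
                findings.append((name, f"backend port {port} is the host side of the mapping "
                                       f"{port}:{host_to_container[port]}; Traefik dials container "
                                       f"ports, so use {host_to_container[port]}"))
            else:
                findings.append((name, f"backend port {port} is not a port the container listens on"))
        terminates = router.get("tls") == "true" and router.get("tls.passthrough", "false") != "true"
        if terminates and port in IMPLICIT_TLS_PORTS:
            findings.append((name, f"Traefik terminates TLS (passthrough=false) but forwards "
                                   f"plaintext to port {port}, which expects the client's TLS "
                                   f"handshake; the backend will abort the connection"))
    return findings


if __name__ == "__main__":
    for router, problem in check_tcp_routing(MAILSERVER_LABELS, MAILSERVER_PORT_MAPPINGS, CONTAINER_LISTEN_PORTS):
        print(f"{router}: {problem}")
    print("passthrough variant:", check_tcp_routing(PASSTHROUGH_LABELS, MAILSERVER_PORT_MAPPINGS, CONTAINER_LISTEN_PORTS))
```

The check is deliberately narrow: it says nothing about whether the backend accepts the PROXY protocol that the `proxyProtocol.version` labels turn on, or whether the certificate Traefik serves matches the SNI name, both of which are separate checks once the port and termination mode agree.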