From eacadab501736ea042740fb44b03eb3714ef19d4 Mon Sep 17 00:00:00 2001
From: cguentherTUChemnitz <cguenther.tu.chemnitz@gmail.com>
Date: Fri, 7 Jun 2019 13:26:43 +0200
Subject: [PATCH] Create traefik-proxy-subdomain.md

---
 examples/traefik-proxy-subdomain.md | 73 +++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 examples/traefik-proxy-subdomain.md

diff --git a/examples/traefik-proxy-subdomain.md b/examples/traefik-proxy-subdomain.md
new file mode 100644
index 0000000..69ffe16
--- /dev/null
+++ b/examples/traefik-proxy-subdomain.md
@@ -0,0 +1,73 @@
+Situation and motivation:
+---
+* running the kopano stack behind an ssl-terminating proxy
+* as less as possible mantainence affort --> run the kopano stack as close as possible at the default configuration
+* using the kopano-stack to provide a central ldap authentication for the domain, but running the frontents using a subdomain
+
+Way to go:
+--
+1. initial clean **setup of kopano stack** --> follow the documentation of https://github.com/zokradonh/kopano-docker/blob/master/README.md
+    1. clone the repo https://github.com/zokradonh/kopano-docker
+    2. run the setup.sh (only steps, necessary for the configuration is shown here)
+       1. Name of the Organisation for LDAP `mydomain.com`
+       2. FQDN to be used (for reverse proxy) `kopano.mydomain.com`
+       3. Email address to use for Lets Encrypt. `self_signed`
+       4. Name of the BASE DN for LDAP `dc=mydomain,dc=com`
+       5. E-Mail Address displayed for the 'postmaster' `postmaster@mydomain.com`
+
+2. ensure ldap and reverse-proxy domain is splitted correctly in generated `.env` file:
+```
+LDAP_DOMAIN=mydomain.com
+LDAP_BASE_DN=dc=mydomain,dc=com
+
+FQDN=kopano.mydomain.com
+```
+
+3. ensure kwmserver is able to connect through an enpoint with valid ssl-certificate
+```
+FQDNCLEANED=somethingInvalidToEnforceConnectionFromOutsideEndpoint
+```
+
+4. ensure your traefik instance outside of the kopano-stack does allow **proxying to self-signed certificates**:
+```
+command: --insecureSkipVerify=true
+```
+
+5. disable the docker-host portmapping of the kopano-caddy proxy in `docker-compose.yml` to not interference with your traefik proxy
+```
+services:
+  web:
+...
+#    ports:
+#      - "${CADDY:-2015}:2015"
+#      - "${HTTP:-80}:80"
+#      - "${HTTPS:-443}:443"
+```
+
+6. make the self-signed kopano reverse-proxy available in traeffik via `docker-compose.override.yml`
+```
+version: "3.5"
+
+services:
+  web:
+    networks:
+      proxy-net:
+    labels:
+      traefik.enable: true 
+      traefik.frontend.rule: "Host:${FQDN}"
+      traefik.port: 2015
+      traefik.protocol: https
+      traefik.docker.network: "proxy-net"
+      traefik.frontend.headers.forceSTSHeader: true
+      traefik.frontend.headers.STSSeconds: 315360000
+      traefik.frontend.headers.STSIncludeSubdomains: true
+      traefik.frontend.headers.STSPreload: true
+
+networks:
+  proxy-net:
+    external: true
+  ldap-net:
+    name: ldap-net
+```
+
+Everything else should be configurable as normal. My test-setup showed a functional active-sync connection using the mdm plugin in the webapp, as well as screensharing via kopano-meet.