Intro

Following on from my previous blog posts How to setup a Linux machine with Docker on DigitalOcean for $5 and Getting started with Traefik as an alternative and easy to use reverse proxy. This is a follow up on how it’s possible to host multiple Ghost blogs under one machine. And yes, you can have multiple domain names. All pointing to a single machine. This is all achievable with Traefik and Docker.

I’ve managed to pull this off with this blog chlee.co and my other blog chuenl.com and another side project blog.officemixer.app

This is a great way to save money if you ever have the need of hosting multiple ghost blogs for a single machine.

Ghost-Multiple-blogs-with-Traefik-1

Prerequisites

  • You will need a machine, VPC, or server. I’m currently using DigitalOcean as it’s relatively cheap at just $5 per month. Feel free to use my referral code, which should give you $100 in credit to get you started.
  • Docker and Docker Compose installed. DigitalOcean makes this easy with their pre-made droplets. You can follow instructions on How to set up a Linux machine with Docker on DigitalOcean for $5

TLDR

Feel free to jump to the final configuration section to view the final product.

Alternatively, they are available on my GiHub repo

Create a Docker network

We need to create a Docker network so that all containers share the same network.

docker network create web

To confirm and the network has been created, you can list the networks using the following command.

docker network list

Configure and get Traefik up and running

Create a docker compose file such as docker-compose-traefik.yml with the following contents.

version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:  
      # enable insecure api. Only for testing. You can access it via http://the-ip-address:8080 
      - --api.insecure=true

      # enable dashboard api
      - --api 

      # enable docker as a provider
      - --providers.docker=true                  
      
      # set to false to not expose all docker containers to traefik
      - --providers.docker.exposedbydefault=false

      # set this to the 'web' network
      - --providers.docker.network=web
      
      # enable default http port 80
      - --entrypoints.web.address=:80                                             
      
    ports:
      # This is the default port http
      - "80:80"

      # The default port to access Traefik's monitoring dashboard
      - "8080:8080"                                                               

   # add the 'web' network
    networks:
     - web                                                                        
   

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"                           

    labels:
      - "traefik.enable=true"                                                     
      
networks:
  web:
    external: true

This is a basic Traefik Docker Compose configuration which we will build on. In the configuration above, we are enabling the inbuilt web dashboard, opening ports 80, and 8080, associating the web docker network we created earlier, and enabling Traefik to use Docker containers.

Start Traefik

We can start Traefik with the following Docker Compose command.

docker-compose -f docker-compose-traefik.yml up -d 

You can navigate to Traefik’s web dashboard using http://161.35.42.117:8080

Setting up SSL with Let’s Encrypt

Create a file called acme.json. Traefik needs this so that it can create and rotate certificates with Let’s Encrypt on your behalf.

Create a folder called in a desired location called letsencrypt.

mkdir letsencrypt

Navigate to this new directory.

cd letsencrypt

Create a file an empty file called acme.json within letsencrypt.

touch acme.json

Provide specific permission to the file.

chmod 600 acme.json

Modify Traefik to enable SSL

Next, we now need to modify the Traefik Docker Compose file to enable SSL and reference the acme.json file we just create in setting up SSL with Let’s Encrypt

See the modified configuration below.

version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:  
      - --api.insecure=true
      - --api               
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      
      ## Additional changes to enable SSL and Let's Encrypt.

      # define an entry point for SSL with the name of 'websecure'
      - --entrypoints.websecure.address=:443

      # define a http redirection entrypoint to use SSL i.e. 'websecure'
      - --entrypoints.web.http.redirections.entryPoint.to=websecure

      # define a http redirection scheme to be https
      - --entrypoints.web.http.redirections.entryPoint.scheme=https

      # define a certificate resolver called 'myresolver' and to use tls challenge to obtain ssl certificates
      - --certificatesresolvers.myresolver.acme.tlschallenge=true

      # set a valid email address for the certificate resolver.
      - --certificatesresolvers.myresolver.acme.email=your-email-adress@email.com
      
      # Set the path of the acme.json file. Mine is located relative to where this docker compose file is located.
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      

    ports:
      - "80:80
      - "8080:8080"

      # enable portt 443 for SSL
      - "443:443"

    networks:
     - web
   
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

      # Map the letsencrypt folder
      - "./letsencrypt:/letsencrypt"

    labels:
      - "traefik.enable=true"
networks:
  web:
    external: true

Restarting Traefik with SSL

If you have Traefik running already running from the earlier steps, we need to stop and start it so that is uses the latest configuration.

To stop Traefik we can use the down command.

docker-compose -f docker-compose-traefik.yml up down

To start Traefik, we can use the up command again.

docker-compose -f docker-compose-traefik.yml up -d

Configure a Ghost blog

To make things simple, we will use Ghost’s sqlite3 database configuration. This means we don’t have to set up another docker container with mysql. We’ll then map Ghost’s content to the host so that if there are any restarts required, the content will not be lost.

Create a Docker Compose file called docker-compose-blog1.yml

version: "3.3"

services:

  example1_blog:
  
    # We are specifying the Ghost Image to run
    image: ghost:4.3.3-alpine

    
    # map host port 9198 (external) to Ghost's default internal port 2368
    ports:
      - 9198:2368

    environment:
      # the url of your blog. 
      url: https://example1.com                                            

    labels:
     # tells Traefik to detect this docker container
     - traefik.enable=true

     # tells Traefik to look and match the host name example1.com
     - traefik.http.routers.example1_blog.rule=Host(`example1.com`)

     # tells Traefik to use the 'websecure' http router entry point.
     - traefik.http.routers.example1_blog.entrypoints=websecure

     # tells Traefik what certificate resolver to use - 'myresolver'
     - traefik.http.routers.example1_blog.tls.certresolver=myresolver

    volumes:

      # maps Ghost's data directory to the hosts directory.
      - /home/deploy/ghost_data/example1_blog/data:/var/lib/ghost/content
 
    networks:
     - web


networks:
  web:
    external: true

Take note of the use of the port mapping. We are using an external port of 9198 (this can be anything so long it’s not used). But it must map to Ghost’s default internal port of 2368.

Start it up

docker-compose -f docker-compose-blog1.yml up -d

Setup your DNS for your first blog

Now it’s time to set up your DNS. Make an A record with the ip address of where the server is located. If you server ip address is say 169.36.58.110. Then the DNS entries would look something like this:

TypeNamecontent
Achlee.co169.36.58.110
Awww169.36.58.110

As with DNS, it may take a few hours or even 24 hours. I generally use Cloudflare for DNS management. I find it easier and it’s free!

Configure another Ghost blog

Just like the first configuration, to have another or additional Ghost blog running on the same machine, we just need to expose it with another unused port. So in the configuration below, we are using port 9199. Whereas in the previous configuration we were using 9198. And we keep Ghost’s default port of 2368. That is the magical part.

version: "3.3"

services:

  example2_blog:

    image: ghost:4.3.3-alpine

    # map host port 9199 (external) to Ghost's default internal port 2368
    ports:
      - 9199:2368

    environment:
      # the url of your other blog. 
      url: https://example2.com                                           

    labels:
     # tells Traefik to detect this docker container
     - traefik.enable=true

     # tells Traefik to look and match the host name chuenl.com
     - traefik.http.routers.example2_blog.rule=Host(`example2.com`)

     # tells Traefik to use the 'websecure' http router entry point.
     - traefik.http.routers.example2_blog.entrypoints=websecure

     # tells Traefik what certificate resolver to use - 'myresolver'
     - traefik.http.routers.example2_blog.tls.certresolver=myresolver

    volumes:
      # maps Ghost's data directory to the hosts directory.
      - /home/deploy/ghost_data/example2_blog/data:/var/lib/ghost/content

    networks:
     - web

networks:
  web:
    external: true

Setup your DNS for your second blog

Now it’s time to setup your DNS for the second blog. Just like the first time around, make an A record with the ip address of where the server is located.

TypeNamecontent
Achuenl.com169.36.58.110
Awww169.36.58.110

Disable Traefik Monitoring dashboard (optional)

This is optional. If you do not require Traefik’s fancy monitoring dashboard, you can simply turn it off. You can see that both --api.insecure= and --api are commented out below.

    command:  
      #- --api.insecure=true                                             # disabled                  
      #- --api                                                           # disabled
      - --providers.docker=true                                          # enable docker as provider

Enable Auth on Traefik Monitoring dashboard (optional)

If on the other hand, you do like the Traefik Monitoring dashboard, it’s best to put it behind a password so it’s protected. This is optional of course. To do this, we need to enable basic HTTP authentication and create a username and password.

Create a username and password using htpasswd

1. Check if htpasswd is installed

htpasswd

2. Install htpasswd

sudo apt install apache2-utils

3. Create a username and password. To create a username of say admin and the password of password123, the command will be like so:

htpasswd -nb admin password123

You should see something like this generated.

admin:$apr1$M/tkVVQs$.s3kR09/L5pWnPZDxM1PG.

Make a note of the above as we will use it next.

Add Basic auth to Traefik and provide username and password

With the username and password generated from [](#Create a username and password using htpasswd). We can modify the Traefik Docker Compose file with the following labels.

IMPORTANT NOTE With the password generated, if there are any dollar signs, they need to be escaped with an additional dollar sign.

so this:

admin:$apr1$M/tkVVQs$.s3kR09/L5pWnPZDxM1PG.

becomes this

admin:$$apr1$$M/tkVVQs$$.s3kR09/L5pWnPZDxM1PG.

The additional configuration is needed.

...
    command:  

      # disable access to api via http
      #- --api.insecure=true

      # enable dashboard api for use when ssl is configured.
      - --api       

...
    labels:
      - "traefik.enable=true"

      # Enabling the api to be a service 
      - "traefik.http.routers.api.service=api@internal"

      # set authentication mode for access to traefiks api dashboard
      - "traefik.http.routers.api.middlewares=auth"

      # enable basic auth and provide username and hashed password generated by htpasswd
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$M/tkVVQs$$.s3kR09/L5pWnPZDxM1PG." 

Assign a domain or sub-domain name and SSL on Traefik Monitoring Dashboard (optional)

If you would like to access Trafik via a domain name or even sub-domain, just add the following labels. You will need to add the relevant A record or CNAME.


...
    labels:
      - "traefik.enable=true"

      # set a domain or sub-domain name to access traefiks monitoring dashboard.
      - "traefik.http.routers.api.rule=Host(`monitor.your-domain.com`)"

      # tells traefik to use the 'certrersolver' to enable and use SSL
      - "traefik.http.routers.api.tls.certresolver=myresolver"

The final config

This is the final config for Traefik, with SSL, a sub-domain to access the monitoring dashboard with basic authentication enabled.

version: "3.3"

services:

  traefik:
    image: "traefik:v2.4"
    container_name: "traefik"
    command:                
      # enable insecure api. Only for testing. You can access it via http://the-ip-address:8080 
      #- --api.insecure=true

      # enable dashboard api
      - --api

      # enable docker as a provider
      - --providers.docker=true
      
      # set to false to not expose all docker containers to traefik
      - --providers.docker.exposedbydefault=false

      # set this to the 'web' network
      - --providers.docker.network=web
      
      # enable default http port 80
      - --entrypoints.web.address=:80

      # define an entry point for SSL with the name of 'websecure'
      - --entrypoints.websecure.address=:443

      # define a http redirection entrypoint to use SSL i.e. 'websecure'
      - --entrypoints.web.http.redirections.entryPoint.to=websecure

      # define a http redirection scheme to be https
      - --entrypoints.web.http.redirections.entryPoint.scheme=https

      # define a certificate resolver called 'myresolver' and to use tls challenge to obtain ssl certificates
      - --certificatesresolvers.myresolver.acme.tlschallenge=true

      # set a valid email address for the certificate resolver.
      - --certificatesresolvers.myresolver.acme.email=your-email-adress@email.com
      
      # Set the path of the acme.json file. Mine is located relative to where this docker compose file is located.
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      

    ports:
      # This is the default port http
      - "80:80"

      # The default port to access Traefik's monitoring dashboard
      - "8080:8080"     

      # enable portt 443 for SSL
      - "443:443"

    networks:
     - web
   
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

      # Map the letsencrypt folder
      - "./letsencrypt:/letsencrypt"

    labels:
      - "traefik.enable=true"

      # Enabling the api to be a service 
      - "traefik.http.routers.api.service=api@internal"

      # set authentication mode for access to traefiks api dashboard
      - "traefik.http.routers.api.middlewares=auth"

      # enable basic auth and provide username and hashed password generated by htpasswd
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$M/tkVVQs$$.s3kR09/L5pWnPZDxM1PG." 
      
      # set a domain or sub-domain name to access traefiks monitoring dashboard.
      - "traefik.http.routers.api.rule=Host(`monitor.your-domain.com`)"

      # tells traefik to use the 'certrersolver' to enable and use SSL
      - "traefik.http.routers.api.tls.certresolver=myresolver"

networks:
  web:
    external: true

This is an example of a Ghost blog configuration.

version: "3.3"

services:

  example1_blog:
  
    # We are specifying the Ghost Image to run
    image: ghost:4.3.3-alpine

    
    # map host port 9198 (external) to Ghost's default internal port 2368
    ports:
      - 9198:2368

    environment:
      # the url of your blog. 
      url: https://example1.com                                            

    labels:
     # tells Traefik to detect this docker container
     - traefik.enable=true

     # tells Traefik to look and match the host name example1.com
     - traefik.http.routers.example1_blog.rule=Host(`example1.com`)

     # tells Traefik to use the 'websecure' http router entry point.
     - traefik.http.routers.example1_blog.entrypoints=websecure

     # tells Traefik what certificate resolver to use - 'myresolver'
     - traefik.http.routers.example1_blog.tls.certresolver=myresolver

    volumes:

      # maps Ghost's data directory to the hosts directory.
      - /home/deploy/ghost_data/example1_blog/data:/var/lib/ghost/content
 
    networks:
     - web


networks:
  web:
    external: true

This is an example of a second Ghost blog configuration.

version: "3.3"

services:

  example2_blog:

    image: ghost:4.3.3-alpine

    # map host port 9199 (external) to Ghost's default internal port 2368
    ports:
      - 9199:2368

    environment:
      # the url of your other blog. 
      url: https://example2.com                                           

    labels:
     # tells Traefik to detect this docker container
     - traefik.enable=true

     # tells Traefik to look and match the host name chuenl.com
     - traefik.http.routers.example2_blog.rule=Host(`example2.com`)

     # tells Traefik to use the 'websecure' http router entry point.
     - traefik.http.routers.example2_blog.entrypoints=websecure

     # tells Traefik what certificate resolver to use - 'myresolver'
     - traefik.http.routers.example2_blog.tls.certresolver=myresolver

    volumes:
      # maps Ghost's data directory to the hosts directory.
      - /home/deploy/ghost_data/example2_blog/data:/var/lib/ghost/content

    networks:
     - web

networks:
  web:
    external: true

Summary

I hope that has helped and if you want to backup your Ghost blog, feel free to check out my other post on how to automatically backup a self-hosted Ghost blog

The full example is available on my my GiHub repo

Enjoy!