In today’s dynamic IT landscape, deploying web applications with security and scalability at the forefront is paramount. WordPress, being one of the most popular Content Management Systems (CMS), often becomes a prime target for malicious activities. Therefore, it’s crucial to implement robust security measures without sacrificing performance or flexibility. In this technical guide, we’ll explore how to deploy WordPress on Docker securely using Traefik and CrowdSec.
Why Docker?
Docker has revolutionized the way we package, distribute, and deploy applications. Its lightweight containerization ensures consistency across various environments, simplifies dependency management, and facilitates seamless scaling. By encapsulating WordPress and its dependencies within containers, we isolate the application environment, making it easier to manage and deploy consistently.
Traefik: The Swiss Army Knife of Reverse Proxies
Traefik acts as a dynamic reverse proxy and load balancer, capable of routing traffic to different backend services based on defined rules. Its native support for Docker makes it an ideal choice for containerized environments. Traefik simplifies SSL/TLS termination, automatic certificate provisioning, and traffic routing, enhancing both security and performance. Leveraging Traefik, we can achieve HTTPS encryption for our WordPress deployment effortlessly.
Enhancing Security with CrowdSec
CrowdSec is an open-source security solution designed to protect servers, services, containers, VMs, or any exposed web service from brute-force attacks, distributed denial-of-service (DDoS) attacks, and other types of malicious activities. It operates by analyzing incoming traffic and blocking suspicious IPs in real-time, based on predefined scenarios and community-driven threat intelligence. Integrating CrowdSec with our WordPress deployment adds an extra layer of security, mitigating potential threats before they escalate.
Deploying WordPress with Docker, Traefik, and CrowdSec
- Prepare the Environment: Ensure Docker and Docker Compose are installed on your host system. Set up a directory structure for your WordPress deployment, including directories for Traefik and CrowdSec configurations.
- Configure Traefik: Define Traefik’s configuration (traefik.yml) to enable Docker integration, SSL termination, and certificate provisioning using Let’s Encrypt.
- Deploy CrowdSec: Set up CrowdSec within a Docker container, configuring the appropriate parsers and scenarios for WordPress security.
- Deploy WordPress: Create a Docker Compose file (docker-compose.yml) to orchestrate the deployment of WordPress, specifying Traefik labels for routing and SSL termination. Ensure WordPress containers are linked to Traefik’s network.
- Testing and Monitoring: Verify the deployment by accessing the WordPress site via HTTPS. Monitor Traefik logs for SSL certificate provisioning and CrowdSec logs for IP blocking events.
- Continuous Optimization: Regularly update Traefik, WordPress, and CrowdSec configurations to incorporate the latest security patches and enhancements. Analyze logs and metrics to identify and mitigate potential security risks proactively.
Prepare the Environment – Installing Docker
The Docker installation package provided in the official Ubuntu repository might not be the most up-to-date version. To guarantee access to the latest version, we’ll opt to install Docker from the official Docker repository. This involves adding a new package source, incorporating the GPG key from Docker to validate the downloads, and proceeding with the package installation.
Before installing Docker, update your list of packages with the following command:
sudo apt update
Next, you’ll need to install a few prerequisite packages that let apt use packages over HTTPS. These packages are apt-transport-https, ca-certificates, curl, and software-properties-common.
sudo apt install apt-transport-https ca-certificates curl software-properties-common
Then add the GPG key for the official Docker repository to your system:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
Add the Docker repository to APT sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update your existing list of packages again for the addition to be recognized:
sudo apt update
To verify that you are about to install from the Docker repo instead of the default Ubuntu repo, run this command:
apt-cache policy docker-ce
The output will look like this, although the version number may be different:
docker-ce:
  Installed: (none)
  Candidate: 5:26.1.3-1~ubuntu.22.04~jammy
  Version table:
     5:26.1.3-1~ubuntu.22.04~jammy 500
        500 https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
     5:26.1.1-1~ubuntu.22.04~jammy 500
        500 https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
Notice that docker-ce is not installed, but the candidate for installation is from the Docker repository for Ubuntu 22.04 (jammy).
Finally, install Docker:
sudo apt install docker-ce
Docker should now be installed, the daemon started, and the process enabled to start on boot. To check that it’s running, enter the following command:
sudo systemctl status docker
The output should look something like this, indicating that the service is active and running:
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-05-14 13:59:22 EDT; 29 seconds ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 246185 (dockerd)
      Tasks: 140
     Memory: 86.7M
        CPU: 5min 14.734s
     CGroup: /system.slice/docker.service
             ├─246185 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Installing Docker now gives you not just the Docker service (daemon) but also the docker command line utility, or the Docker client. We’ll explore how to use the docker command later in this tutorial.
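The apt-cache policy docker-ce check above can be scripted so that the install only proceeds when the candidate really comes from the Docker repository. The following is an added example, not part of the original guide; the function names are hypothetical and the sample input is the output shown earlier.

```shell
#!/bin/sh
# Added example: gate "apt install" on where the candidate version comes from.

# Print the origin URL(s) of the Candidate version in `apt-cache policy` output (stdin).
candidate_origins() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        # Version-table entry: "<version> <prio>", or "*** <version> <prio>" if installed.
        # Appending "" forces a string comparison of version strings.
        cand != "" && (($1 "") == (cand "") || ($1 == "***" && ($2 "") == (cand ""))) {
            in_cand = 1; next
        }
        # Origin line under an entry: "<prio> <url> <suite/component> <arch> Packages".
        in_cand && $1 ~ /^[0-9]+$/ && $2 ~ /^(https?|file):/ { print $2; next }
        # The local dpkg status entry is not a download source; skip it.
        in_cand && $1 ~ /^[0-9]+$/ && $2 == "/var/lib/dpkg/status" { next }
        in_cand { in_cand = 0 }   # the next version entry begins
    '
}

# Succeed only if the candidate has at least one origin and all of them equal $1.
candidate_is_from() {
    expected=$1
    origins=$(candidate_origins)
    [ -n "$origins" ] || return 1
    for origin in $origins; do
        [ "$origin" = "$expected" ] || return 1
    done
}

# Sample input: the apt-cache policy output shown above.
sample_policy() {
    cat <<'EOF'
docker-ce:
  Installed: (none)
  Candidate: 5:26.1.3-1~ubuntu.22.04~jammy
  Version table:
     5:26.1.3-1~ubuntu.22.04~jammy 500
        500 https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
     5:26.1.1-1~ubuntu.22.04~jammy 500
        500 https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages
EOF
}

# Real use: apt-cache policy docker-ce | candidate_is_from <url> && sudo apt install docker-ce
sample_policy | candidate_is_from "https://download.docker.com/linux/ubuntu" \
    && echo "candidate comes from the Docker repository"
```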
Run Docker Commands Without sudo Privileges
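By default, the docker command can only be run by the root user or by a user in the docker group, which is created during Docker’s installation. If you try to run the docker command without prefixing it with sudo or without being in the docker group, you’ll get an error message. To avoid typing sudo whenever you run the docker command, add your user to the docker group. Membership in this group is effectively root access to the host, so add only accounts you would already trust with sudo: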
sudo usermod -aG docker ${USER}
Log out of the server and log back in, or type the following to apply the new group membership:
su - ${USER}
You will be prompted to enter your user’s password to continue. Then, confirm that your user is now added to the docker group by typing:
groups
Output:
peter sudo docker
Installing Docker Compose
To download Docker Compose, use the following commands:
mkdir -p ~/.docker/cli-plugins/
curl -SL https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
Next, set the correct permissions so that the docker compose command is executable:
chmod +x ~/.docker/cli-plugins/docker-compose
To verify that the Docker Compose installation was successful, run the following command:
docker compose version
Output:
Docker Compose version v2.27.0
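The download steps above make the binary executable without checking its integrity. As an added example (not part of the original guide), the script below installs a file only if its SHA-256 matches a checksum list. It assumes you have fetched a sha256sum-format checksum file for the same release; the function names are hypothetical and the demo uses a constructed stand-in file.

```shell
#!/bin/sh
# Added example: verify a downloaded plugin binary before making it executable.

# verify_download FILE SUMS
# Succeeds only if FILE's SHA-256 equals the digest listed for its basename in
# SUMS (sha256sum format: "<hex>  <name>" or "<hex> *<name>").
# Returns 2 if no digest is listed, 1 on mismatch.
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$want" ] || { echo "no digest listed for $name" >&2; return 2; }
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "SHA-256 mismatch for $name" >&2; return 1; }
}

# install_verified FILE SUMS DEST: copy FILE to DEST (mode 0755) only after it verifies.
install_verified() {
    verify_download "$1" "$2" || return
    mkdir -p "$(dirname "$3")" && install -m 0755 "$1" "$3"
}

# Constructed demo: a stand-in file and checksum list in a temp directory,
# so nothing is downloaded. Returns 0 if both outcomes are as expected.
demo() {
    d=$(mktemp -d) || return
    asset=$d/docker-compose-linux-x86_64
    dest=$d/cli-plugins/docker-compose
    printf 'stand-in for the released binary\n' > "$asset"
    (cd "$d" && sha256sum docker-compose-linux-x86_64 > checksums.txt)
    install_verified "$asset" "$d/checksums.txt" "$dest" || return 10
    [ -x "$dest" ] || return 11
    rm "$dest"
    printf 'modified in transit\n' >> "$asset"   # simulate a corrupted download
    if install_verified "$asset" "$d/checksums.txt" "$dest" 2>/dev/null; then return 12; fi
    [ ! -e "$dest" ] || return 13
    rm -rf "$d"
}

demo && echo "verified copy installed; modified copy rejected"
```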
Conclusion:
This guide walks you through the installation of Docker, enabling you to deploy WordPress securely. With Docker in place, you can ensure a scalable and resilient architecture for your WordPress hosting needs. Additionally, Docker simplifies deployment and management tasks, making it easier to maintain your WordPress environment.
Check out part 2 of this series – Deploy WordPress with Docker, Traefik, and CrowdSec for Enhanced Security – Part 2