3.9 KiB
title | sidebar_label | description | slug | image |
---|---|---|---|---|
Web App Features | Web Apps | Learn how to turn your Install Doctor managed device into a secure, full-fledged web app server with endpoints protected by SSO and CloudFlare. | /customization/web-apps | /docs/img/og/web-apps.png |
The default configuration of Install Doctor includes launching multiple services that are available as either web applications or as services that are available on specific ports. These web applications are either run as services or launched as web applications via Docker (i.e. docker-compose.yml
).
SSO-Protected Publicly Accessible Web Services
Whenever possible, we make the services available via an FQDN of your choice. By providing the PUBLIC_SERVICES_DOMAIN
environment variable (or storing it in your encrypted secrets) before running the kickstart script, Install Doctor will automatically use cloudflared
to create publicly accessible web apps by using the PUBLIC_SERVICES_DOMAIN
as a base domain. All of the publicly accessible services can have their:
- IP address protected by CloudFlare
- Can be protected by Single Sign-On by leveraging CloudFlare Teams (also known as CloudFlare Zero Trust)
- Be accessible over the web via domains created using the format of
service-slug.hostname.public-services-domain.com
Example
export PUBLIC_SERVICES_DOMAIN="install.doctor"
bash <(curl -sSL https://install.doctor/start)
Will create the following publicly accessible web services assuming the hostname is webdev1
and the PUBLIC_SERVICES_DOMAIN
is example.com
:
Service | Domain |
---|---|
SSH | ssh.webdev1.example.com |
Remote Desktop Protocol | rdp.webdev1.example.com |
Samba | samba.webdev1.example.com |
SFTP | sftp.webdev1.example.com |
SFTPGo Web Portal | sftpgo.webdev1.example.com |
VNC | vnc.webdev1.example.com |
Dagu | dagu.webdev1.example.com |
rsyslog | rsyslog.webdev1.example.com |
Netdata | netdata.webdev1.example.com |
Rundeck | rundeck.webdev1.example.com |
Portainer | portainer.webdev1.example.com |
cloudflared
Configuration
The services detailed in the chart above are installed in the default configuration. After they are installed, the cloudflared
daemon is launched with a configuration that defines the data shown in the chart above. With cloudflared
proxying the requests, all of these services are available on port 443 (HTTPS) using their defined domain names.
Customization
Customizing the ports that need to be proxied to from the cloudflared
daemon are all dependent on the configurations of each specific app. The sftpgo
configuration is here, for instance.
Besides modifying individual app configurations, if you need to debug anything, you can find the cloudflared
initialization logic in the software.yml
file (by searching for cloudflared
). During the provisioning started by the kickstart script, the installx
program will install all the various applications and run their _post
installation scripts afterwards which includes the initialization logic for both cloudflared
and all of the individual programs (which may need their configurations copied to specific system locations).