Expose Rancher API but not main URL?

Hi all,

Just starting out with Rancher, loving it so far. Very slick tool! I am running it locally for now, on a machine at home with a port forward set up. Externally I expose (via NoIP) port 9000, which routes internally to port 8080, which is then Docker port forwarded to the Rancher docker instance.

I want to deploy locally first, for which I have followed the instructions for running rancher-agent locally, and I can see in my Rancher UI the Rancher docker instance as well as the initial start of my architecture.

I also set up a Digital Ocean account. Initially I manually created the Digital Ocean from Ubuntu 16.04, then installed Docker on it myself (via ssh). However, I want to manage all this from Rancher, so that I can hopefully deploy my stack locally, then just as easily deploy it (with more scaling options) to Digital Ocean. I sure hope this is possible (is it?).

With that in mind, I created a Host to Digital Ocean, and that worked, but it only had the option of Ubuntu 14.04. Wondering how I can get the updated 16.04 as an option for host installation?

Anyway, the main issue is that during host installation it says make sure your port forwarding is set up so that the Digital Ocean instance of Docker/Rancher-agent can report back. Well, I finally got that set up through my router/firewall at home, but the problem to me is, the port maps to the Rancher UI application. It says do not add the /v1/ to the base URL. But I don't want to expose my Rancher UI to the world. I guess the first issue is, how do I secure this locally? Second, is there a way to map to the API only, and not the UI, so that someone browsing around doesn't gain access to my Rancher UI? Or is the only way around this to secure it locally?

One last thing regarding this… ultimately I would much rather run Rancher in the cloud, so that it is scalable (if need be), backed up, and I don't need to do all this NoIP/port forwarding stuff at home. Is this as simple as installing it in a container (er… Droplet) at Digital Ocean? I ultimately do not want to have to pay for several Droplets just to run Rancher, I am hoping I can do so with a single $5 to $10 a month Droplet if possible. Any info on this (and securing it via whatever mechanism) would be greatly appreciated.

16.04 didn’t work with the version of docker-machine that is packaged in Rancher 1.1.x; we’ll look at it again for 1.2. You can also just create a Droplet manually/via their API and then run the one-line add custom host command.

There is no “UI application”… The rancher/server container listens on 8080 and responds to various paths, like /v1, /v1-catalog and various others. Any path that is not “special” gets served the UI HTML. The UI is 100% static-files and driven by the API. So there is no such thing as separating the API from the UI.

The “do not add /v1 to the base URL” thing is just because we want to know your part of the URL (host, port, protocol) and the agent makes its own decision about what API version to use (which is currently /v1).

Yes, you can just run the server in DigitalOcean; the same droplet can also be registered to itself as an agent so you can use it as a host. rancher/server needs ~1 GB of RAM for itself (including the embedded MySQL DB) so a 2 GB droplet would be preferable if you want to run anything of significance on it.

To secure it (regardless of where it’s installed) you can turn on one of the various forms of access control and set up SSL-termination in front of the server container with something like nginx in software, or provider-specific balancers (like Amazon ELB; DigitalOcean doesn’t have one…).
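
A sketch of the nginx SSL-termination setup mentioned in the reply above, added here as an example and not part of the original thread or of Rancher's own configuration. The hostname `rancher.example.com` and the certificate paths are placeholders, and it assumes rancher/server is published only on the loopback interface (for example `-p 127.0.0.1:8080:8080`) so that nginx is the only listener reachable from outside.

```nginx
# Placeholder upstream: rancher/server bound to loopback only, so plain-HTTP
# port 8080 is never reachable from the internet.
upstream rancher {
    server 127.0.0.1:8080;
}

# Agents and the UI use WebSockets; pass the Upgrade handshake through.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name rancher.example.com;                      # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/rancher.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/ssl/rancher.key;       # placeholder path

    # One location for everything: the UI and /v1 are served by the same
    # process, so both sit behind the same TLS listener and the same
    # Rancher access control.
    location / {
        proxy_pass http://rancher;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        # Long-lived WebSocket sessions (agent connections, container shells)
        # would otherwise be cut at nginx's 60 s default read timeout.
        proxy_read_timeout 900s;
    }
}

# Redirect plain HTTP so credentials and API keys are never sent in the clear.
server {
    listen 80;
    server_name rancher.example.com;                      # placeholder hostname
    return 301 https://$server_name$request_uri;
}
```

With this in place, the host registration URL given to agents is the `https://` address of the proxy, and access control should be enabled in Rancher before the listener is opened to the internet, since TLS alone does not authenticate anyone.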