This page permanently redirects to gemini://m0yng.uk/2020/08/Owntracks-in-Docker/.

Owntracks in Docker - M0YNG.uk

Created 2020-08-03

Modified 2021-01-05

=> Tagged

• Docker
• Self Hosting

For a while I've used Traccar[1] for friendly stalking of things, and it works well. But it is very feature rich, which isn't always what you want.

=> 1: https://www.traccar.org/

I'd heard good things about Owntracks[2], and it seemed to have a good balance of features and performance.

=> 2: https://owntracks.org/

However, the documentation is as far as I can tell mostly a list of things you can do, rather than details of how to actually set anything up, and the project appears to be a collection of technologies rather than one coherent offering.

I have got the thing working, but it was a pain, so I've tried to write it down here, so I can try and do it again later.

• NOTE!* I have not tested this - just written down the config I ended up with, so it might not work, or may need steps doing in a different order.

What we're going to do

I've used a €2 VPS running Debian 10 for this, but it should work on other similar setups.

At the end of the day we should have:

• Multiple Android phones
• Who can see the location of each other
• A web UI where we can see history of locations

We'll need to setup;

• MQTT in docker-compose
• Owntracks Recorder in docker-compose
• Owntracks UI in docker-compose
• nginx proxying HTTP
• Encrypted connections using Let's Encrypt
• User accounts for access to the web UI and for the clients
• Created some "user cards"

I assume you can / have already:

• Setup your server with Debian
• Installed docker-compose
• Installed nginx
• Setup your domain
• Installed Certbot[3]

=> 3: https://certbot.eff.org/lets-encrypt/debianbuster-nginx

nginx + reverse proxy + basic auth + certificates

There isn't much to getting certificates, just use certbot to get the certificate for your domain.

I use nginx to reverse proxy the docker containers, but also provide some security because the owncloud services don't have any concept of what a user is (MQTT does), so we'll use basic auth to stop anyone we don't want seeing our location. Some guides put this just on the API, but I want it on the entire domain. This also gives us https, which we'd not get otherwise.

All of this config was put in the default site, at /etc/nginx/sites-available/default

server {
  auth_basic              "OwnTracks";
  auth_basic_user_file    /usr/local/etc/nginx/owntracks.htpasswd;

To create the first user run

htpasswd -c /usr/local/etc/nginx/owntracks.htpasswd christopher

To add more users, drop -c so:

htpasswd /usr/local/etc/nginx/owntracks.htpasswd anotheruser

You may need to apt install apache2-utils to get the htpasswd command.

The following configuration was tweaked from elsewhere, but I can't remember which guide now (I went through a lot!)

location /owntracks/ws {
    rewrite ^/owntracks/(.*)    /$1 break;
    proxy_pass      http://127.0.0.1:8083;
    proxy_http_version  1.1;
    proxy_set_header    Upgrade $http_upgrade;
    proxy_set_header    Connection "upgrade";
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
}

location / {
    proxy_pass http://127.0.0.1:8080/;

    proxy_http_version  1.1;
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
}

location /owntracks/ {
    proxy_pass      http://127.0.0.1:8083/;
    proxy_http_version  1.1;
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
}

# OwnTracks Recorder Views
location /owntracks/view/ {
      proxy_buffering         off;            # Chrome
      proxy_pass              http://127.0.0.1:8083/view/;
      proxy_http_version      1.1;
      proxy_set_header        Host $host;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Real-IP $remote_addr;
}
location /owntracks/static/ {
      proxy_pass              http://127.0.0.1:8083/static/;
      proxy_http_version      1.1;
      proxy_set_header        Host $host;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Real-IP $remote_addr;
}
# HTTP Mode
location /owntracks/pub {
    proxy_pass              http://127.0.0.1:8083/pub;
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Real-IP $remote_addr;

    # Optionally force Recorder to use username from Basic
    # authentication user. Whether or not client sets
    # X-Limit-U and/or uses ?u= parameter, the user will
    # be set to $remote_user.
    proxy_set_header        X-Limit-U $remote_user;
}

Dock some containers

Awesome, let's get the actual stuff running.

Owntracks is a bit of a veneer, mostly the work is done by MQTT which handles all the location data, and passes it between clients, etc.

I'd suggest creating a directory for all of this, and then make a few directories to put stuff into;

mkdir recorder-data ui-data mosquitto-data

Then we'll need a docker-compose.yml file has three containers, one for the recorder (which records locations), one for mosquitto (which is MQTT and gets and shares locations), and one for the fancy UI (which has more features that the recorder UI);

version: "3"

services:
  otrecorder:
    image: owntracks/recorder
    ports:
      - 127.0.0.1:8083:8083 # only expose the unencrypted connection locally (so we can proxy it)
    volumes:
      - ./recorder-data/config:/config
      - ./recorder-data/store:/store
    restart: unless-stopped

  mosquitto:
    image: eclipse-mosquitto
    ports:
      - 8883:8883 # expose the TLS port to the world
    volumes:
      - ./mosquitto-data/data:/mosquitto/data
      - ./mosquitto-data/logs:/mosquitto/logs
      - ./mosquitto-data/conf:/mosquitto/config
      - /etc/letsencrypt:/mosquitto/certs #this lets us use the let's encrypt certs directly
    restart: unless-stopped

  owntracks-ui:
    image: owntracks/frontend
    ports:
      - 127.0.0.1:8080:80 # only expose the unencrypted connection locally (so we can proxy it)
    volumes:
      - ./ui-data/config.js:/usr/share/nginx/html/config/config.js
    environment:
      - SERVER_HOST=otrecorder # the UI needs to know where the recorder is
      - SERVER_PORT=8083
    restart: unless-stopped

We'll need to create some configs to get us going too;

recorder-data/confg/recorder.conf

#(@)ot-recorder.default
#
# Specify global configuration options for the OwnTracks Recorder
# and its associated utilities to override compiled-in defaults.

OTR_TOPICS = "owntracks/#"
OTR_HTTPHOST = "0.0.0.0" # ideally this would be IPv6 too...
OTR_HOST = "your.domain.here"
OTR_PORT = 8883
OTR_USER = "recorder" # the user for connecting to mosquitto
OTR_PASS = "password" # the password for that user
OTR_CAPATH = "/etc/ssl/certs/" # where can it find a root certificate to connect using TLS?

mosquitto-data/conf/mosquitto.conf

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log

allow_anonymous false # require the user to log in
password_file /mosquitto/config/passwd # where to find the users/passwords

listener 8883 # set the listener on the default TLS port
cafile /mosquitto/certs/live/tracks.your.domain/chain.pem
certfile /mosquitto/certs/live/tracks.your.domain/cert.pem
keyfile /mosquitto/certs/live/tracks.your.domain/privkey.pem

ui-data/config.js

(I don't use this, but you might want to)

// Here you can overwite the default configuration values
window.owntracks = window.owntracks || {};
window.owntracks.config = {};

The first run will probably fail, because we haven't created our recorder user in mosquitto yet.

There are two ways to do that, both are a pain.

1. Run the mosquitto container, and then exec into it, and create the user there

2. Install required software outside the container, and create the user outside

Create Users

Let's create some users so we can record and read locations, we'll do this inside the mosquitto container, so run:

docker-compose exec mosquitto sh

Then we can create our first user with:

mosquitto_passwd -c /mosquitto/config/passwd recorder

Like with htpasswd we need to use -c to create the file the first time, then drop it for more users

mosquitto_passwd /mosquitto/config/passwd christopher

To be sure, I'd suggest grabbing a copy of the generated file just in case docker doesn't magic it outside the container correctly, just run this and copy and paste the output somewhere.

cat /mosquitto/config/passwd

Be sure to put the new password for the recorder user in the config file.

You will need to completely restart the containers when config files are changed, I do that with this incantation:

docker-compose down && docker-compose up -d && docker-compose logs -f

Which means I can be sure everything shuts down, then starts up fresh (as a daemon with -d), but I can still see the logs. Crucially I can stop seeing the logs without stopping the containers.

If we want the users to be able to use the UI we'll also need to create accounts for nginx, so don't forget to do that if you haven't already.

Setup Android clients

It's not obvious how to configure your client apps to connect, so for quick reference:

1. Install and open the "Owntracks" app

2. Open the menu in the left

3. Select "Preferences"

4. Select "Connection"

5. Set "Mode" to "MQTT"

6. Set "Host" to

1. host: your full domain

2. port 8883

3. do not use websockets

7. Set "Identification" to

1. username and password as you configured for mosquitto

2. "device ID" something like "phone" (it will become the full user/id e.g. christopher/phone)

3. "tracker ID" whatever you like, maybe an initial and number, e.g. "c1"

8. Set "Security" to TLS, but leave the rest blank (our phone should trust Let's Encrypt certificates)

9. Leave "Parameters" empty

10. Tap the i icon to see any status / error messages

• Note:* Some guides say to use HTTP for connection from the android app. This does work, but it does not let you see the location of other users in the app. This was the key feature I needed, so wasted time trying to work out why it didn't work.

Make users look nice

In theory, at this point we should be able to see locations on the UI, and on the app. But it won't be pretty, just c1 or similar.

However, we can create "cards" that represent our users in a nicer way. We'll want an image, and the image2card script:

wget https://github.com/owntracks/recorder/raw/master/contrib/faces/image2card.sh
./image-card.sh user-image.png UserName > username-card.json
mosquitto_pub -t owntracks/user/phone -f username-card.json -r -p 8883 --capath /etc/ssl/certs -h yourtracker.url -u recorder -P recorderpassword

The end bit

Hopefully you should now have the ability to see where you are, and where other people are too. Yay!

If not, sorry. Maybe I missed something, maybe I screwed up an instruction. I've not actually tested this guide, just extracted what I have that does work.

-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-

🖤 Black Lives Matter

💙🤍💜 Trans Rights are Human Rights

❤️🧡💛💚💙💜 Love is Love

Copyright © 2024 Christopher M0YNG - It is forbidden to use any part of this site for crypto/NFT/AI related projects.

=> Code snippets are licenced under the Hippocratic License 3.0 (or later.)

Page generated 2024-12-13 by Complex 19