kale-samil Posted April 27, 2018
If someone is interested, I have a plugin for it: https://github.com/yaskor/unraid-docker-templates but warning, it will change while I progress (so it's beta I guess)...
kale-samil Posted April 27, 2018 (edited)
So I got it to work. And it is very nice.
Install the traefik plugin from: https://github.com/yaskor/unraid-docker-templates
Then download this file: traefik.toml
replace:
<your-email> with your email
<your-domain> with your domain (duckdns)
then copy it to /mnt/user/appdata/traefik/
Now (re)start the traefik container via unraid!
Now go to the docker image you want to access from outside and put the following as extra Argument (Unraid - Advanced View):
--label="traefik.enable=true" --label="traefik.port=<port>" --label="traefik.frontend.rule=Host:<container-name>.<your-domain>.duckdns.org"
replace:
<container-name> with a name of your choosing (the name of the container)
<your-domain> with your domain
<port> with the internal port of the container !!!Attention: not the port which is mapped!!!
Restart container. Now it should be working.
Edited April 27, 2018 by kale-samil
Stupifier Posted April 27, 2018
@kale-samil I'll try that out, THANKS!
airbillion Posted April 27, 2018
I would like to try this also... What happens if two dockers share the same container port though?
kale-samil Posted April 27, 2018
@airbillion I don't think that's possible :-) Or I don't understand what you mean. Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000...
@All I hope my description above is useful, I think I can do better (tell me if you want a better explanation). The above configuration starts traefik with automatic Let's Encrypt certificates.
Stupifier Posted April 27, 2018 (edited)
31 minutes ago, kale-samil said:
@airbillion I don't think that's possible :-) Or I don't understand what you mean. Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000...
@All I hope my description above is useful, I think I can do better (tell me if you want a better explanation). The above configuration starts traefik with automatic Let's Encrypt certificates.

Can you give me a hand on how to install from https://github.com/yaskor/unraid-docker-templates
I already added that URL to my Docker Repositories (at the bottom of the Unraid Docker page), then I click "add container", and see Traefik listed as an option under your Repository.......I click on Traefik, but it fails to install. Error message below. I think something is wrong in your xml or I am installing this wrong.
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Traefik' --net='bridge' --privileged=true -e TZ="America/New_York" -e HOST_OS="unRAID" -p '6080:80/tcp' -p '6443:443/tcp' -p '6888:8080/tcp' -v '/mnt/user/appdata/traefik':'/etc/traefik/':'rw' -v '/var/run/docker.sock':'/var/run/docker.sock':'rw' 'traefik --api --docker'
/usr/bin/docker: invalid reference format.
See '/usr/bin/docker run --help'.
The command failed.
I think the problem is you have Repository marked as "traefik --api --docker". But I'm a noob at this stuff so I really don't know.
Edited April 27, 2018 by Stupifier
kale-samil Posted April 27, 2018 (edited)
@Stupifier Hi, hmm that's strange. It should be:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik
You have single quotes everywhere; which unraid version are you using?
PS: I've updated my xml and removed --api --docker, please update. And please download the new traefik.toml from above (the tutorial on top of this page).
Edited April 27, 2018 by kale-samil
Stupifier Posted April 27, 2018
51 minutes ago, kale-samil said:
@Stupifier Hi, hmm that's strange. It should be:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik
You have single quotes everywhere; which unraid version are you using?
PS: I've updated my xml and removed --api --docker, please update. And please download the new traefik.toml from above (the tutorial on top of this page).

Ok, works. Remembered I needed to stop my NGINX docker container before doing this stuff. After that it worked....sort of. I get something about https://container.domain.blah.blah being not secure....but I think that is because I had not revoked my LetsEncrypt certificates from my NGINX Docker container instance. Not entirely sure how to revoke LetsEncrypt certificates. I imagine that is probably why, right? Traefik is trying to grab new certs for my domain which is already set up by NGINX.
adoucette Posted May 9, 2018
I'm having difficulty getting this one to work. I end up unable to access the Dockers remotely from the WAN.
First, I forwarded ports in my firewall:
Then I have installed and configured traefik with this traefik.toml config:

defaultEntryPoints = ["http", "https"]
traefikLogsFile = "/etc/traefik/traefik.log"

[web]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "[email protected]"
storageFile = "/etc/traefik/acme.json"
acmeLogging = true
entryPoint = "https"
onDemand = false
OnHostRule = true
  [[acme.domains]]
  main = "mydomain.com"
  [acme.dnsChallenge]
  provider = "cloudflare"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
exposedbydefault = false

I had to use dns instead of http for letsencrypt because my ISP blocks it, so I have my own domain name pointed to cloudflare and have created the appropriate subdomains. I then entered the cloudflare email username and API key as environment variables in the Traefik container. This appears to work according to the Traefik container's logs.
So I have these dockers running:
And then here's what I see in Traefik's Web UI:
But I still can't get to the dockers from the WAN. Trying to get to the NextCloud and Minio dockers using the host addresses listed in Traefik (e.g. https://nextcloud.mydomain.com) without success.
What am I missing here?
Thanks, Ari
JimL Posted May 27, 2018 (edited)
adoucette: the linuxserver nextcloud container only exposes the TLS port (443), are you sure you can use port 80? In order to get my services set up with Traefik I had to add this to traefik.toml (top level) in order to allow self-signed certs in the containers running on https:
insecureSkipVerify = true
You will also have to set the labels for the service:
traefik.protocol=https
traefik.port=443
Edited May 27, 2018 by JimL
hernandito Posted May 30, 2018
Hi Guys, I have a couple of questions please. I have an Apache docker with working LetsEncrypt that I use to access my other dockers from the outside with reverse proxy. I also have a couple of custom web sites hosted for my personal use. With this, would I simply go back to plain Apache (no reverse proxies) and without LetsEncrypt? If Traefik is properly configured, could I access my Dockers from the outside world?
I have my own registered full domain name. My ISP is dynamic IP, and I use no-ip. All examples I see use duckdns. Will this work with my setup? What port do I open in my router?
Thanks, H.
Stupifier Posted May 31, 2018
Traefik is ONLY an automated Reverse Proxy system. It is not a webserver. Apache and NGINX are Webserver AND Reverse Proxy capable.
NAS Posted May 31, 2018
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.
adoucette Posted May 31, 2018
8 hours ago, NAS said:
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.

There is a good number of users here who appear to be using traefik (or letsencrypt) docker containers as a reverse proxy to expose other docker containers to the WAN through SSL (e.g. nextcloud, sickbeard, plex, etc). Does the linked page about dockers having access through the docker socket to the host root - and thus potential breakout of container to root access - imply that this is a security hole for these users? (I ask because I genuinely do not know.)
NAS Posted May 31, 2018
Long story short, if someone roots a container with docker socket enabled it's pretty much game over. This is why, much as I think traefik is a beautiful piece of engineering, it is built on a hill of sand.
adoucette Posted May 31, 2018
If that is the case, then doesn't this apply broadly/generally to all docker containers? So the letsencrypt container would suffer the same inherent possibility of rooting as traefik, and so would any other containers accessed through their reverse proxies like nextcloud or plex? So I have to think we're depending on the containers to be free of exploits. I had assumed that docker was like a sandbox in that containers could not break out of what's provided them (e.g. the app data and any other data storage paths). Is there a way to run docker more securely on unRAID?
NAS Posted May 31, 2018
No, I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.
adoucette Posted May 31, 2018
1 minute ago, NAS said:
No, I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.

Should we imply then that letsencrypt (and the other containers mentioned above like nextcloud, plex, and sickbeard) do not activate the docker socket and so do not share the risk of breakout from the containers to host root access?
NAS Posted May 31, 2018
There is always a risk of breakout of any container but this is the holy grail hack of such a system.
But to be clear what this sock feature does. Essentially it gives the container root access as a member of the docker group on the HOST machine.... not the container... the host. This is a specific feature required by the traefik container and not required by almost any other container. It is very very very rare and for good reason.
adoucette Posted May 31, 2018
Hmm. Thank you for pointing that out and then for clarifying. Will remove Traefik from my system for this reason.
Luqq Posted June 2, 2018 (edited)
I think you are overreacting a bit. The article you linked only applies to write access to the docker socket which is indeed very dangerous. Traefik only needs read-only access to the socket in order to be able to read the labels of the containers to reverse proxy automatically. I think Traefik is a very nice method of reverse proxying without manual configuration if you have it set up properly.
Edited June 2, 2018 by Luqq
JonathanM Posted June 2, 2018
2 hours ago, Luqq said:
I think you are overreacting a bit. The article you linked only applies to write access to the docker socket which is indeed very dangerous. Traefik only needs read-only access to the socket in order to be able to read the labels of the containers to reverse proxy automatically. I think Traefik is a very nice method of reverse proxying without manual configuration if you have it set up properly.
primeval_god Posted June 2, 2018
Before everyone jumps ship from traefik here, I want to chime in and say that I believe there is a way to shore up the security to an acceptable level. Unfortunately I haven't gotten it to work quite yet. I believe the key lies in a program called docker-proxy-acl which can restrict access to certain endpoints on the docker socket. At the moment traefik does not function correctly through this proxy, but I am hopeful that the issue can be fixed in short order.
thostr Posted June 6, 2018
Sorry for any dumb questions in advance, still learning here. I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet? No need to divert data over WAN when sitting next to the server? And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?
primeval_god Posted June 7, 2018
12 hours ago, thostr said:
I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet?

Yes it is, the "traefik.frontend.rule" label can take multiple host names in the form "Host:subdomain1.domain1.com,subdomain1.domain2.local"

12 hours ago, thostr said:
And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?

Though I haven't tried it myself, I believe it does have a setting to allow redirecting http -> https.