[REQUEST] Traefik reverse proxy



So I got it to work. And it is very nice.

 

Install the traefik plugin from:

https://github.com/yaskor/unraid-docker-templates

 

Then download this file: traefik.toml

 

replace: 

<your-email> with your email

<your-domain> with your domain (duckdns)

 

then copy it to /mnt/user/appdata/traefik/

 

Now (re)start the traefik container via unraid!

 

Now go to the docker image you want to access from outside and put the following as an extra argument (Unraid - Advanced View):

 

--label="traefik.enable=true" --label="traefik.port=<port>" --label="traefik.frontend.rule=Host:<container-name>.<your-domain>.duckdns.org"

 

replace:

<container-name> with a name of your choosing (the name of the container)

<your-domain> with your domain

<port> with the internal port of the container !!!Attention: not the port which is mapped!!!

 

Restart the container. Now it should be working.

 

Edited by kale-samil
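An added example, not from the original post, that works out the value the `traefik.port` label must carry from a container's `docker inspect` record, to make the internal-vs-mapped-port distinction above concrete. It assumes the post's Traefik 1.x label names and duckdns hostname scheme; the inspect record is constructed.

```python
# Added example (not from the original post): derive the value the post's
# `traefik.port` label must carry from a container's `docker inspect` record.
# Traefik reaches the container over the Docker network, so the label needs
# the port the service listens on inside (Config.ExposedPorts), never the
# host-side HostPort from the -p mapping.  Label names are Traefik 1.x, as in
# the post; the record below is constructed.

def internal_port(info):
    """Return the one exposed TCP port of a container as an int.

    Raises ValueError if the image exposes several ports: only the operator
    knows which one serves the web UI, so the choice is not guessed.
    """
    exposed = [p for p in info.get("Config", {}).get("ExposedPorts", {})
               if p.endswith("/tcp")]
    if len(exposed) != 1:
        raise ValueError(f"expected exactly one exposed tcp port, found {exposed}")
    return int(exposed[0].split("/")[0])

def traefik_labels(info, domain):
    """Build the three --label arguments from the post for one container."""
    name = info["Name"].lstrip("/")
    return [
        "--label=traefik.enable=true",
        f"--label=traefik.port={internal_port(info)}",
        f"--label=traefik.frontend.rule=Host:{name}.{domain}.duckdns.org",
    ]

# Constructed `docker inspect` record: the service listens on 5000 inside the
# container but is published on the host as 6050 (the port NOT to use).
SAMPLE = {
    "Name": "/nextcloud",
    "Config": {"ExposedPorts": {"5000/tcp": {}}},
    "HostConfig": {
        "PortBindings": {"5000/tcp": [{"HostIp": "", "HostPort": "6050"}]}},
}

if __name__ == "__main__":
    print(" ".join(traefik_labels(SAMPLE, "mydomain")))
```

The printed string can be pasted straight into the Extra Parameters field; the mapped host port (6050 here) never appears in it.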

@airbillion

I don't think that's possible :-) Or I don't understand what you mean.

 

Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000...

 

@All

 

I hope my description above is useful. I think I can do better (tell me if you want a better explanation).

 

The above configuration starts traefik with automatic Let's Encrypt certificates.

 

 

31 minutes ago, kale-samil said:

@airbillion

I don't think that's possible :-) Or I don't understand what you mean.

 

Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000...

 

@All

 

I hope my description above is useful. I think I can do better (tell me if you want a better explanation).

 

The above configuration starts traefik with automatic Let's Encrypt certificates.

 

 

Can you give me a hand on how to install from https://github.com/yaskor/unraid-docker-templates

 

I already added that URL to my Docker Repositories (at the bottom of the Unraid Docker page), then I click "add container", and see Traefik listed as an option under your Repository. I click on Traefik, but it fails to install. Error message below. I think something is wrong in your xml or I am installing this wrong.

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Traefik' --net='bridge' --privileged=true -e TZ="America/New_York" -e HOST_OS="unRAID" -p '6080:80/tcp' -p '6443:443/tcp' -p '6888:8080/tcp' -v '/mnt/user/appdata/traefik':'/etc/traefik/':'rw' -v '/var/run/docker.sock':'/var/run/docker.sock':'rw' 'traefik --api --docker'
/usr/bin/docker: invalid reference format.
See '/usr/bin/docker run --help'.

The command failed.

 

I think the problem is you have the Repository marked as "traefik --api --docker". But I'm a noob at this stuff so I really don't know.

Edited by Stupifier

@Stupifier

Hi, hmm, that's strange. It should be:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik

You have single quotes everywhere; which Unraid version are you using?

PS: I've updated my xml and removed --api --docker; please update.

And please download the new traefik.toml from above (the tutorial at the top of this page).

Edited by kale-samil
51 minutes ago, kale-samil said:

@Stupifier

Hi, hmm, that's strange. It should be:


root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik

You have single quotes everywhere; which Unraid version are you using?

PS: I've updated my xml and removed --api --docker; please update.

And please download the new traefik.toml from above (the tutorial at the top of this page).

 

OK, it works. Remembered I needed to stop my NGINX docker container before doing this stuff. After that it worked... sort of. I get something about the https://container.domain.blah.blah being not secure... but I think that is because I had not revoked my LetsEncrypt certificates from my NGINX Docker container instance. Not entirely sure how to revoke LetsEncrypt certificates. I imagine that is probably why, right? Traefik is trying to grab new certs for my Domain which is already set up by NGINX.


I'm having difficulty getting this one to work. I end up unable to access the Dockers remotely from the WAN.

First, I forwarded ports in my firewall:


 

Then I have installed and configured traefik with this traefik.toml config:

defaultEntryPoints = ["http", "https"]
traefikLogsFile = "/etc/traefik/traefik.log"

[web]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "[email protected]"
storageFile = "/etc/traefik/acme.json"
acmeLogging = true
entryPoint = "https"
onDemand = false
OnHostRule = true
  [[acme.domains]]
  main = "mydomain.com"
  [acme.dnsChallenge]
  provider = "cloudflare"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
exposedbydefault = false

I had to use dns instead of http for letsencrypt because my ISP blocks it, so I have my own domain name pointed to cloudflare and have created the appropriate subdomains. I then entered the cloudflare email username and API key as environment variables in the Traefik container. This appears to work according to the Traefik container's logs.

So I have these dockers running:


 

And then here's what I see in Traefik's Web UI:


 

But I still can't get to the dockers from the WAN. Trying to get to the NextCloud and Minio dockers using the host addresses listed in Traefik (e.g. https://nextcloud.mydomain.com) without success.

What am I missing here?

 

Thanks,

Ari


adoucette: the linuxserver nextcloud container only exposes the tls port (443), are you sure you can use port 80?

 

In order to get my services set up with Traefik I had to add this to traefik.toml (top level) to allow self-signed certs in the containers running on https:

insecureSkipVerify = true

 

You will also have to set the labels for the service

traefik.protocol=https

traefik.port=443

Edited by JimL

Hi Guys,

 

I have a couple of questions please. I have an Apache docker with working LetsEncrypt that I use to access my other dockers from the outside with reverse proxy. I also have a couple of custom web sites hosted for my personal use.

 

With this, would I simply go back to plain Apache (no reverse proxies) and without LetsEncrypt?

 

If Traefik is properly configured, could I access my Dockers from the outside world?

 

I have my own registered full domain name. My ISP is dynamic IP, and I use no-ip.

 

All examples I see use duckdns. Will this work with my setup? What port do I open in my router?

 

Thanks,

 

H.

 

8 hours ago, NAS said:

https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html

 

Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.

There is a good number of users here who appear to be using traefik (or letsencrypt) docker containers as a reverse proxy to expose other docker containers to the WAN through SSL (e.g. nextcloud, sickbeard, plex, etc.).

Does the linked page about dockers having access through the docker socket to the host root - and thus potential breakout of container to root access - imply that this is a security hole for these users? (I ask because I genuinely do not know.)

 


If that is the case, then doesn't this apply broadly/generally to all docker containers? So the letsencrypt container would suffer same inherent possibility of rooting as traefik, and so would any other containers accessed through their reverse proxies like nextcloud or plex?

So I have to think we're depending on the containers to be free of exploits.

I had assumed that docker was like a sandbox in that containers could not break out of what's provided them (e.g. the app data and any other data storage paths). Is there a way to run docker more securely on unRAID?

1 minute ago, NAS said:

No I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.

Should we imply then that letsencrypt (and the other containers above mentioned like nextcloud, plex, and sickbeard) do not activate the docker socket and so do not share the risk of breakout from the containers to host root access?


There is always a risk of breakout of any container but this is the holy grail hack of such a system.

 

But to be clear about what this socket feature does: essentially it gives the container root access as a member of the docker group on the HOST machine... not the container... the host.

 

This is a specific feature required by the traefik container and not required by almost any other container. It is very very very rare and for good reason.

 


I think you are overreacting a bit. The article you linked only applies to write access to the docker socket which is indeed very dangerous. Traefik only needs read-only access to the socket in order to be able to read the labels of the containers to reverse proxy automatically. I think Traefik is a very nice method of reverse proxying without manual configuration if you have it set up properly.

Edited by Luqq
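An added example, not from this thread, Traefik or docker-proxy-acl: a small audit of `docker inspect` output that flags the two settings present in the run command posted earlier, `--privileged=true` and a bind mount of `/var/run/docker.sock`. It reports the socket mount whether it is rw or ro, because a read-only bind mount of a Unix socket still permits connect() and API requests; the inspect records are constructed.

```python
# Added example (not from this thread, Traefik or docker-proxy-acl): flag
# containers that run --privileged or bind-mount the Docker socket, reading
# `docker inspect` JSON.  Mounting the socket hands the container the host's
# Docker API, i.e. root on the host.  Note that ':ro' on a Unix socket bind
# mount only makes the filesystem view read-only; connect() and API POSTs
# still work, so the mode is reported for context, not as a mitigation.
import json
import sys

DOCKER_SOCK = "/var/run/docker.sock"

def audit_container(info):
    """Return findings (strings) for one `docker inspect` record (a dict)."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    if info.get("HostConfig", {}).get("Privileged"):
        findings.append(f"{name}: --privileged (all host devices and capabilities)")
    for mount in info.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCK:
            mode = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: mounts {DOCKER_SOCK} ({mode}); "
                            "Docker API access is root on the host")
    return findings

def audit(inspect_json):
    """Run audit_container over the JSON array that `docker inspect` prints."""
    return [f for info in json.loads(inspect_json) for f in audit_container(info)]

# Constructed sample mirroring the thread's Traefik run command (privileged,
# docker.sock mounted rw) plus an ordinary container for contrast.
SAMPLE = json.dumps([
    {"Name": "/Traefik",
     "HostConfig": {"Privileged": True},
     "Mounts": [
         {"Type": "bind", "Source": "/mnt/user/appdata/traefik",
          "Destination": "/etc/traefik/", "RW": True},
         {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK,
          "RW": True}]},
    {"Name": "/nextcloud",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/mnt/user/appdata/nextcloud",
                 "Destination": "/config", "RW": True}]},
])

if __name__ == "__main__":
    # Pass a file holding `docker inspect $(docker ps -q)` output, else the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in audit(data) or ["no findings"]:
        print(line)
```

Run against live containers by saving `docker inspect $(docker ps -q)` to a file and passing its path.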

Before everyone jumps ship from traefik here, I want to chime in and say that I believe there is a way to shore up the security to an acceptable level. Unfortunately I haven't gotten it to work quite yet. I believe the key lies in a program called docker-proxy-acl, which can restrict access to certain endpoints on the docker socket. At the moment traefik does not function correctly through this proxy, but I'm hopeful that the issue can be fixed in short order.


Sorry for any dumb questions in advance, still learning here.

 

I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from internet? No need to divert data over WAN when sitting next to server?

And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?

12 hours ago, thostr said:

I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from internet?

Yes it is, the "traefik.frontend.rule" label can take multiple host names in the form "Host:subdomain1.domain1.com,subdomain1.domain2.local"

 

12 hours ago, thostr said:

 

And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?

Though I haven't tried it myself, I believe it does have a setting to allow redirecting http -> https.

