April 27, 2018 If someone is interested. I have a plugin for it: https://github.com/yaskor/unraid-docker-templates but warning, it will change while I progress (so it's beta I guess)...
April 27, 2018 So I got it to work. And it is very nice.
Install the traefik plugin from: https://github.com/yaskor/unraid-docker-templates
Then download this file: traefik.toml <- click to download
Replace: <your-email> with your email, <your-domain> with your domain (duckdns), then copy it to /mnt/user/appdata/traefik/
Now (re)start the traefik container via unraid!
Now go to the docker image you want to access from outside and put the following as extra arguments (Unraid - Advanced View):
--label="traefik.enable=true" --label="traefik.port=<port>" --label="traefik.frontend.rule=Host:<container-name>.<your-domain>.duckdns.org"
Replace: <container-name> with a name of your choosing (the name of the container), <your-domain> with your domain, <port> with the internal port of the container. !!!Attention: not the port which is mapped!!!
Restart the container. Now it should be working.
Edited April 27, 2018 by kale-samil
April 27, 2018 I would like to try this also... What happens if two dockers share the same container port though?
April 27, 2018 @airbillion I don't think that's possible :-) Or I don't understand what you mean. Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000... @All I hope my description above is useful, I think I can do better (tell me if you want a better explanation). The above configuration starts traefik with automatic Let's Encrypt certificates.
April 27, 2018 31 minutes ago, kale-samil said:
@airbillion I don't think that's possible :-) Or I don't understand what you mean. Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000... @All I hope my description above is useful, I think I can do better (tell me if you want a better explanation). The above configuration starts traefik with automatic Let's Encrypt certificates.
Can you give me a hand on how to install from https://github.com/yaskor/unraid-docker-templates ? I already added that URL to my Docker Repositories (at the bottom of the Unraid Docker page), then I click "add container", and see Traefik listed as an option under your Repository....... I click on Traefik, but it fails to install. Error message below. I think something is wrong in your xml or I am installing this wrong.
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Traefik' --net='bridge' --privileged=true -e TZ="America/New_York" -e HOST_OS="unRAID" -p '6080:80/tcp' -p '6443:443/tcp' -p '6888:8080/tcp' -v '/mnt/user/appdata/traefik':'/etc/traefik/':'rw' -v '/var/run/docker.sock':'/var/run/docker.sock':'rw' 'traefik --api --docker'
/usr/bin/docker: invalid reference format.
See '/usr/bin/docker run --help'.
The command failed.
I think the problem is you have Repository marked as "traefik --api --docker". But I'm a noob at this stuff so I really don't know.
Edited April 27, 2018 by Stupifier
April 27, 2018 @Stupifier Hi, hmm that's strange. It should be:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik
You have those single quotes everywhere; which unraid version are you using?
PS: I've updated my xml and removed --api --docker, please update. And please download the new traefik.toml from above (the tutorial on top of this page).
Edited April 27, 2018 by kale-samil
April 27, 2018 51 minutes ago, kale-samil said:
@Stupifier Hi, hmm that's strange. It should be:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik
You have those single quotes everywhere; which unraid version are you using?
PS: I've updated my xml and removed --api --docker, please update. And please download the new traefik.toml from above (the tutorial on top of this page).
Ok, works. Remembered I needed to stop my NGINX docker container before doing this stuff. After that it worked.... sort of. I get something about https://container.domain.blah.blah being not secure.... but I think that is because I had not revoked my LetsEncrypt certificates from my NGINX docker container instance. Not entirely sure how to revoke LetsEncrypt certificates. I imagine that is probably why, right? Traefik is trying to grab new certs for my domain which is already set up by NGINX.
May 9, 2018 I'm having difficulty getting this one to work. I end up unable to access the Dockers remotely from the WAN.
First, I forwarded ports in my firewall:
Then I have installed and configured traefik with this traefik.toml config:

```toml
defaultEntryPoints = ["http", "https"]
traefikLogsFile = "/etc/traefik/traefik.log"

[web]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "[email protected]"
storageFile = "/etc/traefik/acme.json"
acmeLogging = true
entryPoint = "https"
onDemand = false
OnHostRule = true
  [[acme.domains]]
  main = "mydomain.com"
  [acme.dnsChallenge]
  provider = "cloudflare"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
exposedbydefault = false
```

I had to use dns instead of http for letsencrypt because my ISP blocks it, so I have my own domain name pointed to cloudflare and have created the appropriate subdomains. I then entered the cloudflare email username and API key as environment variables in the Traefik container. This appears to work according to the Traefik container's logs.
So I have these dockers running:
And then here's what I see in Traefik's Web UI:
But I still can't get to the dockers from the WAN. Trying to get to the NextCloud and Minio dockers using the host addresses listed in Traefik (e.g. https://nextcloud.mydomain.com) without success. What am I missing here?
Thanks, Ari
May 27, 2018 adoucette: the linuxserver nextcloud container only exposes the TLS port (443), are you sure you can use port 80? In order to get my services set up with Traefik I had to add this to traefik.toml (top level) in order to allow self-signed certs in the containers running on https:
insecureSkipVerify = true
You will also have to set the labels for the service:
traefik.protocol=https
traefik.port=443
Edited May 27, 2018 by JimL
May 30, 2018 Hi Guys, I have a couple of questions please. I have an Apache docker with working LetsEncrypt that I use to access my other dockers from the outside with reverse proxy. I also have a couple of custom web sites hosted for my personal use. With this, would I simply go back to plain Apache (no reverse proxies) and without LetsEncrypt? If Traefik is properly configured, could I access my Dockers from the outside world? I have my own registered full domain name. My ISP is dynamic IP, and I use no-ip. All examples I see use duckdns. Will this work with my setup? What port do I open in my router? Thanks, H.
May 31, 2018 Traefik is ONLY an automated reverse proxy system. It is not a webserver. Apache and NGINX are webserver AND reverse proxy capable.
May 31, 2018 https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.
May 31, 2018 8 hours ago, NAS said:
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.
There is a good number of users here who appear to be using traefik (or letsencrypt) docker containers as a reverse proxy to expose other docker containers to the WAN through SSL (e.g. nextcloud, sickbeard, plex, etc). Does the linked page about dockers having access through the docker socket to the host root - and thus potential breakout of container to root access - imply that this is a security hole for these users? (I ask because I genuinely do not know.)
May 31, 2018 Long story short: if someone roots a container with the docker socket enabled it's pretty much game over. This is why, much as I think traefik is a beautiful piece of engineering, it is built on a hill of sand.
May 31, 2018 If that is the case, then doesn't this apply broadly/generally to all docker containers? So the letsencrypt container would suffer the same inherent possibility of rooting as traefik, and so would any other containers accessed through their reverse proxies like nextcloud or plex? So I have to think we're depending on the containers to be free of exploits. I had assumed that docker was like a sandbox in that containers could not break out of what's provided them (e.g. the app data and any other data storage paths). Is there a way to run docker more securely on unRAID?
May 31, 2018 No, I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.
May 31, 2018 1 minute ago, NAS said:
No, I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.
Should we infer then that letsencrypt (and the other containers mentioned above like nextcloud, plex, and sickbeard) do not activate the docker socket and so do not share the risk of breakout from the containers to host root access?
May 31, 2018 There is always a risk of breakout of any container but this is the holy grail hack of such a system. But to be clear what this sock feature does: essentially it gives the container root access as a member of the docker group on the HOST machine.... not the container... the host. This is a specific feature required by the traefik container and not required by almost any other container. It is very very very rare and for good reason.
May 31, 2018 Hmm. Thank you for pointing that out and then for clarifying. Will remove Traefik from my system for this reason.
June 2, 2018 I think you are overreacting a bit. The article you linked only applies to write access to the docker socket which is indeed very dangerous. Traefik only needs read-only access to the socket in order to be able to read the labels of the containers to reverse proxy automatically. I think Traefik is a very nice method of reverse proxying without manual configuration if you have it set up properly.
Edited June 2, 2018 by Luqq
June 2, 2018 Before everyone jumps ship from traefik here, I want to chime in and say that I believe there is a way to shore up the security to an acceptable level. Unfortunately I haven't gotten it to work quite yet. I believe the key lies in a program called docker-proxy-acl which can restrict access to certain endpoints on the docker socket. At the moment traefik does not function correctly through this proxy but I am hopeful that the issue can be fixed in short order.
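The posts above argue about whether the socket mount is "read-only". One fact worth having in front of you: mounting /var/run/docker.sock with `:ro` only makes the socket file node read-only; any process that can connect to it can still send POST requests to dockerd, so the flag does not restrict the API. What actually limits the damage is putting something between the reverse proxy and the daemon that forwards only the endpoints a label reader needs. The block below is an added example of that idea, written for this thread; it is not docker-proxy-acl and not Traefik's own code. The socket paths and the list of allowlisted endpoints (what I believe Traefik's v1 docker provider reads: ping, version, info, events, the container list, container inspect, networks) are assumptions.

```python
"""Allowlisting proxy in front of the Docker socket (added example, not docker-proxy-acl).

A container that can reach /var/run/docker.sock can call any API endpoint,
including POST /containers/create with a bind mount of the host root. This
proxy sits between a reverse proxy such as Traefik and dockerd and forwards
only GET requests to the read-only endpoints a label-reading provider needs.
Socket paths and the endpoint list are assumptions for this example.
"""
import http.client
import http.server
import os
import re
import socket
import socketserver

DOCKER_SOCK = "/var/run/docker.sock"           # real daemon socket (assumed path)
LISTEN_SOCK = "/var/run/docker-filtered.sock"  # hand this one to the reverse proxy

# Assumption: the endpoints Traefik's v1 docker provider reads. Optional
# "/v1.xx" API version prefix, optional query string, GET only.
ALLOWED_PATHS = re.compile(
    r"^(/v\d+\.\d+)?/("
    r"_ping|version|info|events|"
    r"containers/json|containers/[^/?]+/json|"
    r"networks(/[^/?]+)?"
    r")(\?[^ ]*)?$"
)


def is_allowed(method, target):
    """Policy decision: only GET, and only on an allowlisted path."""
    return method == "GET" and ALLOWED_PATHS.match(target) is not None


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a unix socket instead of a TCP host."""

    def __init__(self, path):
        super().__init__("docker")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class FilterHandler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def address_string(self):
        return "unix"  # unix sockets have no (host, port) peer address to log

    def deny(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    # Every request that is not a GET is answered here and never reaches dockerd.
    do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = do_OPTIONS = deny

    def do_GET(self):
        # Each request on a keep-alive connection is parsed and checked separately.
        if not is_allowed(self.command, self.path):
            self.deny()
            return
        upstream = UnixHTTPConnection(DOCKER_SOCK)
        upstream.request("GET", self.path)
        resp = upstream.getresponse()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            # Body is relayed close-delimited, so drop dockerd's framing headers.
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Connection", "close")
        self.end_headers()
        while True:  # /events streams until dockerd closes it; read1 returns per chunk
            chunk = resp.read1(65536)
            if not chunk:
                break
            self.wfile.write(chunk)
        upstream.close()


def serve(listen_path=LISTEN_SOCK):
    class Server(socketserver.ThreadingMixIn, socketserver.UnixStreamServer):
        daemon_threads = True  # one thread per connection; /events is long-lived

    if os.path.exists(listen_path):
        os.unlink(listen_path)
    with Server(listen_path, FilterHandler) as srv:
        os.chmod(listen_path, 0o660)
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the host (or in its own minimal container that is the only thing holding the real socket) and mount the filtered socket into the Traefik container as /var/run/docker.sock. Two caveats remain even with this in place: container inspect (`/containers/{id}/json`) returns each container's environment, so any secrets passed as `-e` to other containers are still readable by a compromised proxy, and the allowlist has to be re-checked against the provider's actual requests whenever Traefik is upgraded.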
June 6, 2018 Sorry for any dumb questions in advance, still learning here. I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet? No need to divert data over WAN when sitting next to the server? And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?
June 7, 2018 12 hours ago, thostr said:
I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet?
Yes it is, the "traefik.frontend.rule" label can take multiple host names in the form "Host:subdomain1.domain1.com,subdomain1.domain2.local"
12 hours ago, thostr said:
And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?
Though I haven't tried it myself I believe it does have a setting to allow redirecting http -> https
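Pulling the pieces from this thread together (opt-in labels, the internal port rather than the mapped one, an https backend with a self-signed certificate, a rule with a public and a LAN hostname, and the entry point redirect), here is an added example written as a docker-compose file so all the labels are visible in one place. It is not from the original posts or from the yaskor templates. On Unraid the same strings go into each container's Extra Parameters as `--label="..."`. Image tags, domain names, and paths are assumptions.

```yaml
# Added example, not from the thread. Traefik v1 syntax (the version used above).
version: "3"

services:
  traefik:
    image: traefik:1.7            # assumed tag; the thread's plugin uses the v1 line
    command: --configfile=/etc/traefik/traefik.toml
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /mnt/user/appdata/traefik:/etc/traefik
      # :ro only protects the socket file node; API calls over the socket
      # are still possible. Restricting the API has to happen elsewhere.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  nextcloud:
    image: linuxserver/nextcloud
    volumes:
      - /mnt/user/appdata/nextcloud:/config
    labels:
      # With exposedByDefault = false in traefik.toml, only containers that
      # carry this label are published; everything else stays invisible.
      - "traefik.enable=true"
      # The port the service listens on INSIDE the container, not a host mapping.
      - "traefik.port=443"
      # Backend speaks TLS with a self-signed cert; pair with
      # insecureSkipVerify = true at the top level of traefik.toml.
      - "traefik.protocol=https"
      # One rule, two hostnames: public DNS name and a LAN-only name.
      - "traefik.frontend.rule=Host:nextcloud.example.com,nextcloud.tower.local"
      # Plain http hits the http entry point and is bounced to https by
      # [entryPoints.http.redirect] entryPoint = "https" in traefik.toml.
      - "traefik.frontend.entryPoints=http,https"
    restart: unless-stopped
```

Two checks before restarting: confirm the value for `traefik.port` with `docker inspect -f '{{json .Config.ExposedPorts}}' nextcloud` (that prints the container-internal ports, which is what Traefik connects to on the bridge network), and make sure your LAN DNS resolves the `.local` name to the Unraid host, since Traefik only matches the Host header and does nothing about name resolution.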