[REQUEST] Traefik reverse proxy

So I got it to work. And it is very nice.

Install the traefik plugin from:

https://github.com/yaskor/unraid-docker-templates

Then download this file: traefik.toml <- click to download

replace:

<your-email> with your email

<your-domain> with your domain (duckdns)

then copy it to /mnt/user/appdata/traefik/

Now (re)start the traefik container via unraid!

Now go to the docker image you want to access from outside and put the following as an extra argument (Unraid - Advanced View):

--label="traefik.enable=true" --label="traefik.port=<port>" --label="traefik.frontend.rule=Host:<container-name>.<your-domain>.duckdns.org"

replace:

<container-name> with a name of your choosing (the name of the container)

<your-domain> with your domain

<port> with the internal port of the container !!!Attention: not the port which is mapped!!!

Restart the container. Now it should be working.

Edited by kale-samil
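Added example (editor's code, not from the post above and not Traefik's own source): a small Go program that reproduces, in simplified form, how Traefik v1's Docker provider turns the three labels above into a frontend rule and a backend URL. It parses constructed sample JSON in the shape of the Docker API /containers/json response (the nextcloud entry is published on host port 8085 but listens on 80 inside the container). The point the "!!!Attention!!!" is making is visible in the output: the backend is the container's bridge IP plus the port from traefik.port, and the host-side mapping is never consulted, so a mapped port in the label would send traffic to a port nothing listens on. Names such as routeFor and routesFromJSON are mine; the fallbacks (lowest exposed port, Host:<name>.<domain>) follow the v1 provider's documented defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// container mirrors the fields of the Docker API /containers/json response
// that a label-driven reverse proxy needs.
type container struct {
	Names  []string          `json:"Names"`
	Labels map[string]string `json:"Labels"`
	Ports  []struct {
		PrivatePort int    `json:"PrivatePort"` // port inside the container
		PublicPort  int    `json:"PublicPort"`  // host-side -p mapping
		Type        string `json:"Type"`
	} `json:"Ports"`
	NetworkSettings struct {
		Networks map[string]struct {
			IPAddress string `json:"IPAddress"`
		} `json:"Networks"`
	} `json:"NetworkSettings"`
}

// route is the frontend rule and backend URL the proxy would register.
type route struct {
	Frontend string // e.g. "Host:nextcloud.mydomain.duckdns.org"
	Backend  string // e.g. "http://172.17.0.5:80"
}

// routeFor derives the route for one container the way Traefik v1's Docker
// provider does: traefik.enable (or exposedByDefault) gates it, traefik.port
// picks the container-internal port (default: lowest exposed port) and
// traefik.frontend.rule is the host rule (default: Host:<name>.<domain>).
// PublicPort is never used: Traefik reaches the container over the docker
// network, so the host-side mapped port would simply be wrong.
func routeFor(c container, exposedByDefault bool, domain string) (route, bool) {
	enable, hasEnable := c.Labels["traefik.enable"]
	if (hasEnable && enable != "true") || (!hasEnable && !exposedByDefault) {
		return route{}, false
	}
	if len(c.Names) == 0 {
		return route{}, false
	}
	port := c.Labels["traefik.port"]
	if port == "" {
		if len(c.Ports) == 0 {
			return route{}, false // nothing to send traffic to
		}
		lowest := c.Ports[0].PrivatePort
		for _, p := range c.Ports[1:] {
			if p.PrivatePort < lowest {
				lowest = p.PrivatePort
			}
		}
		port = fmt.Sprint(lowest)
	}
	proto := c.Labels["traefik.protocol"]
	if proto == "" {
		proto = "http"
	}
	var ip string
	for _, n := range c.NetworkSettings.Networks {
		ip = n.IPAddress // first attached network
		break
	}
	if ip == "" {
		return route{}, false
	}
	rule := c.Labels["traefik.frontend.rule"]
	if rule == "" {
		name := strings.ToLower(strings.TrimPrefix(c.Names[0], "/"))
		rule = "Host:" + name + "." + domain
	}
	return route{Frontend: rule, Backend: fmt.Sprintf("%s://%s:%s", proto, ip, port)}, true
}

// routesFromJSON parses a /containers/json body and returns every routable container.
func routesFromJSON(data string, exposedByDefault bool, domain string) ([]route, error) {
	var cs []container
	if err := json.Unmarshal([]byte(data), &cs); err != nil {
		return nil, err
	}
	var out []route
	for _, c := range cs {
		if r, ok := routeFor(c, exposedByDefault, domain); ok {
			out = append(out, r)
		}
	}
	return out, nil
}

// sampleContainers is constructed sample data in the shape Docker returns:
// nextcloud carries the labels and is published on host port 8085; plex has no labels.
const sampleContainers = `[
  {"Names": ["/nextcloud"],
   "Labels": {"traefik.enable": "true", "traefik.port": "80",
              "traefik.frontend.rule": "Host:nextcloud.mydomain.duckdns.org"},
   "Ports": [{"PrivatePort": 80, "PublicPort": 8085, "Type": "tcp"}],
   "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.5"}}}},
  {"Names": ["/plex"],
   "Labels": {},
   "Ports": [{"PrivatePort": 32400, "PublicPort": 32400, "Type": "tcp"}],
   "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.6"}}}}
]`

func main() {
	rs, err := routesFromJSON(sampleContainers, false, "mydomain.duckdns.org")
	if err != nil {
		panic(err)
	}
	for _, r := range rs {
		fmt.Printf("%s -> %s\n", r.Frontend, r.Backend)
	}
}
```

With exposedByDefault=false (the setting used later in this thread) only the labelled nextcloud container is routed, to http://172.17.0.5:80; flipping it to true also exposes plex at Host:plex.mydomain.duckdns.org on its internal 32400, which is why leaving exposedByDefault on is a bad idea on a box full of admin UIs.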

I would like to try this also...

 

What happens if two dockers share the same container port though?

@airbillion

I don't think that's possible :-) Or I don't understand what you mean.

Let's say you have a container running on 5000; while the container is up, you can't start another container with port 5000...

@All

I hope my description above is useful. I think I can do better (tell me if you want a better explanation).

The above configuration starts traefik with automatic Let's Encrypt certificates.


Can you give me a hand on how to install from https://github.com/yaskor/unraid-docker-templates

I already added that URL to my Docker Repositories (at the bottom of the Unraid Docker page), then I click "add container", and see Traefik listed as an option under your Repository... I click on Traefik, but it fails to install. Error message below. I think something is wrong in your xml or I am installing this wrong.

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Traefik' --net='bridge' --privileged=true -e TZ="America/New_York" -e HOST_OS="unRAID" -p '6080:80/tcp' -p '6443:443/tcp' -p '6888:8080/tcp' -v '/mnt/user/appdata/traefik':'/etc/traefik/':'rw' -v '/var/run/docker.sock':'/var/run/docker.sock':'rw' 'traefik --api --docker'
/usr/bin/docker: invalid reference format.
See '/usr/bin/docker run --help'.

The command failed.

I think the problem is you have Repository marked as "traefik --api --docker". But I'm a noob at this stuff so I really don't know.

Edited by Stupifier

@Stupifier

Hi, hmm, that's strange. It should be:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="Traefik" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -p 6080:80/tcp -p 6443:443/tcp -p 6888:8080/tcp -v "/mnt/user/appdata/traefik":"/etc/traefik/":rw -v "/var/run/docker.sock":"/var/run/docker.sock":rw traefik

You have single quotes everywhere; which unraid version are you using?

PS: I've updated my xml and removed --api --docker, please update.

And please download the new traefik.toml from above (the tutorial at the top of this page).

Edited by kale-samil


OK, works. I remembered I needed to stop my NGINX docker container before doing this stuff. After that it worked... sort of. I get something about https://container.domain.blah.blah being not secure... but I think that is because I had not revoked my LetsEncrypt certificates from my NGINX Docker container instance. Not entirely sure how to revoke LetsEncrypt certificates. I imagine that is probably why, right? Traefik is trying to grab new certs for my domain which is already set up by NGINX.

  • 2 weeks later...

I'm having difficulty getting this one to work. I end up unable to access the Dockers remotely from the WAN.

First, I forwarded ports in my firewall:

[screenshot: router port-forwarding rules]

Then I have installed and configured traefik with this traefik.toml config:

# Traefik v1 configuration as posted; comments added
defaultEntryPoints = ["http", "https"]
traefikLogsFile = "/etc/traefik/traefik.log"

# dashboard / API on 8080 (mapped to host port 6888 by the template above)
[web]
address = ":8080"

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # every plain-http request is redirected to the https entrypoint
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "[email protected]"
storageFile = "/etc/traefik/acme.json"
acmeLogging = true
entryPoint = "https"
onDemand = false
# request a certificate for each Host rule as labelled containers appear
onHostRule = true
[[acme.domains]]
  main = "mydomain.com"
# DNS-01 challenge through the Cloudflare API; the credentials are read from the
# CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY environment variables of the container
[acme.dnsChallenge]
  provider = "cloudflare"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.com"
watch = true
# only containers labelled traefik.enable=true get a frontend
exposedByDefault = false

I had to use dns instead of http for letsencrypt because my ISP blocks it, so I have my own domain name pointed to cloudflare and have created the appropriate subdomains. I then entered the cloudflare email username and API key as environment variables in the Traefik container. This appears to work according to the Traefik container's logs.

So I have these dockers running:

[screenshot: list of running docker containers]

And then here's what I see in Traefik's Web UI:

[screenshot: Traefik web UI listing the frontends and backends]

But I still can't get to the dockers from the WAN. Trying to get to the NextCloud and Minio dockers using the host addresses listed in Traefik (e.g. https://nextcloud.mydomain.com) without success.

What am I missing here?

 

Thanks,

Ari

  • 3 weeks later...

adoucette: the linuxserver nextcloud container only exposes the tls port (443), are you sure you can use port 80?

In order to get my services set up with Traefik I had to add this to traefik.toml (top level) in order to allow self-signed certs in the containers running on https:

insecureSkipVerify = true

You will also have to set the labels for the service:

traefik.protocol=https
traefik.port=443

Edited by JimL

Hi Guys,

I have a couple of questions please. I have an Apache docker with working LetsEncrypt that I use to access my other dockers from the outside with reverse proxy. I also have a couple of custom web sites hosted for my personal use.

With this, would I simply go back to plain Apache (no reverse proxies) and without LetsEncrypt?

If Traefik is properly configured, could I access my Dockers from the outside world?

I have my own registered full domain name. My ISP is dynamic IP, and I use no-ip.

All examples I see use duckdns. Will this work with my setup? What port do I open in my router?

Thanks,

H.

Traefik is ONLY an automated Reverse Proxy system. It is not a webserver. Apache and NGINX are Webserver AND Reverse Proxy capable.

8 hours ago, NAS said:

https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html

 

Worth a read (or one of the countless other links explaining why this is very bad) before you commit to this as a solution.

There is a good number of users here who appear to be using traefik (or letsencrypt) docker containers as a reverse proxy to expose other docker containers to the WAN through SSL (e.g. nextcloud, sickbeard, plex, etc.).

Does the linked page about dockers having access through the docker socket to the host root - and thus potential breakout of container to root access - imply that this is a security hole for these users? (I ask because I genuinely do not know.)

 

Long story short, if someone roots a container with the docker socket enabled it's pretty much game over. This is why, much as I think traefik is a beautiful piece of engineering, it is built on a hill of sand.

If that is the case, then doesn't this apply broadly/generally to all docker containers? So the letsencrypt container would suffer same inherent possibility of rooting as traefik, and so would any other containers accessed through their reverse proxies like nextcloud or plex?

So I have to think we're depending on the containers to be free of exploits.

I had assumed that docker was like a sandbox in that containers could not break out of what's provided them (e.g. the app data and any other data storage paths). Is there a way to run docker more securely on unRAID?

No I am specifically referring to the exceptional requirement of this container to activate the docker socket feature. This is very unusual.

Should we imply then that letsencrypt (and the other containers above mentioned like nextcloud, plex, and sickbeard) do not activate the docker socket and so do not share the risk of breakout from the containers to host root access?

There is always a risk of breakout of any container, but this is the holy grail hack of such a system.

But to be clear what this socket feature does: essentially it gives the container root access as a member of the docker group on the HOST machine.... not the container... the host.

This is a specific feature required by the traefik container and not required by almost any other container. It is very very very rare, and for good reason.

Hmm. Thank you for pointing that out and then for clarifying.

Will remove Traefik from my system for this reason.

I think you are overreacting a bit. The article you linked only applies to write access to the docker socket which is indeed very dangerous. Traefik only needs read-only access to the socket in order to be able to read the labels of the containers to reverse proxy automatically. I think Traefik is a very nice method of reverse proxying without manual configuration if you have it set up properly.

Edited by Luqq

  • Community Expert

Before everyone jumps ship from traefik here, I want to chime in and say that I believe there is a way to shore up the security to an acceptable level. Unfortunately I haven't gotten it to work quite yet. I believe the key lies in a program called docker-proxy-acl which can restrict access to certain endpoints on the docker socket. At the moment traefik does not function correctly through this proxy, but I am hopeful that the issue can be fixed in short order.
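Added example (editor's code; not from this thread, not docker-proxy-acl, and not anything the Traefik project ships): a minimal Docker-socket filtering proxy in Go, the approach the post above is describing, and the thing that actually delivers the "read-only access" the earlier reply relies on. Mounting /var/run/docker.sock with :ro only makes the socket file read-only on the filesystem; a container can still connect to it and POST /containers/create with a bind mount of the host root, so read-only has to be enforced at the HTTP layer: only GET/HEAD, and only on a short list of paths. Which paths Traefik's Docker provider really needs is an assumption here (container list/inspect, networks, the event stream for watch=true, version, info and ping); every denied request is logged, so anything missing shows up immediately. The listen port 2375 and the deployment sketched in main (this proxy is the only container that gets the socket, Traefik's endpoint points at tcp://<proxy>:2375 over an internal docker network) are assumptions as well.

```go
package main

import (
	"context"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// readOnlyPaths is the allowlist (assumed to cover what a label-driven
// reverse proxy needs). An optional /v1.xx/ API-version prefix is accepted.
var readOnlyPaths = []*regexp.Regexp{
	regexp.MustCompile(`^/(v[0-9.]+/)?containers/json$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?containers/[^/]+/json$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?networks(/[^/]+)?$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?events$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?version$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?info$`),
	regexp.MustCompile(`^/(v[0-9.]+/)?_ping$`),
}

// Allowed decides whether a request may reach the daemon: only GET/HEAD on an
// allowlisted path. POST /containers/create, .../exec, .../start, archive
// up/download and everything else are refused, which is what turns "socket
// access" from root-on-the-host into "may read the container list".
func Allowed(method, path string) bool {
	if method != http.MethodGet && method != http.MethodHead {
		return false
	}
	for _, re := range readOnlyPaths {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// NewFilter wraps an upstream handler (the real Docker API) with the ACL.
func NewFilter(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(r.Method, r.URL.Path) {
			log.Printf("denied %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "forbidden by docker socket ACL", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// unixProxy reverse-proxies HTTP requests onto the daemon's unix socket.
func unixProxy(sock string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: "docker"})
	rp.Transport = &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", sock)
		},
	}
	return rp
}

func main() {
	// Assumed deployment: this is the only container that mounts the socket;
	// it listens on an internal docker network reachable only by Traefik, whose
	// [docker] endpoint is then tcp://<this-container>:2375 instead of the socket.
	addr := ":2375"
	log.Printf("docker socket ACL proxy listening on %s", addr)
	log.Fatal(http.ListenAndServe(addr, NewFilter(unixProxy("/var/run/docker.sock"))))
}
```

The proxy itself still holds the socket, so it is the one container that must be trusted; the gain is that a compromised Traefik (which terminates TLS for everything you expose) can now only enumerate containers, not create a privileged one with / mounted.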

Sorry for any dumb questions in advance, still learning here.

I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet? No need to divert data over the WAN when sitting next to the server?

And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?

  • Community Expert
12 hours ago, thostr said:

I was wondering if it was possible to use "dockername"."serverhostname".local on LAN and "dockername".domain.com if I connect from the internet?

Yes it is, the "traefik.frontend.rule" label can take multiple host names in the form "Host:subdomain1.domain1.com,subdomain1.domain2.local"

12 hours ago, thostr said:

And how does it handle http vs https requests? Does it forward http requests automatically to https, or do I need to specifically enter https addresses in order to use https?

Though I haven't tried it myself, I believe it does have a setting to allow redirecting http -> https.

Archived

This topic is now archived and is closed to further replies.