Bernd Verhofstadt

Reputation: 81

Traefik + cloudflared with full strict tunnel on docker

I have a VM which runs multiple containers, all linked to one Docker network.

I generated an origin cert via Cloudflare which has been added to Traefik.
In Cloudflare, I have a subdomain which points via the tunnel to https://172.16.10.11 (IP of the VM). This causes an insecure connection (IP SAN applied -> I don't think this is possible on a private IP?). When I disable TLS verification on Cloudflare, it works. However, I am trying to set this up properly. Next, I tried pointing my domain towards https://localhost. The cloudflared service running in a container cannot reach any other services, as these are located in other containers.

I was thinking: what if I run the cloudflared service within the Traefik container? I believe I could then reach Traefik via localhost.

Do you have any advice on how to achieve a secure tunnel with cert verification? Or is this not realistic when self-hosting?

Current docker compose:

version: '3'
services:
  traefik:
    image: traefik:latest
    command:
      - --log.level=debug
      # Exposes the Traefik dashboard/API on port 8080 without authentication
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Disables certificate verification between Traefik and its backends
      - --serverstransport.insecureskipverify=true
      - --providers.file.filename=/etc/traefik/dynamic_conf.yml
      - --providers.file.watch=true
    ports:
      - "8080:8080"
      - "443:443"
      - "80:80"
    networks:
      - proxy_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefik-data:/etc/traefik
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy_network
      - traefik.http.routers.traefik.rule=Host(`${DOMAINNAME_TRAEFIK}`)
      - traefik.http.routers.traefik.entrypoints=web
      - traefik.http.routers.traefik.service=traefik
      - traefik.http.services.traefik.loadbalancer.server.port=8080
  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    #restart: unless-stopped
    networks:
      - proxy_network
    # Remotely managed tunnel: origin URL and Host header are configured in the Zero Trust dashboard
    command: tunnel --no-autoupdate run --token ${CLOUDFLARED_TOKEN}
  whoami:
    image: traefik/whoami
    container_name: whoami1
    command:
      # Tells whoami to listen on 2000 instead of the default 80
      - --port=2000
      - --name=iamfoo
    networks:
      - proxy_network
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`${DOMAINNAME}`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.service=whoami
      - traefik.http.services.whoami.loadbalancer.server.port=2000
volumes:
  traefik-data:
    driver: local
networks:
  proxy_network:
    name: proxy_network
    external: true

I expect a secure tunnel solution and want to make sure that this architecture is set up in a good way.

Upvotes: 0

Views: 4479

Answers (1)

Birkhoff Lee

Reputation: 870

> I have a subdomain which points via the tunnel to https://172.16.10.11 (IP of the VM). This causes an insecure connection (IP SAN applied -> I don't think this is possible on a private IP?). When I disable TLS verification on Cloudflare, it works.

While I'm not absolutely sure what you're trying to say here, I'm assuming you're not able to establish a secure connection to Traefik via cloudflared. This is most likely due to the fact that you did not specify the host header in Cloudflare Zero Trust > Access > Tunnels > your-tunnel-name > Public Hostname > your-hostname > Edit > Additional application settings > HTTP Settings > HTTP Host Header, therefore Traefik is unable to match the correct TLS certificate to use for the request.

> Next, I tried pointing my domain towards https://localhost. The cloudflared service running in a container cannot reach any other services, as these are located in other containers.

> I was thinking: what if I run the cloudflared service within the Traefik container? I believe I could then reach Traefik via localhost.

localhost = 127.0.0.1. It will not work in a container setup without using host mode. You should use traefik as the backend location.

> Do you have any advice on how to achieve a secure tunnel with cert verification? Or is this not realistic when self-hosting?

Frankly it's both cumbersome and unnecessary to implement "cert verification" here, if you're indicating that Traefik and cloudflared should connect using TLS. It introduces more overhead when connecting to the actual backend, and there's really not much point in doing TLS here -- the internal Docker bridge network is only accessible to those containers in the same network, and the applications running on the Docker host machine here. Cloudflare Tunnel already introduces a secure connection to the Cloudflare Edges.

I'm suggesting that you use an insecure entrypoint for Traefik, that is, plain HTTP, and use HTTP as the backend in Cloudflare Zero Trust (i.e. http://traefik), and this will do.

Upvotes: 0
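The setup the answer recommends (cloudflared on the same Docker network, pointing at the Traefik container by service name over plain HTTP, with the Host header set explicitly), written out as a complete compose file. This is an added example, not the asker's or the answerer's configuration: instead of the token-based, remotely managed tunnel from the question, it uses a locally managed tunnel so the origin URL and Host header live in a `config.yml` under version control rather than in the Zero Trust dashboard. It assumes Docker Compose 2.23 or newer (for the inline `configs.content`), a tunnel already created with `cloudflared tunnel create`, and that `<TUNNEL_UUID>` is replaced with that tunnel's ID. The dashboard router and the `--api.insecure` flag from the question are left out so nothing is published on the host's interfaces.

```yaml
# Added example (not from the question or answer). Assumes Docker Compose >= 2.23
# and a tunnel created with `cloudflared tunnel create`; <TUNNEL_UUID> is a placeholder.
services:
  traefik:
    image: traefik:v2.10            # pin a version rather than :latest
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Only a plain-HTTP entrypoint: TLS terminates at the Cloudflare edge, and the
      # cloudflared -> Traefik hop stays on the internal bridge network.
      - --entrypoints.web.address=:80
    networks:
      - proxy_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # No `ports:` section: Traefik is reachable only from containers on proxy_network,
    # so neither port 80 nor the dashboard is exposed on the VM's interfaces.

  tunnel:
    image: cloudflare/cloudflared
    restart: unless-stopped
    networks:
      - proxy_network
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    configs:
      - source: cloudflared_config
        target: /etc/cloudflared/config.yml
    volumes:
      # Credentials file written by `cloudflared tunnel create` (placeholder UUID).
      - ./cloudflared/<TUNNEL_UUID>.json:/etc/cloudflared/<TUNNEL_UUID>.json:ro

  whoami:
    image: traefik/whoami
    command:
      - --port=2000
    networks:
      - proxy_network
    labels:
      - traefik.enable=true
      # Host() matches the Host header cloudflared sends, set below in the ingress rule.
      - traefik.http.routers.whoami.rule=Host(`${DOMAINNAME}`)
      - traefik.http.routers.whoami.entrypoints=web
      - traefik.http.services.whoami.loadbalancer.server.port=2000

configs:
  cloudflared_config:
    content: |
      tunnel: <TUNNEL_UUID>
      credentials-file: /etc/cloudflared/<TUNNEL_UUID>.json
      ingress:
        # Origin is the Traefik container by service name over plain HTTP, which is
        # what the answer recommends. The Host header is set explicitly so Traefik's
        # Host() rule matches regardless of how the request reached cloudflared.
        - hostname: ${DOMAINNAME}
          service: http://traefik:80
          originRequest:
            httpHostHeader: ${DOMAINNAME}
        # Catch-all: anything not matched above is rejected instead of proxied.
        - service: http_status:404

networks:
  proxy_network:
    name: proxy_network
    external: true
```

Bring it up with `docker compose up -d` after creating the tunnel and routing the DNS record to it (`cloudflared tunnel route dns <TUNNEL_UUID> <hostname>`). Because the compose file publishes no ports, the only path to whoami is Cloudflare edge -> tunnel -> Traefik -> whoami, which is the property the question was after. If TLS between cloudflared and Traefik is wanted anyway, cloudflared validates the origin certificate against `originRequest.originServerName` rather than the origin's IP, which is the mismatch the IP SAN remark in the question describes; the answer's point stands that this adds overhead without widening the trust boundary on a private bridge network.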
