NPM vs Traefik? (lemmy.world)

There have been a few Reddit, Lemmy and YouTube posts over the past week or so about Nginx Proxy Manager and its shortfalls, mostly regarding CVEs and other security issues.

The problem is that unlike Traefik, NGINX Proxy Manager is actually easy to use. And before you recommend Caddy, that also has no GUI.

What do you use, if you have stuff exposed to the outside?

[-] dustojnikhummer@lemmy.world 1 point 1 year ago* (last edited 1 year ago)

Well, it works just fine for Docker containers, but trying to point it at other services is what is making my head hurt. With NPM it is literally "this IP at this port with this certificate = https://service.domain.tld"


version: "3.3"

services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    networks:
      - npm_bridge
    command:
      #- "--log.level=DEBUG"
      - "--providers.docker.exposedbydefault=false"
    ports:
      - "443:443"
      - "80:80"
      - "8180:8080"
    volumes:
      - "/docker/containers/traefik/letsencrypt:/letsencrypt"
      - "/docker/containers/traefik/:/etc/traefik"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
  npm_bridge:
    external: true


traefik.toml

[entryPoints]
  [entryPoints.web]
    address = ":80"
    #[entryPoints.web.http.redirections.entryPoint]
      #to = "websecure"
      #scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  insecure = true

[certificatesResolvers.letsencrypt.acme]
  email = "[redacted]"
  storage = "/letsencrypt/acme.json"
  #caserver = "https://acme-staging-v02.api.letsencrypt.org/directory"
  caserver = "https://acme-v02.api.letsencrypt.org/directory"
  [certificatesResolvers.letsencrypt.acme.tlsChallenge]

[providers]
  [providers.docker]
    watch = true
    network = "npm_bridge"
  [providers.file]
    directory = "/etc/traefik/dynamic"
    watch = true

traefik_dynamic.toml

[tls.options]
  [tls.options.default]
    sniStrict = true
    minVersion = "VersionTLS12"
    curvePreferences = [
      "secp521r1",
      "secp384r1"
    ]
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    ]
    [tls.options.mintls13]
      minVersion = "VersionTLS13"

[http]
  [http.routers]
    [http.routers.jellyfin]
      rule = "Host(`jellyfin.[redacted].com`) && PathPrefix(`/`)"
      service = "jellyfin"
      entrypoints = "websecure"
    [http.routers.librespeed]
      rule = "Host(`librespeed.[redacted].com`) && PathPrefix(`/`)"
      service = "librespeed"
      entrypoints = "websecure"

  [http.services]
    [http.services.jellyfin.loadBalancer]
      [[http.services.jellyfin.loadBalancer.servers]]
        url = "http://10.0.1.201:8096"
    [http.services.librespeed.loadBalancer]
      [[http.services.librespeed.loadBalancer.servers]]
        url = "http://10.0.1.201:10016"

This setup sadly ends up with ERR_SSL_UNRECOGNIZED_NAME_ALERT for both services. These URLs are NOT proxied through Cloudflare. I'm trying to move from TrueCharts + Traefik to manual Docker + Traefik.

[-] terribleplan@lemmy.nrd.li 1 point 1 year ago* (last edited 1 year ago)

Is traefik successfully getting the cert via LE? It sounds like for one reason or another it is still using the built-in/default cert for those services. You can check the traefik log's LEGO lines, and/or look at your /letsencrypt/acme.json.

In my example I specified entrypoints.https.http.tls.domains, but I think that is only necessary when you're doing wildcard domains with a DNS solver.

edit: You may need to use the file provider rather than trying to specify stuff in the main config toml... traefik differentiates between "static" config that it has to know at boot time and can't change and "dynamic" config like routers and stuff.
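As an added illustration of the static side of that split (this is an editor's example, not the poster's file or anything from the Traefik project): a traefik.toml that keeps the entry points, the `letsencrypt` resolver and the provider settings from the post, turns on debug logging so the file-provider and LEGO/ACME lines actually appear, redirects HTTP to HTTPS, and attaches the resolver to the `websecure` entry point as a default, so every router on that entry point gets a certificate without each router declaring its own `tls` section. The e-mail address, the `api.insecure = false` setting and the `exposedByDefault` line are assumptions; the resolver name, entry point names and paths are the post's.

```toml
# Added example (not the original poster's file): /etc/traefik/traefik.toml
# Static configuration: read once at start-up, never reloaded.

[log]
  level = "DEBUG"   # the file-provider and LEGO/ACME messages are only logged at DEBUG

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
      permanent = true

  [entryPoints.websecure]
    address = ":443"
    # Default TLS for every router attached to this entry point. A router that
    # declares its own [tls] section replaces this default entirely.
    [entryPoints.websecure.http.tls]
      certResolver = "letsencrypt"

[api]
  dashboard = true
  insecure = false   # assumption: do not serve the API/dashboard unauthenticated on :8080

[certificatesResolvers.letsencrypt.acme]
  email = "admin@example.com"   # assumption: replace with the real account address
  storage = "/letsencrypt/acme.json"   # must be mode 0600 or Traefik refuses to use it
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"   # staging while testing
  # TLS-ALPN-01: port 443 of this host has to be reachable from the internet.
  [certificatesResolvers.letsencrypt.acme.tlsChallenge]

[providers]
  [providers.docker]
    exposedByDefault = false   # assumption: moved here from the compose command line
    watch = true
    network = "npm_bridge"
  [providers.file]
    directory = "/etc/traefik/dynamic"
    watch = true
```

Two things worth checking against the compose file in the post. Traefik takes its static configuration from the first source it finds (configuration file, then command-line flags, then environment variables) rather than merging them, so once `traefik.toml` is loaded the `--providers.docker.exposedbydefault=false` flag in the compose `command:` is not applied; the setting belongs in the file. And with `insecure = true` plus the `8180:8080` port mapping, the API and dashboard are reachable on port 8180 without any authentication; with `insecure = false` the dashboard is instead exposed through an ordinary router pointing at `api@internal` with an auth middleware in the dynamic configuration.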

[-] dustojnikhummer@lemmy.world 1 point 1 year ago

I am using a dynamic file, traefik_dynamic.toml

And it seems like I'm not getting certificates; acme.json doesn't have those two services from my dynamic config, i.e. jellyfin and librespeed.

[-] terribleplan@lemmy.nrd.li 1 point 1 year ago

Your logs (at debug level at least, which is where I keep my server, haha) should have entries something along the lines of:

  • Receiving configuration from the file provider
  • What routers and services it sets up based on the configuration
  • Whether certificate generation is needed for the routers
  • What happens when LEGO tries to generate the certificate (created account, got challenge, passed/failed challenge, got cert, etc)
[-] dustojnikhummer@lemmy.world 1 point 1 year ago

The only thing Portainer gives me is weirdly

time="2023-07-05T20:42:26Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"

And syntax errors in my dynamic.toml file, but nothing about routers, services or certificates

I can see those services and routers in the traefik dashboard though

[-] terribleplan@lemmy.nrd.li 1 point 1 year ago

I am pretty sure what I described is only when --log.level=DEBUG or

[log]
  level = "DEBUG"

The syntax errors are weird/concerning if it says there are errors but it still seems to load the config anyway (based on you seeing them in the dashboard).

Back when I used the file provider I pointed it at a directory and put every router/service in its own file with that volume'd in to e.g. /traefik-conf. That's probably more just advice than being your problem though.
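The one-file-per-router layout suggested here, together with the missing piece behind the empty acme.json from earlier in the thread, as an added example (an editor's illustration, not the poster's files or Traefik project code). In the posted traefik_dynamic.toml neither router carries a `tls` section, so Traefik never orders a certificate for either host; and because `sniStrict = true` is set, a ClientHello whose SNI matches no certificate gets an `unrecognized_name` alert instead of the default certificate, which is exactly what the browser reports as ERR_SSL_UNRECOGNIZED_NAME_ALERT. The files below live under the post's `[providers.file] directory = "/etc/traefik/dynamic"`; Traefik merges them into one dynamic configuration. `example.com` stands in for the redacted domain, `traefik.example.com` and the htpasswd file are assumptions, and the backend addresses are the post's.

```toml
# Added example (not the original poster's files). Each file sits in
# /etc/traefik/dynamic/ and is picked up by the watched file provider.

# ---- /etc/traefik/dynamic/tls.toml ----------------------------------------
[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true   # SNI with no matching cert => unrecognized_name alert, never the default cert
    curvePreferences = ["X25519", "secp384r1"]
    # AEAD suites only; the two CBC-SHA256 suites from the post are dropped.
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    ]

# ---- /etc/traefik/dynamic/jellyfin.toml -----------------------------------
[http.routers.jellyfin]
  rule = "Host(`jellyfin.example.com`)"   # assumption: stand-in for the redacted domain
  entryPoints = ["websecure"]              # a list, not a bare string
  service = "jellyfin"
  [http.routers.jellyfin.tls]
    certResolver = "letsencrypt"           # without this no ACME order is placed for the host
    options = "default"

[http.services.jellyfin.loadBalancer]
  [[http.services.jellyfin.loadBalancer.servers]]
    url = "http://10.0.1.201:8096"

# ---- /etc/traefik/dynamic/librespeed.toml ---------------------------------
[http.routers.librespeed]
  rule = "Host(`librespeed.example.com`)"
  entryPoints = ["websecure"]
  service = "librespeed"
  [http.routers.librespeed.tls]
    certResolver = "letsencrypt"
    options = "default"

[http.services.librespeed.loadBalancer]
  [[http.services.librespeed.loadBalancer.servers]]
    url = "http://10.0.1.201:10016"

# ---- /etc/traefik/dynamic/dashboard.toml ----------------------------------
# Replaces api.insecure = true and the 8180:8080 port mapping: the dashboard is
# served on 443 behind basic auth instead of unauthenticated on :8080.
[http.routers.dashboard]
  rule = "Host(`traefik.example.com`)"    # assumption
  entryPoints = ["websecure"]
  service = "api@internal"
  middlewares = ["dashboard-auth"]
  [http.routers.dashboard.tls]
    certResolver = "letsencrypt"

[http.middlewares.dashboard-auth.basicAuth]
  # assumption: file created with  htpasswd -Bc /docker/containers/traefik/dashboard.htpasswd admin
  # and visible in the container through the post's /docker/containers/traefik/:/etc/traefik mount
  usersFile = "/etc/traefik/dashboard.htpasswd"
```

After the routers carry a `certResolver`, the debug log should show the file provider delivering the configuration and the ACME/LEGO exchange for each host, and the `letsencrypt` resolver's `Certificates` array in `/letsencrypt/acme.json` should gain one entry per host. If it does not, the usual reasons are acme.json not being mode 0600, port 443 not reachable from the internet for the TLS-ALPN challenge, or a Let's Encrypt rate limit hit while testing, which the commented staging `caServer` avoids.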

[-] dustojnikhummer@lemmy.world 1 point 1 year ago

I did try having jellyfin.toml and librespeed.toml but thought that isn't possible. If it is I would def prefer to go that way.

The syntax errors are weird/concerning

I often save when editing files, that's why it's popping up there

Enabled log.level debug but still nothing

this post was submitted on 05 Jul 2023
12 points (80.0% liked)

Selfhosted

39677 readers
348 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS