Traefik - Don't understand whitelistSourceRange - docker

I don't understand how whitelistSourceRange works...
When I set the docker label traefik.frontend.whitelistSourceRange with my public IP, I cannot access the container.
And in the logs, we can see that the IP is a private IP of... I don't know what? (not the container IP and not my private IP)
time="2018-01-28T15:35:55Z" level=debug msg="source-IP 10.255.0.2 matched none of the whitelists - rejecting"
time="2018-01-28T15:35:55Z" level=debug msg="source-IP 10.255.0.2 matched none of the whitelists - rejecting"
Can somebody help me?
Thanks,

It looks like you have something between your machine and your Docker running Traefik. Perhaps an ELB in AWS or an Ingress controller in k8s? You will want to set an 'X-Forwarded-*' header with your original IP address and configure Traefik to use forwarded headers.
For example:
[entryPoints.http.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
http://docs.traefik.io/configuration/entrypoints/#whitelisting
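The following is an added illustration of the logic the answer describes, not Traefik's own code: the whitelist is evaluated against the TCP peer (the proxy seen in the debug log) unless that peer is a trusted proxy, in which case the client address is taken from X-Forwarded-For. The proxy range 10.255.0.0/16, the whitelist 203.0.113.0/24 and the sample addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not values from the thread):
# the network the proxy connects from, and the clients to admit.
TRUSTED_PROXIES = ["10.255.0.0/16", "127.0.0.1/32"]
WHITELIST = ["203.0.113.0/24"]

def in_ranges(ip, ranges):
    """True if ip is inside any of the CIDR ranges (bare IPs count as /32)."""
    addr = ip_address(ip)
    return any(addr in ip_network(r, strict=False) for r in ranges)

def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Decide which address the whitelist is evaluated against.

    The header is honoured only when the TCP peer is a trusted proxy;
    otherwise a client could put any address into X-Forwarded-For itself.
    """
    if not xff_header or not in_ranges(peer_ip, trusted_proxies):
        return peer_ip
    # X-Forwarded-For lists "client, proxy1, proxy2, ...": walk from the
    # right past hops that are trusted proxies to the first untrusted one.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_ranges(hop, trusted_proxies):
            return hop
    return hops[0]

def check_source(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES,
                 whitelist=WHITELIST):
    """Return (allowed, evaluated_ip) for one request."""
    client = effective_client_ip(peer_ip, xff_header, trusted_proxies)
    return in_ranges(client, whitelist), client

if __name__ == "__main__":
    # Without forwarded headers the proxy address itself is tested and
    # rejected, which is what the debug log in the question shows.
    print(check_source("10.255.0.2", None))             # (False, '10.255.0.2')
    print(check_source("10.255.0.2", "203.0.113.9"))    # (True, '203.0.113.9')
    # An untrusted peer cannot smuggle a whitelisted address in the header.
    print(check_source("198.51.100.5", "203.0.113.9"))  # (False, '198.51.100.5')
```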

Related

Traefik - Forward to external IP

I've setup my traefik in docker, and it works as intended for container discovery etc.
But I'm getting tired of having to forward port 80 to my Synology NAS in order to renew LetsEncrypt certificates.
Therefore, I want all traffic on port 80 to be forwarded to my NAS (192.168.1.4) on port 80. Based on this answer How to get traefik to redirect to specific non-docker port from inside docker, I have added the following to my docker-compose:
labels:
- "--providers.file=true"
- "--providers.file.filename=/rules.toml"
volumes:
- "/opt/docker_volumes/traefik/rules.toml:/rules.toml"
My rules.toml looks like this:
[http.routers]
# Define a connection between requests and services
[http.routers.nasweb]
rule = "Host(`nas.example.com`)"
entrypoints = ["web"]
service = "nas"
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.nas.loadBalancer]
[[http.services.nas.loadBalancer.servers]]
url = "http://192.168.1.4:80"
However, I don't see any services in the traefik dashboard, nor does the certificate renew successfully. Can anyone spot any errors in the above?
I'm also completely open for a different solution.

NGINX whitelist internal docker IP

I have a server that runs 2 docker containers, a Node.js API container, and an NGINX-RTMP container. The server itself also uses NGINX as a reverse proxy to sort traffic between these two containers based on port.
The NGINX-RTMP server accesses the API server via its network alias like so:
on_publish http://api-server:3000/authorize
Which works great to communicate container-to-container. I can also go the other way by using urls like
http://nginx-server:8080/some-endpoint
Now I have a route on the NGINX server that I would like to restrict to just local traffic (i.e. only the API server should be able to hit this location). Now normally I can do this with a simple
# nginx conf file
location /restricted {
allow 127.0.0.1;
deny all;
}
What I would like to do is something like this:
# nginx conf file
location /restricted {
allow api-server;
deny all;
}
But I need to use the actual IP of the container. Now I can get the IP of the container by inspecting it, and I see the IP is 172.17.0.1. However when I look at other instances of this server I see some servers are 172.18.0.1 and 17.14.0.2 so it's not 100% consistent across servers. Now I could just write out all 256 variations of 172.*.0.0/24 but I imagine there must be a 'proper' way to wildcard this in nginx, or even a better way of specifying the container IP in my NGINX conf file. The only information I have found so far is to modify the type of network I'm using for my containers, but I don't want to do that.
How do I properly handle this?
# nginx conf file
location /restricted {
allow 172.*.0.0/24;
deny all;
}
I might have solved this one on my own actually.
Originally I thought I could use 172.0.0.1/8 in the block to allow all the IPs I thought possible for the local network, but this is wrong.
After reading this article: https://www.arin.net/reference/research/statistics/address_filters/ (archive mirror)
According to standards set forth in Internet Engineering Task Force (IETF) document RFC 1918, the following IPv4 address ranges are reserved by the IANA for private internets:
10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
Notice that the 172 net is a /12 and not /8.
Which is explained as
In August 2012, ARIN began allocating “172” address space to internet service, wireless, and content providers.
So I believe the correct method is:
# nginx conf file
location /restricted {
allow 172.16.0.0/12;
deny all;
}
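As an added example (not nginx code and not from the poster), the snippet below evaluates allow/deny directives the way the nginx access module does, top to bottom with the first match deciding, and checks the container addresses from the question against the RFC 1918 ranges quoted above. The config fragment and test addresses are taken from the thread; the parser is a simplification that only reads allow/deny lines.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges, as listed in the ARIN excerpt above.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The location block from the self-answer, as a constructed sample input.
RESTRICTED_LOCATION = """
location /restricted {
    allow 172.16.0.0/12;
    deny all;
}
"""

def parse_rules(conf):
    """Collect allow/deny directives in file order; other lines are ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        action, target = parts
        # 'all' matches everything; anything else must be a valid IP or CIDR
        # (a pattern like 172.*.0.0/24 would raise ValueError here).
        net = None if target == "all" else ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def access(rules, client_ip):
    """nginx semantics: rules are checked top to bottom, first match wins."""
    addr = ip_address(client_ip)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"  # no rule matched: nginx permits the request

def is_private(ip):
    """True if ip lies in one of the RFC 1918 ranges."""
    return any(ip_address(ip) in ip_network(n) for n in RFC1918)

if __name__ == "__main__":
    rules = parse_rules(RESTRICTED_LOCATION)
    for ip in ("172.17.0.1", "172.18.0.1", "172.32.0.1", "17.14.0.2"):
        print(ip, access(rules, ip), "private" if is_private(ip) else "public")
```

Note that 172.16.0.0/12 admits every address in the private 172 range, not only the API container, so the check is only as tight as the host's filtering of such addresses on its external interface.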

How should I setup Traefik on ECS?

In Short
I've managed to run Traefik locally and on AWS ECS, but now I'm wondering how I should set up some sort of load balancing to make my two services with random IPs available to the public.
My current setup on ECS
[Internet]
|
[Load balancer on port 443 + ALB Security group on 443]
|
[Target group on port 443 + Security group from *any* port]
|
[cluster]
|
[service1 container ports "0:5000"]
While this works, I'd now like to add another container, eg. service2 also with random ports eg 0:8000. And that's why I need something like Traefik.
What I did
Here's the TOML file:
[api]
address = ":8080"
[ecs]
clusters = ["my-cluster"]
watch = true
domain = "mydomain.com"
region = "eu-central-1"
accessKeyID = "AKIA..."
secretAccessKey = "..."
Also I've added the host entry in /etc/hosts:
127.0.0.1 service1.mydomain.com
127.0.0.1 service2.mydomain.com
And the relevant labels on the containers, and I can curl service1.mydomain.com/status and get a 200.
Now my last bit is just the following question:
How should I publish all this to the internet? AWS ALB? AWS Network LB? Network Bridge/host/other?
AWS ALB vs AWS Network LB depends on who you want to handle SSL.
If you have a wildcard certificate and all your services are subdomains of the same domain, ALB may be a good choice.
If you want to use Let's Encrypt with Traefik, Network LB may be a better choice.
In both cases, your setup will look something like this:
[Internet]
|
[LB]
|
[Target group]
|
[Traefik]
| |
[service1] [service2]
In both cases, the easiest way to get this is to make the Traefik ECS service auto-register to the target group.
This can be done at service creation (network configuration section) and cannot be done later. Link to documentation
Screen of configuration console

glusterfs geo-replication - server with two interfaces - private IP advertised

I have been trying to set up geo-replication with GlusterFS servers. Everything worked as expected in my test environment and on my staging environment, but then I tried production and got stuck.
Let's say I have:
The GlusterFS server is on public IP 1.1.1.1.
The GlusterFS slave is on public IP 2.2.2.2, but this IP is on interface eth1.
The eth0 on the GlusterFS slave server is 192.168.0.1.
So when I start the command on 1.1.1.1 (firewall and ssh keys are set properly)
gluster volume geo-replication vol0 2.2.2.2::vol0 create push-pem
I get an error.
Unable to fetch slave volume details. Please check the slave cluster and slave volume.
geo-replication command failed
The error is not that important in this case; the problem is the slave IP address:
2015-03-16T11:41:08.101229+00:00 xxx kernel: TCP LOGDROP: IN= OUT=eth0 SRC=1.1.1.1 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24243 DF PROTO=TCP SPT=1015 DPT=24007 WINDOW=14600 RES=0x00 SYN URGP=0
As you can see in the firewall drop log above, port 24007 of the slave gluster daemon is advertised on the private IP of interface eth0 on the slave server, and it should be the eth1 IP. So the master cannot connect and will time out.
Is there a way to force the gluster server to advertise interface eth1 or bind to it only?
I use cfengine and ansible to push configuration, so binding to an interface could be a better solution than an IP, but whatever solution will do.
Thank you in advance.
I've encountered this issue but in a different context.
I was trying to geo-replicate two nodes which were both behind a NAT (AWS instances in different regions).
When the master connects to the slave via the public IP to check for volume compatibility/size and other details, it retrieves the hostname of the slave, which usually resolves to something that only has meaning in that remote region.
Then it uses that hostname to dial back to the slave when later setting up the session, which fails, as that hostname resolves to a private IP in a different region.
My workaround for the issue was to use hostnames when creating the volumes, probing for peers, and establishing geo-replication, and then add an /etc/hosts entry mapping the slave's hostname, which usually resolves to its private IP, to its public IP instead.
This gets you to the point where you establish a session, but I haven't had any luck actually getting it to sync, as it uses the wrong IP somewhere along the way again.
Edit:
I've actually managed to get it running by adding /etc/hosts hacks on both sides.
GlusterFS has no notion of the network layer. Check your routes. If the next-hop for your geo-replication slave is on eth1, then gluster will open a port on that interface for the slave IP address.
Also make sure your firewall is configured to forward geo-replication traffic on this port.

dns timeouts - resolv.conf wrong?

I have a question concerning the correct setup of Debian's resolv.conf file.
I have 3 domains:
a-domain.com,
b-domain.com and
c-domain.com
The server has a static IP.
Do I have to add all (one by one) domains to resolv.conf?
Currently none of them are in resolv.conf - I have something like
DNS timeouts - the page is only available after 10-20 seconds!
Same issue for ssh.
What did I forget or what is misconfigured?
Thanks for hints in advance.
They go in /etc/hosts like so:
192.168.0.1 a-domain.com
192.168.0.2 b-domain.com
192.168.0.3 c-domain.com
(Use the actual IP addresses, of course. And I'm assuming this is on a private subnet -- otherwise why aren't you using DNS?)
resolv.conf is there to set up your DNS servers.
