Traefik #10

Closed
maltegrosse opened this issue Mar 12, 2021 · 5 comments

@maltegrosse

Hey, I'm currently struggling with setting up the forwarded HTTP connection behind Traefik to provide HTTPS. Any ideas / recommendations?

@joonas-fi
Member

This should work with a reverse proxy in front of it. In fact, that's been my exact use case also (though I'm not using Traefik).

I'd check:

  • that Traefik uses port 80 to talk to holepunch-server.
  • try checking if you can curl https://holepunch-server-hostname/_ssh, you should get some error relating to your request not asking for websocket
  • then repeat the same for directly talking to holepunch-server (without reverse proxy in front of it)
  • if that does not work, try checking for Traefik logs

@maltegrosse
Author

Which proxy do you use? Can you provide me your docker-compose as an example?

@joonas-fi
Member

joonas-fi commented Mar 15, 2021

My docker-compose file wouldn't help because I'm using Edgerouter which is a loadbalancer I built myself (yes, I know how crazy it sounds). Edgerouter is probably not usable for anyone else than me right now, but it started with Traefik-compatible annotations.

I'm confident holepunch-server works with Traefik, because that's what I used with holepunch-server before building Edgerouter. Basically my loadbalancer layer is using traefik.frontend.rule with value of HostRegexp:{[^.]+}.punch.example.com. This is what would be in your docker-compose file in some form or another.

Then if you have an SSH client (OpenSSH or holepunch-client) providing a reverse tunnel in the container port 8080, then https://8080.punch.example.com/ should be accessible from the internet, provided that your loadbalancer is redirecting *.punch.example.com traffic to the right container IP's port 80. The holepunch-server container itself reverse proxies TCP traffic (on top of WebSocket) from HTTP 80 to the port 8080 based on the subdomain match.

Have you assigned wildcard certificate to *.holepunch.something.com?

Make sure your loadbalancer is not stripping away the Host: header. Traefik seems to do the right thing by default.

Did all the checks pass that I asked about? What exactly are you trying to do? Specifically, you haven't mentioned any error messages or troubleshooting steps that have failed? Is plain HTTP working but HTTPS not? Does it work without loadbalancer, or is the trouble present only when behind a loadbalancer?
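The subdomain-to-port mapping described in the comment above, sketched as an added example that is not part of the original thread and is not holepunch-server's own code. The function name `TargetPort` and the `baseDomain` parameter are assumptions; the point is that the backend can only pick the tunnel port if the proxy passes the original `Host:` header through, and that the label should be validated strictly before it selects anything.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// TargetPort maps a Host header such as "8080.punch.example.com" to tunnel
// port 8080. Hypothetical helper; baseDomain is the wildcard zone behind the proxy.
func TargetPort(hostHeader, baseDomain string) (int, error) {
	host := strings.ToLower(hostHeader)
	// Drop an explicit ":443"-style port if the client sent one.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	suffix := "." + strings.ToLower(baseDomain)
	if !strings.HasSuffix(host, suffix) {
		// Also the result when a proxy rewrote Host to the backend's name.
		return 0, errors.New("host is outside the tunnel zone")
	}
	label := strings.TrimSuffix(host, suffix)
	// Exactly one label, matching the [^.]+ in the routing rule.
	if label == "" || strings.Contains(label, ".") {
		return 0, errors.New("expected exactly one subdomain label")
	}
	// Unsigned 16-bit parse rejects signs, letters and values above 65535.
	port, err := strconv.ParseUint(label, 10, 16)
	if err != nil || port == 0 {
		return 0, fmt.Errorf("label %q is not a valid port", label)
	}
	return int(port), nil
}

func main() {
	// Constructed sample Host headers, not taken from real traffic.
	samples := []string{
		"8080.punch.example.com",     // preserved Host header
		"8080.punch.example.com:443", // client included a port
		"holepunch",                  // Host rewritten by the proxy
		"a.8080.punch.example.com",   // extra label
		"70000.punch.example.com",    // outside the port range
	}
	for _, h := range samples {
		port, err := TargetPort(h, "punch.example.com")
		fmt.Printf("%-28s port=%d err=%v\n", h, port, err)
	}
}
```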

@maltegrosse
Author

Seems like I had some issues with Docker on armv7.
Finally I solved it by: (running Traefik in another docker-compose instance)

version: "3.5"

services:
  holepunch:
    image: holepunch-server:latest
    environment:
      SSH_HOSTKEY: "somthing"
      CLIENT_PUBKEY: "something else"
    restart: always
    ports:
      - "5050:5050"
      - "2222:2222"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hp.rule=Host(`home.host.com`)"
      - "traefik.http.routers.hp.entrypoints=http"
      - "traefik.http.routers.hp.tls.certResolver=le"

      - "traefik.http.routers.api.rule=Host(`api.home.host.com`)"
      - "traefik.http.routers.api.service=api"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.tls.certResolver=le"
      - "traefik.http.services.api.loadbalancer.server.port=5050"
      - "traefik.http.routers.api.tls=true"
    networks:
      - backend
      - frontend

networks:
  frontend:
    name: frontend
    external: true
  backend:
    name: backend
    driver: bridge

Somehow I could not use your Docker image on Docker Hub as the binary is missing. I just did some workaround by
(latest Alpine got some issues with armv7...)

FROM alpine:3.12

RUN apk update
RUN apk add openssh wget

RUN wget https://github.com/function61/holepunch-server/releases/download/20210312_0738_8f5e8775/holepunch-server_linux-arm
RUN mv holepunch-server_linux-arm holepunch-server
RUN chmod +x holepunch-server
ENTRYPOINT ["./holepunch-server", "server", "--http-reverse-proxy", "--sshd-websocket","--sshd-tcp","0.0.0.0:2222"]

@joonas-fi
Member

You said the binary is missing.. you mentioned armv7 and we previously discussed #9

IIRC not found errors can also arise when trying to run binaries for non-compatible architectures. Seeing as the image with tag 20210312_0738_8f5e8775 is the first with ARM support, did you try to run the correct image? You also mention :latest, but the :latest tag also doesn't exist (I don't currently use that tag).

Anyways, seems like this issue is resolved. I'll close it for now but we can continue discussion and reopen if there's still an issue..
