115 changes: 115 additions & 0 deletions users/stdiscosrv.rst
@@ -346,6 +346,121 @@ page. Note that that page is directed at setting up a proxy for the
Syncthing web UI. You should do the proper path and port adjustments to proxying
the discovery server and your particular setup.

Traefik 2.5+
""""""""""""

Traefik will send ``X-Forwarded-For`` by default.

To send ``X-Forwarded-Tls-Client-Cert``:

#. Add a `TLS Options <https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls>`_
that sets ``clientAuthType`` to ``RequireAnyClientCert`` in your dynamic
config. Without this, Traefik will not pass the client certificate in the
``X-Forwarded-Tls-Client-Cert`` header.

.. code-block:: yaml

tls:
options:
syncthing-discosrv:
clientAuth:
clientAuthType: RequireAnyClientCert
Member:
In theory, this is only needed for posts, and not gets.


#. Also in your dynamic config, add a middleware to pass the TLS client
cert (`passtlsclientcert.pem=true`), add that to the router, and set your
custom TLS options.

.. code-block:: yaml

syncthing-discosrv:
image: syncthing/discosrv
volumes:
- ./syncthing/DATA/syncthing-discosrv:/var/stdiscosrv
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.syncthing-discosrv-middleware.passtlsclientcert.pem=true"
- "traefik.http.services.syncthing-discosrv.loadbalancer.server.port=8443"
- "traefik.http.routers.syncthing-discosrv.entrypoints=https"
- "traefik.http.routers.syncthing-discosrv.rule=Host(`st-ds.xxx.dev`)"
- "traefik.http.routers.syncthing-discosrv.tls.options=syncthing-discosrv@file"
- "traefik.http.routers.syncthing-discosrv.middlewares=syncthing-discosrv-middleware"
command:
- "-http"

To send ``X-Client-Port``:

Traefik has ``X-Forwarded-Port`` which can only be changed using a
plugin (plugins were added in version 2.5 of Traefik).
Comment on lines +390 to +393
Member:
For what it's worth I think this section is wrong. X-Forwarded-Port is the port number on the proxy that received the request, i.e., most likely 443. The X-Client-Port we want is the source port on the client side. If that's not available that's mostly fine, and this section can be skipped.


#. Clone down a header rewriting plugin, the example here uses
https://github.com/adyanth/header-transform.

#. Mount the plugin into the Traefik Docker container using a volume and
configure Traefik to read it.

.. code-block:: yaml

traefik:
image: traefik:v2.5
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"

- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"

# Will read the plugin at /plugins-local/src/github.com/adyanth/header-transform and assign it
# to a middleware plugin named `header-transform-plugin`.
- "--experimental.localPlugins.header-transform-plugin.moduleName=github.com/adyanth/header-transform"
volumes:
- "/opt/traefik:/data"
- "/var/run/docker.sock:/var/run/docker.sock:ro"

# Traefik reads local plugins using a specific path, rooted at /plugins-local.
# https://github.com/traefik/traefik/pull/8224
- "./traefik/header-transform:/plugins-local/src/github.com/adyanth/header-transform"
ports:
- "80:80"
- "443:443"

#. In your dynamic config, define a middleware using the plugin which has
a Rule that sets X-Client-Port to the value of X-Forwarded-Port.

.. code-block:: yaml

http:
middlewares:
header-transform:
plugin:
header-transform-plugin:
Rules:
- Rule:
Name: 'X-Client-Port Set'
Header: 'X-Client-Port'
Value: '^X-Forwarded-Port'
HeaderPrefix: "^"
Type: 'Set'

#. Add the middleware to the containers dynamic configuration.

.. code-block:: yaml

syncthing-discosrv:
image: syncthing/discosrv
volumes:
- ./syncthing/DATA/syncthing-discosrv:/var/stdiscosrv
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.syncthing-discosrv-middleware.passtlsclientcert.pem=true"
- "traefik.http.services.syncthing-discosrv.loadbalancer.server.port=8443"
- "traefik.http.routers.syncthing-discosrv.entrypoints=https"
- "traefik.http.routers.syncthing-discosrv.rule=Host(`st-ds.xxx.dev`)"
- "traefik.http.routers.syncthing-discosrv.tls.options=syncthing-discosrv@file"

# Add this line
- "traefik.http.routers.syncthing-discosrv.middlewares=syncthing-discosrv-middleware,header-transform@file"
command:
- "-http"


See Also
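Review bot: the X-Client-Port steps (the header-transform middleware whose Rule sets X-Client-Port to the value of X-Forwarded-Port) do not produce the value the heading promises. X-Forwarded-Port is the port Traefik accepted the connection on, which with the `--entrypoints.https.address=:443` entrypoint shown here will be 443 for every request, not the client's source port; either drop that section or state plainly that the client source port is not available through Traefik and the header can be left unset. Separately, since the section is about having Traefik supply X-Forwarded-For and X-Forwarded-Tls-Client-Cert to a discovery server started with `-http` on port 8443, the text should say explicitly that the discovery server must be reachable only through the proxy (no published port on the syncthing-discosrv container, as in the compose snippets), because a client that can reach port 8443 directly could supply those headers itself. Minor: the two syncthing-discosrv compose snippets are nearly identical; the second could show only the changed `middlewares` label.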