Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls issues: understanding integration with traefik proxy #184

Open
stefangweichinger opened this issue Dec 27, 2024 · 1 comment
Open

tls issues: understanding integration with traefik proxy #184

stefangweichinger opened this issue Dec 27, 2024 · 1 comment

Comments

@stefangweichinger
Copy link

Forgive me asking a question regarding traefik, from the docs I see that this isn't used by the maintainer and therefore only supported by other users somehow.

I read and followed this example:

https://github.com/gurucomputing/headscale-ui/blob/master/documentation/configuration.md#traefik-configuration

but so far I don't get the stack fully working.

What I don't understand yet: headscale-ui brings its own rev-proxy caddy, right? The traefik-labels in the mentioned compose file don't enable TLS within traefik, so traefik seems only to provide http to the external world (?).

If I run it this way I don't get valid TLS for the 2 services.

Do I have to add something like the following?

- traefik.http.routers.headscale-rtr.tls=true
- traefik.http.routers.headscale-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-rtr.entrypoints=websecure

# ui

- traefik.http.routers.headscale-ui-rtr.tls=true
- traefik.http.routers.headscale-ui-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-ui-rtr.entrypoints=websecure

this pulls a TLS-cert and I was able to access the headscale-UI. But if I entered https://headscale.my.tld into the settings, I got "client sent an HTTP request to an HTTPS server" in the logs of the headscale-container.

Here my current compose config:

name: headscale
services:
  headscale:
    command:
      - serve
    container_name: headscale
    image: headscale/headscale:0.23
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/`)
      traefik.http.services.headscale-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
    volumes:
      - type: bind
        source: /opt/dockerfiles/headscale/config
        target: /etc/headscale
        bind:
          create_host_path: true
      - type: bind
        source: /opt/dockerfiles/headscale/data
        target: /var/lib/headscale
        bind:
          create_host_path: true
  headscale-ui:
    container_name: headscale-ui
    image: ghcr.io/gurucomputing/headscale-ui:latest
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-ui-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/web`)
      traefik.http.services.headscale-ui-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
networks:
  proxy:
    name: proxy
    external: true

The container for the ui gives me some warnings:

headscale-ui  | Starting Caddy
headscale-ui  | {"level":"info","ts":1735298138.2229273,"msg":"using provided configuration","config_file":"/data/Caddyfile","config_adapter":"caddyfile"}
headscale-ui  | {"level":"info","ts":1735298138.2524948,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
headscale-ui  | {"level":"warn","ts":1735298138.254572,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":8080}
headscale-ui  | {"level":"info","ts":1735298138.254701,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":8443}
headscale-ui  | {"level":"warn","ts":1735298138.2547393,"logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
headscale-ui  | {"level":"info","ts":1735298138.256623,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045a180"}
headscale-ui  | {"level":"warn","ts":1735298138.2568386,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
headscale-ui  | {"level":"info","ts":1735298138.2571683,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
headscale-ui  | {"level":"info","ts":1735298138.2572722,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
headscale-ui  | {"level":"info","ts":1735298138.2581189,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
headscale-ui  | {"level":"info","ts":1735298138.2583807,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
headscale-ui  | {"level":"info","ts":1735298138.2584145,"logger":"pki.ca.local","msg":"root certificate trust store installation disabled; unconfigured clients may show warnings","path":"storage:pki/authorities/local/root.crt"}
headscale-ui  | {"level":"info","ts":1735298138.2615268,"msg":"autosaved config (load with --resume flag)","file":"/home/appuser/.config/caddy/autosave.json"}
headscale-ui  | {"level":"info","ts":1735298138.2616618,"msg":"serving initial configuration"}
headscale-ui  | {"level":"warn","ts":1735298138.2848473,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/home/appuser/.local/share/caddy","instance":"b356a1f1-d293-456b-a93e-5a745734c4d0","try_again":1735384538.284842,"try_again_in":86399.999998888}
headscale-ui  | {"level":"info","ts":1735298138.285147,"logger":"tls","msg":"finished cleaning storage units"}
headscale     | 2024-12-27T11:15:38Z WRN An updated version of Headscale has been found (0.24.0-beta.2 vs. your current v0.23.0). Check it out https://github.com/juanfont/headscale/releases
headscale     | 
headscale     | 2024-12-27T11:15:38Z WRN 
headscale     | WARN: The "dns.use_username_in_magic_dns" configuration key is deprecated and has been removed. Please see the changelog for more details.
headscale     | 
headscale     | 2024-12-27T11:15:38Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
headscale     | 2024-12-27T11:15:38Z WRN Listening without TLS but ServerURL does not start with http://
headscale     | 2024-12-27T11:15:38Z INF listening and serving HTTP on: 127.0.0.1:8080
headscale     | 2024-12-27T11:15:38Z INF listening and serving debug and metrics on: 127.0.0.1:9090
headscale     | 2024-12-27T11:15:38Z INF Setting up a DERPMap update worker frequency=86400000

As far as I understand and read there is no specific config file for the ui-container, right?

thanks for any pointers here!
@stefangweichinger
Copy link
Author

I think I got it.

I edited my config like in https://headscale.net/stable/ref/integration/reverse-proxy/#tls and enabled TLS via traefik-labels for both headscale and UI. Now the integration seems to work and I can proceed testing. Thanks ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stefangweichinger