I am trying to create a setup using docker compose where I run
traefikas non-root according to Traefik 2.0 — paranoid about mounting /var/run/docker.sock? | by containeroo | Medium (this works)
- services via
traefikbased on ‘treafik router’
An example extract from my docker compose file is:
networks: rna-docker-exposed: external: true # means it is a fixed docker network created with "docker network create rna-docker-exposed" name: rna-docker-exposed # docker create network rna-docker-exposed rna-docker-nonexposed: internal: true # means it gets created especially for this compose and is called <dirname>_rna-docker-nonexposed driver: bridge dockerproxy: # see https://github.com/Tecnativa/docker-socket-proxy image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1 restart: unless-stopped mem_limit: 2G cpus: 0.75 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro # never expose this container to the internet! environment: - CONTAINERS=1 - LOG_LEVEL=debug networks: - rna-docker-nonexposed # use only internal network traefik: container_name: rnaserver-traefik restart: unless-stopped read_only: true mem_limit: 2G cpus: 0.75 depends_on: - dockerproxy security_opt: - no-new-privileges:true image: traefik:v2.9.4 user: 115:120 ports: - "80:10080" # high nr so we don't need to be root to bind - "443:10443" # ditto labels: - "traefik.enable=true" # Configure Traefik dashboard & api on secure entrypoint (":443"), for local LAN clients only - "traefik.http.routers.traefik-dashboard.entrypoints=websecure" - "traefik.http.routers.traefik-dashboard.tls=true" - "traefik.http.routers.traefik-dashboard.rule=Host(`foo.rna.nl`) && ClientIP(`192.168.2.1/24`) && ( PathPrefix(`/api`) || PathPrefix(`/dashboard`))" - "traefik.http.routers.traefik-dashboard.service=api@internal" - "traefik.http.routers.traefik-dashboard.middlewares=simpleAuth@file,rnalanWhitelist@file" # double on IP whitelist, this and ClientIP ... networks: - rna-docker-exposed - rna-docker-nonexposed whoami: image: traefik/whoami container_name: rnaserver-whoami restart: unless-stopped user: 117:122 depends_on: - traefik labels: - "traefik.enable=true" - "traefik.docker.network=rna-docker-exposed" - "traefik.http.routers.whoami.rule=Host(`foo.rna.nl`) && PathPrefix(`/whoami`)" - "traefik.http.routers.whoami.entrypoints=websecure" - "traefik.http.routers.whoami.tls=true" networks: - rna-docker-exposed
Now this works. But I also want to run a service that – when it gets a connection from the outside world — doesn’t think all traffic comes from docker, not from the local LAN. E.g. `traefik/whoami’ now reports:
Hostname: 058aef33472f IP: 127.0.0.1 IP: 172.23.0.4 RemoteAddr: 172.23.0.2:33464 GET /whoami HTTP/1.1 Host: foo.rna.nl User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9 X-Forwarded-For: 192.168.2.86 X-Forwarded-Host: foo.rna.nl X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: c13bfbe1e443 X-Real-Ip: 192.168.2.86
But I want it to report:
Can I combine
traefiknot running as root, but used to route anyway (as now)
- have a service that listens not on a bridge network, but on the host network?
My guess is not, because it would require traefik to be both
network_mode: bridge and
network_mode: host at the same time. But I might be missing something. Am I?
And suppose, I would like to change so that the/a whoami container reports
RemoteAddr: 192.168.2.86:something outside of
traefik. What options do I have? What about the TLS handling (that traefik now does for me)?