Comments (6)
Sorry yes, should have gotten off my soapbox long enough to mention that the container is easily customisable to house a custom config in /data/Caddyfile :).
from headscale-ui.
I'm happy to add additional example configs, not in the main README but in a reference directory.
Since we are using a reverse proxy anyways, is the internal HTTPS with a self-signed certificate really necessary? I really dislike having to add an additional insecureSkipVerify configuration to either Caddy or traefik. I see that the service really is served via 127.0.0.1:2019 - why not expose that port to 0.0.0.0? What's the benefit of having Caddy inside the container?
Yes it's necessary, the concept that internal traffic shouldn't be encrypted by default is ludicrous. Chrome has done everyone a great disservice by making self signed encryption look worse than unencrypted traffic.
If you're using my docker container, it's gonna enforce encryption by default.
from headscale-ui.
the concept that internal traffic shouldn't be encrypted by default is ludicrous
100% agreed.
Self-signed encryption certainly is better than unencrypted. I just don't think that insecureSkipVerify or tls_insecure_skip_verify in Caddy's case are nice things to have in your configs and also go against your security-thinking. This setting wouldn't be necessary if you would use non-self-signed certificates (which Caddy would be very much able to do) or at least have the ability (via environment variables / docker secrets) to pass in a valid CA/Key combination.
I don't need the encryption reverse proxy > container, since both are running as containers on the same host. I now mounted a custom Caddyfile into the container (/data/Caddyfile) like so and I am happy:
{
    skip_install_trust
    http_port 8080
}
:8080 {
    redir / /web
    uri strip_prefix /web
    file_server {
        root /web
    }
}
With the custom Caddyfile I don't need these labels and can change the port to 8080:
- "traefik.http.services.headscale_ui-svc.loadbalancer.server.scheme=https"
- "traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=disableSSLCheck@file"
from headscale-ui.
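The comment above argues for keeping verification on and passing in a real CA instead of reaching for insecureSkipVerify. The following traefik v2 dynamic configuration (file provider) is an added example, not part of the headscale-ui project or the thread; it places the weak serversTransport that the `disableSSLCheck@file` label refers to next to a corrected one that trusts only an internal CA. The transport name `internalCA`, the path `/certs/internal-ca.pem` and the server name `headscale-ui.internal` are assumptions for illustration.

```toml
# Added example (not headscale-ui project code): traefik v2 dynamic
# configuration loaded through the file provider. Names and paths below
# are assumptions for illustration.

# Weak setting: the transport referenced by the label
#   traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=disableSSLCheck@file
# traefik accepts any certificate the backend presents, so a container that
# impersonates the backend on the Docker network is not detected.
[http.serversTransports.disableSSLCheck]
  insecureSkipVerify = true

# Corrected setting: verification stays on, but the trust anchor is the
# internal CA that issued the backend certificate rather than the public
# roots. "/certs/internal-ca.pem" is an assumed path for the CA bundle
# mounted into the traefik container.
[http.serversTransports.internalCA]
  # Name presented in SNI; the backend certificate is expected to carry it.
  serverName = "headscale-ui.internal"
  rootCAs = ["/certs/internal-ca.pem"]
```

To use the corrected transport, the service label becomes `traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=internalCA@file` while `loadbalancer.server.scheme=https` stays. On the Caddy side, a `tls <cert> <key>` line inside the site block of the mounted Caddyfile points Caddy at a certificate issued by that same CA, which is the "valid CA/Key combination" the comment asks for; the CA private key itself never needs to enter either container.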
I know it has been a while, but I just got a question.
I'm a novice with middleware, can either of you explain what this line does?
- "traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file"
It looks like there is a line in your traefik toml that describes “chain-no-auth”
I'm currently getting a bad gateway when I try to access headscale itself through https
thanks
from headscale-ui.
It looks like there is a line in your traefik toml that describes “chain-no-auth”
Good catch - you can actually just leave that line out of your configuration, but you are right that the example is missing. You can check out the documentation on middlewares here https://doc.traefik.io/traefik/middlewares/overview/ and chains here: https://doc.traefik.io/traefik/middlewares/http/chain/#chain.
If you want some examples for middleware chains check out this repo: https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/toml/middlewares-chains.toml.example
from headscale-ui.
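Since the reply above notes that the `chain-no-auth` definition is missing from the example, here is an added traefik v2 file-provider definition of such a chain. It is not from the headscale-ui project or the linked repository; the member middleware names, the rate-limit numbers and the header values are assumptions chosen for illustration.

```toml
# Added example (not headscale-ui or linked-repo code): a traefik v2
# dynamic configuration file defining the "chain-no-auth" middleware that
# the router label
#   traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file
# refers to. "@file" names the provider the middleware is defined in.
[http.middlewares]

  # The chain itself. Members run in list order on every request the
  # router matches; "no-auth" means no forward-auth step is included.
  [http.middlewares.chain-no-auth]
    [http.middlewares.chain-no-auth.chain]
      middlewares = ["middlewares-rate-limit", "middlewares-secure-headers"]

  # Member 1 (assumed name): per-source rate limiting.
  # average = sustained requests per second, burst = short-term allowance.
  [http.middlewares.middlewares-rate-limit]
    [http.middlewares.middlewares-rate-limit.rateLimit]
      average = 100
      burst = 50

  # Member 2 (assumed name): defensive response headers for the web UI.
  [http.middlewares.middlewares-secure-headers]
    [http.middlewares.middlewares-secure-headers.headers]
      contentTypeNosniff = true
      browserXssFilter = true
      frameDeny = true
      stsSeconds = 31536000
      stsIncludeSubdomains = true
```

A router that references a middleware no provider defines is marked as erroneous by traefik and does not serve traffic, so the reply's advice to drop the label entirely is the quickest way to rule the chain out while debugging; once the chain above is loaded by the file provider, the label can be restored and traefik's dashboard or log will show the router as healthy with both members attached.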
Excellent, thanks for that example.
I'll try it out and let you know, let's see if it fixes my bad gateway issue
from headscale-ui.