
Comments (6)

routerino avatar routerino commented on June 6, 2024 1

the concept that internal traffic shouldn't be encrypted by default is ludicrous

100% agreed. Self-signed encryption certainly is better than unencrypted. I just don't think that insecureSkipVerify or tls_insecure_skip_verify in Caddy's case are nice things to have in your configs and also go against your security-thinking. This setting wouldn't be necessary if you would use non-self-signed certificates (which Caddy would be very much able to do) or at least have the ability (via environment variables / docker secrets) to pass in a valid CA/Key combination.

I don't need the encryption reverse proxy > container, since both are running as containers on the same host. I now mounted a custom Caddyfile into the container (/data/Caddyfile) like so and I am happy:

{
  skip_install_trust
  http_port 8080
}
:8080 {
  redir / /web
  uri strip_prefix /web
  file_server {
    root /web
  }
}

With the custom Caddyfile I don't need these labels and can change the port to 8080:

      - "traefik.http.services.headscale_ui-svc.loadbalancer.server.scheme=https"
      - "traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=disableSSLCheck@file"

Sorry yes, should have gotten off my soapbox long enough to mention that the container is easily customisable to house a custom config in /data/Caddyfile :).

from headscale-ui.

routerino avatar routerino commented on June 6, 2024

I'm happy to add additional example configs, not in the main README but in a reference directory.

Since we are using a reverse proxy anyway, is the internal HTTPS with a self-signed certificate really necessary? I really dislike having to add an additional insecureSkipVerify configuration to either Caddy or Traefik. I see that the service really is served via 127.0.0.1:2019 - why not expose that port to 0.0.0.0? What's the benefit of having Caddy inside the container?

Yes it's necessary, the concept that internal traffic shouldn't be encrypted by default is ludicrous. Chrome has done everyone a great disservice by making self-signed encryption look worse than unencrypted traffic.

If you're using my docker container, it's gonna enforce encryption by default.

from headscale-ui.

DennisGaida avatar DennisGaida commented on June 6, 2024

the concept that internal traffic shouldn't be encrypted by default is ludicrous

100% agreed.
Self-signed encryption certainly is better than unencrypted. I just don't think that insecureSkipVerify or tls_insecure_skip_verify in Caddy's case are nice things to have in your configs and also go against your security-thinking. This setting wouldn't be necessary if you would use non-self-signed certificates (which Caddy would be very much able to do) or at least have the ability (via environment variables / docker secrets) to pass in a valid CA/Key combination.

I don't need the encryption reverse proxy > container, since both are running as containers on the same host. I now mounted a custom Caddyfile into the container (/data/Caddyfile) like so and I am happy:

{
  skip_install_trust
  http_port 8080
}
:8080 {
  redir / /web
  uri strip_prefix /web
  file_server {
    root /web
  }
}

With the custom Caddyfile I don't need these labels and can change the port to 8080:

      - "traefik.http.services.headscale_ui-svc.loadbalancer.server.scheme=https"
      - "traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=disableSSLCheck@file"

from headscale-ui.

shubu000 avatar shubu000 commented on June 6, 2024

I know it has been a while, but I just got a question.
I'm a novice with middleware, can either of you explain what this line does?

  • "traefik.http.routers.headscale-rtr.middlewares=chain-no-auth@file"

It looks like there is a line in your Traefik TOML that describes "chain-no-auth"

I'm currently getting a bad gateway when I try to access headscale itself through HTTPS

thanks

from headscale-ui.

DennisGaida avatar DennisGaida commented on June 6, 2024

It looks like there is a line in your Traefik TOML that describes "chain-no-auth"

Good catch - you can actually just leave that line out of your configuration, but you are right that the example is missing. You can check out the documentation on middlewares here https://doc.traefik.io/traefik/middlewares/overview/ and chains here: https://doc.traefik.io/traefik/middlewares/http/chain/#chain.

If you want some examples for middleware chains check out this repo: https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/toml/middlewares-chains.toml.example

from headscale-ui.
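The two Traefik file-provider pieces referenced in this thread, the `disableSSLCheck@file` serversTransport and the `chain-no-auth@file` middleware chain, both live in a dynamic configuration file loaded by the file provider. The following is an added example written for this thread, not the project's own configuration: it puts the weak transport (which disables backend certificate verification) next to a transport that verifies the backend against a CA you supply, and defines a `chain-no-auth` chain with no authentication middleware. The middleware names `rate-limit` and `secure-headers`, the transport name `headscaleUiVerified`, the CA path `/certs/headscale-ui-ca.pem`, the `serverName` value and all numeric limits are assumptions chosen for illustration.

```toml
# Added example of a Traefik v2 dynamic configuration file (file provider),
# not the headscale-ui project's configuration. Names and paths are assumed.

# What "serversTransport=disableSSLCheck@file" points at: Traefik will accept
# any certificate from the backend, including a self-signed one. The proxy
# still encrypts, but it no longer knows who it is talking to.
[http.serversTransports.disableSSLCheck]
  insecureSkipVerify = true

# Verified alternative: give Traefik the CA (assumed path) that signed the
# backend certificate, so the hop stays encrypted AND authenticated.
# serverName (assumed value) must match a SAN in the backend certificate.
# Reference it from the label
#   traefik.http.services.headscale_ui-svc.loadbalancer.serversTransport=headscaleUiVerified@file
[http.serversTransports.headscaleUiVerified]
  rootCAs = ["/certs/headscale-ui-ca.pem"]
  serverName = "headscale-ui"

# What "middlewares=chain-no-auth@file" points at: a chain bundles other
# middlewares so a router can reference them with one label. "no-auth" only
# means the chain contains no authentication middleware (assumed contents).
[http.middlewares.chain-no-auth]
  [http.middlewares.chain-no-auth.chain]
    middlewares = ["rate-limit", "secure-headers"]

# Assumed members of the chain.
[http.middlewares.rate-limit.rateLimit]
  average = 100
  burst = 50

[http.middlewares.secure-headers.headers]
  stsSeconds = 63072000
  contentTypeNosniff = true
  browserXssFilter = true
```

Every name after the `@file` suffix in a label must exist in a file the file provider loads, so a router that references `chain-no-auth@file` without this definition is left without a working configuration; the same applies to the serversTransport name on the service.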

shubu000 avatar shubu000 commented on June 6, 2024

Excellent, thanks for that example.

I'll try it out and let you know, let's see if it fixes my bad gateway issue

from headscale-ui.
