ChristianLempa / videos

This is my video documentation. Here you'll find code-snippets, technical documentation, templates, command reference, and whatever is needed for all my YouTube Videos.
MIT License

NGINX Reverse Proxy Config for Teleport Docker container #23

Closed mighty-services closed 1 year ago

mighty-services commented 2 years ago

Dear Christian,

thanks a lot for your tutorials on this topic! Great to see others being enthusiastic about Teleport :)

I also have a homelab running on Proxmox and an NGINX reverse proxy with several services running on it, so I simply can't use port 443 by default like you described. I'd like to pass it through the reverse proxy but can't get it to work. I always get the error

WARN [MX:PROXY:] "\nERROR REPORT:\nOriginal Error: *trace.BadParameterError multiplexer failed to detect connection protocol

Based on this post, I've edited the teleport.yml file to this:

```yaml
#version: v2
teleport:
  nodename: teleport
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
#  proxy_listener_mode: multiplex
  cluster_name: teleport.example.com
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.example.com:443
  https_keypairs: []
#  acme:
#    enabled: yes
#    email: <Email>
```

In the reverse proxy I forwarded "teleport.example.com" with the HTTPS protocol to my host IP on port 443.

Can you explain how to configure the reverse proxy, or how to use Teleport on another port?

mark33sv commented 1 year ago

I have the same problem with MAILCOW, only when I run the command: sudo docker-compose up -d

Error: Error response from daemon: driver failed programming external connectivity on endpoint mailcowdockecow-1 (nxnxnnxnxxnxnnxnnxnxnxnnxnxnnxnxnxnnxnxnnxnxnxnnxnnxnxnx): Error starting userland pr 0.0.0.0:443: bind: address already in use

It's not a problem if I change the port in mailcow.conf:

For technical reasons, http bindings are a bit different from other service bindings. You will find the following variables, separated by a bind address and its port: Example: HTTP_BIND=1.2.3.4

HTTP_PORT=80
HTTP_BIND=
HTTPS_PORT=443 (for --> 8443 ?)
HTTPS_BIND=

Or how do I apply a reverse proxy? In fact, I use digitalocean.com; they use ports 80 and 443 to resolve names / the HTTPS secure site ...

ChristianLempa commented 1 year ago

Sorry for the late response, as @mark33sv already mentioned, you need to change the port. Can you tell me whether this is still an issue, or if you need anything else?

mighty-services commented 1 year ago

Hi Christian,

I tried that, but the problem is not the port forwarding itself for this container - I'm sorry for not pointing that out clearly. I already run many containers through my nginx reverse proxy and they are working, but Teleport (just like Nextcloud AIO) is different, since it recommends managing the certificate with Let's Encrypt itself and not via the reverse proxy.

mighty-services commented 1 year ago

I found other discussions (https://github.com/gravitational/teleport/discussions/7857) that say it's not possible, but you mentioned it in one of your video tutorials using a load balancer. They both have the same "issue" regarding the SSL handling by themselves. You mentioned it in one of your videos and managed to get a cluster running. But when I try to add a Linux server, it says it can't connect since the certificate on the cluster differs from the URL. It's probably because the cluster still uses its own self-signed certificate, since it cannot do the HTTP/HTTPS challenge by itself. Just like this guy posted. The only workaround I see right now is to obtain a certificate on the reverse proxy for the specific Teleport URL and copy it over to the machine where I run the Teleport cluster. This I have to do every time the certificate changes.

mighty-services commented 1 year ago

Honestly, that was too complicated in my view, so by now I have bought a Raspberry Pi and set up a Teleport instance at another site, where only Teleport is running.

But I would be happy if someone could jump in and help me with this :)

ChristianLempa commented 1 year ago

I think at some point I need to make another video about Teleport set-up on Kubernetes with Traefik. That would probably solve some of your questions, as it requires Traefik to add additional entry points with TLS pass-through. Let me schedule that for next year, I might reach out to Teleport if they'd like to support another dedicated self-hosted tutorial :) For now, I would advise setting it up without a reverse proxy, and just use different ports and the ACME service integrated in Teleport.
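The same TLS pass-through idea works with nginx, which is what the original question asked about. The following is an added example, not configuration from the ChristianLempa/videos repository or from Teleport; it assumes nginx was built with the stream module and ssl_preread support, that the Teleport container publishes its web listener on host port 3080 (i.e. `web_listen_addr: 0.0.0.0:3080` with `public_addr: teleport.example.com:443` and `acme.enabled: yes`), and that the existing nginx virtual hosts are moved from port 443 to 127.0.0.1:8443. Port 443 is then owned by the stream block, which routes by the TLS SNI name without decrypting anything, so Teleport keeps terminating TLS and can answer its own ACME challenge. Both snippets are top-level nginx.conf contexts, not `sites-enabled` fragments.

```nginx
# Added example (not from the repository): SNI-based TLS pass-through for Teleport.
# Assumed: Teleport on 127.0.0.1:3080, nginx's own TLS sites moved to 127.0.0.1:8443.

stream {
    # Pick a backend from the ClientHello server name; nothing is decrypted here.
    map $ssl_preread_server_name $tls_backend {
        teleport.example.com   127.0.0.1:3080;   # untouched TLS to Teleport
        default                127.0.0.1:8443;   # everything else: nginx terminates TLS
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # read the SNI, do not terminate TLS
        proxy_pass $tls_backend;
    }
}

http {
    # Existing sites keep their nginx-managed certificates, now on the internal port.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name service1.example.com;
        ssl_certificate     /etc/nginx/certs/service1.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/certs/service1.key;
        location / {
            proxy_pass http://127.0.0.1:8080;                 # placeholder upstream
        }
    }
}
```

Two caveats: the `http` servers now see every connection arriving from 127.0.0.1, so client IPs in their logs are lost unless the stream server sends `proxy_protocol on;` and the `http` listener is configured to accept it; and the pass-through only helps because Teleport terminates TLS itself, so `https_keypairs` stays empty and no certificate needs to be copied from the proxy. To verify after reloading, `openssl s_client -connect teleport.example.com:443 -servername teleport.example.com` should print the certificate issued to Teleport, not the one nginx serves for the other sites, which is exactly the mismatch the earlier comment describes.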

mighty-services commented 1 year ago

Thanks a lot Christian. I'm looking forward to the video :)
