Freekers / ansible-adguard

Ansible playbook to set up AdGuard Home with Unbound, including DoH, DoT & Let's Encrypt, based on Docker
GNU Affero General Public License v3.0

a short summary #11

Open rowie opened 1 year ago

rowie commented 1 year ago

After some small hints like:

    ansibleUserName ALL=(ALL) NOPASSWD:ALL

it is now finally running ... halfway

... unfortunately some things still do not work, and slowly I begin to despair.

What is not working:

I can't understand why Traefik in this project is not working like a normal reverse proxy with X-Forwarded-For enabled. AdGuard needs the real IP for blocking unwanted clients.

br, rowie

rowie commented 1 year ago

got it!!!!!

add this to traefik.yml to forward the real client IP via X-Forwarded-For:

```yaml
websecure:
  address: ":443"
  proxyProtocol:
    insecure: true
  forwardedHeaders:
    trustedIPs:
```

source: https://community.traefik.io/t/use-x-forwarded-in-traefik-v2/5206/4
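For comparison, the same entrypoint with the setting that the `insecure: true` shortcut above replaces. This is an added example, not code from the thread or from the ansible-adguard project; the `entryPoints` nesting is the Traefik v2 static-configuration layout, and the upstream address `10.0.0.5/32` is an assumed placeholder for whatever load balancer or proxy sits in front of Traefik:

```yaml
# Added example (not the project's config). Traefik v2 static configuration.
entryPoints:
  websecure:
    address: ":443"

    # WEAK: accept PROXY-protocol headers and X-Forwarded-* headers from anyone.
    # Any TCP client can then prepend a PROXY header, and any HTTP client can
    # send its own X-Forwarded-For, so the "real" client IP that AdGuard uses
    # for per-client blocking can be chosen by the client itself.
    #
    # proxyProtocol:
    #   insecure: true
    # forwardedHeaders:
    #   insecure: true

    # HARDENED: only trust those headers when the TCP peer is the upstream proxy.
    # 10.0.0.5/32 is an assumed address; list only the hops that really sit in
    # front of Traefik. From any other source the headers are ignored/overwritten.
    proxyProtocol:
      trustedIPs:
        - "10.0.0.5/32"
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.5/32"
```

`proxyProtocol` only matters if the upstream actually speaks the PROXY protocol; `forwardedHeaders` is the one that governs `X-Forwarded-For`. If Traefik is itself the edge with no proxy in front of it, neither block is needed: Traefik fills in `X-Forwarded-For` from the TCP peer address on its own, and an `insecure: true` setting there only opens the header to spoofing.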

rowie commented 1 year ago

but only for DoH ... because DoT is shown as simple DNS in AdGuard ...

rowie commented 1 year ago

Next little win!

The only problem on my list is that I see the proxy IP when using DoT. When this is working, I need a wildcard cert to see the client with a "name" like myandroid.adguard.tld

bruvv commented 1 year ago

The Traefik dashboard can only be accessed with https://url/dashboard/. It is very picky and you need the trailing /!

And regarding the stuff you changed, can you either do a PR, or show me where to edit the stuff needed?

rowie commented 1 year ago

ok, let me explain:

all my changes are done in the /srv/docker dir!

... and all the other things are in these two tickets.

Don't know what's the best and easiest way to help, because I am not a dev! First of all I will attach my compose file ...

rowie commented 1 year ago

I was playing around with docker-socket-proxy, but it's not a real security booster ... because you would need more than one proxy with different permissions per container ...

What I will change is the Traefik wildcard cert thing in combination with nsone.net

rowie commented 1 year ago

The Traefik dashboard can only be accessed with https://url/dashboard/. It is very picky and you need the trailing /!

Doesn't work for me. Don't know why ... I have tested it with the / at the end, but nothing happens.

And regarding the stuff you changed, can you either do a PR, or show me where to edit the stuff needed?

I have to figure out how I can do this, because I am not a dev, only a security guy/admin with much time to play around! ;-)

rowie commented 1 year ago

Maybe I will only apply this to the public-facing Traefik container ... https://chriswiegman.com/2019/11/protecting-your-docker-socket-with-traefik-2/

AdGuard has no connection to the Docker socket.
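The socket-proxy layout discussed in the two comments above (one proxy, scoped to what the public-facing Traefik container needs, and AdGuard never touching the socket), as an added example that is not part of this thread or of the ansible-adguard project's compose file. It assumes the `tecnativa/docker-socket-proxy` image with its `CONTAINERS`/`POST`-style allow-list environment variables, and a Traefik v2 image tag (`traefik:v2.10`) chosen here only for illustration:

```yaml
# Added example (not the project's docker-compose.yml).
# Only the socket proxy mounts /var/run/docker.sock; Traefik talks to it over an
# internal network and gets read-only access to container metadata, nothing else.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumed image
    environment:
      CONTAINERS: 1   # GET /containers/* : needed for label-based discovery
      # All other API sections (POST, EXEC, IMAGES, VOLUMES, NETWORKS, SERVICES,
      # SWARM, ...) stay at the image's default of 0, i.e. denied.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy
    restart: unless-stopped

  traefik:
    image: traefik:v2.10   # assumed tag
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    networks:
      - socket-proxy   # reach the proxy, but not the raw socket
      - web
    # NOTE: no /var/run/docker.sock volume on this container.
    restart: unless-stopped

  adguard:
    image: adguard/adguardhome   # assumed image
    networks:
      - web            # only reachable through Traefik; no socket, no socket-proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.adguard.rule=Host(`adguard.example.com`)   # assumed host
      - traefik.http.routers.adguard.entrypoints=websecure
      - traefik.http.services.adguard.loadbalancer.server.port=3000
    restart: unless-stopped

networks:
  socket-proxy:
    internal: true   # no route to the outside; only Traefik and the proxy are on it
  web:
```

The point of the `internal: true` network and the `CONTAINERS: 1`-only allow-list is that a compromise of the public-facing Traefik container yields read access to container metadata rather than a writable Docker socket, which is equivalent to root on the host. If a second service ever needs socket access with different permissions, it gets its own proxy instance with its own allow-list rather than a broader one shared with Traefik.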

rowie commented 1 year ago

Since my server is supposed to be publicly accessible, I want to make it as secure as possible. I looked at some tutorials regarding Traefik and CrowdSec. How did you come up with this Traefik config?

bruvv commented 1 year ago

Hi, sorry Ronald for the slow reply. Did you manage to get it working? The Traefik config was made by myself using the Traefik docs.