Open rowie opened 1 year ago
got it!!!!!
add this to traefik.yml for x-forwarding the real client IP:
```yaml
entryPoints:
  websecure:
    address: ":443"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      trustedIPs:
        # list of proxy IPs that are allowed to set X-Forwarded-* headers
```
source: https://community.traefik.io/t/use-x-forwarded-in-traefik-v2/5206/4
but only for DoH ... cause DoT is shown as simple DNS in Adguard ...
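As an added illustration (not from this thread or the project), here is the same websecure entrypoint in Traefik's static configuration with the permissive setting from the post beside a restricted one; the entrypoint keys are Traefik v2's own, the IP ranges are placeholders from RFC 5737 documentation space, and the `dot` entrypoint name is assumed:

```yaml
# Added example: Traefik v2 static config (traefik.yml), entryPoints section.
# Key names are Traefik's; all IP values are placeholders.
entryPoints:
  websecure:
    address: ":443"
    proxyProtocol:
      # Weak: "insecure: true" accepts a PROXY protocol header from any
      # source, so any peer that can reach :443 can set the client address.
      # insecure: true
      # Restricted: only the upstream proxy/load balancer may send the
      # PROXY header; headers from other sources are not used.
      trustedIPs:
        - "203.0.113.10/32"   # placeholder: upstream proxy address
    forwardedHeaders:
      # Weak: "insecure: true" trusts X-Forwarded-For from every client,
      # which is the value AdGuard then uses for client-based blocking.
      # insecure: true
      # Restricted: keep the header only when it arrives from a trusted hop,
      # otherwise Traefik rewrites it with the real peer address.
      trustedIPs:
        - "203.0.113.10/32"   # placeholder: upstream proxy address
        - "172.16.0.0/12"     # placeholder: Docker network range
  # DoT on 853 is a plain TCP entrypoint with TLS passthrough: there is no
  # HTTP header to forward, which is why the setting above helps DoH only.
  dot:
    address: ":853"
```

Check with `docker logs` on the Traefik container after a DoH query: the access log should show the client address rather than the proxy's.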
Next little win!
i am able to connect to the Traefik Dashboard after removing the
"&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
from the
"traefik.http.routers.traefikdashboard.rule=Host(`traefik.{{hostname}}`)"
Label
i expose 53/tcp and 53/udp directly to adguard to see the client's real IP when doing a normal DNS query
The only problem on my list is that i see the proxy IP when using DoT. When this is working i need a wildcard cert to see the client with a "name" like myandroid.adguard.tld
traefik dashboard can only be accessed with: https://url/dashboard/ it is very picky and you need the last /!
And regarding the stuff you changed, can you either do a PR? or show me where to edit the stuff needed?
ok, let me explain:
all my changes are done in the /srv/docker dir!
... and all the other things are in these two tickets.
Don't know what's the best and easiest way to help cause i am not a dev! First of all i will attach my compose file ...
i was playing around with docker-socket-proxy, but it's not a real security booster ... cause you would need more than one proxy with different permissions/container ...
What i will change is the traefik wildcard cert thing in combination with nsone.net
traefik dashboard can only be accessed with: https://url/dashboard/ it is very picky and you need the last /!
Doesn't work for me. Don't know why .. i have tested it with the / at the end but nothing happens
And regarding the stuff you changed, can you either do a PR? or show me where to edit the stuff needed?
i have to figure out how i can do this cause i am not a dev. only a security guy/admin with much time to play around! ;-)
maybe i will only apply this to the public facing traefik container ... https://chriswiegman.com/2019/11/protecting-your-docker-socket-with-traefik-2/
adguard has no connection to the docker socket
since my server is supposed to be publicly accessible i want to make it as secure as possible. I looked at some tutorials regarding traefik and crowdsec. how did you come up with this traefik config?
Hi, sorry Ronald for the slow reply, did you manage to get it working? The Traefik config is made by myself using the traefik docs.
After some small hints like:
ansibleUserName ALL=(ALL) NOPASSWD:ALL
it is now finally running ... halfway
... unfortunately some things still do not work and slowly, I begin to despair.
What is not working:
I can't understand why (traefik) in this project is not working like a normal reverse proxy with x-forwarded-for enabled. Adguard needs the real IP for blocking unwanted clients.
br, rowie