Open P8ntBal1551 opened 1 year ago
You should be able to add a router to your config.yml file for traefik and a service that points to wyl
Here's my config if it helps:
http:
  routers:
    watchyourlan:
      entryPoints:
        - "https"
      rule: "Host(`watchyourlan.local.myurl.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: watchyourlan
  services:
    watchyourlan:
      loadBalancer:
        servers:
          # WYL is not on the traefik bridge network, so point at the host IP and GUI port
          - url: "http://ip.address.of.wyl:8840"
        passHostHeader: true
  middlewares:
    default-headers:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
I'm in no way an expert here and figured this all out watching YouTube (credit to https://www.youtube.com/@TechnoTim) and copying and pasting stuff from other people but this is working for me. You should be able to use this to point to anything that's not in your traefik bridge network.
Hope this helps!
I am using one instance with NPM (Nginx Proxy Manager) and another instance with Cloudflared Tunnel.
No changes on the WatchYourLAN instance, just point to the docker host and its GUI port and it should work fine.
Here is my docker-compose with Traefik:
version: "3"
services:
  lan2:
    image: aceberg/node-bootstrap
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.lan2.tls.certresolver=myresolver
      - traefik.http.routers.lan2.tls=true
      - traefik.http.routers.lan2.rule=Host(`lan2.example.com`)
  lan:
    image: aceberg/watchyourlan
    network_mode: "host"
    restart: unless-stopped
    # -n points WYL at the node-bootstrap container above, proxied by Traefik
    command: "-n https://lan2.example.com"
    depends_on:
      - lan2
    labels:
      - traefik.enable=true
      - traefik.http.routers.lan.tls.certresolver=myresolver
      - traefik.http.routers.lan.tls=true
      - traefik.http.routers.lan.rule=Host(`lan.example.com`)
      - traefik.http.services.lan.loadbalancer.server.port=8840
    environment:
      GUIPORT: "8840" # optional, default: 8840
      TZ: America/New_York # required: needs your TZ for correct time
      IFACE: "ovs_eth1" # required: 1 or more interface
      #GUIIP: "0.0.0.0" # optional, default: localhost
      TIMEOUT: "300" # optional, time in seconds, default: 60
      SHOUTRRR_URL: "" # optional, set url to notify
      THEME: "darkly" # optional
      IGNOREIP: "no" # optional
      AUTH: "true" # quoted: compose only accepts strings, numbers or null as environment values
      AUTH_USER: "*****"
      AUTH_PASSWORD: "$$2y*****"
      # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
      # To create user:password pair, it's possible to use this command:
      # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
    volumes:
      - ./data:/data
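The comment in the compose file above about doubling the dollar signs in the bcrypt hash is easy to get wrong, so here is an added example (not code from this thread or from WatchYourLAN) that models what Compose does to a value in docker-compose.yml before it reaches the container. `compose_interpolate` is a simplified model of Compose's variable substitution (`$NAME`, `${NAME}` and the `$$` escape) written for this illustration, and `SAMPLE_HASH` is a constructed string in the shape `htpasswd -nB` prints, not a real credential.

```python
# Added example (not part of this thread or of WatchYourLAN): why every "$" in
# the bcrypt hash for AUTH_PASSWORD has to be doubled in docker-compose.yml.
# compose_interpolate() is a simplified model of Compose's variable substitution
# ("$NAME", "${NAME}" and the "$$" escape) written for this illustration.
import re
from typing import Optional

# Compose interpolation forms: "$$", "$NAME", "${NAME}"; any other "$" is invalid.
_INTERP = re.compile(
    r"\$(?:(?P<escaped>\$)"
    r"|(?P<named>[_A-Za-z][_A-Za-z0-9]*)"
    r"|\{(?P<braced>[_A-Za-z][_A-Za-z0-9]*)\}"
    r"|(?P<invalid>))"
)


def escape_for_compose(value: str) -> str:
    """Double every '$' so Compose hands the literal value to the container
    (the same transformation as the sed command in the compose comment above)."""
    return value.replace("$", "$$")


def compose_interpolate(value: str, env: dict) -> str:
    """Model of what Compose does to a value before it reaches the container:
    '$$' -> '$'; '$NAME' / '${NAME}' -> env value (empty when unset);
    any other '$' raises, as Compose rejects an invalid interpolation format."""
    def replace(m):
        if m.group("escaped") is not None:
            return "$"
        name = m.group("named") or m.group("braced")
        if name is not None:
            return env.get(name, "")
        raise ValueError(f"invalid interpolation format at offset {m.start()}: {value!r}")
    return _INTERP.sub(replace, value)


def interpolation_error(value: str, env: Optional[dict] = None) -> Optional[str]:
    """Return the error Compose would raise for this value, or None if it is accepted."""
    try:
        compose_interpolate(value, env or {})
    except ValueError as exc:
        return str(exc)
    return None


def survives_compose(value: str, env: Optional[dict] = None) -> bool:
    """True when the value, after escaping, comes out of Compose byte-for-byte intact."""
    return compose_interpolate(escape_for_compose(value), env or {}) == value


# Constructed sample in the shape htpasswd -nB prints (not a real credential).
SAMPLE_HASH = "$2y$05$CONSTRUCTEDsaltsaltsalt.CONSTRUCTEDhashhashhashhashhashha"

if __name__ == "__main__":
    print("raw hash     :", interpolation_error(SAMPLE_HASH))
    print("escaped hash :", escape_for_compose(SAMPLE_HASH))
    print("round trip ok:", survives_compose(SAMPLE_HASH))
```

Two failure modes are worth knowing: a `$` followed by a digit (as in `$2y`) is rejected outright, while a `$` followed by letters (which happens inside the salt and hash part) is silently treated as a variable reference and replaced with an empty string, so the login simply stops working with no error. Doubling every `$` avoids both.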
Good morning! I am trying to get mine to run behind Nginx (not using NPM), and I am having issues figuring out what settings I need. The redirect works, and the page loads, but the GUI is very basic - no styling. Any suggestions on what I am missing with my nginx settings?
Location entry below:
add_header X-Served-By $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass $forward_scheme://$server:$port$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
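The location block above forwards `X-Forwarded-For` via `$proxy_add_x_forwarded_for` and `X-Real-IP` via `$remote_addr`. As an added example (not code from this thread, from nginx or from WatchYourLAN), the following models what that header chain looks like to the backend and how a backend should pick the client address from it. `proxy_add_x_forwarded_for` is a model of the nginx variable; the trusted-proxy walk in `client_ip` is a generic technique, not something the thread describes; all addresses are constructed from documentation ranges.

```python
# Added example (not part of this thread, of nginx or of WatchYourLAN): how the
# X-Forwarded-For chain built by nginx's $proxy_add_x_forwarded_for looks to the
# backend, and how a backend should pick the client address from it.
import ipaddress
from typing import Iterable, List, Optional


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Model of nginx's $proxy_add_x_forwarded_for: the incoming header value
    with the connecting address appended, or just the address if none came in."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def _hops(xff: Optional[str]) -> List[str]:
    return [h.strip() for h in xff.split(",") if h.strip()] if xff else []


def naive_client_ip(xff: Optional[str], remote_addr: str) -> str:
    """The common mistake: take the leftmost X-Forwarded-For entry, which is
    whatever the client itself put in the header."""
    hops = _hops(xff)
    return hops[0] if hops else remote_addr


def client_ip(xff: Optional[str], remote_addr: str, trusted_proxies: Iterable[str]) -> str:
    """Walk the chain from the right (the socket peer), skipping addresses that
    belong to a trusted proxy; the first untrusted address is the client.
    Anything the client wrote into its own header sits further left and is
    never reached."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # garbage in the header is not a proxy we trust
        return any(ip in n for n in nets)

    chain = _hops(xff) + [remote_addr]
    for addr in reversed(chain):
        if not trusted(addr):
            return addr
    return chain[0]  # every hop trusted: the request originated inside the proxy tier


# Constructed scenario (documentation address ranges, no real hosts): a client at
# 203.0.113.7 sends its own X-Forwarded-For value to the reverse proxy at
# 192.0.2.10, which forwards the request to the WatchYourLAN backend.
CLIENT = "203.0.113.7"
CLIENT_SUPPLIED_XFF = "10.0.0.1"
PROXY = "192.0.2.10"
TRUSTED = ["192.0.2.10/32"]


def demo() -> dict:
    xff_at_backend = proxy_add_x_forwarded_for(CLIENT_SUPPLIED_XFF, CLIENT)
    return {
        "header_seen_by_backend": xff_at_backend,   # "10.0.0.1, 203.0.113.7"
        "naive": naive_client_ip(xff_at_backend, PROXY),
        "trusted_walk": client_ip(xff_at_backend, PROXY, TRUSTED),
        # backend reached directly on IP:PORT, bypassing the proxy entirely
        "direct_hit": client_ip(CLIENT_SUPPLIED_XFF, CLIENT, TRUSTED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The point for anyone using these headers for logging or IP-based rules: `X-Real-IP` as set above is always the address nginx saw, so it is reliable as long as nginx is the only path to the backend; `X-Forwarded-For` is only trustworthy for the hops appended by proxies you control.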
I have this same issue using SWAG. There seems to be something missing to make it work as connecting via the IP:PORT.
[screenshot: Behind HTTPS on SWAG]
[screenshot: Directly HTTP with IP:PORT]
I did try to use this on cloudflare proxy service and it ran out of the box with cloudflared service. The only issue is I would not want to keep a public facing domain/subdomain url directly to show all devices and mac address publicly. I was looking for any web authentication stuff but could not find it in the documentation. My setup is in a docker container. So I removed my public domain because of that.
You can run it behind a reverse proxy that only works locally on your LAN/VPN. You'll need a DNS server you can use rewrite rules with, like AdGuardHome or pi-hole.
I use a SWAG and an NGINX with proxy-configs docker mod (both linuxserver) in a single 'docker compose' stack. One I call swag and the other swag-local. The swag is the reverse proxy for internet-facing things and swag-local is the reverse proxy for local/VPN access.
There is a lot of access in the swag-local and very little on the internet-facing swag.
It means that some proxy-configs are maintained in both reverse proxies but local access (with TLS certificates) works locally even without an internet connection.
Just an idea 😁
I think that is way over my paygrade (pun intended). Just to be clear, I already can access it remotely via domain name and reverse proxy; I just did not like the idea of having no auth for public facing urls. I mean to say I am not sure what and how to achieve what you are saying, although I do understand it partially up to a certain level of understanding (my rookie understanding). For now, using it only locally I am fine with ip access. I would still not use it to access on remote without any authentication because not all clients (the system from where I am accessing my instance) would be in my control. My workaround as of now is a vpn proxy that I keep to my cellular device and access my homelab system via the vpn. Heads up, I am new to the WatchYourLAN party 😉 So still messing around and figuring stuff out as per my options. Like trying to integrate a notification to a telegram bot or something like an ntfy server.
Indeed, no problem.
In that case, to keep it simple you could set up authelia. SWAG has configurations set for using authelia as an authentication portal before getting to your application. It's very useful but will also take some time to set up.
Here's my current setup for the 4 containers I use as an "application gateway". You could remove the two reverse proxies, cloudflared and just use authelia with your setup. If you use docker run, there are converters online to convert this setup to that.
networks:
  default:
    name: linuxserver
    external: true
services:
  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN=$CF_TUNNEL_TOKEN
  authelia:
    healthcheck:
      disable: true
    restart: unless-stopped
    container_name: authelia
    environment:
      - PUID=99
      - PGID=100
      - TZ=$TZ
    image: authelia/authelia:latest
    ports:
      - 9092:9091
    volumes:
      - ./data-authelia:/config
  swag:
    restart: unless-stopped
    container_name: swag
    environment:
      - TZ=$TZ
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - PROPAGATION=30
      - EMAIL=$SWAG_EMAIL
      - ONLY_SUBDOMAINS=false
      - PUID=99
      - PGID=100
      - URL=$SWAG_URL
      - EXTRA_DOMAINS=
      - STAGING=false
      - UMASK=000
      - SUBDOMAINS=wildcard
      - CERTPROVIDER=
      - MAXMINDDB_LICENSE_KEY=$MAXMIND
      - DOCKER_MODS=linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-cloudflare-real-ip|linuxserver/mods:swag-maxmind
      - DHLEVEL=2048
      - MAXMINDDB_USER_ID=$MAXMINDDB_USER_ID
    image: lscr.io/linuxserver/swag:latest
    ports:
      - 446:443
      - 82:80
    volumes:
      - ./data-swag:/config
  swag-local:
    restart: unless-stopped
    container_name: swag-local
    depends_on:
      - swag
    environment:
      - UMASK=000
      - TZ=$TZ
      - DOCKER_MODS=linuxserver/mods:swag-auto-reload|linuxserver/mods:nginx-proxy-confs
      - PUID=99
      - PGID=100
    ports:
      - 443:443
      - 80:80
    image: lscr.io/linuxserver/nginx:latest
    volumes:
      - ./data-swag-local:/config
      - ./data-swag/:/swag-ssl # this is to mount the TLS certificate setup by the internet-facing SWAG container to use it also in the local-only NGINX container for local/VPN use
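The worry raised a few comments up is a WatchYourLAN hostname reachable from the internet with no login in front of it, and the reply above answers it with an authentication portal (authelia) in front of the proxy. For the Traefik-label style of setup shown earlier in the thread, the check a practitioner would want is a quick lint that lists routers with no authentication middleware in their chain. The following is an added example, not code from this thread, from Traefik or from WatchYourLAN: it parses label strings of the `traefik.http.routers.*` / `traefik.http.middlewares.*` form and flags routers whose middleware chain contains none of Traefik's `basicAuth`, `digestAuth` or `forwardAuth` middlewares. `SAMPLE_LABELS` reuses the `lan` router labels from the compose file above and adds a hypothetical `lan-auth` router whose `forwardAuth` address is a placeholder, not a real endpoint.

```python
# Added example (not part of this thread, of Traefik or of WatchYourLAN): a small
# lint over Traefik Docker-provider labels that reports routers whose middleware
# chain contains no authentication middleware. Only the
# traefik.http.{routers,middlewares}.* label keys are parsed.
import re
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Traefik middleware types that authenticate the request before it reaches the service.
AUTH_MIDDLEWARE_TYPES = {"basicauth", "digestauth", "forwardauth"}

_LABEL = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.=]+)\.([^=]+)=(.*)$")


def parse_labels(labels: Iterable[str]) -> Tuple[Dict[str, Dict[str, str]], Dict[str, Set[str]]]:
    """Group label strings into routers {name: {option: value}} and middlewares
    {name: {middleware types declared}}. Option keys are case-insensitive in Traefik."""
    routers: Dict[str, Dict[str, str]] = {}
    middlewares: Dict[str, Set[str]] = {}
    for label in labels:
        m = _LABEL.match(label.strip())
        if not m:
            continue  # traefik.enable, services.*, and non-traefik labels
        kind, name, option, value = m.groups()
        if kind == "routers":
            routers.setdefault(name, {})[option.lower()] = value
        else:
            middlewares.setdefault(name, set()).add(option.split(".")[0].lower())
    return routers, middlewares


def unauthenticated_routers(labels: Iterable[str],
                            external_auth: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of routers with no auth middleware in their chain.
    external_auth: middleware names defined outside these labels (for example
    'authelia@file' from a file provider) that the caller vouches for as auth."""
    routers, middlewares = parse_labels(labels)
    flagged = []
    for name, cfg in sorted(routers.items()):
        chain = [m.strip() for m in cfg.get("middlewares", "").split(",") if m.strip()]
        authenticated = False
        for mw in chain:
            base = mw.split("@", 1)[0]  # strip a provider suffix such as @docker / @file
            if mw in external_auth or base in external_auth:
                authenticated = True
            elif middlewares.get(base, set()) & AUTH_MIDDLEWARE_TYPES:
                authenticated = True
        if not authenticated:
            flagged.append(name)
    return flagged


# Constructed sample: the "lan" router labels from the compose file earlier in the
# thread, plus a hypothetical "lan-auth" router behind a forwardAuth middleware.
# The forwardAuth address is a placeholder, not a real endpoint.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.lan.tls.certresolver=myresolver",
    "traefik.http.routers.lan.tls=true",
    "traefik.http.routers.lan.rule=Host(`lan.example.com`)",
    "traefik.http.services.lan.loadbalancer.server.port=8840",
    "traefik.http.routers.lan-auth.rule=Host(`lan-auth.example.com`)",
    "traefik.http.routers.lan-auth.middlewares=sso@docker",
    "traefik.http.middlewares.sso.forwardauth.address=http://auth-portal.placeholder:9091/verify",
    "traefik.http.middlewares.sso.forwardauth.trustForwardHeader=true",
]

if __name__ == "__main__":
    print("routers without auth:", unauthenticated_routers(SAMPLE_LABELS))
```

A header-only middleware such as the `default-headers` one at the top of the thread does not count as authentication, so a router that carries only that is still flagged; pass the names of middlewares defined in a file provider through `external_auth` if that is where your auth lives.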
Oh yeah I forgot about authelia. Thank you and also thanks for the compose file . That does help. I will go back and try this.
Hi,
I don't know if this is possible, but does anyone know if I'm able to use WYL with reverse proxy running in docker? I understand that I need to attach this to the host network to use it, and doing so will prevent Traefik from being able to pick it up on the bridge network. Is there any way that anyone knows that I can eat my cake and have it too?
Thank you