linuxserver / docker-snipe-it

Alpine/Nginx container for the Asset Management software Snipe-IT
GNU General Public License v3.0

Traefik configuration for Snipe-IT #26

Closed SonGokussj4 closed 2 years ago

SonGokussj4 commented 2 years ago

Desired Behavior

A config example of Traefik labels, or documentation of what else to change, for the Traefik reverse proxy to work.

Current Behavior

I have tried almost every combination and can't make it work with traefik. Instead of myserver:3051 I want snipeit.mydomain.com, but I'm getting either 404 or Gateway errors.

github-actions[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

ADobin commented 2 years ago

I've managed to get this working after digging into how this container is working and how snipe-it handles validation. I'm not sure if this also breaks things for when it's not running behind traefik, I'll do some more research and consider a pull request with documentation updates if it makes sense.

Problem - APP_URL env variable needs to be set

APP_URL is used by snipe-it to build out a bunch of different links. I set this value in my docker-compose to be the same URL that I configured for traefik. This also fixes #25.

    environment:
      - NGINX_APP_URL=snipeit.example.com
      - APP_URL=https://snipeit.example.com

Problem - Content is served over HTTP instead of HTTPS

There are multiple reports of this issue that are duped to https://github.com/snipe/snipe-it/issues/9179. What I found is that the snipe-it documentation for Reverse Proxies says to add an environment variable for APP_TRUSTED_PROXIES. This doesn't seem to work if you set it from within the environment section in docker-compose.yml. If you instead create an env file with this value, then things will work.

snipeit.env:

    APP_TRUSTED_PROXIES=**

I'm sure there is a good reason for why this doesn't work but I haven't dug any further.

Problem - /setup claims you are serving from an invalid location

Once you get everything running, the setup will still claim to have invalid values for APP_URL, like in the error below:

Uh oh! Snipe-IT thinks your URL is https://snipeit.example.com, but your real URL is http://snipeit.example.com/setup Please update your APP_URL settings in your .env file

Looking at the Snipe-IT code, I think this is a bug with their setup code on how they do the validation of APP_URL. They determine what URL is currently being used in SettingsController.php, but are using the raw $_SERVER values instead of seeing if any proxy headers exist. I could also be totally wrong on how these values are supposed to flow through, I am a little out of my area of expertise with this. Luckily, this only seems to impact this one step, and I modified /config/nginx/site-confs/default to set the values they were expecting. I'm not even sure if that is necessary or if the setup will let you finish without doing that.
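The behaviour described in the comment above, as an added example that is not part of the thread and is not Snipe-IT's or Laravel's code: a simplified model of how an app behind a TLS-terminating proxy derives its own URL, and why the /setup check reports `http://` until the proxy is trusted. The addresses, the function names and the assumption that the trusted-proxy value may be a comma-separated list of IPs or CIDR ranges are illustrative.

```python
import ipaddress

# Constructed sample: what the container sees on the plain-HTTP hop from Traefik.
PROXY_IP = "172.18.0.2"            # hypothetical address on the "proxy" network
HEADERS = {
    "Host": "snipeit.example.com",
    "X-Forwarded-Proto": "https",   # set by the proxy that terminated TLS
    "X-Forwarded-Host": "snipeit.example.com",
}

def parse_trusted(value):
    """Parse an APP_TRUSTED_PROXIES-style value (model: wildcards, or IPs/CIDRs)."""
    value = (value or "").strip()
    if value in ("*", "**"):
        return "any"                # forwarded headers accepted from every peer
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def is_trusted(peer_ip, trusted):
    """True if the directly connected peer is allowed to set forwarded headers."""
    if trusted == "any":
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)

def perceived_url(peer_ip, headers, trusted, path="/setup"):
    """URL the app believes it is served at for this request."""
    scheme, host = "http", headers.get("Host", "")   # raw view of the last hop
    if is_trusted(peer_ip, trusted):                 # only then honour the proxy
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{path}"

def setup_check(app_url, peer_ip, headers, trusted):
    """Mimic the /setup comparison: does the perceived base URL equal APP_URL?"""
    seen = perceived_url(peer_ip, headers, trusted, path="")
    return seen.rstrip("/") == app_url.rstrip("/"), seen

if __name__ == "__main__":
    app_url = "https://snipeit.example.com"
    for label, value in [("unset", ""), ("wildcard", "**"), ("scoped", "172.18.0.0/16")]:
        print(label, setup_check(app_url, PROXY_IP, HEADERS, parse_trusted(value)))
    # A peer outside the scoped range: its forwarded headers are ignored.
    print("other peer", setup_check(app_url, "10.9.9.9", HEADERS, parse_trusted("172.18.0.0/16")))
```

In this model, scoping trust to the proxy network's subnet passes the check for proxied requests exactly as `**` does, while forwarded headers from any other peer are ignored.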

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

drizuid commented 2 years ago

We do not support or test traefik as we provide our own supported reverse proxy. closing this

bryanpedini commented 1 year ago

> We do not support or test traefik as we provide our own supported reverse proxy.

Cool, so because you have developed your own non-standard reverse proxy setup, it means that everything else does not exist hence why you don't even wiki it? I can relate to not supporting it, but not even considering?

I'm trying to setup a Snipe-IT instance using the official image and Træfik, searching on Google this issue is the top result for "snipe-it traefik", and the "solution" is a hard "no"?

Oookay, not gonna comment on that...

SonGokussj4 commented 1 year ago

Hi @bryanpedini , I'm running my Snipe-IT successfully now, forgot about this thread so this is my solution, feel free to ask for details:

snipeit/docker-compose.yml

    version: "3"

    services:

      snipeit:
        image: linuxserver/snipe-it:6.0.11
        container_name: snipeit_app
        restart: unless-stopped
        depends_on:
          - mysql
        volumes:
          - ./app_data:/config
        env_file: .env
        environment:
          - NGINX_APP_URL=snipeit.<myserver>.<mydomain>.cz
          - MYSQL_PORT_3306_TCP_ADDR=mysql
          - MYSQL_PORT_3306_TCP_PORT=3306
          - MYSQL_DATABASE=<snipe_db>
          - MYSQL_USER=<snipe_user>
          - MYSQL_PASSWORD=<password_mysql_user>
          - PGID=1000
          - PUID=1000
          - DOCKER_MODS=linuxserver/mods:universal-wait-for-internet|linuxserver/mods:universal-cron
          - API_THROTTLE_PER_MINUTE=600  # default 100
          - MAX_RESULTS=10000  # default 500
          - PHP_UPLOAD_LIMIT=50
        networks:
          - proxy
          - backend
        labels:
          - traefik.enable=true
          - traefik.docker.network=proxy
          - traefik.http.routers.snipeit-https.rule=Host(`snipeit.<myserver>.<mydomain>.cz`)
          - traefik.http.routers.snipeit-https.entrypoints=websecure
          - traefik.http.routers.snipeit-https.tls=true

      mysql:
        image: linuxserver/mariadb
        container_name: snipeit_db
        restart: always
        volumes:
          - ./db_data:/config
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Europe/London
          - MYSQL_ROOT_PASSWORD=<password_mysql_root>
          - MYSQL_USER=<snipe_user>
          - MYSQL_PASSWORD=<password_mysql_user>
          - MYSQL_DATABASE=<snipe_db>
        networks:
          - backend

    networks:
      proxy:
        external: true
      backend:
        external: false

snipeit/.env

    # Snipe-IT Settings
    APP_ENV=production
    APP_DEBUG=false
    APP_TIMEZONE=Europe/Prague
    APP_LOCALE=cs
    APP_URL=https://snipeit.<server>.<domain>.cz
    APP_KEY=base64:edLSOtxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkj/JcLI=  # from snipeit/app_data/SNIPE_IT_APP_KEY.txt

    # --------------------------------------------
    # REQUIRED: OUTGOING MAIL SERVER SETTINGS
    # --------------------------------------------
    MAIL_DRIVER=smtp
    MAIL_HOST=<our_email_host>
    MAIL_PORT=587
    MAIL_USERNAME=<mail_username>
    MAIL_PASSWORD=<mail_password>
    MAIL_ENCRYPTION=null
    MAIL_ENV_FROM_ADDR=<testaddress@<mydomain>.cz>
    MAIL_FROM_ADDR=<mail_from_username>@<mydomain>.cz
    MAIL_FROM_NAME='<name_from>'
    MAIL_REPLYTO_ADDR=
    MAIL_REPLYTO_NAME=
    MAIL_BACKUP_NOTIFICATION_ADDRESS=<alerts_for_admins>@<mydomain>.cz

    # --------------------------------------------
    # OPTIONAL: SECURITY HEADER SETTINGS
    # --------------------------------------------
    CORS_ALLOWED_ORIGINS=*

traefik/docker-compose.yml

    version: '3.7'

    services:

      traefik:
        image: traefik:v2.6.6
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - proxy
        ports:
          - "80:80"  # The HTTP port
          - "443:443"
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro  # So that Traefik can listen to the Docker events
          - /var/log/traefik:/var/log  # Logging
          - ./data/traefik.yml:/traefik.yml:ro  # Static configuration yml
          - ./data/dynamic_config:/etc/traefik/dynamic_config  # Dynamic configuration yml
          - ./data/certs:/etc/traefik/certs:ro  # Certificates folder
          - ./data/certs_keys:/etc/traefik/certs_keys:ro  # Certificates keys folder
        environment:
          - HOST_IP=${HOST_IP}
        labels:
          - traefik.enable=true
          - traefik.http.routers.traefik.rule=Host(`traefik.<myserver>.<mydomain>.cz`)
          - traefik.http.routers.traefik.entrypoints=websecure
          - traefik.http.routers.traefik.tls=true
          - traefik.http.routers.traefik.service=api@internal
          - traefik.http.routers.traefik.middlewares=traefik-auth
          - traefik.http.middlewares.traefik-auth.basicauth.users=admin:<hashedpassword>

    networks:
      proxy:
        external: true

traefik/traefik.yml

    # log default is ERROR, but WARN is more helpful
    log:
      level: INFO

    accessLog:
      filePath: /var/log/traefik-access.log

    # enable dashboard on 8080
    api:
      dashboard: true
      insecure: false

    ping: {}

    pilot:
      dashboard: false

    # listen on 80/443, and redirect all 80 to 443 via 301
    entryPoints:
      web:
        address: ":80"
        # comment out these lines if you don't want to redirect everything to https
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https
              permanent: true
      websecure:
        address: ":443"
        http:
          tls: {}

    providers:
      docker:
        endpoint: unix:///var/run/docker.sock
        exposedByDefault: false
        watch: true
      file:
        directory: /etc/traefik/dynamic_config
        watch: true

nemchik commented 1 year ago

> > We do not support or test traefik as we provide our own supported reverse proxy.
>
> Cool, so because you have developed your own non-standard reverse proxy setup, it means that everything else does not exist hence why you don't even wiki it? I can relate to not supporting it, but not even considering?
>
> I'm trying to setup a Snipe-IT instance using the official image and Træfik, searching on Google this issue is the top result for "snipe-it traefik", and the "solution" is a hard "no"?
>
> Oookay, not gonna comment on that...

This thread has been closed for almost a year.

> you have developed your own non-standard reverse proxy setup

We put together SWAG which is primarily made up of nginx and certbot (not things we developed) and shipped with configuration files we made to make things easy. There is nothing non-standard about the option we support, and we support it because we made it.

> it means that everything else does not exist

We are aware of other options, such as traefik, caddy, haproxy, etc. The fact that other options exist does not obligate us to learn how they work and offer support for them.

> hence why you don't even wiki it?

We document what we do, and how to use what we make. We don't make traefik. We don't have all the answers about how to make traefik work with every application under the sun.

It seems (based on there being mention of issues being reported to the devs of snipe-it) that there are issues with snipe-it (not specific to our docker image) that make it challenging to proxy snipe-it with some reverse proxy solutions. The development of snipe-it is entirely out of our hands.

Your comment was pretty rude, considering we do what we do for free and make it available for anyone to use and do what they want with. We don't tell people not to use traefik, just that we aren't the helpdesk/hotline for it.

bryanpedini commented 1 year ago

> Hi @bryanpedini , I'm running my Snipe-IT successfully now, forgot about this thread so this is my solution

Thank you for sharing @SonGokussj4, it might help others for sure. I, on the other end, ended up just searching a fair bit (more) online and finding about the nefarious APP_URL and APP_TRUSTED_PROXIES, which once set correctly made the Træfik setup work just fine: deployments/snipe-it.

bryanpedini commented 1 year ago

> This thread has been closed for almost a year.

Cool. Issues related to the topic of the thread seemed to be not tho, or at least not clearly documented without a lot of research to make it work.

> We are aware of other options, such as traefik, caddy, haproxy, etc. The fact that other options exist does not obligate us to learn how they work and offer support for them.

Sure, as stated before, I support the "not supporting it" thesis, but reject the mentality of not considering them:

> We do not support or test traefik as we provide our own supported reverse proxy. closing this

No "feel free to draft a PR to include it in the docs", no "sorry but since we provide our solution we do not wish to waste time doing the research, but feel free to document it on your own and report us your findings", just "F U, we do things our way, either that way or you're on your own, and we don't care about your setup so that others trying to replicate will just see "closing this" and believe that it's not possible at all"... Sure OP could have just replied with his findings anyway, just like he did after my first reply; sure you could have said "closing this" more nicely so that OP would have felt more desirable to post his setup once it worked. Just that...

> We document what we do, and how to use what we make. We don't make traefik. We don't have all the answers about how to make traefik work with every application under the sun.

Please refer to the previous, would have been nice to say "please draft up a PR" or "report your findings so that other people may get help here since this be the first google result" instead of just "closing this, because"...

> It seems (based on there being mention of issues being reported to the devs of snipe-it) that there are issues with snipe-it (not specific to our docker image) that make it challenging to proxy snipe-it with some reverse proxy solutions. The development of snipe-it is entirely out of our hands.

Sure, was not saying so... anyway I made it work, so it might be challenging, but not impossible 🤷🏻

> Your comment was pretty rude, considering we do what we do for free and make it available for anyone to use and do what they want with. We don't tell people not to use traefik, just that we aren't the helpdesk/hotline for it.

Didn't mean to be, just pointing out that maybe something different than "closing this" (without technically an explanation (beyond the "we do stuff our way")) would have been nice-er, since that could be interpreted (just like I did) rude as well by your end...