sVoxelDev / minecraft-server-template

A 30-second quickstart template for creating Minecraft server networks with Docker and Git.
MIT License

Dynmap behind nginx proxy #4

Closed jpcapone closed 2 years ago

jpcapone commented 2 years ago

Hey, thanks for this Minecraft deployment, it's just what I was looking for. I have everything pretty much working, but I am unable to get DynMap working. I followed the instructions and placed the plugin into the plugins folder, and I can also confirm that the plugin is loaded, but when I access the website I get a 404 error. The 404 error occurs when I use the internal domain name, which is minecraft.internal.com, or the internal IP address. I am able to use the web name because I created an internal DNS record to resolve to the Docker host. If I do map.minecraft.internal.com I get "This page cannot be reached". I am pretty savvy, so please hit me with any suggestions you have so I can attempt to resolve the issue, thanks.

Silthus commented 2 years ago

Can you take a look at the Traefik Routing Dashboard under traefik.minecraft.internal.com and see if the dynmap route gets registered correctly? Also take a look at the Traefik container's log when requesting map. and see if there are any errors.

You can also join our discord to get support here: https://discord.gg/HSU8FtgjVD

jpcapone commented 2 years ago

Ok, I figured out a portion of the issue. I did not have internal DNS records created for the map/traefik/rcon endpoints. Now that I have added them I can access map.minecraft.internal.com, but I get "Connection to back-end closed, automatically trying to reconnect in 5 seconds...." when I try to connect to rcon.minecraft.internal.com. I get 404 when I attempt to traefik/rcon. Also, in the console of the Traefik container I am getting a lot of these errors: "time="2021-11-25T19:17:13Z" level=error msg="Unable to obtain ACME certificate for domains". Does Traefik need to be able to verify the domains externally via Let's Encrypt? If so, that will be problematic for me because I am currently using nginx as a reverse proxy for my sites that are accessible remotely. Either way, I will report what I find in the Traefik logs, and if there are any other suggestions please send them my way. Also, I will prolly hop on Discord later, but if you give me something to work with before then I will give it a shot. Finally, I am having a hard time tracking down the Traefik log location in the container. Can you assist with that?

Silthus commented 2 years ago

Yes, you are correct, the Traefik instance tries to issue Let's Encrypt certificates for all endpoints. And Let's Encrypt can't reach your backend because of the reverse proxy.

As I see it you have two options:

Option 1

Change the base domain in your Minecraft server setup to a real reachable subdomain and forward all traffic from your reverse proxy to the Traefik instance. For example, create a *.mc.your-server.com proxy rule to the Traefik backend. You will have to use different ports for the Traefik container though, as your nginx proxy already binds to 80/443. This option is not really recommended as Traefik is thought to be a "front door" proxy, but you could make it happen. To expose a direct alias, e.g. for map.your-server.com instead of map.mc.your-server.com, create a CNAME and proxy it in your nginx to Traefik.

Option 2

Do all TLS termination on your nginx proxy, remove the certificate configuration from Traefik or provide your own certificate resolver, and remove the HTTPS redirects from Traefik. This will probably become a real mess since you are manually doing the things Traefik is supposed to do.

Option 3 (recommended)

Switch out your nginx front door for the Traefik container (on my server we used a separate compose file run as a different user that auto started when the server started). This way you are decoupling the Traefik proxy from Minecraft, and then you can configure the routes from your current nginx configuration in a different container that is also connected to Traefik.

```yaml
services:
  traefik:
    image: "traefik:v2.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      # redirect all plain HTTP traffic to the HTTPS entrypoint
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      # Let's Encrypt resolver using the TLS challenge (port 443 must be reachable from outside)
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=webmaster@my-server.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "80:80"
    networks:
      - traefik
    volumes:
      - "./letsencrypt:/letsencrypt"
      # read-only mount of the socket file; Traefik can still call the Docker API through it
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      # dashboard router, protected by the basic auth middleware below
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.routers.api.rule=Host(`traefik.my-node1.my-server.com`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      # htpasswd-style user:hash; in a compose file every $ in the hash must be written as $$
      - "traefik.http.middlewares.auth.basicauth.users=your-user:your-htaccess-pw-encrypted"
networks:
  traefik:
    external: true
```

All Docker containers that have the correct Traefik labels and are connected to the Traefik network will automatically route over the proxy. This allows you to dynamically add and remove endpoints in your network.

Here is an example of a simple nginx container that is routed to from traefik. You can mount your existing nginx config into it and it should work.

```yaml
version: "3.3"

services:
  nginx:
    image: nginx
    container_name: test_proxy
    labels:
      - "traefik.enable=true" # enables the service
      - "traefik.http.routers.nginx.rule=Host(`proxy.mydomain.com`)" # domain to expose on
      - "traefik.http.routers.nginx.entrypoints=websecure" # if you named your 443 entrypoint differently than websecure, substitute it here!
      - "traefik.http.routers.nginx.tls.certresolver=letsencrypt" # if you named your cert resolver differently than letsencrypt, substitute it here!
    networks:
      - traefik

networks:
  traefik:
    external: true
```

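
Added example, not part of the thread or the project's code: a small check that cross-references router labels against the entrypoints and certificate resolvers declared in Traefik's command flags, since the two compose files above use different resolver names (`myresolver` and `letsencrypt`). The input lists are constructed from those files, and the function names `defined_names` and `lint` are hypothetical.

```python
import re

# Constructed input: flags and labels copied from the two compose files above.
TRAEFIK_COMMAND = [
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.tlschallenge=true",
]
LABELS = [
    "traefik.http.routers.api.entrypoints=websecure",
    "traefik.http.routers.api.tls.certresolver=myresolver",
    "traefik.http.routers.api.service=api@internal",
    "traefik.http.routers.api.middlewares=auth",
    "traefik.http.routers.nginx.entrypoints=websecure",
    "traefik.http.routers.nginx.tls.certresolver=letsencrypt",
]

def defined_names(command):
    """Collect entrypoint and cert resolver names declared by the CLI flags."""
    names = {"entrypoints": set(), "certificatesresolvers": set()}
    for flag in command:
        m = re.match(r"--(entrypoints|certificatesresolvers)\.([^.=]+)\.", flag, re.I)
        if m:
            names[m.group(1).lower()].add(m.group(2))
    return names

def lint(command, labels):
    """Return findings for routers whose labels do not match the static config."""
    names = defined_names(command)
    routers = {}
    for label in labels:
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)", label, re.I)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    findings = []
    for name, opts in sorted(routers.items()):
        for ep in filter(None, opts.get("entrypoints", "").split(",")):
            if ep.strip() not in names["entrypoints"]:
                findings.append(f"{name}: undefined entrypoint '{ep.strip()}'")
        resolver = opts.get("tls.certresolver")
        if resolver and resolver not in names["certificatesresolvers"]:
            findings.append(f"{name}: undefined certresolver '{resolver}'")
        # The dashboard/API service should never be routed without a middleware.
        if opts.get("service") == "api@internal" and not opts.get("middlewares"):
            findings.append(f"{name}: api@internal exposed without any middleware")
    return findings

if __name__ == "__main__":
    for finding in lint(TRAEFIK_COMMAND, LABELS):
        print(finding)
```

The check only confirms that a middleware is attached to the dashboard router, not that the middleware actually enforces authentication.
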
Silthus commented 2 years ago

Did the solution we discussed in the Discord work?

If so could you maybe document this in a very short FAQ style so I can add it to the docs for others?

jpcapone commented 2 years ago

Thanks for checking in. I haven't been working on it super heavy because I have been really busy. If you don't mind, I will pick your brain as I navigate working through the solution we discussed.

Silthus commented 2 years ago

Sure, just hit me up on Discord. I will close this issue then.