snikket-im / snikket-server

Image builder for Snikket server
https://snikket.org/service/
Apache License 2.0

Traefik support #88

Open hanssatt opened 2 years ago

hanssatt commented 2 years ago

Hei there

Thanks for developing such a great project. I'd really like to host a Snikket server, but my web server setup is based on Traefik as a reverse proxy. Would it be possible to add some sort of guide or example conf-file for Traefik?

https://doc.traefik.io/traefik/

Thanks in advance.

decentral1se commented 2 years ago

Hey @hanssatt, we have a veryyyyy experimental snikket + traefik support config over in https://git.coopcloud.tech/coop-cloud/snikket that has already seen deployments and is undergoing testing. There are a few outstanding issues with our approach but we're hoping to work out a way to get those changes upstream here. Happy to help out / hear feedback / get help on making this work out better!

hanssatt commented 2 years ago

Hei @decentral1se, thanks for your reply. I'm happy to check it out but I'm very busy at the moment. When I finally find some time to test I'll let you know about the result.

decentral1se commented 2 years ago

See also https://github.com/snikket-im/snikket-web-proxy/pull/6.

decentral1se commented 2 years ago

So, for the snikket-web-proxy, we need to resolve https://github.com/snikket-im/snikket-web-proxy/issues/5.

Here in snikket-server, it seems we would need to clean up / agree on a way to merge this approach:

Which can be summarised as "make certificate paths configurable" (see https://github.com/snikket-im/snikket-web-proxy/pull/6#issuecomment-955715601).

We're then using this cert transfer approach detailed in https://git.coopcloud.tech/coop-cloud/snikket/src/commit/516411935e5cc10c2964d73f1e0581c238f37c73/compose.yml#L77-L86 which copies over Traefik-generated certs. It ain't pretty but it works and probably reduces the amount of work that needs to be done here in snikket-server.

If anyone can see a way forward, I'm happy to try to implement it. https://git.coopcloud.tech/coop-cloud/snikket is currently running on two temporary forks of proxy/server and we'd love to get back on mainline by having some way to configure Snikket to handle Traefik.
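
One way a transfer of Traefik-generated certificates like the one mentioned in the comment above can work, as an added example that is not the coop-cloud compose.yml or Snikket project code: it reads Traefik's ACME storage file, assuming the Traefik v2 `acme.json` layout, and writes the chain and key for one domain with restrictive permissions. The function names, output file names and sample domain are assumptions.

```python
import base64
import json
import os
import tempfile

# Constructed sample in Traefik's acme.json layout; PEM bodies are placeholders.
SAMPLE_ACME = {"letsencrypt": {"Certificates": [{
    "domain": {"main": "chat.example.test", "sans": ["groups.chat.example.test"]},
    "certificate": base64.b64encode(b"CONSTRUCTED-CHAIN-PEM").decode(),
    "key": base64.b64encode(b"CONSTRUCTED-KEY-PEM").decode(),
}]}}


def find_certificate(acme, domain):
    """Return (fullchain, key) bytes for `domain`, or None if not issued yet."""
    for resolver in acme.values():
        for entry in (resolver or {}).get("Certificates") or []:
            names = [entry["domain"].get("main")] + (entry["domain"].get("sans") or [])
            if domain in names:
                return (base64.b64decode(entry["certificate"]),
                        base64.b64decode(entry["key"]))
    return None


def write_atomic(path, data, mode):
    """Write via a 0600 temp file, then rename, so no partial key is ever read."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def export_certificate(acme_path, domain, out_dir):
    """Copy the cert and key for `domain` from acme.json into `out_dir`."""
    with open(acme_path, encoding="utf-8") as fh:
        found = find_certificate(json.load(fh), domain)
    if found is None:
        return False  # nothing issued for this name; leave existing files alone
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    write_atomic(os.path.join(out_dir, "fullchain.pem"), found[0], 0o644)
    write_atomic(os.path.join(out_dir, "privkey.pem"), found[1], 0o600)
    return True
```

Traefik rewrites `acme.json` on renewal, so an export like this has to be rerun whenever that file changes.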

spereg53 commented 1 year ago

I am interested in working with an nginx proxy that is already running on the same server. Can you help me? Thanks.

spereg53 commented 1 year ago

I forgot to mention that the nginx proxy server is installed with docker-compose and is configurable in graphical mode, the same way Snikket is installed. Thanks.

Faeranne commented 1 year ago

Since this seems like the best place to ask, is there a reason web-proxy is a mandatory part of Snikket? Is there any reason one couldn't just wholesale replace it with Traefik? Or is web-proxy doing more than just proxying https to http? If it is, can we move whatever it's doing special into a separate container, say perhaps the web-portal container? Or at least set up web-proxy to support simply disabling https? I ask because I'm seeking to use Snikket myself, but all four of my available servers have Traefik already running on 443 and 80, and I'm trying to be a bit aware of my server footprint right now, so spinning up a dedicated server is a no-go. (trying to remove servers, not add them hehe...)

Faeranne commented 1 year ago

Looking through, I'm guessing the only real roadblock to simply ignoring the web-proxy container is because Snikket wants to handle TLS termination for the non-http services, is that right? Is there any reason Snikket couldn't be given an option to open non-TLS versions of these ports, and let Traefik handle the non-http TLS termination?

Faeranne commented 1 year ago

So I dug even further, and I'm guessing between the TURN and XMPP endpoints, things are a bit more complicated. My network skills might be showing their limits here, as I'm not actually sure if UDP can even support TLS (my memory says TLS requires a handshake, and thus some amount of transport state, and thus would invalidate use over stateless UDP? Or at least depends on order.) But if it can, that would be a blocker for UDP-based TURN, since Traefik only supports TLS on HTTP and TCP endpoints. As for XMPP, the impression I get is Traefik can support handling TLS termination, but it's tricky. Either way I'm gonna start with just getting a basic TURN and an XMPP server running before diving into getting Snikket going.