4 votes

Reverse-Proxying services both inside and outside of Podman

Hey all, not-a-networks-guy here.

I've currently got an rpi set up running pihole natively (not in a container) for ad and website blocking reasons (using port 80, no TLS). I've used the pihole local DNS feature to set an internal hostname for that IP (me.lan).

On the same pi, I have podman "set up" to run FreshRSS, and I'm getting more and more annoyed about using the port # to access it. (me.lan:12345) I'd like to set up a reverse proxy (probably Traefik) in a container to redirect internally, but considering that port 80 is taken (by pihole, outside of podman) I don't see a way to direct traffic from the pihole to Traefik.

I'd really rather not reconfigure the whole setup to use containers. I'm lazy, and also prefer my DNS resolver to have the least amount of overhead possible. Is configuring the router an option here, or is the only way to achieve what I'm looking for an overhaul of the pi and containers?

If I've missed any pertinent details, let me know and I'll update here.

1 comment

  1. vord

    While I don't run pihole, I do run traefik in the way that you describe, to proxy things both in docker and out of it.

    Most https traffic uses port 443 by default. I don't bother configuring port 80 on traefik, I have it use DNS to manage automatic cert renewals with LetsEncrypt and only pass through https traffic. I use DuckDNS for my external subdomain provider.

    Here are my configuration snippets. You might want to check against Traefik's docs and update accordingly; I'm still running 2.X. I also use the yaml and labels for configs; not everybody prefers that method, but it works for me.

    First, I use docker-compose, with a .env file to define variables and secrets. I define the proxy network externally using docker network create proxy. Here's traefik with one of the docker-provided services, as well as HomeAssistant, using host networking, which to the proxy looks the same as being installed on the server outside of docker. Side note for HomeAssistant: you need to whitelist the proxy's IP range, which is a bit of a PITA, especially with IPv6.

    compose.yml
    services:
      traefik:
        image: traefik:2.11
        container_name: traefik
        domainname: ${DOMAIN}
        restart: always
        networks:
          - proxy
        ports:
          - "443:443"
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock
          - ${CONFIG_PREFIX}/traefik/traefik.yml:/traefik.yml:ro
          - ${CONFIG_PREFIX}/traefik/acme.json:/acme.json
          - ${CONFIG_PREFIX}/traefik/config.yml:/config.yml:ro
        environment:
          DUCKDNS_TOKEN: ${DUCK_DNS}
          DUCKDNS_HTTP_TIMEOUT: 30
          DUCKDNS_POLLING_INTERVAL: 2
          DUCKDNS_PROPAGATION_TIMEOUT: 60
          DUCKDNS_TTL: 60
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.rule=Host(`${DOMAIN}`)"
          - "traefik.http.routers.traefik.middlewares=default-headers@file"
          - "traefik.http.routers.traefik.tls=true"
          - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}"
          - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN}"
          - "traefik.http.routers.traefik.tls.certresolver=duckdns"
      vaultwarden:
        container_name: vaultwarden
        image: vaultwarden/server:alpine
        restart: unless-stopped
        networks:
          - proxy
        volumes:
          - ${CONFIG_PREFIX}/vaultwarden:/data
        expose:
          - 80
        environment:
          PUID: ${DUID}
          PGID: ${DGID}
          TZ: ${TZ}
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.vaultwarden.entrypoints=websecure"
          - "traefik.http.routers.vaultwarden.rule=Host(`passwords.${DOMAIN}`)"
          - "traefik.http.routers.vaultwarden.middlewares=default-headers@file"
          - "traefik.http.routers.vaultwarden.tls=true"
      homeassistant:
        container_name: homeassistant
        image: homeassistant/home-assistant:stable
        restart: always
        network_mode: host
        volumes:
          - ${CONFIG_PREFIX}/homeassistant:/config
        environment:
          - TZ=${TZ}
    
    # Snip
    networks:
      proxy:
        external: true
    

    Now for the meat and potatoes, my traefik config files. You'll notice in the config.yml that the home service points to a URL. This is how you can point to any service outside of docker, and you can point it to any valid URL. I had snipped out some other services for this which point to some static pages hosted outside my own network, even.

    traefik.yml
    global:
      checkNewVersion: false
      sendAnonymousUsage: false
    entryPoints:
      websecure:
        address: ":443"
        http:
          tls:
            # Default resolver and certificate domains for every router on this entry point
            certResolver: duckdns
            domains:
              - main: "mysubdomain.duckdns.org"
                sans:
                  - "*.mysubdomain.duckdns.org"
    
    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
        network: proxy
      file:
        filename: /config.yml
    
    certificatesResolvers:
      duckdns:
        acme:
          email: <my email address here>
          storage: acme.json
          dnsChallenge:
            provider: duckdns
            delayBeforeCheck: 90
            resolvers:
              - "1.1.1.1:53"
              - "9.9.9.9:53"
    
    config.yml
    http:
      routers:
        home:
          service: home
          rule: "Host(`home.mysubdomain.duckdns.org`)"
          entryPoints:
            - websecure
          middlewares:
            - default-headers
          tls: true
      middlewares:
        # This really only exists because of other configuration I snipped out
        secure:
          chain:
            middlewares:
              - default-headers
        default-headers:
          headers:
            customFrameOptionsValue: SAMEORIGIN
            frameDeny: true
            sslRedirect: true
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            stsIncludeSubdomains: true
            stsPreload: true
            stsSeconds: 315360000
            customResponseHeaders:
              X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      services:
        home:
          loadBalancer:
            servers:
              - url: "http://<serverhostname>:8123/"
    # TLS options are dynamic configuration, so they belong here rather than in traefik.yml
    tls:
      options:
        default:
          minVersion: VersionTLS12
        mintls13:
          minVersion: VersionTLS13
    
    5 votes
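As an added example (not from the question or the comment above), this maps the commenter's file-provider approach onto the asker's setup: Traefik in Podman publishes only 443, pihole keeps port 80 untouched, and FreshRSS is reached through the Pi's LAN address instead of the container network. The hostname freshrss.me.lan, the address 192.168.1.10, and the certificate paths under ./certs are assumptions; a LAN-only name cannot get a LetsEncrypt certificate, so the certificate is one you issue from your own CA.

```yaml
# --- compose.yml (podman-compose); only 443 is published, pihole keeps 80 ---
# Rootless Podman cannot bind 443 unless net.ipv4.ip_unprivileged_port_start <= 443.
services:
  traefik:
    image: docker.io/library/traefik:2.11
    container_name: traefik
    restart: always
    ports:
      - "443:443"
    volumes:
      - ./traefik.yml:/traefik.yml:ro
      - ./config.yml:/config.yml:ro
      - ./certs:/certs:ro   # assumed: cert/key for *.me.lan issued by your own CA

# --- traefik.yml (static); file provider only, so no Podman socket is mounted ---
entryPoints:
  websecure:
    address: ":443"
providers:
  file:
    filename: /config.yml

# --- config.yml (dynamic); the target runs outside the container network ---
http:
  routers:
    freshrss:
      rule: "Host(`freshrss.me.lan`)"
      entryPoints: [websecure]
      middlewares: [default-headers]
      service: freshrss
      tls: {}
  middlewares:
    default-headers:
      headers:
        frameDeny: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsSeconds: 315360000
  services:
    freshrss:
      loadBalancer:
        servers:
          # Assumed Pi address; host.containers.internal also resolves to the host on Podman 4.1+
          - url: "http://192.168.1.10:12345/"
tls:
  certificates:
    - certFile: /certs/me.lan.crt
      keyFile: /certs/me.lan.key
```

Add freshrss.me.lan to pihole's Local DNS pointing at the Pi, and import the CA that signed the certificate into the browsers that will use it. A second router and service pair in the same shape would put the pihole admin page behind https as well.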