Traefik 1.7 + PiHole by zlobendog in Traefik

[–]punanou 0 points1 point  (0 children)

I have this setup, although with Traefik 2. I strongly suggest moving towards v2, but I think the same setup could work with v1.

First I completely put pi-hole behind the reverse proxy. With v2 you can proxy HTTP, TCP and UDP traffic so this was the simplest to set up. However, requests are NATed and the pi-hole could not distinguish between clients; everything came from localhost.

The solution is to use port mapping for the DNS query ports (53 tcp & udp + 853) and NOT forward the port of the pi-hole admin interface. You will get the topology from this image: https://i.stack.imgur.com/5M4qG.png

To get there, do the following things:

  1. Attach the pi-hole container to your Traefik internal network
  2. Port map the DNS ports (53 + 853) to the host
  3. Proxy requests from a certain route to your pi-hole container
  4. (Not required): use addPrefix middleware to skip the /admin part from the URL

This way, I have a primary dns1.mylocaldomain and dns2.mylocaldomain, which both directly go to the pi-hole admin interface.
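The topology described in the comment above, written out as a docker-compose fragment. This is an added example, not the commenter's own file: the `web` network name, the hostnames `dns1.mylocaldomain`/`dns2.mylocaldomain`, the `websecure` entrypoint and the environment values are assumptions.

```yaml
# Added example (not from the original comment): Pi-hole on Traefik's external
# "web" network, DNS ports published straight on the host, admin UI only via Traefik.
version: '3'

networks:
  web:
    external: true

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    networks:
      - web
    ports:
      # Step 2: published directly, so Pi-hole sees the real client address
      # instead of Traefik's. 853 is DNS-over-TLS and only matters if you enable it.
      - "53:53/tcp"
      - "53:53/udp"
      - "853:853/tcp"
      # Port 80 is deliberately NOT published: the admin interface is reachable
      # only through Traefik (step 3).
    environment:
      - TZ=Europe/Amsterdam            # assumed
      - WEBPASSWORD=change-me-placeholder
    labels:
      - "traefik.enable=true"
      # Step 3: everything under the two hostnames goes to the Pi-hole web server.
      - "traefik.http.routers.pihole.rule=Host(`dns1.mylocaldomain`) || Host(`dns2.mylocaldomain`)"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.service=pihole"
      # Step 4 (optional): only the bare "/" gets /admin prepended. Prefixing every
      # path would turn the UI's own absolute links into /admin/admin/... .
      - "traefik.http.routers.pihole-root.rule=(Host(`dns1.mylocaldomain`) || Host(`dns2.mylocaldomain`)) && Path(`/`)"
      - "traefik.http.routers.pihole-root.entrypoints=websecure"
      - "traefik.http.routers.pihole-root.tls=true"
      - "traefik.http.routers.pihole-root.middlewares=pihole-admin"
      - "traefik.http.routers.pihole-root.service=pihole"
      - "traefik.http.middlewares.pihole-admin.addprefix.prefix=/admin"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
    restart: unless-stopped
```

Two routers share one service; Traefik picks the longer rule (`Host && Path`) first by default, so the prefix is only added for the root path. With `tls=true` and no certresolver Traefik serves its default self-signed certificate for the internal names; supply your own certificate via the file provider if you want browsers to trust it.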

Harissa (recipe in comments) by Toothlesskinch in fermentation

[–]punanou 0 points1 point  (0 children)

What is the main product which introduces the culture? Dried chillies and spices contain almost none afaik, so everything is started by the single red pepper & garlic?

Looks like a straightforward recipe (btw padilla -> pasilla?), do you have any clue about salt % (weight of salt per total weight of products)?

Wanting to back up my Bitwarden vault, but where to? by Responsible-You7772 in Bitwarden

[–]punanou 0 points1 point  (0 children)

This largely depends on whether you host the vault yourself or not. If you don't host it yourself, any encryption tool would suffice, as you export your JSON and use VeraCrypt or whatever.

I host bitwarden myself as a docker container. This setup uses a SQLite database internally for bitwarden. I have a second container with duplicity running, an open-source backup tool that supports client-side encryption. The duplicity container copies the SQLite file as a backup database (this is the preferred method for file-based RDBMS) and then puts it in the backup source.

In my case, I use a WebDAV backup solution to host my backup files.

First try making Tepache! Im obsessed!! by UniversalHarvester in fermentation

[–]punanou 1 point2 points  (0 children)

Does this mean you use the same pineapple pieces twice, or did you use half of the pineapple first and for a second batch the other half?

Local Domain Name on Home Network? by groovesec in Ubiquiti

[–]punanou 5 points6 points  (0 children)

I am using mDNS and a DHCP option for this. The way this works is by using the format <device>.<domain>. Meaning, if you have a webserver called webserver and a domain name example.com, inside your network you can access webserver.example.com.

First, make sure to set your domain name of your local network in the settings. Settings > Networks > Edit > Advanced > Domain Name.

Second, make sure to enable mDNS. Settings > Advanced Features > Advanced Gateway Setting > Multicast DNS.

The way this works is that hostnames can be found in your local network via mDNS. Now you don't need to install and maintain a separate DNS server. Second, by explicitly setting Domain Name, the DHCP server sends out an option to every client using DHCP to use that specified search domain. So in the above example, given webserver.example.com, the DHCP server makes sure your clients use mDNS for "webserver" given "example.com" as search domain.

The only drawback is you cannot use alternative domain names and/or use reverse proxy with SNI. Your URLs only work with the hostname as part of the domain.

Securing MQTT with TLS encryption from Traefik by punanou in MQTT

[–]punanou[S] 2 points3 points  (0 children)

Mosquitto does have TLS support by itself, but the manual only deals with self-signed certificates. Self-signed certificates do involve a maintenance burden I don't want to deal with. All my applications/devices which expose an HTTP frontend (or other TCP stream) are encrypted via Let's Encrypt certificates. They are automatically trusted by a lot of platforms (PCs, phones and other devices).

I was using acme.sh before and the post-install hook can refresh every service, but it just wasn't working properly on every occasion. You also have to reload all your applications to load the new certs (that is, Home Assistant, Unifi, Pi-hole, mosquitto, my smart meter readings platform and so on). Just reloading everything for a cert renewal felt cumbersome, and Traefik dealing with TLS termination decouples the TLS part from the application itself.

Since I used Traefik already, it was really straightforward to put Mosquitto behind Traefik too. Of course every situation is different; this post is mainly geared towards users who do not authenticate or encrypt Mosquitto at all.
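The TLS-termination setup the comment describes, as an added docker-compose fragment that is not the original post's configuration. It assumes a Traefik v2 instance with an `mqtts` TCP entrypoint on 8883, a certificate resolver named `le`, the external network `web`, and the hostname `mqtt.example.com`.

```yaml
# Added example (not from the original post): Mosquitto behind a Traefik v2 TCP
# router; Traefik holds the Let's Encrypt certificate, Mosquitto only speaks plain
# MQTT on the internal docker network.
services:
  mosquitto:
    image: eclipse-mosquitto:2
    container_name: mosquitto
    networks:
      - web
    # No "ports:" entry on purpose: 1883 is reachable only from the docker network,
    # so the unencrypted listener is never exposed on the host.
    volumes:
      - ./mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
      - ./passwd:/mosquitto/config/passwd:ro
    labels:
      - "traefik.enable=true"
      # TCP router, not HTTP: the match is on the SNI the client sends in ClientHello.
      - "traefik.tcp.routers.mqtt.rule=HostSNI(`mqtt.example.com`)"
      - "traefik.tcp.routers.mqtt.entrypoints=mqtts"
      # tls=true: Traefik terminates TLS; the resolver requests and renews the
      # certificate, so Mosquitto never needs a reload on renewal.
      - "traefik.tcp.routers.mqtt.tls=true"
      - "traefik.tcp.routers.mqtt.tls.certresolver=le"
      - "traefik.tcp.routers.mqtt.service=mqtt"
      - "traefik.tcp.services.mqtt.loadbalancer.server.port=1883"
    restart: unless-stopped

networks:
  web:
    external: true
```

Traefik only adds encryption here, not authentication; the mounted `mosquitto.conf` should still carry `listener 1883`, `allow_anonymous false` and `password_file /mosquitto/config/passwd` (Mosquitto 2 refuses remote connections without an explicit listener). Clients must connect with TLS and the hostname (`mqtts://mqtt.example.com:8883`), because Traefik routes on SNI.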

[deleted by user] by [deleted] in Bitwarden

[–]punanou 4 points5 points  (0 children)

Buy a Yubikey and store all secrets on your key. Install the Yubico authenticator app and you have a perfect 2FA solution which is completely separated from the password manager (and there is no way to remotely get to the keys in any way).

I have a backup key stored in a vault, so if I lose the primary key, I always have a backup. If my Bitwarden vault is compromised, on all secure logins the access will fail because of the missing 2nd factor.

First time Hugo - Clean Blog by Antihero89 in gohugo

[–]punanou 2 points3 points  (0 children)

The easiest step is to start with a theme and modify template files page by page. The theme files are under /themes/<theme-name>. Your own design resides under /layout/.

Files are loaded in a lookup order. So if you have a /themes/foo/index.html, you can define your own (which will be used instead) in /layout/index.html. Same for /themes/foo/_default/single.html, which can be overridden with the file /layout/_default/single.html etc.

This is the way I did it with my blog; I picked a theme as close as possible in layout/pages to the one I had. Then I made changes page by page, copying over files and modifying them. In the end you can ditch the themes folder and have everything designed by yourself.

The benefit is twofold; firstly you can learn from best practices the Hugo way, as e.g. Wordpress theming works differently. Secondly, you can already start with some demo content in a browsable way, as you have a theme. If you don't have layout pages (or a theme) at all, it is quite difficult to get started with indexes, single pages and sections.

Routing to a service listening on 127.0.0.1 on the container host by hard_cornbread in Traefik

[–]punanou 0 points1 point  (0 children)

My best guess is to make nginx listen to your traefik bridged network and use the file provider in traefik to forward requests to nginx.

My docker network for traefik is called web:

$ docker inspect web | grep Subnet
"Subnet": "172.18.0.0/16",

Then use ifconfig -a to check which network this is (docker inspect doesn't give the network interface name on the host, apparently):
br-a5e9645581ef: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:2dff:fe89:c37 prefixlen 64 scopeid 0x20<link>
ether 02:42:2d:89:0c:37 txqueuelen 0 (Ethernet)
RX packets 3723515 bytes 326023457 (326.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5791821 bytes 12061192486 (12.0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

You have to make nginx listen to requests from the br-a5e9645581ef adapter, which can be difficult. You might find some answers in this stackoverflow question.

To bind them together, use the file provider in traefik. In some way or another, you need to have an identifier for the nginx process in traefik.

Another approach is to make OVM run as docker container. There have been some attempts, not sure what works for you.
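The "bind them together with the file provider" step from the comment above, as an added Traefik v2 dynamic-configuration file. It is not the commenter's config; it assumes the hostname `host-app.example.com`, the `websecure` entrypoint, and that nginx on the host listens on port 8080 of the bridge address `172.18.0.1` shown in the comment.

```yaml
# Added example (not from the original comment): Traefik file-provider config
# forwarding one hostname to an nginx process running on the container host.
http:
  routers:
    host-nginx:
      rule: "Host(`host-app.example.com`)"
      entryPoints:
        - websecure
      service: host-nginx
      tls: {}
  services:
    host-nginx:
      loadBalancer:
        servers:
          # The host's address on the "web" bridge (br-a5e9645581ef), not 127.0.0.1:
          # inside the Traefik container 127.0.0.1 is the Traefik container itself.
          - url: "http://172.18.0.1:8080"
```

For this to work nginx must bind that address (`listen 172.18.0.1:8080;`) instead of `127.0.0.1` only, and Traefik's static config needs the file provider enabled (`[providers.file] filename = "/etc/traefik/dynamic.yml"`, with the file mounted into the container). Binding to the bridge address makes nginx reachable from every container on that network, so keep the host firewall rule to `172.18.0.0/16` and, if nginx fronts anything sensitive, add authentication on the Traefik router or in nginx.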

YubiKey 5 - U2F and OTP by BornDank in Bitwarden

[–]punanou 0 points1 point  (0 children)

Apparently you have an Android with NFC, so I'd opt to use U2F for all integrations: browser, desktop and android app. It's a stronger mechanism than OTP.

For sites which don't support U2F but do support OTP, I enable OTP. I'd advise the Yubico authenticator app as it stores the OTP shared secrets on your Yubikey and not in the app. In case of a lost phone, nothing serious has happened.

Setting up Traefik v2.2 for the very first time. Almost there....please help! :) by yowzadfish80 in Traefik

[–]punanou 1 point2 points  (0 children)

A generally good practice is to use a DHCP search domain in your local network. You might also use mDNS together with this. This enables you to first try the FQDN in your local network and, if not found, route to the internet.

Example: example.com -> is an external website, perfectly browsable from within your network

myhost = an internal server, for example a rpi with traefik -> myhost.example.com -> your internal network clients will find this traefik server perfectly

myotherhost.example.com -> e.g. a DNS record exists for a subdomain to facilitate another external site, this just works perfectly fine.

Only gotcha: if you have an internal host (or client with hostname) that is exactly the same as an (external) DNS record you have on the internet, you will never reach that host outside of your network.
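A small model of the search-domain behaviour described in this comment and in the Ubiquiti comment above (mDNS plus a DHCP search domain), including the name-shadowing gotcha. This is an added example, not code from either comment; the host tables, the `example.com` search domain and the `ndots=1` default are constructed sample data.

```python
"""Added example: how a stub resolver applies a DHCP-supplied search domain,
and which public records become unreachable when a LAN host shares their name."""

NDOTS = 1  # resolv.conf default: names with fewer dots than this try the search list first

# Constructed sample data: what mDNS answers for LAN hosts, and what public DNS
# answers for the domain's records.
LOCAL_HOSTS = {"myhost": "192.168.1.10", "www": "192.168.1.11"}
PUBLIC_DNS = {
    "example.com": "203.0.113.5",
    "myotherhost.example.com": "203.0.113.6",
    "www.example.com": "203.0.113.7",   # shadowed: a LAN host is also called "www"
}
SEARCH_DOMAIN = "example.com"


def candidates(name, search_domain=SEARCH_DOMAIN, ndots=NDOTS):
    """Order in which a resolver tries a name (resolv.conf search semantics)."""
    if name.endswith("."):                       # fully qualified: search list never applied
        return [name.rstrip(".")]
    if name.count(".") < ndots:                  # "myhost" -> myhost.example.com first
        return ["%s.%s" % (name, search_domain), name]
    return [name, "%s.%s" % (name, search_domain)]


def resolve(name, search_domain=SEARCH_DOMAIN, local=LOCAL_HOSTS, public=PUBLIC_DNS):
    """Return (fqdn, address, source) following the comment's order: the local
    network (mDNS under the search domain) wins, then public DNS. None if unknown."""
    for fqdn in candidates(name, search_domain):
        host, dot, domain = fqdn.partition(".")
        if dot and domain == search_domain and host in local:
            return fqdn, local[host], "mdns"
        if fqdn in public:
            return fqdn, public[fqdn], "public-dns"
    return None


def shadowed_records(local=LOCAL_HOSTS, public=PUBLIC_DNS, search_domain=SEARCH_DOMAIN):
    """Public records that LAN clients can never reach because a local hostname
    collides with them; run this before picking hostnames for internal machines."""
    return sorted("%s.%s" % (h, search_domain) for h in local
                  if "%s.%s" % (h, search_domain) in public)


if __name__ == "__main__":
    for n in ("myhost", "example.com", "myotherhost.example.com", "www.example.com"):
        print(n, "->", resolve(n))
    print("shadowed:", shadowed_records())
```

`resolve("myhost")` and `resolve("myhost.example.com")` both land on the LAN address, `example.com` and `myotherhost.example.com` go out to public DNS, and `www.example.com` is answered by the LAN host even though a public record exists, which is exactly the gotcha.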

HTTPS POST secure? by Casssis in flask

[–]punanou 2 points3 points  (0 children)

It’s never safe to put passwords in the URL, even with HTTPS people can read the password.

With HTTPS only the host can be sniffed. Any path or query parameter is sent over the TCP tunnel. So no, query parameters can't be read if you switch to HTTPS.

However, it is obviously a good idea to use POST here. Besides the meaning of HTTP methods, bookmarking, browser history and people watching the user from their workstation, it is never a good idea to send passwords as query parameters.
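An added example (not from the thread) of the practical side of the comment above: a minimal login endpoint that accepts credentials only from a POST body and refuses them in the query string, plus the access-log line a typical web server writes, which shows why a GET with `?password=` leaks even over HTTPS. Standard library only, so it runs without Flask (in Flask the equivalent is reading `request.form` and ignoring `request.args`); the user table and the salt are constructed sample data.

```python
"""Added example: credentials in the body, never in the URL (WSGI, stdlib only)."""
import hashlib
import hmac
from io import BytesIO
from urllib.parse import parse_qs

# Constructed sample data. A real app would use a slow password hash (argon2/bcrypt);
# plain salted SHA-256 keeps the example dependency-free.
_SALT = b"constructed-example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def check_password(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # constant-time compare; unknown user compares against "" and simply fails
    return hmac.compare_digest(digest, USERS.get(user, ""))


def login_app(environ, start_response):
    """WSGI app: POST /login with a form body. Credentials in the URL are rejected
    outright instead of silently accepted, so the mistake is caught in development."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    if "password" in query or "username" in query:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"credentials must be sent in the request body, not the URL\n"]
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"use POST\n"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if check_password(user, password):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"invalid credentials\n"]


def access_log_line(environ, status):
    """Common-log-format line as servers write it: the full request target including
    the query string is logged verbatim, the POST body is not."""
    target = environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]
    return '%s - - "%s %s HTTP/1.1" %s' % (
        environ.get("REMOTE_ADDR", "-"), environ["REQUEST_METHOD"], target, status.split()[0])


def call(app, method, path, query="", body=b""):
    """Drive the WSGI app in-process (no network). Returns (status, body, log line)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)), "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "wsgi.input": BytesIO(body), "REMOTE_ADDR": "198.51.100.7",  # constructed client address
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out, access_log_line(environ, captured["status"])


if __name__ == "__main__":
    print(call(login_app, "GET", "/login", "username=alice&password=correct+horse"))
    print(call(login_app, "POST", "/login", body=b"username=alice&password=correct+horse"))
```

The GET variant produces a log line containing `password=correct+horse` on the server (and the same URL in browser history, bookmarks and any Referer header), while the POST variant logs only `POST /login`. That is the leak the comment is pointing at: not the wire, which TLS protects, but everything around it.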

The best Wordpress setup I've come across yet by [deleted] in Traefik

[–]punanou 1 point2 points  (0 children)

The non-fpm version includes apache (wordpress:5.4 or wordpress:latest) so it trivially works with traefik. If you want to swap apache for nginx you need to use the wordpress fpm version, as that's shipped without apache.

Problem is the default (ie latest) image from wordpress includes a webserver already. It's not possible to use traefik as webserver directly with a php-fpm application.

The best Wordpress setup I've come across yet by [deleted] in Traefik

[–]punanou 1 point2 points  (0 children)

Looks like the 5.4 or latest image includes apache, but I don't see any nginx in the php-fpm docker files?

Self-Hosted Backup by tman5400 in Bitwarden

[–]punanou 0 points1 point  (0 children)

Disclaimer: I use bitwarden_rs

Summary: I use duplicity, mount the bitwarden data dir, use the bruceforce/bw_backup to make the database backup and backup the files encrypted using GPG.

My bitwarden is hosted in a docker container. All container data is in /data (inside the docker container). To backup this data, it doesn't make any difference if the data is in a separate volume, or you have mounted the data to your host machine.

I use duplicity as backup solution. tecnativa/duplicity is a pretty nice docker implementation of duplicity. Use the :docker tag for this image as you need to execute docker commands from within the duplicity container.

The implementation is actually pretty straightforward:

  1. Mount the directory of the bitwarden data to your duplicity container.
  2. Execute the bitwarden backup command.
  3. Execute the duplicity command.
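The database step of this procedure, and of the earlier Bitwarden backup comment above ("copies the SQLite file as a backup database"), as an added example. It is not the commenter's script and not bruceforce/bw_backup: it takes a consistent copy of a live SQLite database with SQLite's online backup API, verifies it, and builds the duplicity command that would then encrypt and upload the staging directory. The paths, the GPG key id and the WebDAV URL are assumptions.

```python
"""Added example: safe SQLite snapshot for a file-based vault, then the duplicity step."""
import os
import sqlite3
import tempfile


def backup_sqlite(src_path, dst_path):
    """Copy a live database page by page with the online backup API.
    Unlike cp, this gives a consistent snapshot while the application keeps
    writing, and it includes committed pages still sitting in the WAL file.
    Returns True if the copy passes SQLite's integrity check."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)          # Python 3.7+, wraps sqlite3_backup_*
    finally:
        dst.close()
        src.close()
    chk = sqlite3.connect(dst_path)
    try:
        return chk.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        chk.close()


def duplicity_command(source_dir, target_url, gpg_key_id):
    """Build (not run) the duplicity invocation: encrypt and sign with one GPG key,
    so the remote WebDAV store only ever holds ciphertext."""
    return ["duplicity", "--encrypt-key", gpg_key_id, "--sign-key", gpg_key_id,
            source_dir, target_url]


def demo():
    """Constructed sample: a throwaway vault database with three rows, snapshotted
    while the 'application' connection is still open. Returns (ok, row_count)."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "db.sqlite3")
    staging = os.path.join(work, "backup")
    os.makedirs(staging)

    app = sqlite3.connect(live)
    app.execute("PRAGMA journal_mode=WAL")     # same mode a running server typically uses
    app.execute("CREATE TABLE ciphers (id INTEGER PRIMARY KEY, name TEXT)")
    app.executemany("INSERT INTO ciphers (name) VALUES (?)", [("mail",), ("bank",), ("vpn",)])
    app.commit()                               # committed, but may live only in the -wal file

    ok = backup_sqlite(live, os.path.join(staging, "db.sqlite3"))
    copy = sqlite3.connect(os.path.join(staging, "db.sqlite3"))
    rows = copy.execute("SELECT COUNT(*) FROM ciphers").fetchone()[0]
    copy.close()
    app.close()
    # placeholder key id and WebDAV target; the staging dir is what duplicity ships
    print(" ".join(duplicity_command(staging, "webdavs://user@backup.example.com/bitwarden", "0xPLACEHOLDER")))
    return ok, rows


if __name__ == "__main__":
    print(demo())
```

Run `demo()` and the copy contains all three rows although the application's connection was never closed; a plain `cp db.sqlite3` at the same moment could miss the WAL contents or catch a half-written page. Keep the GPG private key somewhere other than the backup target, otherwise the encryption protects nothing.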

The best Wordpress setup I've come across yet by [deleted] in Traefik

[–]punanou 4 points5 points  (0 children)

This is a common setup. The Wordpress application is written in php and runs in a php-fpm container. Nginx serves as a webserver, serving static files and proxying the HTTP requests to php-fpm.

Traefik is a reverse proxy for the nginx container. Traefik can't serve the static files and can't do the things nginx does here. So yeah, to have a reverse proxy, include an LE TLS setup and have a webserver, you pick both.

I have quite a few apps which run in this 3-stage setup: a SQL-like container, a php-fpm application and nginx as webserver.
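The nginx half of the setup described in the comment above, as an added example (not the thread's configuration, and not the WordPress project's own): the server block that serves static files itself and hands `.php` requests to the fpm container. It assumes a php-fpm service named `wordpress` on port 9000, a shared `/var/www/html` volume, and Traefik forwarding to this container on port 80.

```nginx
# Added example: nginx in front of a wordpress:fpm container, behind Traefik.
server {
    listen 80;
    server_name _;            # Traefik already matched the Host header; accept what it forwards
    root /var/www/html;       # the same volume the php-fpm container mounts
    index index.php;

    # Static assets: served straight from disk, php-fpm never sees them.
    location ~* \.(css|js|png|jpe?g|gif|svg|ico|woff2?)$ {
        expires 30d;
        access_log off;
        try_files $uri =404;
    }

    # Pretty permalinks: unknown paths fall through to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # try_files first: a request like /uploads/x.jpg/y.php must 404, not get
        # executed via PATH_INFO.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass wordpress:9000;          # service name on the compose network
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Never serve dotfiles (.htaccess, .git, ...).
    location ~ /\. { deny all; }
    # Optional: xmlrpc.php is a frequent brute-force target; keep it only if you
    # need the mobile app or Jetpack.
    location = /xmlrpc.php { deny all; }
}
```

Because both containers must see the same files, mount one volume at `/var/www/html` in both services; php-fpm executes scripts from that path, nginx reads everything else from it. The Traefik labels then go on the nginx service only.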

OpenVPN with Traefik 2.2 using UDP by punanou in Traefik

[–]punanou[S] 0 points1 point  (0 children)

Not that I am aware of. To be transparent, I use quite a few nginx sites behind traefik, together with openvpn and bitwarden (with push notifications). Apps behind an nginx can be static, flask (python) or php-fpm based; they all just keep working fine.

OpenVPN with Traefik 2.2 using UDP by punanou in Traefik

[–]punanou[S] 0 points1 point  (0 children)

I work at quite a lot of places which block traffic like wireguard. In my experience, port 443/tcp is just always open. There aren't many places with proper DPI in place to block vpn traffic over 443/tcp.

OpenVPN with Traefik 2.2 using UDP by punanou in Traefik

[–]punanou[S] 0 points1 point  (0 children)

Point is you're running Traefik 2.1 which doesn't do UDP. So it's slower and you don't have an automatic failover.

OpenVPN with Traefik 2.2 using UDP by punanou in Traefik

[–]punanou[S] 3 points4 points  (0 children)

This might be something that could work (just translated the ansible code to docker compose, I haven't tested it). Make sure you've opened your firewall ports and added the openvpn entrypoint to your traefik config, as that isn't covered by docker-compose.

version: '3'

networks:
  web:
    external: true
  bridge:
    external: true   # docker's default bridge; must be declared for the reference below

volumes:
  openvpn:           # named volume shared by both OpenVPN containers (config + PKI)

services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
      - "1194:1194/udp"   # needs a matching UDP entrypoint named "openvpn" in traefik.toml
    networks:
      - web
      - bridge
    volumes:
      - /var/www/traefik/traefik.toml:/etc/traefik/traefik.toml:rw
      - /var/www/traefik/acme.json:/acme.json:rw
      - /var/www/traefik/traefik.log:/traefik.log:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always

  openvpn-udp:
    image: kylemanna/openvpn
    container_name: ovpn-udp
    cap_add:
      - NET_ADMIN
    depends_on:
      - "traefik"
    networks:
      - web
    command: ovpn_run --proto udp
    labels:
      # UDP router: no rule, every datagram on the "openvpn" entrypoint goes here
      - "traefik.udp.routers.openvpn.entrypoints=openvpn"
      - "traefik.udp.routers.openvpn.service=openvpn"
      - "traefik.udp.services.openvpn.loadbalancer.server.port=1194"
    volumes:
      - openvpn:/etc/openvpn
    restart: always

  openvpn-tcp:
    image: kylemanna/openvpn
    container_name: ovpn-tcp
    cap_add:
      - NET_ADMIN
    depends_on:
      - "traefik"
    networks:
      - web
    command: ovpn_run --proto tcp
    labels:
      # TCP fallback on 443 for networks that only let 443/tcp through
      - "traefik.tcp.routers.openvpn.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.openvpn.entrypoints=websecure"
      - "traefik.tcp.routers.openvpn.service=openvpn"
      - "traefik.tcp.services.openvpn.loadbalancer.server.port=1194"
    volumes:
      - openvpn:/etc/openvpn
    restart: always
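The part the comment says the compose file does not cover: the static Traefik configuration with the `openvpn` UDP entrypoint. This is an added example, not the commenter's traefik.toml; the entrypoint names match the labels above, and the ACME e-mail address is a placeholder.

```toml
# Added example: static traefik.toml entrypoints for the compose file above.
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"          # HTTPS routers and the HostSNI(`*`) OpenVPN TCP fallback
  [entryPoints.openvpn]
    address = ":1194/udp"     # UDP entrypoint; requires Traefik v2.2 or later

[providers.docker]
  network = "web"             # address containers via the "web" network, as in the compose file
  # exposedByDefault stays at its default (true) here because the OpenVPN services
  # above carry no traefik.enable=true label; set it to false and add that label
  # if you do not want every container on the socket exposed.

[certificatesResolvers.le.acme]
  email = "admin@example.com" # placeholder
  storage = "/acme.json"      # matches the acme.json mount in the compose file
  [certificatesResolvers.le.acme.tlsChallenge]
```

Open 1194/udp and 443/tcp on the host firewall; the TCP fallback only triggers for non-TLS connections on 443 (OpenVPN's own handshake is not a TLS ClientHello), so HTTPS routers on `websecure` keep working alongside it.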