Hi,
I am working on a docker-compose project using traefik as a reverse proxy for a MediaWiki. I am trying to set up the log analyzer GoAccess to generate real time html reports from the apache logs. The report is then served with a simple nginx webserver. The real time updates invoke a secured websocket connection, which I cannot get to work at all. I am unsure how to route the websocket and tried many configs and ideas I found online, to no avail. It does work locally without tls/ssl.
redacted excerpt of docker-compose.yml
:
services:
apache:
[...]
reverse-proxy:
restart: always
image: traefik:v2.8
ports:
- 443:443 # HTTPS port
- 80:80 # HTTP port
- 7890:7890 # goaccess websocket
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
- traefik-letsencrypt:/letsencrypt # Persistent file for ACME Setup (Certificate Store)
- traefik-log:/data/log # Persistent file for logging
networks:
- default
labels:
- traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)
- traefik.http.routers.dashboard.entrypoints=websecure
- traefik.http.routers.dashboard.tls.certResolver=le
- traefik.http.routers.dashboard.service=api@internal
goaccess:
image: allinurl/goaccess
container_name: goaccess
depends_on:
- traefik-certs-dumper
restart: always
command:
- '--log-file=/srv/log/access.log'
- '--output=/srv/reports/index.html'
- '--log-format=COMBINED'
- '--real-time-html'
- '--anonymize-ip'
# - '--config-file=/etc/goaccess.conf'
- '--geoip-database=/srv/geoip/GeoLite2-City.mmdb'
- '--db-path=/srv/data'
- '--ssl-cert=/letsencrypt/certs/certs/stats.example.com.crt'
- '--ssl-key=/letsencrypt/certs/private/stats.example.com.key'
# - '--restore'
# - '--persist'
expose:
- 7890
# ports:
# - 7890:7890
networks:
default:
aliases:
- goaccess.svc
volumes:
- apache_logs:/srv/log:ro
- apache_reports:/srv/reports
- goaccess_db:/srv/data
# - ./goaccess/goaccess.conf:/etc/goaccess.conf
- ./goaccess/GeoLite2-City.mmdb:/srv/geoip/GeoLite2-City.mmdb
- traefik-letsencrypt:/letsencrypt:ro
labels:
- traefik.http.routers.goaccess.rule=Host(`stats.example.com`) # && PathPrefix(`/ws`)
- traefik.http.routers.goaccess.entrypoints=wss
- traefik.http.routers.goaccess.tls.certResolver=le
- traefik.http.routers.goaccess.middlewares=sslheader
- traefik.http.middlewares.sslheader.headers.customRequestHeaders.X-Forwarded-Proto=https
- traefik.http.services.goaccess-portal-compose.loadbalancer.server.port=7890
nginx:
image: nginx
container_name: nginx-goaccess
depends_on:
- goaccess
volumes:
- apache_reports:/usr/share/nginx/html
labels:
- traefik.http.routers.nginx.rule=Host(`stats.example.com`)
- traefik.http.routers.nginx.entrypoints=websecure
- traefik.http.routers.nginx.tls.certResolver=le
# just a tool to convert traefik's acme.json to .crt and .key files for goaccess --ssl-crt and --ssl-key
traefik-certs-dumper:
image: ldez/traefik-certs-dumper:v2.8.1
entrypoint: sh -c 'apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs'
volumes:
- traefik-letsencrypt:/data
traefik.yml:
log:
level: DEBUG
accessLog:
filePath: "/data/log/access.log"
api:
dashboard: true
entryPoints:
websecure:
address: ":443"
web:
address: ":80"
# redirect to https
http:
redirections:
entryPoint:
to: websecure
scheme: https
metrics:
address: :8082
wss:
address: :7890
metrics:
prometheus:
entryPoint: metrics
providers:
docker: {}
certificatesResolvers:
le:
acme:
tlschallenge: true
storage: /letsencrypt/acme.json
email: email@xyz.com
httpChallenge:
# used during the challenge
entryPoint: web
The websocket connection fails:
Firefox can’t establish a connection to the server at wss://stats.example.com:7890/.
Request Headers:
GET / undefined
Host: stats.example.com:7890
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://stats.example.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: VXLNqRn6fy+s7+8feykgLQ==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Also, the connection attempt is marked as insecure.
I suspect my traefik routing has redundant or contradicting settings, maybe conceptional errors (I'm new to all this, sorry!).
I would much appreciate any help you can offer!