I think I'm mixing up my Docker networking with the Traefik container configuration, which is causing this problem where my NAS still shows as untrusted when I navigate to its URL.
My Docker service is running on my Firewalla Gold, which is also my router and DHCP server. Its IP is 192.168.169.1/24 (Firewalla Gold: Multi-Gigabit Cyber Security Firewall & Router Protect | Firewalla).
(Firewalla) $ sudo docker network list
NETWORK ID NAME DRIVER SCOPE
d0caa1dff116 bridge bridge local
0a1ebbb11363 host host local
258e4dfaef53 none null local
7ce54a31f032 pi-hole_default bridge local
b4811b1e7816 proxy bridge local
5e7b53f332b8 unifi_default bridge local
`proxy` is the network defined for Traefik, using 172.18.0.1/16.
Portainer is using IP 172.18.0.3.
With this, I have successfully put Portainer behind it, obtaining a wildcard certificate from Cloudflare.
Also to note: I'm running a Pi-hole container at 172.16.0.2, with local DNS entries for traefik and portainer pointed at 172.18.0.2 (Traefik), and this is working fine.
Now when I add my NAS (located on my LAN at 192.168.169.161/24) to my rules, the dashboard shows it like this, but navigating to it is untrusted and the inspector still shows the Synology certificate.
I can ping my NAS from inside the Traefik container as well, so I think this tells me routing is fine.
$ sudo docker network inspect bridge
[
{
"Name": "bridge",
"Id": "d0caa1dff1163676e16da802955ee692f8323c58722fcf7263696bf2affb412d",
"Created": "2023-01-03T16:50:13.207842281-10:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
My Firewalla IP, 192.168.169.1, is the gateway for all the devices on my LAN.
Why I think this is happening: I'm supposed to be using the Docker host network, which would be 192.168.169.0/24, instead of `proxy` (which creates 172.18.0.3 automatically).
docker compose
# Traefik reverse proxy, attached to the pre-existing `proxy` bridge network.
version: '3'

services:
  traefik:
    # NOTE(review): `latest` is a floating tag; pin a release so a major
    # version change (and the option renames that come with it) cannot
    # arrive on the next pull without a config review.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    # Quoted so short port pairs are never read as sexagesimal integers.
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # `:ro` only applies to the socket file; the Docker API behind it is
      # still fully writable, so control of this container is control of
      # the host. A socket proxy limiting it to read-only endpoints
      # narrows that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/traefik/data/traefik.yml:/traefik.yml:ro
      # Holds the private keys of every issued certificate; keep it 0600.
      - /mnt/traefik/data/acme.json:/acme.json
      - /mnt/traefik/data/config.yml:/config.yml:ro
    environment:
      # Cloudflare DNS-01 credentials. Values set here are visible in
      # `docker inspect` and in this file; an env_file outside version
      # control or a secret store keeps the token off the compose file.
      - CF_API_EMAIL=****
      - CF_DNS_API_TOKEN=****
      # - CF_API_KEY=YOU_API_KEY
      # Use either the scoped DNS token or the global API key, not both.
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: its only job is the redirect below. Note that
      # traefik.yml already redirects the whole `http` entrypoint, so this
      # router and middleware are redundant with that, not harmful.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:****"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router for the dashboard, guarded by basic auth.
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard-internal.local.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      # NOTE(review): the SAN below is not under `main`; the dashboard
      # Host (and any other `*.local.mydomain.com` name) is only covered
      # by this wildcard if the SAN reads `*.local.mydomain.com`. Verify
      # against the real file — this may be a redaction artefact.
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
config.yml
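# Dynamic configuration (file provider). Routers here are served on the
# `https` entrypoint declared in traefik.yml.
http:
  routers:
    dsm:
      entryPoints:
        - "https"
      rule: "Host(`nas.local.mydomain.home`)"
      middlewares:
        - default-headers
      # `tls: {}` alone only switches TLS on: Traefik then serves whichever
      # stored certificate matches the SNI, or its self-signed default
      # certificate when none does — which a browser reports as untrusted.
      # Naming the resolver, as the dashboard router in the compose labels
      # already does, makes Traefik request a certificate for this Host.
      # DNS-01 can only succeed for a name inside a zone the Cloudflare
      # token can edit; `.home` is not a publicly delegated TLD, so the
      # Host must sit under the domain the dashboard wildcard covers.
      # If the browser shows the Synology certificate rather than Traefik's,
      # the request never reached Traefik at all: the client's DNS answer
      # for this name points at the NAS instead of the Traefik address.
      tls:
        certResolver: cloudflare
      service: dsm

  services:
    dsm:
      loadBalancer:
        servers:
          - url: "https://192.168.169.161:5001"
        # Forward the browser's Host header to DSM instead of the backend IP.
        passHostHeader: true

  middlewares:
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        # Preload is effectively permanent once submitted; keep only if
        # every subdomain will serve HTTPS from now on.
        stsPreload: true
        stsSeconds: 15552000
        # Overrides frameDeny above; the effective header is SAMEORIGIN.
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      # Private ranges only. 172.0.0.0/8 also admitted public address space;
      # RFC 1918 is 172.16.0.0/12. 10.0.0.0/24 is kept as written (only the
      # first /24 of 10/8) — widen deliberately if that was not intended.
      # `ipWhiteList` is the v2 name; newer releases call it `ipAllowList`,
      # which matters with a floating `latest` image tag.
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/24"
          - "192.168.0.0/16"
          - "172.16.0.0/12"

    # Defined but not attached to any router above: `dsm` currently accepts
    # requests from any source that can reach the entrypoint.
    secured:
      chain:
        middlewares:
          - default-whitelist
          - default-headers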
traefik.yml
# Static configuration. Routers and services live in /config.yml (file
# provider) and in container labels (docker provider).
api:
  dashboard: true
  # Also serves the /debug/ profiling endpoints through the api router.
  debug: true

entryPoints:
  http:
    address: ":80"
    # Every plain-HTTP request is redirected to the https entrypoint.
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

# Global: applies to every backend, not only the NAS, so Traefik accepts
# any certificate from any upstream. A named serversTransport in the dynamic
# config attached only to the `dsm` service — or a `rootCAs` entry holding
# the Synology certificate — limits that to the one backend that needs it.
serversTransport:
  insecureSkipVerify: true

log:
  # Verbose; drop to INFO once the routing problem is resolved.
  level: DEBUG
  filePath: /traefik.log

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with traefik.enable=true.
    exposedByDefault: false
  file:
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: myemail
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        # Uncomment if issuance stalls on Cloudflare: this skips waiting for
        # the TXT record to reach every authoritative name server.
        # disablePropagationCheck: true
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
Am I thinking correctly here, or way off on the config?