MSSQL secure the connection

csaeum · February 19, 2022, 6:22pm

Hello, I run 1-2 MSSQL databases in Docker on a VServer.
These are not that important, but security should not be taken lightly.

These are currently running alongside Traefik, so I would like Traefik to secure this connection for me.

I read here in the forum that the attitude
"traefik.tcp.routers.mssql.tls=true" should be switched off. Because the client encrypts its data itself.

I still can't connect to the database
Here my files:

docker-compose.yml from Traefik:

version: "3.3"

volumes:
  letsencrypt-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/letsencrypt

services:
  traefik:
    image: "traefik:v2.6"
    container_name: ${COMPOSE_PROJECT_NAME}
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.mssql.address=:1433"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/${COMPOSE_PROJECT_NAME}.json"
    ports:
      - "80:80"
      - "443:443"
      - "1433:1433"
    volumes:
      - letsencrypt-data:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - "${PROXY_NETWORK}"
      - "default"
    labels:
      - traefik.enable=true
      # Routers
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=${HOSTRULE}
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=api@internal
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=myresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}_Auth
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_Auth.basicauth.removeheader=true
      # Passwort beachten - $ muss mit einen 2ten $ versehen werden
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_Auth.basicauth.users=      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

networks:
  traefik_proxy:
    external:
      name: ${PROXY_NETWORK}
  default:
    driver: bridge

docker-compose.yml from MSSQL

version: "3.7"

volumes:
  mssql-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/mssql/datenbank
  mssql-backup:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/mssql/backup

services:
  db:
    container_name: JTL-${COMPOSE_PROJECT_NAME}-2017
    image: mcr.microsoft.com/mssql/server:2017-GA-ubuntu
    user: root
    labels:
      - traefik.tcp.services.mssql.loadbalancer.server.port=${SQL_PORT}
      - traefik.tcp.routers.mssql.entrypoints=mssql
      - traefik.tcp.routers.mssql.rule=${HOST}
      - traefik.tcp.routers.mssql.service=mssql
    environment:
      ACCEPT_EULA: Y
      MSSQL_SA_PASSWORD: ${MSSQL_ROOT_PASSWORD}
      # "Developer" or "Express" or "Standard"
      MSSQL_PID: Developer
      MSSQL_LCID: 1031
      MSSQL_COLLATION: Latin1_General_CI_AS
      TZ: Europe/Berlin
      MSSQL_DATA_DIR: /var/opt/mssql/data
      MSSQL_LOG_DIR: /var/opt/mssql/log
#    ports:
#      - ${SQL_PORT}:1433
#      - ${SQL_PORT2}:1433
    volumes:
      - mssql-data:/var/opt/mssql
      - mssql-backup:/backup

  backup:
    container_name: JTL-${COMPOSE_PROJECT_NAME}-Backup
    image: bbtsoftwareag/mssql-backup
    # for using the cleanup feature, use the backup volume from db.
    volumes:
      - mssql-backup:/backup
    environment:
      TZ: Europe/Berlin
      DB_SERVER: db
      DB_USER: SA
      DB_PASSWORD: ${MSSQL_ROOT_PASSWORD}
      DB_NAMES: eazybusiness
      BACKUP_AGE: 2
      CRON_SCHEDULE: 00 06,12,18 * * *
    networks:
      - default

csaeum · September 9, 2023, 9:07am

Hello, I would like to revive this again after a good 1.5 years.

I have MSSQL running on its own. But now I want to have several running on port 1433 and have Traefik manage it.

So a request comes on mssql.xyz.example on port 1433 then Traefik should redirect it to the appropriate container.

That should generally be possible, right?

bluepuma77 · September 9, 2023, 5:26pm

Yes, maybe check simple Traefik TCP example.

But the wording is not "redirect", which will tell a http client to visit a different address, but Traefik is "forwarding" the connection.

Topic		Replies	Views
V2, TLS, Let's Encrypt and http --> https - SUCCESS! Traefik v2 (latest) docker	3	854	November 12, 2019
Traefik issues self signed certificates Traefik v2 (latest) docker , file	6	675	June 23, 2023
Tls: no cipher suite supported by both client and server Traefik v2 (latest) docker	8	951	May 10, 2023
Traefik v2.0: Help setting up TCP w/TLS for MySQL Traefik v2 (latest) docker , tcp	4	3331	August 12, 2021
Yet another TLS issue :D Traefik v2 (latest) docker	5	648	January 29, 2020

MSSQL secure the connection

Related Topics