Hi All.
I am trying to set up Traefik to connect to a Windows RD server. Below is my setup.
In the same Docker network I have WireGuard, Pi-hole for the DNS and Traefik. All connections I set up in Traefik over HTTP work (meaning I can access them via the domain I have set up with Cloudflare).
The only issue is I am unable to connect to the RD server. From the host I can connect to the RD server (I did check); there are no logs in Traefik. I reviewed all the iptables rules and firewalls and (for testing) I allowed all connections, and still I am unable to connect.
Does anyone have any advice?
```yaml
tcp:
  routers:
    analogic-host:
      entryPoints:
        - "rdp"
      rule: "HostSNI(`rdp1.guest.example.com`)"
      middlewares:
        #- default-headers
        #- https-redirectscheme
        #- venn-whitelist
      tls:
        passthrough: true
      service: analogic-host
  #services:
  services:
    analogic-host:
      loadBalancer:
        servers:
          - address: "10.X.X.4:3389"
```
```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/traefik_logs/traefik.log"
api:
  dashboard: true
  debug: true
entryPoints:
  rdp:
    address: ":3389"
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: tech@vexample.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```
You use HostSNI() on the router, therefore Traefik needs a certificate to look into the TLS connection.
You have not assigned the certresolver to the entrypoint or router, so Traefik will generate a custom cert (which is probably not accepted by the client), except if you have declared your own certs in a dynamic config file.
The traffic is then forwarded encrypted (passthrough) to your RDP target service, which does not know the cert and cannot decrypt it without the custom Traefik cert.
You can remove all TLS-related params from the (dedicated RDP) entrypoint, router and service and just use HostSNI(`*`) for the rule; then the TCP traffic passes untouched through Traefik.
Restriction: that way you can't differentiate on HostSNI, so you can only use a single target service. Use a different entrypoint/port if you need more.
Also see the simple Traefik TCP example.
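The plain-TCP variant described in the reply above, written out as an added example (it is not the thread's own config.yml and not Traefik's documentation): the router keeps the `rdp` entrypoint from the static config, drops the `tls:` block entirely and matches on HostSNI(`*`), so Traefik relays the RDP stream byte-for-byte instead of waiting for a TLS ClientHello. The `vpn-only` middleware name and its `10.X.1.0/24` source range are assumptions (a Traefik v2 TCP ipWhiteList, meant to restrict the relay to VPN clients); the target address is the placeholder used in the thread. One caveat a reader should check against the posted compose file: it publishes only 80, 443 and 8080, so if clients reach Traefik through a published host port rather than the container's address on the wg-easy network, `3389:3389` also has to be added to `ports:`.

```yaml
# config.yml (dynamic configuration, file provider): added example, not the thread's own config.
# Plain TCP passthrough for RDP: no `tls:` block on the router, so Traefik never sniffs for a
# TLS ClientHello and never terminates or re-encrypts; the RDP stream is relayed unchanged.
tcp:
  routers:
    analogic-host:
      entryPoints:
        - "rdp"                     # the ":3389" entrypoint from the static traefik.yml
      rule: "HostSNI(`*`)"          # the only rule that matches non-TLS TCP; one target per entrypoint
      middlewares:
        - "vpn-only"                # optional: restrict who may reach the relay (assumed name)
      service: analogic-host

  # Optional hardening: accept connections on this entrypoint only from the VPN client subnet.
  # The source range is a placeholder; substitute the real wg-easy client subnet.
  middlewares:
    vpn-only:
      ipWhiteList:
        sourceRange:
          - "10.X.1.0/24"

  services:
    analogic-host:
      loadBalancer:
        servers:
          - address: "10.X.X.4:3389"   # the Windows RD host, placeholder as in the thread
```

With no `tls:` on the router the `cloudflare` certificate resolver plays no part on port 3389 at all; the only thing Traefik decides for this entrypoint is whether the source IP is allowed and which single backend gets the bytes.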
What is strange is there is nothing in my Log File showing errors:
```
time="2023-08-29T07:50:53Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:54Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:54Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:56Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:56Z" level=debug msg="Accepting IP 10.X.1.2" middlewareName=venn-whitelist@file middlewareType=IPWhiteLister
```
Below are all my configs. I did do a traceroute and it ends at Traefik. As mentioned, all firewall ports are open (for testing); UFW is disabled as well:
```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/traefik_logs/traefik.log"
api:
  dashboard: true
  debug: true
entryPoints:
  rdp:
    address: ":3389"
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: tech@example.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```
config.yml:
```yaml
tcp:
  routers:
    analogic-host:
      entryPoints:
        - "rdp"
      rule: "HostSNI(`rdp1.guest.example.com`)"
      middlewares:
        #- default-headers
        #- https-redirectscheme
        #- venn-whitelist
      tls:
        certResolver: cloudflare
      service: analogic-host
  #services:
  services:
    analogic-host:
      loadBalancer:
        servers:
          - address: "10.X.X.4:3389"
```
Docker Compose:
```yaml
traefik:
  image: traefik:v2.10.4
  container_name: traefik
  ports:
    - 80:80
    - 443:443
    # -- (Optional) Enable Dashboard, don't do in production
    - 8080:8080
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /home/vctech/Dockercompose/Traefik/data/traefik.yml:/traefik.yml:ro
    - /home/vctech/Dockercompose/Traefik/data/acme.json:/acme.json
    - /home/vctech/Dockercompose/Traefik/data/config.yml:/config.yml:ro
    - /home/vctech/Dockercompose/Traefik/log:/traefik_logs
    - /var/run/docker.sock:/var/run/docker.sock:ro
  # -- (Optional) When using Cloudflare as Cert Resolver
  environment:
    - CF_API_EMAIL=tech@example.com
    - CF_DNS_API_TOKEN=token
  # -- (Optional) When using a custom network
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik.entrypoints=http"
    - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.azure.example.com`)"
    - "traefik.http.middlewares.traefik-auth.basicauth.users=User:key"
    - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
    - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
    - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
    - "traefik.http.routers.traefik-secure.entrypoints=https"
    - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.azure.example.com`)"
    - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
    - "traefik.http.routers.traefik-secure.tls=true"
    - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
    - "traefik.http.routers.traefik-secure.tls.domains[0].main=azure.example.com"
    # labels are a map, so two `sans` labels on the same index collide and only one survives;
    # Traefik takes the SANs as one comma-separated list instead
    - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.azure.example.com,*.guest.example.com"
    - "traefik.http.routers.traefik-secure.service=api@internal"
  restart: unless-stopped
  dns:
    - 10.X.X.3
  networks:
    wg-easy:
      ipv4_address: 10.X.X.4
```
Format your code with 3 backticks in front and after, or select the code and press </>. In YAML every space matters. And it makes it so much more readable.
The current questions are: is your RDP client using TLS? Which cert does it expect? Which cert is Traefik using? Is your RDP target service using TLS? Which cert?
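To make the questions above concrete (is the client using TLS, and what does Traefik actually see at the start of the connection?), here is an added example in Python; it is not code from this thread and not part of Traefik. Per MS-RDPBCGR, an RDP client's first bytes are a TPKT/X.224 Connection Request sent in the clear; the RDP_NEG_REQ inside it lists the security protocols the client supports (PROTOCOL_RDP = legacy RDP security with no TLS, PROTOCOL_SSL = TLS, PROTOCOL_HYBRID = NLA over TLS), and TLS, if any, only starts after the server's Connection Confirm selects one. A TCP router with a TLS rule such as HostSNI(`name`) peeks for a TLS ClientHello and its SNI, which an RDP client never sends as its opening bytes. The function names and the sample packets are mine: the TLS record and the Connection Confirm are constructed inline, not captures.

```python
"""What an RDP client sends first, and why HostSNI(`name`) cannot match it.

Added example (not code from this thread or from Traefik). It builds and parses
the TPKT/X.224 Connection Request and Connection Confirm PDUs from MS-RDPBCGR
and classifies a connection's opening bytes the way a TLS-sniffing TCP proxy
does: only a TLS ClientHello carries an SNI to match on.
"""
import struct

TPKT_VERSION = 0x03
X224_CR = 0xE0            # Connection Request TPDU code (CDT = 0)
X224_CC = 0xD0            # Connection Confirm TPDU code
RDP_NEG_REQ = 0x01
RDP_NEG_RSP = 0x02
RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x0        # legacy "standard RDP security": no TLS at all
PROTOCOL_SSL = 0x1        # TLS
PROTOCOL_HYBRID = 0x2     # CredSSP/NLA, carried over TLS
PROTOCOL_HYBRID_EX = 0x8
TLS_HANDSHAKE = 0x16      # TLS record content type
TLS_CLIENT_HELLO = 0x01   # TLS handshake message type
COOKIE_PREFIX = b"Cookie: mstshash="

# Constructed samples (not captures): a truncated TLS ClientHello record and a
# server Connection Confirm whose RDP_NEG_RSP selects PROTOCOL_HYBRID.
TLS_CLIENT_HELLO_SAMPLE = bytes.fromhex("16030100a8010000a40303") + bytes(32)
RDP_CONNECTION_CONFIRM_SAMPLE = bytes.fromhex("030000130ed000001234000200080002000000")


def build_x224_connection_request(requested_protocols, cookie=None):
    """TPKT + X.224 CR + optional mstshash cookie + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1)."""
    body = bytes([X224_CR]) + b"\x00\x00" + b"\x00\x00" + b"\x00"   # CR, dst-ref, src-ref, class 0
    if cookie is not None:
        body += COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)  # type, flags, length, mask
    x224 = bytes([len(body)]) + body                    # LI = number of bytes after the length indicator
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_x224_connection_request(data):
    """Return the cookie and requestedProtocols mask from a client's first PDU."""
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION or length != len(data):
        raise ValueError("not a well-formed TPKT packet")
    li, code = data[4], data[5]
    if code != X224_CR or li != len(data) - 5:
        raise ValueError("not an X.224 Connection Request")
    var = data[11:]                                     # after code, dst-ref, src-ref, class option
    cookie = None
    if var.startswith(COOKIE_PREFIX):
        end = var.index(b"\r\n")
        cookie = var[len(COOKIE_PREFIX):end].decode("ascii")
        var = var[end + 2:]
    requested = None                                    # absent: client only knows legacy RDP security
    if len(var) >= 8 and var[0] == RDP_NEG_REQ:
        _, _, neg_len, requested = struct.unpack("<BBHI", var[:8])
        if neg_len != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    return {"cookie": cookie, "requested_protocols": requested}


def parse_x224_connection_confirm(data):
    """Return the protocol the server selected, or the failure code it returned."""
    if data[:1] != bytes([TPKT_VERSION]) or len(data) < 19 or data[5] != X224_CC:
        raise ValueError("not an X.224 Connection Confirm")
    kind, _, _, value = struct.unpack("<BBHI", data[11:19])
    if kind == RDP_NEG_RSP:
        return {"selected_protocol": value, "failure_code": None}
    if kind == RDP_NEG_FAILURE:
        return {"selected_protocol": None, "failure_code": value}
    raise ValueError("unknown negotiation response")


def classify_first_bytes(data):
    """Label a connection's opening bytes the way a TLS-sniffing proxy sees them."""
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[5] == TLS_CLIENT_HELLO:
        return "tls-client-hello"                   # HostSNI(`name`) can match this
    if len(data) >= 6 and data[0] == TPKT_VERSION and data[5] == X224_CR:
        return "rdp-x224-connection-request"        # plaintext, no SNI: only HostSNI(`*`) without tls
    return "unknown"


if __name__ == "__main__":
    mstsc_like = build_x224_connection_request(
        PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX, cookie="alice")
    print(mstsc_like.hex())
    print(classify_first_bytes(mstsc_like), parse_x224_connection_request(mstsc_like))
    print(classify_first_bytes(TLS_CLIENT_HELLO_SAMPLE))
    print(parse_x224_connection_confirm(RDP_CONNECTION_CONFIRM_SAMPLE))
```

Run stand-alone, the constructed RDP request classifies as a plaintext X.224 Connection Request while the TLS sample classifies as a ClientHello, and the Connection Confirm sample shows the server picking PROTOCOL_HYBRID, i.e. TLS that begins only after this clear-text exchange. The practical consequence for the thread: a TLS router on port 3389 is still waiting for a ClientHello when the client has already sent its X.224 request, and the only router that passes the first packet on is one with no `tls:` section, so the server's own security choice (legacy RDP, TLS or NLA) is negotiated end to end with the Windows host and never involves Traefik's certificate.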
Fixed, thanks. I forgot it's 3 ticks.
The RDP server is just a Windows server on Azure. The server itself does not use TLS. Just connect with username and password to the IP.
I am trying to use Pi-hole as the local DNS (after connecting on a VPN) to then use Traefik to connect to the server. I don't want users to directly connect from the VPN, thus the DNS and Traefik are used.