I have the following entrypoints:
      --entrypoints.web.address=:80
      --entrypoints.web_ssl.address=:443
      --entrypoints.wss_ssl.address=:8443
And my container setup like this:
  ha-deconz:
    image: marthoc/deconz:stable
    depends_on:
      - core-traefik-fa
    container_name: ha-deconz
    restart: unless-stopped
    environment:
      - TZ=Europe/Amsterdam
      - DECONZ_WEB_PORT=8080
      - DECONZ_WS_PORT=8443
      - DEBUG_INFO=0
      - DECONZ_UPNP=0
    networks:
      traefik:
    ports:
      - 5900:5900
      - 8080:8080
      - 8443:8443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ha-deconz-data:/root/.local/share/dresden-elektronik/deCONZ
      - ha-deconz-otau:/root/otau
    devices:
      - /dev/ttyACM0
    labels:
      # Enable traefik
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # Router: image-specific
      - "traefik.http.routers.ha-deconz-web.rule=Host(`host.at.domain.info`)"
      - "traefik.http.routers.ha-deconz-web.entrypoints=web_ssl"
      - "traefik.http.routers.ha-deconz-web.tls=true"
      - "traefik.http.routers.ha-deconz-web.tls.certresolver=leresolver"
      - "traefik.http.routers.ha-deconz-web.middlewares=sso,secureheaders"
      - "traefik.http.routers.ha-deconz-web.service=ha-deconz-web"
      - "traefik.http.services.ha-deconz-web.loadbalancer.server.port=8080"
      # Router: image-specific
      - "traefik.http.routers.ha-deconz-wss.rule=Host(`host.at.domain.info`)"
      - "traefik.http.routers.ha-deconz-wss.entrypoints=wss_ssl"
      - "traefik.http.routers.ha-deconz-wss.tls=true"
      - "traefik.http.routers.ha-deconz-wss.tls.certresolver=leresolver"
      - "traefik.http.routers.ha-deconz-wss.middlewares=secureheaders"
      - "traefik.http.routers.ha-deconz-wss.service=ha-deconz-wss"
      - "traefik.http.services.ha-deconz-wss.loadbalancer.server.port=8443"
I am able to connect to the main portal (entrypoint web_ssl), but the Google Chrome console shows errors for the connection to the custom websocket port (8443) like this:
websocket.js?e9ddc6:3 WebSocket connection to 'wss://host.at.domain.info:8443/' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
 
No errors pop up in the Traefik log, so I don't know what the problem might be. Who can help me in pinpointing and possibly solving the issue?

cakiwi | January 28, 2021, 2:14pm | #2

You appear to be publishing port 8443 on the ha-deconz service; you should remove that, as it will conflict with Traefik publishing that port.

@cakiwi so a solution would be (if Deconz internally hosts the webservices on 8443) to do it like this:
ports:
      - 5900:5900
      - 8080:8080
      - 8081:8443
and
# Router: image-specific
      - "traefik.http.routers.ha-deconz-wss.rule=Host(`host.at.domain.info`)"
      - "traefik.http.routers.ha-deconz-wss.entrypoints=wss_ssl"
      - "traefik.http.routers.ha-deconz-wss.tls=true"
      - "traefik.http.routers.ha-deconz-wss.tls.certresolver=leresolver"
      - "traefik.http.routers.ha-deconz-wss.middlewares=secureheaders"
      - "traefik.http.routers.ha-deconz-wss.service=ha-deconz-wss"
      - "traefik.http.services.ha-deconz-wss.loadbalancer.server.port=8081"
(so that Traefik knows to route the incoming 8443 to backend 8081 and Docker maps that 8081 to 8443 in the image again?)

cakiwi | January 30, 2021, 1:56pm | #4

Unless you are connecting directly to ha-deconz, there is no need at all to have ports exposed on that container.
Traefik and ha-deconz have to be on a common docker network so that is why there is no need to expose ports on ha-deconz.

Ok that makes sense; unfortunately I still get the error in the Chrome console:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
 
Any clue how I could debug that?
Update: seemed like Plex was broadcasting a certificate on that port somehow. After changing the port number to 8081 I now get this:
failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED

cakiwi | January 30, 2021, 6:15pm | #6

Hi @Webunity
Do you know if the ha-deconz-wss is configured for TLS? As configured, Traefik will terminate TLS and will use unencrypted traffic to the container.
If this is the case you can configure ha-deconz-wss for plaintext or you can set Traefik to use TLS on the backend: - "traefik.http.services.service01.loadbalancer.server.scheme=https"

@cakiwi the deconz container uses the protocol to determine the WS connection, so a normal WS connection works, but WSS fails. How can I configure an SSL request to be mapped to plain text?

e.g. if I connect directly on the IP it creates a WS:// connection, if I use it via Traefik it goes to wss://
How can I configure an SSL request to be mapped to plain text? @cakiwi can you shed some light?
Update: I found this article - Scaling Websockets in the Cloud (Part 2). Introducing Traefik: the all-in-one solution for Docker Stacks and Kubernetes clusters - DEV Community
Which discusses something about stickiness - is that applicable? I've asked the author to also help out in this thread.
This is my current configuration for Deconz; what is important to mention is that the website (https://deconz.at.domain.info/) is secured by SSO (Google Auth) but I don't want the websocket connection to be protected that way; hence I created a different, currently non-working router.
 deconz:
    image: marthoc/deconz:latest
    depends_on:
      - traefik
    container_name: deconz
    restart: unless-stopped
    environment:
      - TZ=Europe/Amsterdam
      - DECONZ_WEB_PORT=8080
      - DECONZ_WS_PORT=8443
    networks:
      traefik:
      lan:
        ipv4_address: 192.168.1.105
    ports:
      - 5900:5900
      - 8080:8080
      - 8443:8443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ha-deconz-data:/root/.local/share/dresden-elektronik/deCONZ
      - ha-deconz-otau:/root/otau
    devices:
      - /dev/ttyACM0
    labels:
      # Enable traefik
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # Router: image-specific
      - "traefik.http.routers.ha-deconz-web.rule=Host(`deconz.at.domain.info`)"
      - "traefik.http.routers.ha-deconz-web.entrypoints=web_ssl"
      - "traefik.http.routers.ha-deconz-web.tls=true"
      - "traefik.http.routers.ha-deconz-web.tls.certresolver=leresolver"
      - "traefik.http.routers.ha-deconz-web.middlewares=sso,secureheaders"
      - "traefik.http.routers.ha-deconz-web.service=ha-deconz-web"
      - "traefik.http.services.ha-deconz-web.loadbalancer.server.port=8080"
      # Router: image-specific
      - "traefik.http.routers.ha-deconz-wss.rule=Host(`deconz.at.domain.info`)"
      - "traefik.http.routers.ha-deconz-wss.entrypoints=wss_ssl"
      - "traefik.http.routers.ha-deconz-wss.tls=true"
      - "traefik.http.routers.ha-deconz-wss.tls.certresolver=leresolver"
      - "traefik.http.routers.ha-deconz-wss.middlewares=secureheaders,wss"
      - "traefik.http.routers.ha-deconz-wss.service=ha-deconz-wss"
      - "traefik.http.services.ha-deconz-wss.loadbalancer.server.port=8443"
Middleware wss in Traefik docker container:
      - "traefik.http.middlewares.wss.headers.customrequestheaders.X-Forwarded-Proto=https"
Middleware secureheaders in Traefik docker container:
      - "traefik.http.middlewares.secureheaders.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.secureheaders.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.secureheaders.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.secureheaders.headers.STSPreload=true"
      - "traefik.http.middlewares.secureheaders.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.secureheaders.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.secureheaders.headers.frameDeny=true"
      - "traefik.http.middlewares.secureheaders.headers.sslForceHost=true"
      - "traefik.http.middlewares.secureheaders.headers.sslRedirect=true"
      - "traefik.http.middlewares.secureheaders.headers.customResponseHeaders.X-Robots-Tag=none"
      - "traefik.http.middlewares.secureheaders.headers.customResponseHeaders.X-Script-Name=test"
      - "traefik.http.middlewares.secureheaders.headers.customFrameOptionsValue=SAMEORIGIN"
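
Added example (not part of the original thread, and not Traefik's or deCONZ's own code): a small Python check for the published-port advice given earlier in the thread, run against the deconz service as posted. It assumes Traefik publishes its entrypoint ports on the same Docker host and that port mappings use the host:container form; ENTRYPOINTS, SERVICE, parse_labels and audit are hypothetical names.

```python
import re

# Constructed input: the entrypoints and deconz service as posted in this thread.
ENTRYPOINTS = {"web": 80, "web_ssl": 443, "wss_ssl": 8443}
SERVICE = {
    "ports": ["5900:5900", "8080:8080", "8443:8443"],
    "labels": [
        "traefik.http.routers.ha-deconz-web.middlewares=sso,secureheaders",
        "traefik.http.routers.ha-deconz-web.service=ha-deconz-web",
        "traefik.http.services.ha-deconz-web.loadbalancer.server.port=8080",
        "traefik.http.routers.ha-deconz-wss.middlewares=secureheaders,wss",
        "traefik.http.routers.ha-deconz-wss.service=ha-deconz-wss",
        "traefik.http.services.ha-deconz-wss.loadbalancer.server.port=8443",
    ],
}
ROUTER = re.compile(r"traefik\.http\.routers\.([^.]+)\.(\w+)")
BACKEND = re.compile(r"traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.port")

def parse_labels(labels):
    """Return ({router: {option: value}}, {service: backend port})."""
    routers, backends = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        if m := ROUTER.fullmatch(key):
            routers.setdefault(m.group(1), {})[m.group(2)] = value
        elif m := BACKEND.fullmatch(key):
            backends[m.group(1)] = int(value)
    return routers, backends

def audit(service, entrypoints):
    """Flag published ports that clash with Traefik or sidestep its routers."""
    routers, backends = parse_labels(service["labels"])
    findings = []
    for mapping in service.get("ports", []):
        # Assumes "host:container" or "ip:host:container", no "/proto" suffix.
        host, container = (int(p) for p in mapping.split(":")[-2:])
        for name, port in entrypoints.items():
            if host == port:  # Traefik needs this host port for itself
                findings.append(("entrypoint-conflict", host, name))
        for router, opts in routers.items():
            if backends.get(opts.get("service")) == container:
                # Reachable on the host without this router's middlewares.
                findings.append(("bypasses-middlewares", host,
                                 f"{router}: {opts.get('middlewares', '')}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SERVICE, ENTRYPOINTS):
        print(finding)
```

Remapping to 8081:8443 clears the entrypoint conflict but still publishes the websocket backend outside Traefik, and 8080:8080 leaves the web UI reachable without the sso middleware; with those mappings removed, audit returns no findings.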