jvanhambelgium
Forum Veteran
Topic Author
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Container "Traefik" (on RB5009)

Sun Apr 09, 2023 12:26 pm

Does anyone here have a practical working container like "Traefik" operational? (It can serve as a reverse proxy.)
I've imported it and I can start it, but the dashboard, for example, does not work. Also, what about its config file "traefik.yml"? I've shelled into the container but cannot find any config. Also, there seems to be zero logging...

https://hub.docker.com/_/traefik
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Container "Traefik" (on RB5009)

Sun Apr 09, 2023 2:24 pm

I couldn't get the Traefik container to work either. Therefore I decided to use nginx-proxy.
 
jvanhambelgium
Forum Veteran
Topic Author
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Container "Traefik" (on RB5009)

Sun Apr 09, 2023 8:06 pm

> I couldn't get the Traefik container to work either. Therefore I decided to use nginx-proxy.

Yes, but this requires a DB in the backend. I also have NPM running on a Synology NAS combined with MariaDB, where the config is stored for NPM?
 
jvanhambelgium
Forum Veteran
Topic Author
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Container "Traefik" (on RB5009)

Sun Apr 09, 2023 8:47 pm

> I couldn't get the Traefik container to work either. Therefore I decided to use nginx-proxy.

How did you install it?
I tried to launch it via the line below, but it gives an error.

add remote-image=jc21/nginx-proxy-manager:latest interface=veth4 root-dir=/usb3-part1/npm mounts=npm_data,npm_encrypt start-on-boot=yes logging=yes
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Container "Traefik" (on RB5009)

Sun Apr 09, 2023 11:41 pm

My container has been running on 7.8b3 since I started it 32 days ago. Perhaps an older build would run?
DB https://nginxproxymanager.com/setup/#us ... b-database
/container mounts
add dst=/data/ name=nginx-proxy-data src=/pcie1-part1/containers/mounts/nginx-proxy/data
add dst=/etc/letsencrypt/ name=nginx-proxy-ssl src=/pcie1-part1/containers/mounts/nginx-proxy/ssl
/container
add dns=172.17.0.1 envlist=nginx interface=Nginx mounts=nginx-proxy-data,nginx-proxy-ssl root-dir=pcie1-part1/containers/nginx start-on-boot=yes workdir=/app
/container config
set ram-high=512.0MiB registry-url=https://registry-1.docker.io tmpdir=pcie1-part1/containers/tmp
/container envs
add key=DISABLE_IPV6 name=nginx value=true

 
elbob2002
Member Candidate
Posts: 252
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: Container "Traefik" (on RB5009)

Mon Apr 10, 2023 11:21 am

I use Caddy for my reverse proxies - one running on a container on an RB5009:

One small config file and automatic SSL with Letsencrypt:

https://caddyserver.com/
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Container "Traefik" (on RB5009)

Thu Sep 21, 2023 4:17 am

I don't know if this helps anyone, but I got Traefik to work on an RB1100 (which is actually ARM32) using this image: https://hub.docker.com/_/traefik

Was able to get it set up to act as a CORS proxy for RouterOS (& similar to an NGINX I have, just Traefik seems "more modern" and flexible).

While Traefik comes up easily... the UI is only for status, not configuration... so to make it do anything... it needs some "static configuration" (in Traefik's terms) loaded.

That can be provided in a traefik.yaml file in /container/mount, or the "cmd", or via env vars. But to do anything useful it would be dozens of env vars or an "un-viewable-ly long line" as the cmd= in the /container config. The env var approach would be useful if you want to control its configuration inside RouterOS, without a PC or needing a mount at all (see https://doc.traefik.io/traefik/referenc ... ation/env/). You could also create a new image with traefik as base, just with traefik.yaml included in the new image. I explain the "mount approach" below.

To create the container for the config (adjust as needed):


:global rootdisk "raid1-part1"
/interface/veth/add name=veth-traefik address=172.18.18.18/24 gateway=172.18.18.1
/ip/address/add interface=veth-traefik address=172.18.18.1/24
# mount that maps the config directory to /etc/traefik inside the container
/container/mounts/add name=TRAEFIK_ETC src="$rootdisk/traefik-etc" dst=/etc/traefik
/container add root-dir="$rootdisk/traefik-root" remote-image=library/traefik:v2.10 logging=yes interface=veth-traefik mounts=TRAEFIK_ETC
# start once the image has finished downloading and extracting
/container start [find interface=veth-traefik]


Now to use it, it needs a configuration. Your config will vary depending on needs, but my example wants to forward everything it gets to the Mikrotik's web servers, adding ACME Let's Encrypt & CORS headers to read & redirecting HTTP to HTTPS.

This part is more up to the reader, since firewall rules vary a lot. But the following config forwards all incoming 80/443 requests to Traefik's web server, which then proxies to Mikrotik's webfig, REST, etc.


/ip firewall nat add comment="LAN port 8080 to traefik dashboard" action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=LAN to-addresses=172.18.18.18 to-ports=8080
/ip firewall nat add comment="all (except traefik) port 443 to traefik web proxy" action=dst-nat chain=dstnat dst-port=443 protocol=tcp src-address=!172.18.18.0/24 to-addresses=172.18.18.18 to-ports=443
/ip firewall nat add comment="all (except traefik) port 80 to traefik web proxy" action=dst-nat chain=dstnat dst-port=80 protocol=tcp src-address=!172.18.18.0/24 to-addresses=172.18.18.18 to-ports=80

Since NAT rules are picked up first, it's easy to direct the web traffic to Traefik. You may need to add or remove /ip/firewall/filter things too as needed/desired — above is just an example...


Finally, you need to load a configuration after editing it from your desktop/laptop. You might be able to use my traefik.yaml below as a base. The critical part is that it needs to be named "traefik.yaml" (and be valid config) and copied to the TRAEFIK_ETC mount directory. You can enable ROSE/SMB to mount or use FTP/SCP/etc. to copy it, but some valid config named "traefik.yaml" needs to end up in the mount that goes to /etc/traefik.

Here was my working config that proxies to RouterOS 80/443 using the container's gateway address (with /ip/services/http listening on 80/443 too):



log:
  level: debug
providers:
  file:
    directory: /etc/traefik
    watch: true
api:
  insecure: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  lets-encrypt:
    acme:
      email: REPLACE_WITH_VALID_EMAIL=me@example.com 
      storage: acme.json
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
serversTransport:
  insecureSkipVerify: true
http:
  routers:
    bigdude-redirect-http:
      rule: "Host(`REPLACE_ME_WITH_IP_CLOUD_NAME_OR_YOUR_OWN=snXXXXXXX.mynetname.net`)"
      service: routeros-web
      entryPoints:
        - web
      middlewares:
        - redirect-https
    bigdude-https:
      rule: "Host(`REPLACE_ME_WITH_SAME_AS_ABOVE`)"
      service: routeros-web
      entryPoints:
        - websecure
      middlewares:
        - cors-routeros
      tls:
        certResolver: "lets-encrypt"
  services:
    routeros-web:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: "http://172.18.18.1"
  middlewares:
    redirect-https:
      redirectScheme:
        scheme: https
        permanent: true 
    cors-routeros:
      headers:
        accessControlAllowCredentials: true
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - PATCH
          - DELETE
        accessControlAllowHeaders: "*"
        accessControlAllowOriginList:
          - https://localhost:3000
          - https://REPLACE_ME_WITH_SAME_AS_ABOVE=snXXXXXX.mynetname.net
        accessControlMaxAge: 100
        addVaryHeader: true

Please note the REPLACE things. The Traefik docs have more examples — above uses the "File (YAML)" configuration — as it's referred to in their docs here: https://doc.traefik.io/traefik/getting- ... /concepts/

Also, the LE certs only get checked/created at startup, so you need to stop/start it after loading a config. All other changes to the mounted traefik.yaml will happen live based on the "file provider"'s watch being true.

Anyway, I liked Traefik configuration more than NGINX. I cannot vouch for its performance/stability/etc — mainly an experiment right now. HAProxy still seems like a better choice for anything real, but this seems better suited to a Mikrotik-sized container.
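
Added example, not part of the post above and not code from the Traefik or MikroTik projects: a stdlib-only Python check for settings in a traefik.yaml like the one posted that deserve review before ports 80/443/8080 are forwarded to the container (api.insecure, insecureSkipVerify, leftover REPLACE placeholders, wildcard CORS headers combined with credentials). The `flatten` and `audit` helpers and the sample text are constructed for illustration; `flatten` handles nested mappings only, not full YAML.

```python
import re

# Constructed sample: an excerpt shaped like the traefik.yaml in the post above.
SAMPLE = """\
api:
  insecure: true
certificatesResolvers:
  lets-encrypt:
    acme:
      email: REPLACE_WITH_VALID_EMAIL=me@example.com
serversTransport:
  insecureSkipVerify: true
http:
  middlewares:
    cors-routeros:
      headers:
        accessControlAllowCredentials: true
        accessControlAllowHeaders: "*"
"""

def flatten(text):
    """Dotted key path -> scalar value, for block-style YAML made of nested
    mappings (list items and comment lines are skipped). Not a full parser."""
    stack, flat = [], {}
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([^\s#:-][^:]*):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling mappings
        stack.append((indent, key))
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat

def audit(text):
    """Return (key path, reason) pairs for settings to review before exposure."""
    cfg, out = flatten(text), []
    if cfg.get("api.insecure") == "true":
        out.append(("api.insecure", "dashboard/API is served without authentication"))
    if cfg.get("serversTransport.insecureSkipVerify") == "true":
        out.append(("serversTransport.insecureSkipVerify", "backend TLS certificates are not verified"))
    for path, value in cfg.items():
        parent = path.rsplit(".", 1)[0]
        if "REPLACE" in value:
            out.append((path, "placeholder value was not replaced"))
        elif (path.endswith(".accessControlAllowHeaders") and value == "*"
              and cfg.get(parent + ".accessControlAllowCredentials") == "true"):
            out.append((path, "'*' is not a wildcard on credentialed CORS requests; list headers"))
    return out

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

To check a real file, pass its contents to `audit()`, for example `audit(open("traefik.yaml").read())`.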
