Description
Forgive me for asking a question regarding traefik; from the docs I see that it isn't used by the maintainer and is therefore only supported by other users, somehow.
I read and followed this example:
but so far I can't get the stack fully working.
What I don't understand yet: headscale-ui brings its own reverse proxy (Caddy), right? The traefik labels in the mentioned compose file don't enable TLS within traefik, so traefik seems to only provide HTTP to the external world (?).
If I run it this way I don't get valid TLS for the two services.
Do I have to add something like the following?

```yaml
# headscale
- traefik.http.routers.headscale-rtr.tls=true
- traefik.http.routers.headscale-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-rtr.entrypoints=websecure
# ui
- traefik.http.routers.headscale-ui-rtr.tls=true
- traefik.http.routers.headscale-ui-rtr.tls.certresolver=http_resolver
- traefik.http.routers.headscale-ui-rtr.entrypoints=websecure
```
This pulls a TLS cert and I was able to access the headscale UI. But when I entered https://headscale.my.tld into the settings, I got "client sent an HTTP request to an HTTPS server" in the logs of the headscale container.
Here is my current compose config:
```yaml
name: headscale
services:
  headscale:
    command:
      - serve
    container_name: headscale
    image: headscale/headscale:0.23
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/`)
      traefik.http.services.headscale-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
    volumes:
      - type: bind
        source: /opt/dockerfiles/headscale/config
        target: /etc/headscale
        bind:
          create_host_path: true
      - type: bind
        source: /opt/dockerfiles/headscale/data
        target: /var/lib/headscale
        bind:
          create_host_path: true
  headscale-ui:
    container_name: headscale-ui
    image: ghcr.io/gurucomputing/headscale-ui:latest
    labels:
      traefik.enable: "true"
      traefik.http.routers.headscale-ui-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/web`)
      traefik.http.services.headscale-ui-svc.loadbalancer.server.port: "8080"
    networks:
      proxy: null
    restart: unless-stopped
networks:
  proxy:
    name: proxy
    external: true
```
The container for the UI gives me some warnings:
```text
headscale-ui | Starting Caddy
headscale-ui | {"level":"info","ts":1735298138.2229273,"msg":"using provided configuration","config_file":"/data/Caddyfile","config_adapter":"caddyfile"}
headscale-ui | {"level":"info","ts":1735298138.2524948,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
headscale-ui | {"level":"warn","ts":1735298138.254572,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":8080}
headscale-ui | {"level":"info","ts":1735298138.254701,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":8443}
headscale-ui | {"level":"warn","ts":1735298138.2547393,"logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
headscale-ui | {"level":"info","ts":1735298138.256623,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00045a180"}
headscale-ui | {"level":"warn","ts":1735298138.2568386,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
headscale-ui | {"level":"info","ts":1735298138.2571683,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
headscale-ui | {"level":"info","ts":1735298138.2572722,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
headscale-ui | {"level":"info","ts":1735298138.2581189,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
headscale-ui | {"level":"info","ts":1735298138.2583807,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
headscale-ui | {"level":"info","ts":1735298138.2584145,"logger":"pki.ca.local","msg":"root certificate trust store installation disabled; unconfigured clients may show warnings","path":"storage:pki/authorities/local/root.crt"}
headscale-ui | {"level":"info","ts":1735298138.2615268,"msg":"autosaved config (load with --resume flag)","file":"/home/appuser/.config/caddy/autosave.json"}
headscale-ui | {"level":"info","ts":1735298138.2616618,"msg":"serving initial configuration"}
headscale-ui | {"level":"warn","ts":1735298138.2848473,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/home/appuser/.local/share/caddy","instance":"b356a1f1-d293-456b-a93e-5a745734c4d0","try_again":1735384538.284842,"try_again_in":86399.999998888}
headscale-ui | {"level":"info","ts":1735298138.285147,"logger":"tls","msg":"finished cleaning storage units"}
headscale | 2024-12-27T11:15:38Z WRN An updated version of Headscale has been found (0.24.0-beta.2 vs. your current v0.23.0). Check it out https://github.com/juanfont/headscale/releases
headscale |
headscale | 2024-12-27T11:15:38Z WRN
headscale | WARN: The "dns.use_username_in_magic_dns" configuration key is deprecated and has been removed. Please see the changelog for more details.
headscale |
headscale | 2024-12-27T11:15:38Z INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
headscale | 2024-12-27T11:15:38Z WRN Listening without TLS but ServerURL does not start with http://
headscale | 2024-12-27T11:15:38Z INF listening and serving HTTP on: 127.0.0.1:8080
headscale | 2024-12-27T11:15:38Z INF listening and serving debug and metrics on: 127.0.0.1:9090
headscale | 2024-12-27T11:15:38Z INF Setting up a DERPMap update worker frequency=86400000
```
As far as I understand and have read, there is no specific config file for the UI container, right?

Thanks for any pointers here!
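An added example, not part of the post above and not headscale's or headscale-ui's own documentation, of how the traefik side of this stack can be wired so that TLS terminates in traefik rather than in either container. The hostname `headscale.my.tld`, the entrypoint `websecure` and the certresolver `http_resolver` are taken from the labels in the post; the `web` entrypoint used for the HTTP-to-HTTPS redirect, the `to-https` middleware name and the router/service names are assumptions. Traefik is pointed at the plain-HTTP port 8080 of both containers, so the Caddy TLS listener on 8443 inside headscale-ui (the one that logged the on-demand TLS "VULNERABLE TO ABUSE" warning) is never reachable from outside.

```yaml
# docker-compose.yml (added example, edge TLS terminated by traefik)
name: headscale
services:
  headscale:
    image: headscale/headscale:0.23
    command: ["serve"]
    container_name: headscale
    restart: unless-stopped
    networks: [proxy]
    volumes:
      - /opt/dockerfiles/headscale/config:/etc/headscale
      - /opt/dockerfiles/headscale/data:/var/lib/headscale
    labels:
      traefik.enable: "true"
      # Plain HTTP: only redirect to HTTPS (assumes a traefik entrypoint named "web" on :80)
      traefik.http.routers.headscale-http.rule: Host(`headscale.my.tld`)
      traefik.http.routers.headscale-http.entrypoints: web
      traefik.http.routers.headscale-http.middlewares: to-https
      traefik.http.middlewares.to-https.redirectscheme.scheme: https
      traefik.http.middlewares.to-https.redirectscheme.permanent: "true"
      # HTTPS: TLS terminates in traefik, certificate from the ACME resolver named in the post
      traefik.http.routers.headscale-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/`)
      traefik.http.routers.headscale-rtr.entrypoints: websecure
      traefik.http.routers.headscale-rtr.tls: "true"
      traefik.http.routers.headscale-rtr.tls.certresolver: http_resolver
      traefik.http.routers.headscale-rtr.service: headscale-svc
      # Backend is plain HTTP on the container's port 8080 (headscale listen_addr, see note below)
      traefik.http.services.headscale-svc.loadbalancer.server.port: "8080"

  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    restart: unless-stopped
    networks: [proxy]
    labels:
      traefik.enable: "true"
      # Longer PathPrefix wins over the headscale router for /web on the same host
      traefik.http.routers.headscale-ui-rtr.rule: Host(`headscale.my.tld`) && PathPrefix(`/web`)
      traefik.http.routers.headscale-ui-rtr.entrypoints: websecure
      traefik.http.routers.headscale-ui-rtr.tls: "true"
      traefik.http.routers.headscale-ui-rtr.tls.certresolver: http_resolver
      traefik.http.routers.headscale-ui-rtr.service: headscale-ui-svc
      # Caddy inside the image serves plain HTTP on 8080; its 8443 TLS listener stays unpublished
      traefik.http.services.headscale-ui-svc.loadbalancer.server.port: "8080"

networks:
  proxy:
    name: proxy
    external: true
```

Two points on the headscale side, both visible in the log output in the post: headscale reports "listening and serving HTTP on: 127.0.0.1:8080", and a loopback bind inside a container is not reachable from other containers on the `proxy` network, so `listen_addr` in `/etc/headscale/config.yaml` has to be `0.0.0.0:8080` for traefik to connect to the port named in the label. With TLS terminated in traefik, `tls_cert_path` and `tls_key_path` stay empty and `server_url` stays `https://headscale.my.tld`; the "Listening without TLS but ServerURL does not start with http://" line is then the expected warning for this layout, since clients reach headscale over HTTPS via traefik while the hop from traefik to the container is plain HTTP inside the Docker network.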