
Reverse Proxy #8

Open
arunoruto opened this issue May 28, 2023 · 13 comments

Comments

@arunoruto

arunoruto commented May 28, 2023

I am trying to run a derper container behind a traefik proxy. I am not sure what I am doing wrong, but my config seems to work until I turn on verification.
Here is my service:

services:
  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.your-hostname.com
      DERP_ADDR: :80
      DERP_STUN: 'true'
      DERP_STUN_PORT: 3478
      DERP_HTTP_PORT: 443
      DERP_VERIFY_CLIENTS: 'true'
    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.http.routers.derper.rule: Host(`derper.your-hostname.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.services.derper.loadbalancer.server.port: 80
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

Derper is giving me constant errors like:

...
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: read EOF
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: removing connection
...

where 172.19.0.19 is the docker IP address of traefik, my reverse proxy. The service is available at https://derper.your-hostname.com and I also get the webpage, but it seems like I am missing something.

Sometimes I also do get errors like this:

...
2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers
...
@mrrfv
Contributor

mrrfv commented Dec 10, 2023

2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers

This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.

I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

@arunoruto
Author

arunoruto commented Dec 10, 2023

@mrrfv thanks for the response!
Websockets are enabled out of the box for traefik as explained here and here.
What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with derper. But nothing seems to work.
Also, would HTTP to HTTPS redirecting be a problem?

@mrrfv
Contributor

mrrfv commented Dec 10, 2023

Also, would HTTP to HTTPS redirecting be a problem?

The Tailscale documentation says HTTPS should be optional (i.e. HTTP should still work) just in case you're using a network that blocks encrypted connections. Forcing HTTPS shouldn't cause that big of a problem though.

What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with derper. But nothing seems to work.

Mounting the Tailscale socket (as a volume) worked for me on the first try, so I don't really know how to help you in that regard. Using the same network or host networking doesn't work in my experience. Are you running Tailscale in a container, or bare-metal?

Also:

    environment:
      DERP_DOMAIN: derper.your-hostname.com

Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.

@arunoruto
Author

I don't know if something has changed since I last tackled the problem, but it seems like this compose file works for now:

  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.example.com
      DERP_ADDR: :80
      DERP_HTTP_PORT: -1
      DERP_VERIFY_CLIENTS: 'true'
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - default
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    labels:
      traefik.enable: 'true'
      # HTTPS
      traefik.http.routers.derper.rule: Host(`derper.example.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.routers.derper.service: derper
      traefik.http.services.derper.loadbalancer.server.port: 80
      # STUN
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

I am not sure if the devices tag was needed, but I made sure to include it too for the TUN device.

Also:

    environment:
      DERP_DOMAIN: derper.your-hostname.com

Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.
The key:value syntax also works for environments and labels. I like them more since the syntax highlighters pick them up more easily. The only downside is that you need to specify the true and false values in quotes, so they don't get mixed up with the yaml logical values.

I will test this setup for a few days and report if any problems arise. If not, I will close the issue then.

@londbell

londbell commented Feb 4, 2024

2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers

This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.

I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

Thank you!

@Cheesman97

Hi @arunoruto
Can you also paste your tailscaled docker-compose? I tried your config but I'm not able to access the tailscaled API.

@arunoruto
Author

Hi @arunoruto Can you also paste your tailscaled docker-compose? I tried your config but I'm not able to access the tailscaled API.

I am currently running tailscale on the host machine. Therefore, I am mounting the tailscale.sock file inside the container.
I just switched servers, and the configuration is working so far. But sometimes I got weird behavior. I will try it again with the new server and give feedback.

@wang1zhen

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?

I have tried several times, but there is always an error of 502 openresty.

@wodepig

wodepig commented May 19, 2024

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?

I have tried several times, but there is always an error of 502 openresty.

I had the same problem, but I solved it recently:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
            # your certificate folder; it should contain the derper.hostname.com.crt and derper.hostname.com.key files
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

Logs after startup:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

Reverse proxy and SSL configuration for the site added in the BaoTa (宝塔) panel:
proxy_pass http://127.0.0.1:3443;
[screenshot Snipaste_2024-05-19_12-28-58]
[screenshot Snipaste_2024-05-19_12-30-10]
[screenshot Snipaste_2024-05-19_12-30-30]

Access:
derper.hostname.com:3443 (the port must be included)

[screenshot Snipaste_2024-05-19_12-32-18]

If you get **Client sent an HTTP request to an HTTPS server.**, check your SSL configuration (both the nginx side and the docker side need to be checked)
and make sure you are accessing port 3443.
If accessing port 3443 still does not work, check the validity period of the SSL certificate.
PS: I don't know why the :3443 port has to be added.

@conancheng

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

I had the same problem, but I solved it recently:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
            # your certificate folder; it should contain the derper.hostname.com.crt and derper.hostname.com.key files
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

Logs after startup:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

Reverse proxy and SSL configuration for the site added in the BaoTa (宝塔) panel: proxy_pass http://127.0.0.1:3443; [screenshots Snipaste_2024-05-19_12-28-58, Snipaste_2024-05-19_12-30-10, Snipaste_2024-05-19_12-30-30]

Access: derper.hostname.com:3443 (the port must be included)

[screenshot Snipaste_2024-05-19_12-32-18]

If you get **Client sent an HTTP request to an HTTPS server.**, check your SSL configuration (both the nginx side and the docker side need to be checked) and make sure you are accessing port 3443. If accessing port 3443 still does not work, check the validity period of the SSL certificate. PS: I don't know why the :3443 port has to be added.

Hello, I deployed it following your method, but in Access Controls on the website I added

"derpMap": {
  "OmitDefaultRegions": true,
  "Regions": {
    "900": {
      "RegionID": 900,
      "RegionCode": "guangzhou",
      "RegionName": "TX guangzhou",
      "Nodes": [
        {
          "Name": "guangzhou-derp",
          "RegionID": 900,
          "DERPPort": 3443, // replace with your own PORT
          "HostName": "derper.XXX.com", // replace with your own domain
          "InsecureForTests": true,
        },
      ],
    },
  },
},

After writing it like this, the derp is found, but it can't be connected to.
[screenshot]

@cz19860416

@conancheng hi, I also cannot connect to the relay server. Anyone have any idea about it?

@caixiaomao

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

I had the same problem, but I solved it recently:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
            # your certificate folder; it should contain the derper.hostname.com.crt and derper.hostname.com.key files
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

Logs after startup:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

Reverse proxy and SSL configuration for the site added in the BaoTa (宝塔) panel: proxy_pass http://127.0.0.1:3443; [screenshots Snipaste_2024-05-19_12-28-58, Snipaste_2024-05-19_12-30-10, Snipaste_2024-05-19_12-30-30]
Access: derper.hostname.com:3443 (the port must be included)
[screenshot Snipaste_2024-05-19_12-32-18]
If you get **Client sent an HTTP request to an HTTPS server.**, check your SSL configuration (both the nginx side and the docker side need to be checked) and make sure you are accessing port 3443. If accessing port 3443 still does not work, check the validity period of the SSL certificate. PS: I don't know why the :3443 port has to be added.

Hello, I deployed it following your method, but in Access Controls on the website I added

"derpMap": {
  "OmitDefaultRegions": true,
  "Regions": {
    "900": {
      "RegionID": 900,
      "RegionCode": "guangzhou",
      "RegionName": "TX guangzhou",
      "Nodes": [
        {
          "Name": "guangzhou-derp",
          "RegionID": 900,
          "DERPPort": 3443, // replace with your own PORT
          "HostName": "derper.XXX.com", // replace with your own domain
          "InsecureForTests": true,
        },
      ],
    },
  },
},

After writing it like this, the derp is found, but it can't be connected to. [screenshot]

Same problem here. Did you solve it? I'm using Alibaba Cloud; does Alibaba Cloud have some restriction? @conancheng

@SenLief

SenLief commented Jan 15, 2025

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

I had the same problem, but I solved it recently:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
            # your certificate folder; it should contain the derper.hostname.com.crt and derper.hostname.com.key files
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

Logs after startup:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

Reverse proxy and SSL configuration for the site added in the BaoTa (宝塔) panel: proxy_pass http://127.0.0.1:3443; [screenshots Snipaste_2024-05-19_12-28-58, Snipaste_2024-05-19_12-30-10, Snipaste_2024-05-19_12-30-30]
Access: derper.hostname.com:3443 (the port must be included)
[screenshot Snipaste_2024-05-19_12-32-18]
If you get **Client sent an HTTP request to an HTTPS server.**, check your SSL configuration (both the nginx side and the docker side need to be checked) and make sure you are accessing port 3443. If accessing port 3443 still does not work, check the validity period of the SSL certificate. PS: I don't know why the :3443 port has to be added.

Hello, I deployed it following your method, but in Access Controls on the website I added

"derpMap": {
  "OmitDefaultRegions": true,
  "Regions": {
    "900": {
      "RegionID": 900,
      "RegionCode": "guangzhou",
      "RegionName": "TX guangzhou",
      "Nodes": [
        {
          "Name": "guangzhou-derp",
          "RegionID": 900,
          "DERPPort": 3443, // replace with your own PORT
          "HostName": "derper.XXX.com", // replace with your own domain
          "InsecureForTests": true,
        },
      ],
    },
  },
},

After writing it like this, the derp is found, but it can't be connected to. [screenshot]

Your UDP isn't open at all. Alibaba Cloud and Tencent Cloud both have their own network firewalls; you need to open the corresponding port and protocol in the web console.
