Docker compose, bridge and host networking, and traefik puzzle
I am trying to create a setup using docker compose where I run
-
traefik
as non-root according to Traefik 2.0 — paranoid about mounting /var/run/docker.sock? | by containeroo | Medium (this works) - services via
traefik
based on ‘treafik router’
An example extract from my docker compose file is:
networks:
rna-docker-exposed:
external: true # means it is a fixed docker network created with "docker network create rna-docker-exposed"
name: rna-docker-exposed # docker create network rna-docker-exposed
rna-docker-nonexposed:
internal: true # means it gets created especially for this compose and is called <dirname>_rna-docker-nonexposed
driver: bridge
dockerproxy: # see https://github.com/Tecnativa/docker-socket-proxy
image: ghcr.io/tecnativa/docker-socket-proxy:0.1.1
restart: unless-stopped
mem_limit: 2G
cpus: 0.75
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro # never expose this container to the internet!
environment:
- CONTAINERS=1
- LOG_LEVEL=debug
networks:
- rna-docker-nonexposed # use only internal network
traefik:
container_name: rnaserver-traefik
restart: unless-stopped
read_only: true
mem_limit: 2G
cpus: 0.75
depends_on:
- dockerproxy
security_opt:
- no-new-privileges:true
image: traefik:v2.9.4
user: 115:120
ports:
- "80:10080" # high nr so we don't need to be root to bind
- "443:10443" # ditto
labels:
- "traefik.enable=true"
# Configure Traefik dashboard & api on secure entrypoint (":443"), for local LAN clients only
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.tls=true"
- "traefik.http.routers.traefik-dashboard.rule=Host(`foo.rna.nl`) && ClientIP(`192.168.2.1/24`) && (
PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.middlewares=simpleAuth@file,rnalanWhitelist@file" # double on IP whitelist, this and ClientIP ...
networks:
- rna-docker-exposed
- rna-docker-nonexposed
whoami:
image: traefik/whoami
container_name: rnaserver-whoami
restart: unless-stopped
user: 117:122
depends_on:
- traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=rna-docker-exposed"
- "traefik.http.routers.whoami.rule=Host(`foo.rna.nl`) && PathPrefix(`/whoami`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls=true"
networks:
- rna-docker-exposed
Now this works. But I also want to run a service that – when it gets a connection from the outside world — doesn’t think all traffic comes from docker, not from the local LAN. E.g. `traefik/whoami’ now reports:
Hostname: 058aef33472f
IP: 127.0.0.1
IP: 172.23.0.4
RemoteAddr: 172.23.0.2:33464
GET /whoami HTTP/1.1
Host: foo.rna.nl
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9
X-Forwarded-For: 192.168.2.86
X-Forwarded-Host: foo.rna.nl
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: c13bfbe1e443
X-Real-Ip: 192.168.2.86
But I want it to report: RemoteAddr: 192.168.2.86:something
Can I combine
-
traefik
not running as root, but used to route anyway (as now) - have a service that listens not on a bridge network, but on the host network?
My guess is not, because it would require traefik to be both network_mode: bridge
and network_mode: host
at the same time. But I might be missing something. Am I?
And suppose, I would like to change so that the/a whoami container reports RemoteAddr: 192.168.2.86:something
outside of traefik
. What options do I have? What about the TLS handling (that traefik now does for me)?