How to use traefik for SSH
vishu06 opened this issue · comments
Hi,
How did you use traefik for SSH authentication? Can you provide some more details? Also, how did you install the SSH server to be able to use it with traefik?
Hello. I have been trying to do the same thing myself, and was happy to find your examples here. However, I was also unable to get things working. I am trying to use the Gogs git server instead of GitLab, but it should be the same in principle. No matter how I configure things between traefik, gogs, and docker-compose, my git pushes tell me that my connection to the SSH server is refused.
I just came here to answer this question because I used this as a reference to get SSH proxied through Traefik. The answer is that SSH cannot be routed by hostname, and basically that means the only way to do it is by setting the HostSNI rule to '*', so it would look like this:
# define hostname for the gitlab-ssh router
- traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)
# define the ssh entry point
- traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
# define service to use
- traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-svc
# define backend port to use, this is the port Gitlab ssh listens on
- traefik.tcp.services.gitlab-ssh-svc.loadbalancer.server.port=22
See this thread, post 7 for reference: https://community.traefik.io/t/routing-ssh-traffic-with-traefik-v2/717/7
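The reason the rule has to be HostSNI(`*`) is visible in the first bytes a client sends: Traefik's HostSNI matcher can only read a hostname out of the SNI extension of a TLS ClientHello, and an SSH client opens with its identification string ("SSH-2.0-...") instead, which carries no hostname at all. The following script is an added example (not code from this thread or from Traefik): a small ClientHello builder and an SNI sniffer, plus a `route()` function that mimics the matcher's decision. The ClientHello layout follows the TLS record format; the SSH banner and router tables are constructed sample input.

```python
"""Demonstrates why a TCP router for SSH needs HostSNI(`*`): only a TLS
ClientHello carries an SNI hostname, so an SSH banner can match nothing but
the wildcard. Added example; not the thread's or Traefik's code."""
import os
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with one SNI entry
    (hypothetical helper: just enough structure for the sniffer below)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ExtensionType server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def sniff_sni(first_bytes: bytes):
    """Return the SNI host name from a TLS ClientHello, or None when the bytes
    are not a ClientHello at all (an SSH identification string, for instance)."""
    try:
        if len(first_bytes) < 5 or first_bytes[0] != 0x16:
            return None                                   # not a TLS handshake record
        rec_len = struct.unpack("!H", first_bytes[3:5])[0]
        hs = first_bytes[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        pos = 4 + 2 + 32                                  # skip handshake header, version, random
        pos += 1 + hs[pos]                                # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                # compression_methods
        if pos + 2 > len(hs):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 0x0000:                        # server_name extension
                p = 2                                     # skip ServerNameList length
                while p + 3 <= len(data):
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if ntype == 0:
                        return data[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or garbage input


def route(first_bytes: bytes, routers: dict) -> str:
    """Mimic HostSNI matching on one entrypoint: `routers` maps a hostname
    (or "*") to a service name. A connection with no SNI can only ever reach
    the "*" router; with no such router it is refused."""
    sni = sniff_sni(first_bytes)
    if sni is not None and sni in routers:
        return routers[sni]
    return routers.get("*", "refused")


if __name__ == "__main__":
    ssh_banner = b"SSH-2.0-OpenSSH_8.4\r\n"            # constructed sample client greeting
    print(route(ssh_banner, {"gitlab-docker.example.com": "gitlab-ssh-service"}))  # refused
    print(route(ssh_banner, {"*": "gitlab-ssh-service"}))                          # gitlab-ssh-service
    print(sniff_sni(build_client_hello("gitlab-docker.example.com")))
```

The practical consequence is that a HostSNI(`*`) router claims every connection arriving on its entrypoint, so each plain-TCP backend such as SSH needs a dedicated entrypoint (and host port) rather than sharing one by hostname the way the HTTP routers do.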
@linucksrox If you have it working, can you post your full docker-compose files for traefik and gitlab? I am still having some issues getting this to work and I suspect I have a 2222 where I should have a 22.
@borgmanJeremy Sure, this is the stack I'm using for Gitlab. Keep in mind that in this case I'm referencing two entrypoints which need to be already defined in Traefik, websecure and ssh-gitlab. websecure uses port 443, and ssh-gitlab uses port 23 in my case (because the host already reserves port 22 for SSH access). So basically port 23 on the host is mapped to port 22 in the Gitlab container for SSH. The Copy URL function in Gitlab automatically includes the correct port.
version: "3.7"
services:
  gitlab:
    image: gitlab/gitlab-ce:13.10.0-ce.0
    networks:
      - traefik-public
      - gitlab-backend
    volumes:
      - ./data:/var/opt/gitlab
      - ./logs:/var/log/gitlab
      - ./config:/etc/gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        # HTTP router: routed by hostname, TLS terminated by Traefik
        - "traefik.http.routers.gitlab.rule=Host(`gitlab-docker.example.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.tls=true"
        - "traefik.http.routers.gitlab.service=gitlab-service"
        - "traefik.http.services.gitlab-service.loadbalancer.server.port=80"
        # TCP router for SSH: no SNI in SSH, so match every connection on the ssh-gitlab entrypoint
        - "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh-gitlab"
        - "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-service"
        # port the Gitlab container's sshd listens on
        - "traefik.tcp.services.gitlab-ssh-service.loadbalancer.server.port=22"
      update_config:
        order: start-first
      rollback_config:
        order: start-first
      restart_policy:
        condition: any
  gitlab-runner:
    image: gitlab/gitlab-runner:alpine
    networks:
      - gitlab-backend
    deploy:
      mode: replicated
      replicas: 4
      labels:
        - "traefik.enable=false"
configs:
  gitlab:
    file: ./gitlab.rb
networks:
  gitlab-backend:
    driver: overlay
    name: gitlab-backend
  traefik-public:
    external: true
    name: traefik-public
Here's a generalized version of my Traefik config for reference:
version: '3.7'
services:
  traefik:
    image: traefik:v2.4.8
    command:
      # Set up API Dashboard stuff
      - "--api=true"
      - "--api.dashboard=true"
      # Set up docker swarm configuration
      - "--providers.docker=true"
      # exposedbydefault=true: When false, deploy labels must include traefik.enable=true
      - "--providers.docker.exposedbydefault=true"
      - "--providers.docker.swarmmode=true"
      # Set up certificate configuration stuff
      - "--providers.file.filename=/etc/traefik/traefik_certificates.yml"
      - "--providers.file.watch=true"
      # Set up entry points
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # plain TCP entrypoint for Gitlab SSH; port 23 because port 22 belongs to the host's own sshd
      - "--entrypoints.ssh-gitlab.address=:23"
    networks:
      - traefik-public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./ssl:/etc/traefik/ssl:ro
      - ./traefik_certificates.yml:/etc/traefik/traefik_certificates.yml
    ports:
      - "80:80"
      - "443:443"
      - "23:23"
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        # Set up basicAuth on Traefik's dashboard
        - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.routers.api.middlewares=auth"
        # Generated with htpasswd - if there is a $ in the encrypted password, you MUST escape it with another $, hence why they are always doubled up
        # (the value below is a placeholder, not a real htpasswd entry)
        - "traefik.http.middlewares.auth.basicauth.users=traefikadmin:changeme!!!"
        # Set up catch all router + middleware to redirect http to https by default (any hostname on web entrypoint)
        - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.services.noop.loadbalancer.server.port=80"
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.role == manager
      update_config:
        order: start-first
      rollback_config:
        order: start-first
networks:
  traefik-public:
    driver: overlay
    name: traefik-public
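The mistakes people hit with this setup are all consistency problems between the three places the SSH path is declared: the service labels, the Traefik entrypoint flags, and the published ports. The script below is an added example (not code from this thread or from Traefik) that lints exactly those relationships: every TCP router's entrypoint must exist in the Traefik command and its port must be published; the router's service needs a loadbalancer.server.port label; a HostSNI(`*`) router must not enable TLS, because Traefik would then wait for a TLS handshake that an SSH client never sends; a router without an entrypoints label attaches to every entrypoint; and two HostSNI(`*`) routers cannot share one entrypoint, since the wildcard claims the whole port. It only understands the label and flag spellings used in the compose files above. The good sample input is the poster's own labels re-typed as Python lists; the broken variant is constructed.

```python
"""Lint Traefik TCP routing labels against the entrypoint flags and published
ports. Added example; not the thread's or Traefik's code. Covers only the
label/flag spellings used in this thread (docker provider, v2 syntax)."""
import re
from collections import defaultdict

ROUTER_RE = re.compile(r"^traefik\.tcp\.routers\.([^.]+)\.([\w.]+)=(.*)$")
SERVICE_RE = re.compile(r"^traefik\.tcp\.services\.([^.]+)\.loadbalancer\.server\.port=(\d+)$")
ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.]+)\.address=:(\d+)$")
WILDCARD = "HostSNI(`*`)"


def lint(labels, command, published_ports):
    """Return human-readable findings; an empty list means the TCP routers in
    `labels` are consistent with the Traefik `command` flags and `ports`."""
    routers = defaultdict(dict)
    service_ports = {}
    for label in labels:
        if m := ROUTER_RE.match(label):
            routers[m.group(1)][m.group(2)] = m.group(3)
        elif m := SERVICE_RE.match(label):
            service_ports[m.group(1)] = int(m.group(2))

    entrypoints = {}
    for arg in command:
        if m := ENTRYPOINT_RE.match(arg):
            entrypoints[m.group(1)] = int(m.group(2))
    # only the short "HOST:CONTAINER" form is understood here
    host_ports = {int(p.split(":")[0]) for p in published_ports}

    findings = []
    wildcard_users = defaultdict(list)          # entrypoint -> routers with HostSNI(`*`)
    for name, cfg in routers.items():
        is_wildcard = cfg.get("rule", "").replace(" ", "") == WILDCARD
        if "entrypoints" not in cfg:
            findings.append(f"router {name}: no entrypoints label, so it attaches to every entrypoint")
        for ep in cfg.get("entrypoints", "").split(","):
            ep = ep.strip()
            if not ep:
                continue
            if ep not in entrypoints:
                findings.append(f"router {name}: entrypoint '{ep}' is not defined in the Traefik command")
            elif entrypoints[ep] not in host_ports:
                findings.append(f"router {name}: entrypoint '{ep}' listens on :{entrypoints[ep]} "
                                f"but that port is not published on the host")
            if is_wildcard:
                wildcard_users[ep].append(name)
        svc = cfg.get("service")
        if svc not in service_ports:
            findings.append(f"router {name}: service '{svc}' has no loadbalancer.server.port label")
        if is_wildcard and any(k == "tls" or k.startswith("tls.") for k in cfg):
            findings.append(f"router {name}: HostSNI(`*`) with tls set expects a TLS handshake; "
                            f"a plain SSH client never sends one")
    for ep, names in wildcard_users.items():
        if len(names) > 1:
            findings.append(f"entrypoint '{ep}': {len(names)} HostSNI(`*`) routers "
                            f"({', '.join(names)}) compete for the same port")
    return findings


# The poster's SSH-related labels and Traefik flags, re-typed from the stacks above.
GITLAB_LABELS = [
    "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)",
    "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh-gitlab",
    "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-service",
    "traefik.tcp.services.gitlab-ssh-service.loadbalancer.server.port=22",
]
TRAEFIK_COMMAND = [
    "--providers.docker=true",
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--entrypoints.ssh-gitlab.address=:23",
]
TRAEFIK_PORTS = ["80:80", "443:443", "23:23"]

# Constructed broken variant: tls enabled on the SSH router, a second wildcard
# router (hypothetical gogs-ssh) sharing the entrypoint, an undefined
# entrypoint name, and a service with no port label.
BROKEN_LABELS = [
    "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)",
    "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh-gitlab",
    "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-service",
    "traefik.tcp.routers.gitlab-ssh.tls=true",
    "traefik.tcp.services.gitlab-ssh-service.loadbalancer.server.port=22",
    "traefik.tcp.routers.gogs-ssh.rule=HostSNI(`*`)",
    "traefik.tcp.routers.gogs-ssh.entrypoints=ssh-gitlab,ssh-gogs",
    "traefik.tcp.routers.gogs-ssh.service=gogs-ssh-service",
]

if __name__ == "__main__":
    for finding in lint(GITLAB_LABELS, TRAEFIK_COMMAND, TRAEFIK_PORTS) or ["ok"]:
        print(finding)
    for finding in lint(BROKEN_LABELS, TRAEFIK_COMMAND, TRAEFIK_PORTS):
        print(finding)
```

The one thing a label lint cannot tell you is whether the backend port is right for the container (22 versus 2222 is a property of the image's sshd, not of the labels); check that against the container's own configuration, then use the lint to make sure the entrypoint, host port and router all line up.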