Installing Teleport + Traefik (Letsencrypt TLS certs)

  • Published 2 June 2024
  • In this video, I'll show you how to install Traefik and Teleport in a few easy steps! I'll walk you through setting up the Docker projects, creating a custom network, adding an API token, configuring the cert resolver, and more. Plus, I'll show you how to deploy a new app service config in Teleport!
    Teleport-*: goteleport.com/thedigitallife
    Related Videos/Links
    • NEW features in Telepo... - • Is this the BEST Rever... - • How I secure my Server...
    goteleport.com/docs/
    doc.traefik.io/traefik/
    ________________
    💜 Support me and become a Fan!
    → christianlempa.de/patreon
    💬 Join our Community!
    → christianlempa.de/discord
    ________________
    Read my Tech Documentation
    christianlempa.de/docs
    My Gear and Equipment-*
    christianlempa.de/kit
    ________________
    Timestamps:
    00:00 - Introduction
    00:41 - What’s Traefik and how to start?
    01:55 - Deploy Traefik
    05:49 - Configure Traefik
    10:49 - Deploy Teleport
    15:56 - Configure Teleport
    19:41 - Test App Deployment
    ________________
    All links marked with "*" are, or include, affiliate links.
    #Teleport #RemoteAccess #Homelab
  • Science & Technology

Comments • 76

  • @CTWilliams89
    @CTWilliams89 9 months ago +4

    Perfect timing! I got my harvester cluster up yesterday and wanted to try teleport for managing the k8s clusters!

  • @PaulBunkey
    @PaulBunkey 9 months ago +18

    Hey, Christian, at 20:50 you wonder why the service name doesn't allow numbers and dashes, but earlier, at about 13:15, you define a regex that only allows letters: subhost:[a-z]+
    Maybe it will help if you also allow dashes and numbers there: subhost:[a-z0-9-]+

    • @michaeloconnor7770
      @michaeloconnor7770 3 months ago +1

      I can confirm that is what you need to add. You can also set it to "subhost:[a-zA-Z0-9-]+" to allow lowercase, uppercase, numbers, and dashes. Your problem is Traefik thinking the server does not exist based on the name.
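
An added example of the router rule this thread is about, written for this page rather than taken from the video or its repository. It assumes Traefik v2 rule syntax (the `{subhost:...}` placeholder form used in the video), a Teleport proxy whose public address is `teleport.example.com`, a Teleport container reachable as `teleport:3080` on the shared Docker network, and a certificate resolver named `cloudflare`; all four names are assumptions. Teleport serves every app at `<app-name>.<proxy public_addr>`, and the app name is used as the DNS label, so the router has to match the bare proxy host plus every app subdomain, and the subhost pattern has to accept every character an app name can contain, which is why `[a-z]+` breaks for a name like `proxmox-01` while `[a-z0-9-]+` works:

```yaml
# Added example (not the video's config): Traefik v2 dynamic configuration
# (file provider) fronting a Teleport proxy. Assumed names:
#   teleport.example.com - Teleport proxy_service public_addr
#   teleport:3080        - Teleport web listener on the shared Docker network
#   cloudflare           - certificate resolver defined in the static config
http:
  routers:
    teleport:
      entryPoints:
        - websecure
      # Match the proxy itself AND every application subdomain Teleport serves.
      # [a-z]+ rejected app names containing digits or dashes (e.g. proxmox-01);
      # [a-z0-9-]+ accepts the characters a Teleport app name (a DNS label) can use.
      # Traefik v3 drops the {name:regex} placeholder form; there the rule would be
      # HostRegexp(`^[a-z0-9-]+\.teleport\.example\.com$`) (or enable v2 rule syntax).
      rule: "Host(`teleport.example.com`) || HostRegexp(`{subhost:[a-z0-9-]+}.teleport.example.com`)"
      service: teleport
      tls:
        certResolver: cloudflare
        # With a HostRegexp rule Traefik cannot infer which names to request from
        # ACME, so the wildcard must be declared explicitly here.
        domains:
          - main: "teleport.example.com"
            sans:
              - "*.teleport.example.com"
  services:
    teleport:
      loadBalancer:
        serversTransport: teleport-internal
        servers:
          # Teleport's web listener is TLS (self-signed unless you give it
          # certificates), so the upstream scheme is https, not http.
          - url: "https://teleport:3080"
  serversTransports:
    teleport-internal:
      # Skip verification ONLY on this internal Docker-network hop; the public
      # entrypoint still presents the ACME-issued certificate.
      insecureSkipVerify: true
```

Two caveats a practitioner should keep in mind: after changing the regex, check with an app name that contains a digit and a dash, since a name that is all letters passes both patterns and hides the bug; and terminating TLS at Traefik like this covers the Web UI and app access shown in the video, but Teleport's TLS-routing protocols (the `tsh` SSH, Kubernetes and database paths) need the Teleport proxy to see the client's TLS handshake, so those require a TCP passthrough router rather than this HTTP router.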

  • @joaomilhome9697
    @joaomilhome9697 1 month ago

    I had a problem validating my ACME, I had to change my VLAN, but after that it worked perfectly.
    Congratulations on the content.

    • @christianlempa
      @christianlempa 1 month ago

      Thanks! I'm always using the DNS challenge in ACME because I don't need to bother with incoming network traffic

  • @tobywhiting10
    @tobywhiting10 9 months ago +5

    how the hell do you do it! this is the third time now I have wanted to install something, given up, and then within 48 hours you post the exact video I need!

  • @michaelventarola7100
    @michaelventarola7100 9 months ago

    Great video. I learned a lot. Would it be possible to use Traefik as a reverse proxy also?
    What's your opinion on this?

  • @xiaomaitian
    @xiaomaitian 8 months ago

    For individual developers, is there a good way to experience the k8s cluster and be able to launch projects?

  • @wildflowers465
    @wildflowers465 7 months ago

    As always, great video Christian! I have an interesting use case: I want to secure an HTTP API using Teleport, which some developers will access using curl or Postman. I'm not necessarily asking for a video on this, but I wonder how the authentication would work if there is no browser involved. This seems like a very legit use case; I haven't really researched it yet, but was watching this, and it came to mind.
    EDIT: I wonder if I can authenticate in a browser and use the tokens from its local storage on the CLI with curl or in Postman

  • @Zeroxzed
    @Zeroxzed 9 months ago

    Great content. Thanks a lot.

  • @d3r-3ditor
    @d3r-3ditor 9 months ago

    Did i miss something? At the end you connect directly to teleport, but not through traefik right?

  • @aeliusrichardson
    @aeliusrichardson 9 months ago

    Awesome video as usual! But the issue with the name in the app_service of Teleport comes from the Traefik router configuration! Indeed, the regex in the host only matches a-z :)
    🎉

  • @killati
    @killati 9 months ago +2

    Thank you again for your hard work. One more question. How did you manage to get a valid certificate on the 2nd-level subdomain with Cloudflare? Did you use the Universal edge SSL certificate, or did you order an advanced plan? I use the Universal one, but my Traefik falls back to the Traefik default SSL certificate above the 1st-level subdomain (with an error). Thank you!

    • @christianlempa
      @christianlempa 9 months ago

      That’s not an issue with the certs, but with traefiks config I assume, let’s check on discord what’s the root cause

    • @dbishop9085
      @dbishop9085 9 months ago

      @christianlempa I also don't see a way around this, as the only way I can access the Teleport instance is locally. Cloudflare does not support a sub-sub-domain with a Universal cert. This basically makes Teleport useless.

    • @michelangelop3923
      @michelangelop3923 9 months ago

      @dbishop9085 Only if you proxy your traffic through Cloudflare for sub-sub-domains; Let's Encrypt can generate multiple certificates without an issue for as deep as you like.
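
An added example for this thread and for the DNS-challenge remark earlier in the comments; it is not the video's configuration. It shows a Traefik v2 static configuration that obtains `teleport.example.com` plus the wildcard `*.teleport.example.com` through the ACME DNS-01 challenge against Cloudflare DNS, which needs no inbound port 80/443 reachability and works for a Teleport instance that is only reachable locally. The resolver name `cloudflare`, the e-mail address, the paths and the domain are assumptions. The part that resolves the thread's certificate question is not in this file but in Cloudflare: the Universal SSL edge certificate covers `example.com` and `*.example.com` only, so a proxied (orange-cloud) record for `app.teleport.example.com` gets served with a certificate that does not match; with the `teleport` and `*.teleport` records set to DNS-only (grey cloud), Cloudflare is never in the TLS path and the Let's Encrypt wildcard obtained below is what clients see.

```yaml
# Added example (not the video's config): Traefik v2 static configuration
# (traefik.yml). Assumed: resolver name "cloudflare", the e-mail address, the
# acme.json path, and a Cloudflare API token in the CF_DNS_API_TOKEN environment
# variable of the Traefik container (scope: Zone > DNS > Edit, this zone only).
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    # Route only containers that opt in with traefik.enable=true.
    exposedByDefault: false
  file:
    # Dynamic configuration (routers, services, the tls.domains wildcard
    # declaration) lives here and is reloaded on change.
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com            # assumed
      # Persist this file (mode 0600, Traefik refuses more permissive modes);
      # re-issuing on every container restart counts against Let's Encrypt
      # rate limits, a cached certificate in acme.json does not.
      storage: /etc/traefik/acme.json
      # Uncomment while testing so failed attempts hit the staging CA and not
      # the production rate limits; delete acme.json when switching back.
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: cloudflare
        # Check propagation against public resolvers rather than the local
        # resolver, which may hold a cached negative answer for the new
        # _acme-challenge TXT record and stall the challenge.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
```

The API token is the sensitive piece here: scope it to DNS edit on the single zone and pass it as an environment variable or Docker secret, not as a label, since labels are readable by anything that can query the Docker API. A quick check after the first issuance is `openssl s_client -connect teleport.example.com:443 -servername anyapp.teleport.example.com` and confirming the returned certificate's SANs include `*.teleport.example.com`; if Traefik's default self-signed certificate comes back instead, the wildcard was not requested, which is usually the missing `tls.domains` declaration on the router.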

  • @Enrii90
    @Enrii90 7 months ago

    Ciao Christian!!
    How do I now use Uptime Kuma via Teleport via Docker? Do I also install Teleport in the Uptime Kuma Docker container?

  • @jkommisar
    @jkommisar 9 months ago +1

    Hi Christian, awesome videos. I will try tonight on my OCI Ampere VM. I will report on the output. Truly, I was in doubt about using a separate Standard.E2.1.Micro VM just for the teleport (like a gateway machine). Would you happen to have any opinion on that? Remembering we can have both on the free tier (the beefier Ampere and 2 micro VMs). Beautiful shirt by the way - " This is the way"

    • @the_wilson_smh
      @the_wilson_smh 9 months ago

      Let me know how it goes please! I've been having troubles using some other technologies on OCI...

    • @michelangelop3923
      @michelangelop3923 9 months ago

      @the_wilson_smh You may need to open the firewall both on the instance and on the network firewall directly in OCI; after that, the few services I have on OCI seem to work

  • @shinzoken1
    @shinzoken1 7 months ago

    Hmm, I'm wondering how I can set up the automatic certificate resolver with Strato DNS since it isn't supported by Traefik yet.
    Any idea? Because I can't really find a decent info page about this...
    Strato supports DynDNS; any idea how I can get that connected to Traefik?
    FYI, I'm pretty new to Traefik, but you could already tell, I assume

  • @killati
    @killati 9 months ago +2

    Great content (as always) :) Could you show how to configure traefik, when you want to add that container in 2 networks (DMZ, and backend), and open ports only for the DMZ network? Thank you for your work!

    • @christianlempa
      @christianlempa 9 months ago +8

      Thanks! Let me think about that, that would need some more time for preparation, but an interesting topic for sure. Maybe I would include this in a topic about DMZ networks in general and how to separate your home network with a firewall.

  • @skyflash2152
    @skyflash2152 9 months ago

    Hello, I followed the tutorial to try to secure my setup. Everything works except that I am unable to start a virtual machine or access the shell. It returns error 501

  • @Glatze603
    @Glatze603 9 months ago

    Unfortunately it doesn't work in combination with an existing internal Traefik and Authelia and the Teleport config shown here...

  • @DigiDoc101
    @DigiDoc101 9 months ago

    Great video! Thank you. How would you use Traefik to track docker applications on another docker server? Of course, within the same network/subnet.

    • @erikslevin
      @erikslevin 9 months ago

      I would also be interested to know if this is possible, but I think not.

    • @IntelBrow
      @IntelBrow 9 months ago +1

      For Traefik to be aware of container creation it needs to be connected to the Docker socket on that server. I've never tried this between two separate servers, but maybe through TCP. On server 1, you expose the socket via TCP (docker-socket-proxy?) and from server 2 you access this TCP port.
      BIG CONCERN: exposing the Docker socket can lead to a big security hole, especially over the Internet

    • @christianlempa
      @christianlempa 9 months ago +2

      I'd simply deploy Traefik on both servers. I'm running like 5 or 6 Traefik instances in my entire network :D

    • @DigiDoc101
      @DigiDoc101 9 months ago

      I would like to expose some of these services to the public internet. Do you create another Traefik as a forwarding proxy to the backend proxies?

  • @mayconbelfort5487
    @mayconbelfort5487 1 month ago

    Thanks for sharing, Christian. I'm creating my homelab, and it's helping a lot. One thing that I couldn't understand is how you're connecting through Teleport from outside your network. Do you have a fixed IP from your internet provider? I saw the other Teleport video you shared using the cloud solution, and it made sense as you are running an agent inside your local server. But how about this local Teleport? Can I access it from outside? How?
    Cheers mate!

    • @christianlempa
      @christianlempa 1 month ago

      You're welcome! You have to create a DNAT rule to your internal teleport server, if you want to use it from outside

  • @meroxdev
    @meroxdev 1 month ago

    Working as expected🎉.
    Q: Is it possible to hide the default login from the homepage and display only the GitHub login? If yes, how? Thanks!

  • @CrAazZyMaN21
    @CrAazZyMaN21 9 months ago +1

    Nice tutorial, could you make a video on the docker-socket-proxy from Tecnativa? It is a proxy for the Docker socket that limits access to certain permissions of the Docker API and would enhance security for the usage of Traefik and other containers which need direct access to the Docker socket.

    • @christianlempa
      @christianlempa 9 months ago +1

      Thank you! I'm not sure if I have time for it, as I have so many other projects on my list to look at like HAProxy and Caddy.
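
An added example for the two socket-related comments above (the "BIG CONCERN" about exposing the Docker socket and the request for a docker-socket-proxy walkthrough); it is not the video's compose file. It puts tecnativa/docker-socket-proxy between Traefik and `/var/run/docker.sock` so that Traefik gets a read-only, container-scoped view of the Docker API instead of the full socket, which is root-equivalent on the host. Network names, image tags and the list of entrypoints are assumptions; the Traefik Docker provider only needs to list and inspect containers and subscribe to events, so everything else stays denied.

```yaml
# Added example (not from the video): docker-compose.yml that replaces a
# direct /var/run/docker.sock mount in the Traefik container with a filtered
# TCP endpoint provided by tecnativa/docker-socket-proxy.
# Assumed: network names "socket-proxy" and "frontend", image tags.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest   # pin a digest in production
    restart: unless-stopped
    environment:
      # Allow-list of API sections. Traefik's docker provider reads
      # /containers/* (labels, networks, ports) and watches /events;
      # PING and VERSION are used for the initial connection check.
      CONTAINERS: 1
      EVENTS: 1
      PING: 1
      VERSION: 1
      # Everything below is denied (0 is also the default for these). POST: 0
      # makes the API read-only, so a compromised Traefik cannot create or
      # exec into containers, mount host paths, or pull images.
      POST: 0
      NETWORKS: 0
      SERVICES: 0
      TASKS: 0
      IMAGES: 0
      EXEC: 0
      VOLUMES: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy          # never published; reachable only by Traefik

  traefik:
    image: traefik:v2.11
    restart: unless-stopped
    command:
      - --providers.docker=true
      # Talk to the filtered proxy over the internal network, not the socket.
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    networks:
      - socket-proxy
      - frontend              # shared with Teleport and other routed containers
    # Note: no /var/run/docker.sock volume here.

networks:
  socket-proxy:
    internal: true            # no route to the outside world for this network
  frontend:
    external: true            # the custom network created for Traefik/Teleport
```

To verify the restriction, from inside the Traefik container `wget -qO- http://socket-proxy:2375/containers/json` should list containers while `wget -qO- http://socket-proxy:2375/images/json` and any POST (for example `wget --post-data='' http://socket-proxy:2375/containers/create`) should return 403. The remaining risk is that container labels and environment remain readable through `/containers/*/json`, which is why secrets such as the Cloudflare token should not be stored as labels on any container.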

  • @steveclackuk
    @steveclackuk 1 month ago

    With the Traefik and Teleport Docker networks (Frontend in this video), is it a good idea to have these containers separate from containers such as game servers? Is it also safe to say that any web containers like 'NGINX' would need to be a member of this 'Frontend' network in order for Traefik to be able to communicate, or could web servers also have their own Docker network?

  • @Dgenerated1
    @Dgenerated1 9 months ago

    Hello Christian, forgive me for going off topic, but you briefly showcased an open source mind mapping app in a past video that looks hand written (possibly), like a chalkboard, in one of your past videos, but I cannot find it because it was not the main topic of that video. I would be truly grateful if you would share the name with me please? - Dennis

  • @sambarrett3059
    @sambarrett3059 2 months ago

    I'm completely stuck at the user bit; I can't get the command to work and get errors when I try to use any of the docker exec commands.

  • @cainnzm
    @cainnzm 9 months ago

    We need an updated Traefik deployment/installation video :( cannot find any recent ones.

  • @b5nj1m9n
    @b5nj1m9n 6 months ago

    Hey there! I am getting this error:
    Access Denied
    Unable to serve application requests. Please try again. If the issue persists, verify if the Application Services are connected to Teleport.
    I followed every step you did and it doesn't work when I click on my proxmox....
    Any ideas?

    • @netleader1090
      @netleader1090 4 months ago

      I have exactly the same problem! @christianlempa can you help?

  • @otislammertyn7343
    @otislammertyn7343 4 months ago +1

    Can I use this with duckdns, because it's not working. Can't talk in the discord because I accidentally linked my phone number to another account, that I don't know the password or email for 😭

  • @edventscher8204
    @edventscher8204 8 months ago

    I just started to test Teleport and I thought it was a reverse proxy by itself, so why do I need an additional reverse proxy?

    • @edventscher8204
      @edventscher8204 8 months ago

      14:10 ahh, because you run all services and Teleport on the same Docker instance

  • @maxmustermann9858
    @maxmustermann9858 6 months ago

    Can someone maybe give me any advice on my plans? I want to deploy a cloud server with Traefik and Teleport; this server will also host other Docker apps. Now my plan is to use Teleport to make these other apps accessible. Is this the right use case? Sure, there are other ways, like Traefik as the reverse proxy and then Authelia etc. for authentication for the apps. This would work, but I don't want to use Authelia, Authentik etc. because these projects don't seem to be maintained anymore; also I would like to get some of the Teleport features. And in the future I can just add more cloud or even local servers to use Teleport.

  • @Themahaaveer
    @Themahaaveer 3 months ago

    If you have SSL certs stored in acme.json... will it still hit the rate limit on Let's Encrypt if you down and up the containers 50 times? I believe the limit is 50 per week

  • @aruznieto
    @aruznieto 13 days ago

    I would like to know how can you create this type of domains in your local network. Do you use a custom DNS server?

    • @christianlempa
      @christianlempa 13 days ago

      Yes, I've made a video about it

    • @aruznieto
      @aruznieto 13 days ago

      @christianlempa I just found it, thank you! I understand that you are running bind9 + Terraform in an Ubuntu VM with Docker (inside Proxmox), right?

    • @christianlempa
      @christianlempa 13 days ago

      @aruznieto yes, that's right

    • @aruznieto
      @aruznieto 12 days ago

      @christianlempa I have an issue. I am following your video, but when I do docker compose up, the container shows me this error:
      zone ***/IN: NS 'ns.***' has no address records (A or AAAA)

  • @shawn3817
    @shawn3817 9 months ago

    where is the link to the config?

  • @aruznieto
    @aruznieto 9 days ago

    I can't see this application page...

  • @StefanB-xl4xw
    @StefanB-xl4xw 3 days ago

    Hello, Christian, first of all thank you for your great videos. Trying it out for myself is really fun. But somehow I don't understand something here.
    The plan is to make my Portainer UI and the Traefik Dashboard only accessible via Teleport.
    In other words, the labels for Traefik are not set here, because otherwise it would also be publicly accessible. But with a pure teleport access, I fail. So here I am still missing a little, maybe someone can give me a hint where the thinking mistake is.

    • @christianlempa
      @christianlempa 3 days ago

      Maybe join our discord, share your config and the community can help you out :)

  • @bangertech
    @bangertech 9 months ago +1

    Doesn't work with Traefik in my case... 😞

  • @Glatze603
    @Glatze603 9 months ago

    Does not run on a separate test Docker host either! Does anybody get this content running?!?

    • @christianlempa
      @christianlempa 9 months ago

      Join our Discord and share your setup with your findings, we'll have a look and help you :)

  • @aghnos9
    @aghnos9 9 months ago

    I'm not completely sure, but I think you can avoid the non existent volume by defining it as a top level first

  • @reekay394
    @reekay394 9 months ago

    Hey, I know this is not really relevant but I need help getting to the right help. So my goal is to create a website, create a web app, that uses AI to rescale images. But obviously, I need to learn. But I don't even know where to start. I have run web app programs from Docker. That's about as far as I have got. If anyone has any advice I would greatly appreciate it. Thank you!

    • @Glatze603
      @Glatze603 9 months ago

      What does that have to do with this topic?!?

    • @reekay394
      @reekay394 9 months ago

      @Glatze603 It's relevant to the channel. What's your problem?

    • @justfasial01
      @justfasial01 9 months ago +1

      Start by creating the said web app first, hosting a web app is the easy part lol

    • @reekay394
      @reekay394 9 months ago

      @justfasial01 Thanks, I just don't know where to start in finding the correct model. I see all these new AI scaling tools but can't figure out what they started off with. Or am I just confusing myself? When I look it up I see I am 3 days into learning. I only found Docker yesterday. I appreciate the reply.

  • @dbishop9085
    @dbishop9085 9 months ago +2

    Unless I am missing something, this is a local-only solution, which is pretty much useless. Even if you expose Traefik, Cloudflare won't resolve beyond one subdomain with the free account. Good tutorial, zero usability.

    • @netleader1090
      @netleader1090 4 months ago +1

      You need the advanced certificates from CF....