Running mash on dedicated IP
Closed this issue · 1 comment
I'm trying to run mash on a server with an apache2. The idea:
- have two IPs, IP1 (xx.xx.xx.105) and IP2 (xx.xx.xx.116), pointed at the server (works)
- restrict apache2 to IP1 (works and IP2-ports are not listened on)
- restrict traefik to IP2 - how?
I'm setting
devture_traefik_config_entrypoint_web_secure_address: "xx.xx.xx.116:443"
devture_traefik_config_entrypoint_web_address: "xx.xx.xx.116:80"
devture_traefik_container_web_secure_host_bind_port: "xx.xx.xx.116:443"
devture_traefik_container_web_host_bind_port: "xx.xx.xx.116:80"
but I get
journalctl output
Sep 24 11:48:07 mailer1 systemd[1]: Started Traefik (mash-traefik).
Sep 24 11:48:09 mailer1 mash-traefik[2477663]: 2024-09-24T09:48:09Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:101 > Traefik version 3.1.2 built on 2024-08-06T13:37:51Z version=3.1.2
Sep 24 11:48:09 mailer1 mash-traefik[2477663]: 2024-09-24T09:48:09Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:108 > Static configuration loaded [json] staticConfiguration={"accessLog":{"fields":{"defaultMode":"keep","headers":{"defaultMode":"drop"}},"filters":{},"format":"common"},"api":{},"certificatesResolvers":{"default":{"acme":{"caServer":"https://acme-v02.api.letsencrypt.org/directory","certificatesDuration":2160,"email":"it@example.org","httpChallenge":{"entryPoint":"web"},"keyType":"RSA4096","storage":"/ssl/acme.json"}}},"entryPoints":{"web":{"address":"xx.xx.xx.116:80","forwardedHeaders":{},"http":{"redirections":{"entryPoint":{"permanent":true,"priority":9223372036854775806,"scheme":"https","to":":443"}}},"http2":{"maxConcurrentStreams":250},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}},"web-secure":{"address":"xx.xx.xx.116:443","forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"http3":{"advertisedPort":443},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{},"log":{"format":"common","level":"DEBUG"},"providers":{"docker":{"defaultRule":"Host(`{{ normalize .Name }}`)","endpoint":"tcp://mash-container-socket-proxy:2375","network":"traefik","watch":true},"file":{"filename":"/config/provider.yml","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
Sep 24 11:48:09 mailer1 mash-traefik[2477663]: 2024-09-24T09:48:09Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:617 >
Sep 24 11:48:09 mailer1 mash-traefik[2477663]: 2024-09-24T09:48:09Z ERR github.com/traefik/traefik/v3/cmd/traefik/traefik.go:83 > Command error error="command traefik error: error while building entryPoint web: error preparing server: error opening listener: listen tcp xx.xx.xx.116:80: bind: cannot assign requested address"
Sep 24 11:48:11 mailer1 systemd[1]: mash-traefik.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 11:48:11 mailer1 systemd[1]: mash-traefik.service: Failed with result 'exit-code'.
Ports
I don't think it's a port-in-use problem. First, I don't have anything listening on that IP:PORT when checking with
netstat -tulpn | grep :80
tcp 0 0 xx.xx.xx.105:80 0.0.0.0:* LISTEN 1298766/apache2
tcp 0 0 127.0.0.1:8024 0.0.0.0:* LISTEN 2448096/python3
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN 2426594/python3
and also I get a very specific "port already in use" message when there is something running on that port (so traefik/docker can detect that and fail because of that, but if there is nothing running it fails with a generic error).
Why am I asking here?
I'm asking here because it works (with binding to that specific IP!) when
- using traefik without docker.
- using a simple whoami container with docker.
So it's neither just docker, nor traefik, but rather this specific configuration setup. I know it's a networking question, but maybe someone looks at this and goes "Duh, it's easy, you just need to change that_magic_var", so I'm asking here anyway.
Also I do not come empty-handed as I plan to contribute dokuwiki (already finished) and zulip in the coming weeks... 😇
Solution: I'm stupid and networking makes sense.
When leaving devture_traefik_config_entrypoint_web_secure_address and devture_traefik_config_entrypoint_web_address at the defaults (80 and 443), it works. This makes perfect sense since traefik cannot actually see the IPs, as they are behind the docker network, I guess.
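A self-check covering the two points this thread turns on, the "Ports" section (is anything else already listening on that IP:port, including a wildcard listener?) and the closing comment (a container cannot bind an IP that only exists on the host), written as an added example that is not from the issue, from Traefik or from the mash playbook. It assumes, going only by the variable names, that the devture_traefik_config_entrypoint_*_address values are what Traefik binds inside the container and the devture_traefik_container_*_host_bind_port values are the host side of Docker's port publish. The netstat lines are the ones quoted above (constructed sample input), and 192.0.2.1 is a documentation-range address standing in for an IP that is not configured locally; the bind test reproduces the errno behind "cannot assign requested address" (EADDRNOTAVAIL) and separates it from the "already in use" case (EADDRINUSE) the issue contrasts it with.

```python
import errno
import socket
from typing import Dict, List

# Constructed sample: the 'netstat -tulpn | grep :80' table quoted in the issue, with
# the redacted addresses kept exactly as the page shows them.
NETSTAT_SAMPLE = """\
tcp 0 0 xx.xx.xx.105:80 0.0.0.0:* LISTEN 1298766/apache2
tcp 0 0 127.0.0.1:8024 0.0.0.0:* LISTEN 2448096/python3
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN 2426594/python3
"""

# The four settings as posted in the issue (xx.xx.xx.116 is the page's own placeholder).
ISSUE_VARS = {
    "devture_traefik_config_entrypoint_web_secure_address": "xx.xx.xx.116:443",
    "devture_traefik_config_entrypoint_web_address": "xx.xx.xx.116:80",
    "devture_traefik_container_web_secure_host_bind_port": "xx.xx.xx.116:443",
    "devture_traefik_container_web_host_bind_port": "xx.xx.xx.116:80",
}

# Host parts that mean "every address": IPv4/IPv6 wildcards and the empty ':80' form.
WILDCARDS = {"0.0.0.0", "::", "*", ""}


def parse_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Turn 'netstat -tulpn' lines into records; only TCP LISTEN rows matter for a bind clash."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue
        ip, _, port = parts[3].rpartition(":")  # rpartition keeps an IPv6 ':::80' intact
        rows.append({"proto": parts[0], "ip": ip, "port": port, "process": parts[6]})
    return rows


def conflicting_listeners(netstat_output: str, ip: str, port: int) -> List[str]:
    """Processes whose listener clashes with a new bind to ip:port: same IP, or a
    wildcard (0.0.0.0 / ::) on that port. apache2 on xx.xx.xx.105:80 leaves .116:80 free."""
    return [r["process"] for r in parse_listeners(netstat_output)
            if r["port"] == str(port) and (r["ip"] == ip or r["ip"] in WILDCARDS)]


def classify_bind(ip: str, port: int) -> str:
    """Really bind a TCP socket in the current network namespace and name the outcome.
    EADDRNOTAVAIL is the errno behind 'bind: cannot assign requested address': the IP is
    not configured on any interface in this namespace, which is what a container sees for
    a host IP. EADDRINUSE is the separate 'already in use' case the issue contrasts it with."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "not-local"
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "permission"
        raise
    finally:
        sock.close()


def demo_in_use() -> str:
    """Hold an ephemeral loopback port with one socket, then bind it again: 'in-use'."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        return classify_bind("127.0.0.1", holder.getsockname()[1])
    finally:
        holder.close()


def check_traefik_bindings(settings: Dict[str, str]) -> List[str]:
    """Flag entrypoint addresses that carry a host IP. Assumption, taken from the variable
    names: *_entrypoint_*_address is bound inside the container, *_host_bind_port is the
    host side of Docker's port publish, so only the latter may name a host IP."""
    findings = []
    for name, value in settings.items():
        host, _, port = value.rpartition(":")
        if "_entrypoint_" in name and host not in WILDCARDS:
            findings.append(f"{name}={value!r}: use ':{port}' here and keep the host IP "
                            f"only in the matching *_host_bind_port setting")
    return findings


def corrected(settings: Dict[str, str]) -> Dict[str, str]:
    """Rewrite entrypoint addresses to the port-only form; host bind ports stay IP-specific."""
    return {name: (":" + value.rpartition(":")[2] if "_entrypoint_" in name else value)
            for name, value in settings.items()}


if __name__ == "__main__":
    print(conflicting_listeners(NETSTAT_SAMPLE, "xx.xx.xx.116", 80))  # []
    print(classify_bind("192.0.2.1", 0), demo_in_use())  # not-local in-use
    print(*check_traefik_bindings(ISSUE_VARS), corrected(ISSUE_VARS), sep="\n")
```

On a live host, feed the real `netstat -tulpn` output to conflicting_listeners before blaming a port clash; a 0.0.0.0:80 listener would collide with the dedicated IP even though nothing shows that exact IP:port. Running classify_bind on the host versus inside the Traefik container for the same IP makes the asymmetry from the closing comment visible: "ok" on the host, "not-local" in the container, which is why the entrypoint address stays ":80" and the host IP lives only in the publish mapping.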