toniebox-reverse-engineering/teddycloud

Teddycloud With a Fully Qualified Domain and Behind a Reverse Proxy

Orthopoxvirus opened this issue · 2 comments

Hi

I got the cloud and box working with a Raspberry Pi in the local network. But this has downsides:

  • The Pi is slow (and in my case unreliable, I guess it goes to sleep)
  • The cloud is not accessible from other networks

Therefore I started a quest to try to make the cloud work behind a reverse proxy and with a fully qualified domain name.

My setup

NAS

Local DNS

There is

  • a zone for my domain to the NAS
  • an A record which points to the traefik server's IP
  • a CNAME for the teddycloud which points to the traefik's domain

Dyn DNS

For outside access there is a dynDNS pointing my domain at my public IP. IPv6 is deactivated. No other records.

Docker

I run every service as a docker container or stack on the NAS. I use Portainer for convenience, but that should not interfere with anything else.

Macvlan

I set up a Macvlan network so the Traefik server gets its own IP in the network (see section Router).

Traefik

Traefik is configured to NOT redirect HTTP to HTTPS. It uses Docker as its configuration source and lives in the same proxy network as the teddycloud.

Teddy Cloud (custom domain redacted)

  • Default but
    • the custom domain
    • increased log level to 4
    • increased settings level to 2
  • Webinterface HTTP only is ticked (after flashing)

Here are the Traefik labels. They might be interesting for others too, since they work as intended (see results).

    labels:
      - traefik.enable=true
      - traefik.http.routers.teddycloud-1-http.entrypoints=web
      - traefik.http.routers.teddycloud-1-http.rule=Host(`teddycloud.mydomain.xyz`)
      - traefik.tcp.routers.teddycloud-1-tcp.entrypoints=websecure
      - traefik.tcp.routers.teddycloud-1-tcp.rule=HostSNI(`teddycloud.mydomain.xyz`)
      - traefik.tcp.routers.teddycloud-1-tcp.tls.passthrough=true
      - traefik.tcp.routers.teddycloud-1-tcp.service=teddycloud-1-https-service
      - traefik.tcp.services.teddycloud-1-https-service.loadbalancer.server.port=443

Router

  • Ports 80 and 443 are forwarded to traefik
  • the NAS IP is set as local DNS

Results so far

Everything seems to work as intended, but the box cannot connect, even after waiting a day because of DNS reasons.

The intention is:

  • Box checks DNS for my domain
  • Local or dynDNS tells it to contact the Traefik server or my public IP (which forwards to the Traefik server)
  • Traefik is the reverse proxy and forwards to the teddycloud (including TLS forwarding)

More results:

  • Teddycloud is accessible via HTTP and HTTPS (with an unsafe-certificate warning) from the local network and the internet
  • In Traefik's log every request is logged. HTTP(S) connections by a browser can be observed. There were no requests by the box. Not even when refreshing (3 s on one ear)
  • The box seems to ignore the local DNS, which does not matter
  • The https connection shows the teddycloud cert

Help wanted

I guess many newbie hackers like myself want this to work. It would be cool if we could get it to work and compose a guide for everyone else.

The setup seems to work (checking with a browser), but the box cannot connect. Any help or hints as to what I am missing are highly appreciated. If anyone from RevvoX needs some more private details, I will provide them via Telegram.

Thanks for reading!

I would suggest that you post this in our forums https://forum.revvox.de/ as this is not an issue that can be fixed by us.

The problem I see is that you are ignoring that the box does not support SNI.

https://forum.revvox.de/search?expanded=true&q=SNI

PS: Anyway, thank you for all your details!

Thanks a lot for the hint. Seems I did not search for the correct keywords. I'll continue my journey over there after learning about SNI.
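The hint above is the whole story for the labels posted in the issue: a Traefik TCP router with `HostSNI(`teddycloud.mydomain.xyz`)` can only match a TLS connection whose ClientHello carries a server_name (SNI) extension. A browser sends one, so the browser tests pass; a client that opens TLS without SNI never matches that router, and the connection is dropped before anything is logged for it. A passthrough router that must also serve non-SNI clients needs the catch-all rule `HostSNI(`*`)`. The script below is an added example, not part of the issue or of the teddycloud project: it builds two real ClientHellos with Python's `ssl` module over memory BIOs (one with a server name, one without), parses them to show whether an SNI extension is present, and models the matching decision of a HostSNI rule. The hostname `teddycloud.mydomain.xyz` is taken from the issue; the function names and the simplified matcher are assumptions made for this example and are not Traefik's code.

```python
import ssl
import struct


def capture_client_hello(server_hostname=None):
    """Return the raw TLS ClientHello record a Python client would send.

    No network is involved: the ssl module writes the ClientHello into the
    outgoing memory BIO and then raises SSLWantReadError while waiting for
    a ServerHello that never comes. With server_hostname=None, OpenSSL
    emits no server_name (SNI) extension, which is the behaviour the
    maintainer describes for the box.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no verification: we never finish the handshake
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # ClientHello is now in `outgoing`
    return outgoing.read()


def extract_sni(record):
    """Parse a TLS ClientHello record and return its SNI host, or None.

    Only the fields needed to reach the extensions block are decoded:
    record header, handshake header, version, random, session id,
    cipher suites, compression methods, then the extension list.
    """
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:                           # 0 = server_name (RFC 6066)
            continue
        # ServerNameList: list_len(2), then entries name_type(1) name_len(2) name
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                      # host_name
                return name.decode("ascii")
    return None


def hostsni_rule_matches(rule_host, record):
    """Simplified model (an assumption, not Traefik's code) of a TCP router
    rule HostSNI(`rule_host`): '*' matches every connection, anything else
    matches only a ClientHello that carries exactly that server name."""
    if rule_host == "*":
        return True
    return extract_sni(record) == rule_host


if __name__ == "__main__":
    with_sni = capture_client_hello("teddycloud.mydomain.xyz")
    without_sni = capture_client_hello(None)
    for label, hello in (("browser-like", with_sni), ("no-SNI client", without_sni)):
        print(f"{label:14} SNI={extract_sni(hello)!r} "
              f"HostSNI(host)={hostsni_rule_matches('teddycloud.mydomain.xyz', hello)} "
              f"HostSNI(*)={hostsni_rule_matches('*', hello)}")
```

Running it prints one line per client: the browser-like ClientHello is matched by both rules, while the ClientHello without SNI is matched only by `HostSNI(`*`)`, which is why a named HostSNI passthrough router never sees the box.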