christianlempa-boilerplates/docker-compose/teleport/compose.yaml

35 lines
1.5 KiB
YAML
Raw Normal View History

2023-05-25 14:26:13 +02:00
---
2023-08-16 11:28:44 +02:00
# -- (Optional) When using Traefik, use this section
# networks:
# your-traefik-network:
# external: true
2022-08-30 19:01:48 +02:00
services:
teleport:
image: public.ecr.aws/gravitational/teleport-distroless:16.4.6
2022-08-30 19:01:48 +02:00
container_name: teleport
ports:
2023-08-16 11:28:44 +02:00
# -- (Optional) Remove this section, when using Traefik
2023-07-25 13:18:42 +02:00
- "3080:3080"
- "3023:3023"
- "3024:3024"
- "3025:3025"
2022-08-30 19:01:48 +02:00
volumes:
2023-07-25 13:18:42 +02:00
- ./config:/etc/teleport
- ./data:/var/lib/teleport
2023-08-16 12:15:47 +02:00
# -- (Optional) Traefik example configuration
# labels:
2023-08-09 10:39:13 +02:00
# - "traefik.enable=true"
2023-08-16 11:28:44 +02:00
# - "traefik.http.services.teleport.loadbalancer.server.port=3080"
# - "traefik.http.services.teleport.loadbalancer.server.scheme=https"
# - "traefik.http.routers.teleport-http.entrypoints=web"
fix: fix Traefik 3 host rule matching The function `HostHost` is an obvious typo, such a function does not exist, most likely just `Hosts` is meant here. Furthermore, Trafik 3 doesn't use the Gorilla Mux framework anymore, therefore the matching using curly brace syntax like in `{subhost:[a-z]+}` isn't supported anymore. For details, see [1]. Alas, the final Traffic 2 to 3 migration document dropped this crucial information but at least all of those many examples using this method which were in the Trafik 2 documentation were removed from the Traefik 3 documentation. Also `[a-z]+` does not match all valid sub-domains as specified per RFC 1123 [2], and needs to be enhanced to support hyphen characters within a single DNS label as well (but not at the start or the end of a label). This is also a requirement for i18n domains in their ACE representation. Actually the regular expression can be made even more strict to comply with length limitations as defined in RFC 2181 [3] but this would require pretty resource-intense lookarounds in the regular expression, therefore those should be neglected here. As we are doing regular expression match anyway, the `Host` function can be dropped. It adds redundancy to the configuration and only would make sense from a performance point of view, if the vast majority of requests would lack any sub-domain. Last but not least, the Trafik documentation isn't clear at all, whether any potential port number is being stripped from the `Host` request header. From empiric testing with Traefik 3.0.1 that's apparently the case, but as it isn't a documented feature, we rather accept potential ports as well. Same when it comes to case-sensitivity. From testing it looks like the hostname is always forced to lower-case chararcters, but strangely enough even the official documentation contains an example which suggests enabling case-insensitive mode for regular expression matching using `(?i)`. Therefore we better stick with that one as well. [1] https://traefik.io/blog/traefik-proxy-3-0-scope-beta-program-and-the-first-feature-drop/ [2] https://datatracker.ietf.org/doc/html/rfc1123 [3] https://datatracker.ietf.org/doc/html/rfc2181
2024-06-02 19:43:03 +02:00
# - "traefik.http.routers.teleport-http.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)"
2023-08-16 11:28:44 +02:00
# - "traefik.http.routers.teleport-https.entrypoints=websecure"
fix: fix Traefik 3 host rule matching The function `HostHost` is an obvious typo, such a function does not exist, most likely just `Hosts` is meant here. Furthermore, Trafik 3 doesn't use the Gorilla Mux framework anymore, therefore the matching using curly brace syntax like in `{subhost:[a-z]+}` isn't supported anymore. For details, see [1]. Alas, the final Traffic 2 to 3 migration document dropped this crucial information but at least all of those many examples using this method which were in the Trafik 2 documentation were removed from the Traefik 3 documentation. Also `[a-z]+` does not match all valid sub-domains as specified per RFC 1123 [2], and needs to be enhanced to support hyphen characters within a single DNS label as well (but not at the start or the end of a label). This is also a requirement for i18n domains in their ACE representation. Actually the regular expression can be made even more strict to comply with length limitations as defined in RFC 2181 [3] but this would require pretty resource-intense lookarounds in the regular expression, therefore those should be neglected here. As we are doing regular expression match anyway, the `Host` function can be dropped. It adds redundancy to the configuration and only would make sense from a performance point of view, if the vast majority of requests would lack any sub-domain. Last but not least, the Trafik documentation isn't clear at all, whether any potential port number is being stripped from the `Host` request header. From empiric testing with Traefik 3.0.1 that's apparently the case, but as it isn't a documented feature, we rather accept potential ports as well. Same when it comes to case-sensitivity. From testing it looks like the hostname is always forced to lower-case chararcters, but strangely enough even the official documentation contains an example which suggests enabling case-insensitive mode for regular expression matching using `(?i)`. Therefore we better stick with that one as well. [1] https://traefik.io/blog/traefik-proxy-3-0-scope-beta-program-and-the-first-feature-drop/ [2] https://datatracker.ietf.org/doc/html/rfc1123 [3] https://datatracker.ietf.org/doc/html/rfc2181
2024-06-02 19:43:03 +02:00
# - "traefik.http.routers.teleport-https.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)"
2023-08-16 11:28:44 +02:00
# - "traefik.http.routers.teleport-https.tls=true"
# - "traefik.http.routers.teleport-https.tls.certresolver=your-certresolver"
# - "traefik.http.routers.teleport-https.tls.domains[0].main=your-server-url"
# - "traefik.http.routers.teleport-https.tls.domains[0].sans=*.your-server-url"
2023-08-16 12:15:47 +02:00
# networks:
# - your-traefik-network
2023-08-16 11:28:44 +02:00
restart: unless-stopped