# -- (Optional) When using Traefik, use this section
# networks:
#   your-traefik-network:
#     external: true

services:
  teleport:
    image: public.ecr.aws/gravitational/teleport-distroless:16.4.6
    container_name: teleport
    ports:
      # -- (Optional) Remove this section, when using Traefik
      - "3080:3080"
      - "3023:3023"
      - "3024:3024"
      - "3025:3025"
    volumes:
      - ./config:/etc/teleport
      - ./data:/var/lib/teleport
    # -- (Optional) Traefik example configuration
    # labels:
    #   - "traefik.enable=true"
    #   - "traefik.http.services.teleport.loadbalancer.server.port=3080"
    #   - "traefik.http.services.teleport.loadbalancer.server.scheme=https"
    #   - "traefik.http.routers.teleport-http.entrypoints=web"
    #   - "traefik.http.routers.teleport-http.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)"
    #   - "traefik.http.routers.teleport-https.entrypoints=websecure"
    #   - "traefik.http.routers.teleport-https.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)"
    #   - "traefik.http.routers.teleport-https.tls=true"
    #   - "traefik.http.routers.teleport-https.tls.certresolver=your-certresolver"
    #   - "traefik.http.routers.teleport-https.tls.domains[0].main=your-server-url"
    #   - "traefik.http.routers.teleport-https.tls.domains[0].sans=*.your-server-url"
    # networks:
    #   - your-traefik-network
    restart: unless-stopped

The two commented-out `HostRegexp` rule lines above were last changed in the following commit (2024-06-02 19:43:03 +02:00):

fix: fix Traefik 3 host rule matching

The function `HostHost` is an obvious typo, such a function does not
exist, most likely just `Hosts` is meant here.

Furthermore, Traefik 3 doesn't use the Gorilla Mux framework
anymore, therefore the matching using curly brace syntax like in
`{subhost:[a-z]+}` isn't supported anymore. For details, see [1].
Alas, the final Traefik 2 to 3 migration document dropped this crucial
information but at least all of those many examples using this method
which were in the Traefik 2 documentation were removed from the Traefik 3
documentation.

Also `[a-z]+` does not match all valid sub-domains as specified per RFC
1123 [2], and needs to be enhanced to support hyphen characters within a
single DNS label as well (but not at the start or the end of a label).
This is also a requirement for i18n domains in their ACE representation.
Actually the regular expression can be made even more strict to comply
with length limitations as defined in RFC 2181 [3] but this would require
pretty resource-intensive lookarounds in the regular expression, therefore
those should be neglected here.

As we are doing regular expression match anyway, the `Host` function can
be dropped. It adds redundancy to the configuration and only would make
sense from a performance point of view, if the vast majority of requests
would lack any sub-domain.

Last but not least, the Traefik documentation isn't clear at all whether
any potential port number is being stripped from the `Host` request header.
From empirical testing with Traefik 3.0.1 that's apparently the case, but
as it isn't a documented feature, we rather accept potential ports as
well.

Same when it comes to case-sensitivity. From testing it looks like the
hostname is always forced to lower-case characters, but strangely
enough even the official documentation contains an example which
suggests enabling case-insensitive mode for regular expression matching
using `(?i)`. Therefore we better stick with that one as well.

[1] https://traefik.io/blog/traefik-proxy-3-0-scope-beta-program-and-the-first-feature-drop/
[2] https://datatracker.ietf.org/doc/html/rfc1123
[3] https://datatracker.ietf.org/doc/html/rfc2181
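As an added example (not part of the compose file or of the commit above), the rule's regular expression compiled with Go's regexp package, which Traefik is built on, and checked against constructed Host header values to show what the RFC 1123 label part, the optional port and `(?i)` accept and reject. The names `buildHostRule` and `matchHost` and the base domain `teleport.example.com` are assumptions; escaping the base domain with regexp.QuoteMeta goes beyond the page's `your-server-url` placeholder, whose dots would otherwise match any character once a real domain is substituted.

```go
package main

import (
	"fmt"
	"regexp"
)

// buildHostRule builds the same expression as the commented-out HostRegexp()
// label: an optional single sub-domain label (alphanumerics with inner
// hyphens only, per RFC 1123), the base domain, an optional ":port", all
// matched case-insensitively. The base domain is a parameter here and is
// escaped with QuoteMeta so that "." in "teleport.example.com" is literal
// (an addition to the page, which uses a placeholder without dots).
func buildHostRule(baseDomain string) *regexp.Regexp {
	pattern := `^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\.)?` +
		regexp.QuoteMeta(baseDomain) + `(?::\d+)?$`
	return regexp.MustCompile(pattern)
}

// matchHost reports whether a Host header value would be routed by the rule.
func matchHost(re *regexp.Regexp, host string) bool {
	return re.MatchString(host)
}

func main() {
	re := buildHostRule("teleport.example.com") // constructed base domain
	// Constructed Host header values, one per case the commit message discusses.
	for _, h := range []string{
		"teleport.example.com",          // bare base domain: matched
		"app.teleport.example.com",      // one sub-domain label: matched
		"my-app.teleport.example.com",   // hyphen inside the label: matched
		"APP.Teleport.Example.COM:3080", // mixed case plus port: matched
		"-app.teleport.example.com",     // leading hyphen is not a valid label
		"app-.teleport.example.com",     // trailing hyphen is not a valid label
		"a.b.teleport.example.com",      // two labels: only one is allowed
		"teleportXexample.com",          // dots are literal after QuoteMeta
	} {
		fmt.Printf("%-32s %v\n", h, matchHost(re, h))
	}
}
```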