Remote traefik dashboard #163

Closed
EnigmaCurry opened this issue Nov 28, 2023 · 1 comment

Comments

@EnigmaCurry (Owner)

It is advantageous to run a secure server-workstation, as an SSH service, such that you connect a less secure laptop, with a hardware auth token, to a more secure Docker VM / droplet, and all the docker related credentials, and the .env files, live only behind the secure SSH server, and not on the laptop. You run all your d.rymcg.tech commands on the server-workstation, through SSH. The killer security benefit of this setup is that you can simply turn off the server and thereby lock down all admin access to your docker server.

laptop -> server-workstation -> docker-host

This mostly works right now. However, there are a few exceptions where we were expecting you to only run this from a local desktop machine, and which won't work with another middleman.

The most important one to tackle first is the Traefik dashboard. When you run make open in the traefik directory, it creates an SSH tunnel and forwards the dashboard entrypoint through it. (normally the dashboard runs only on 127.0.0.1). In addition, there is a required HTTP Basic Auth username/password that the config enforces.

To access the dashboard from a tertiary client (your laptop), one option would be to forward the port a second time:

laptop -> server-workstation -> docker-host
localhost:3456 -> localhost:3456 -> localhost:3466

Another option would be to simply open up the dashboard entrypoint to the public, and rely on the enforcement of setting a good username/password.

A third option would be to wait for #146 and use ghostunnel on the laptop client, paired with a client TLS certificate, granting a single machine access to the dashboard, but from anywhere.

The first option seems like the way to go, because it doesn't require any additional dependency other than SSH. Right now the SSH port is randomized by make open but this will have to be made with a default/config variable because it needs to be known ahead of time during the initial client connection.
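The double forward described in the first option, written out as an added example (this is not d.rymcg.tech code and not part of the issue). The host aliases `server-workstation` and `docker-host` and the port 3456 come from the issue text; the SSH options used (`-N`, `-L`, `-J`, `ExitOnForwardFailure`) are standard OpenSSH client options. The script builds two forms of the tunnel: the two-hop chain, where the first command is typed on the laptop and the second on the server-workstation, and a single-command `ProxyJump` form typed only on the laptop. In both forms every bind address is pinned to 127.0.0.1 so the forwarded dashboard port is never listening on a LAN interface, and the local port is validated before it is interpolated into the command.

```shell
#!/usr/bin/env bash
# Added example, not d.rymcg.tech's own code. Hostnames and the port 3456 are
# taken from the issue text; everything else is an assumption for illustration.
set -eu

# Accept only a numeric TCP port in 1..65535 before it is placed in a command.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid port: '$1'" >&2; return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  echo "port out of range: $1" >&2
  return 1
}

# One hop of the chain: listen on 127.0.0.1:LOCAL_PORT here and forward it to
# 127.0.0.1:REMOTE_PORT as seen from HOST. -N opens no shell, and
# ExitOnForwardFailure makes ssh exit instead of silently running without the
# forward (for example when the local port is already taken).
tunnel_cmd() {
  host="$1"; local_port="$2"; remote_port="$3"
  validate_port "$local_port" && validate_port "$remote_port" || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s' \
    "$local_port" "$remote_port" "$host"
}

# Two-hop chain from the issue:
#   laptop -> server-workstation -> docker-host
#   localhost:3456 -> localhost:3456 -> localhost:3456
# Line 1 is run on the laptop, line 2 on the server-workstation.
chain_cmds() {
  port="$1"
  tunnel_cmd server-workstation "$port" "$port" || return 1
  printf '\n'
  tunnel_cmd docker-host "$port" "$port" || return 1
  printf '\n'
}

# Single-command alternative run only on the laptop: -J makes the
# server-workstation a jump host, and -L still binds only on the laptop's
# loopback. The dashboard port on docker-host stays on 127.0.0.1 throughout.
proxyjump_cmd() {
  port="$1"
  validate_port "$port" || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -J server-workstation -L 127.0.0.1:%s:127.0.0.1:%s docker-host' \
    "$port" "$port"
}

# Usage (prints the commands; pass --run to execute the ProxyJump form):
#   ./dashboard_tunnel.sh          # show both forms for port 3456
#   ./dashboard_tunnel.sh --run    # open the single-command tunnel
if [ "${1:-}" = "--run" ]; then
  eval "$(proxyjump_cmd 3456)"
elif [ "${1:-}" = "--show" ]; then
  echo "# two-hop chain (first line on the laptop, second on server-workstation):"
  chain_cmds 3456
  echo "# single command from the laptop:"
  proxyjump_cmd 3456; echo
fi
```

Once the tunnel is up, the dashboard is reached on the laptop at http://127.0.0.1:3456 and the HTTP Basic Auth the config enforces still applies; the port has to be agreed in advance on every hop, which is the reason the issue notes that the randomized port chosen by `make open` needs to become a known default.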

@EnigmaCurry (Owner, Author)

I am thinking that #164 can make this no longer necessary. Instead of exposing the dashboard remotely, forward a browser over X11 that can connect locally.
