Traefik configuration for Snipe-IT #26

Closed
SonGokussj4 opened this issue Sep 21, 2021 · 9 comments

SonGokussj4 commented Sep 21, 2021

Desired Behavior

A config example of Traefik labels, or documentation of what else to change, for the Traefik reverse proxy to work.

Current Behavior

I have tried almost every combination and I can't make it work with Traefik.
Instead of myserver:3051 I want snipeit.mydomain.com, but I'm getting either 404 or Gateway errors.

@github-actions

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!


ADobin commented Oct 9, 2021

I've managed to get this working after digging into how this container is working and how snipe-it handles validation. I'm not sure if this also breaks things for when it's not running behind traefik, I'll do some more research and consider a pull request with documentation updates if it makes sense.

Problem - APP_URL env variable needs to be set

APP_URL is used by snipe-it to build out a bunch of different links. I set this value in my docker-compose to be the same URL that I configured for traefik. This also fixes #25.

```yaml
environment:
  - NGINX_APP_URL=snipeit.example.com
  - APP_URL=https://snipeit.example.com
```

Problem - Content is served over HTTP instead of HTTPS

There are multiple reports of this issue that are duped to snipe/snipe-it#9179. What I found is that following the snipe-it documentation for Reverse Proxies it says to add an environment variable for APP_TRUSTED_PROXIES. This doesn't seem to work if you set it from within the environment section in docker-compose.yml. If you instead create an env file with this value, then things will work.

snipeit.env:

```ini
APP_TRUSTED_PROXIES=**
```

I'm sure there is a good reason for why this doesn't work but I haven't dug any further.

Problem - /setup claims you are serving from an invalid location

Once you get everything running, the setup will still claim to have invalid values for APP_URL, like in the error below:

Uh oh! Snipe-IT thinks your URL is https://snipeit.example.com, but your real URL is http://snipeit.example.com/setup Please update your APP_URL settings in your .env file

Looking at the Snipe-IT code, I think this is a bug with their setup code on how they do the validation of APP_URL. They determine what URL is currently being used in SettingsController.php, but are using the raw $_SERVER values instead of seeing if any proxy headers exist. I could also be totally wrong on how these values are supposed to flow through, I am a little out of my area of expertise with this. Luckily, this only seems to impact this one step, and I modified /config/nginx/site-confs/default to set the values they were expecting. I'm not even sure if that is necessary or if the setup will let you finish without doing that.
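Why /setup reports `http://` behind a TLS-terminating proxy, and what `APP_TRUSTED_PROXIES` changes, as a Python model added to this page (not code from Snipe-IT, Laravel, the linuxserver image or anyone in this thread). The function names, the `172.18.0.0/16` proxy network and both sample requests are constructed, `*` and `**` are treated alike as "trust every peer", and the comparison against APP_URL is a simplified stand-in.

```python
import ipaddress

APP_URL = "https://snipeit.example.com"  # value used in the comment above

def peer_is_trusted(remote_addr, trusted_proxies):
    """True if the directly connected peer may supply X-Forwarded-* headers."""
    entries = [e.strip() for e in trusted_proxies.split(",") if e.strip()]
    if any(e in ("*", "**") for e in entries):
        return True  # wildcard: every peer is believed
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def detected_url(server, trusted_proxies=""):
    """Rebuild the request URL; forwarded headers count only from trusted peers."""
    scheme = "https" if server.get("HTTPS") == "on" else "http"
    host = server["HTTP_HOST"]
    if peer_is_trusted(server["REMOTE_ADDR"], trusted_proxies):
        scheme = server.get("HTTP_X_FORWARDED_PROTO", scheme)
        host = server.get("HTTP_X_FORWARDED_HOST", host)
    return f"{scheme}://{host}{server['REQUEST_URI']}"

def url_matches_app_url(url, app_url=APP_URL):
    """Simplified stand-in for the /setup check: does the URL start with APP_URL?"""
    return url.startswith(app_url)

# Constructed request as the container sees it: Traefik terminated TLS and
# forwarded plain HTTP from 172.18.0.2 (made-up address on the proxy network).
VIA_TRAEFIK = {
    "REMOTE_ADDR": "172.18.0.2",
    "HTTP_HOST": "snipeit.example.com",
    "REQUEST_URI": "/setup",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "snipeit.example.com",
}
# Constructed request from a peer that is not the proxy but sends the same headers.
NOT_VIA_PROXY = dict(VIA_TRAEFIK, REMOTE_ADDR="192.0.2.10")

if __name__ == "__main__":
    for trusted in ["", "**", "172.18.0.0/16"]:
        for name, req in [("via Traefik", VIA_TRAEFIK), ("other peer", NOT_VIA_PROXY)]:
            url = detected_url(req, trusted)
            print(f"trusted={trusted!r:16} {name:12} {url} ok={url_matches_app_url(url)}")
```

With no trusted proxies the model reproduces the `http://snipeit.example.com/setup` mismatch from the error message; listing only the proxy network fixes it without believing forwarded headers from any other peer.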


github-actions bot commented Nov 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

ADobin added a commit to ADobin/docker-snipe-it that referenced this issue Dec 20, 2021
Include `APP_URL` in the required parameters.

See linuxserver#26 (comment), linuxserver#25
drizuid (Member) commented Dec 27, 2021

We do not support or test traefik as we provide our own supported reverse proxy. closing this

drizuid closed this as completed Dec 27, 2021

@bryanpedini

> We do not support or test traefik as we provide our own supported reverse proxy.

Cool, so because you have developed your own non-standard reverse proxy setup, it means that everything else does not exist hence why you don't even wiki it?
I can relate to not supporting it, but not even considering?

I'm trying to setup a Snipe-IT instance using the official image and Træfik, searching on Google this issue is the top result for "snipe-it traefik", and the "solution" is a hard "no"?

Oookay, not gonna comment on that...

@SonGokussj4 (Author)

Hi @bryanpedini, I'm running my Snipe-IT successfully now, forgot about this thread so this is my solution, feel free to ask for details:

snipeit/docker-compose.yml

```yaml
version: "3"

services:

  snipeit:
    image: linuxserver/snipe-it:6.0.11
    container_name: snipeit_app
    restart: unless-stopped
    depends_on:
      - mysql
    volumes:
      - ./app_data:/config
    env_file: .env
    environment:
      - NGINX_APP_URL=snipeit.<myserver>.<mydomain>.cz
      - MYSQL_PORT_3306_TCP_ADDR=mysql
      - MYSQL_PORT_3306_TCP_PORT=3306
      - MYSQL_DATABASE=<snipe_db>
      - MYSQL_USER=<snipe_user>
      - MYSQL_PASSWORD=<password_mysql_user>
      - PGID=1000
      - PUID=1000
      - DOCKER_MODS=linuxserver/mods:universal-wait-for-internet|linuxserver/mods:universal-cron
      - API_THROTTLE_PER_MINUTE=600  # default 100
      - MAX_RESULTS=10000  # default 500
      - PHP_UPLOAD_LIMIT=50
    networks:
      - proxy
      - backend
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.snipeit-https.rule=Host(`snipeit.<myserver>.<mydomain>.cz`)
      - traefik.http.routers.snipeit-https.entrypoints=websecure
      - traefik.http.routers.snipeit-https.tls=true

  mysql:
    image: linuxserver/mariadb
    container_name: snipeit_db
    restart: always
    volumes:
      - ./db_data:/config
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - MYSQL_ROOT_PASSWORD=<password_mysql_root>
      - MYSQL_USER=<snipe_user>
      - MYSQL_PASSWORD=<password_mysql_user>
      - MYSQL_DATABASE=<snipe_db>
    networks:
      - backend

networks:
  proxy:
    external: true
  backend:
    external: false
```

snipeit/.env

```ini
# Snipe-IT Settings
APP_ENV=production
APP_DEBUG=false
APP_TIMEZONE=Europe/Prague
APP_LOCALE=cs
APP_URL=https://snipeit.<server>.<domain>.cz
# APP_KEY comes from snipeit/app_data/SNIPE_IT_APP_KEY.txt
APP_KEY=base64:edLSOtxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkj/JcLI=

# --------------------------------------------
# REQUIRED: OUTGOING MAIL SERVER SETTINGS
# --------------------------------------------
MAIL_DRIVER=smtp
MAIL_HOST=<our_email_host>
MAIL_PORT=587
MAIL_USERNAME=<mail_username>
MAIL_PASSWORD=<mail_password>
MAIL_ENCRYPTION=null
MAIL_ENV_FROM_ADDR=<testaddress@<mydomain>.cz>
MAIL_FROM_ADDR=<mail_from_username>@<mydomain>.cz
MAIL_FROM_NAME='<name_from>'
MAIL_REPLYTO_ADDR=
MAIL_REPLYTO_NAME=
MAIL_BACKUP_NOTIFICATION_ADDRESS=<alerts_for_admins>@<mydomain>.cz

# --------------------------------------------
# OPTIONAL: SECURITY HEADER SETTINGS
# --------------------------------------------
CORS_ALLOWED_ORIGINS=*
```

traefik/docker-compose.yml

```yaml
version: '3.7'

services:

  traefik:
    image: traefik:v2.6.6
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"  # The HTTP port
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro  # So that Traefik can listen to the Docker events
      - /var/log/traefik:/var/log  # Logging
      - ./data/traefik.yml:/traefik.yml:ro  # Static configuration yml
      - ./data/dynamic_config:/etc/traefik/dynamic_config  # Dynamic configuration yml
      - ./data/certs:/etc/traefik/certs:ro  # Certificates folder
      - ./data/certs_keys:/etc/traefik/certs_keys:ro  # Certificates keys folder
    environment:
      - HOST_IP=${HOST_IP}
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.<myserver>.<mydomain>.cz`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=traefik-auth
      - traefik.http.middlewares.traefik-auth.basicauth.users=admin:<hashedpassword>

networks:
  proxy:
    external: true
```

traefik/traefik.yml

```yaml
# log default is ERROR; INFO is more helpful
log:
  level: INFO

accessLog:
  filePath: /var/log/traefik-access.log

# enable the dashboard; with insecure: false it is not exposed on 8080 and is
# reached through the api@internal router defined in the compose labels
api:
  dashboard: true
  insecure: false

ping: {}

pilot:
  dashboard: false

# listen on 80/443, and redirect all 80 to 443 via 301
entryPoints:
  web:
    address: ":80"
    # comment out these lines if you don't want to redirect everything to https
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls: {}

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
    watch: true
  file:
    directory: /etc/traefik/dynamic_config
    watch: true
```

nemchik (Member) commented Oct 13, 2022

> > We do not support or test traefik as we provide our own supported reverse proxy.
>
> Cool, so because you have developed your own non-standard reverse proxy setup, it means that everything else does not exist hence why you don't even wiki it? I can relate to not supporting it, but not even considering?
>
> I'm trying to setup a Snipe-IT instance using the official image and Træfik, searching on Google this issue is the top result for "snipe-it traefik", and the "solution" is a hard "no"?
>
> Oookay, not gonna comment on that...

This thread has been closed for almost a year.

> you have developed your own non-standard reverse proxy setup

We put together SWAG which is primarily made up of nginx and certbot (not things we developed) and shipped with configuration files we made to make things easy. There is nothing non-standard about the option we support, and we support it because we made it.

> it means that everything else does not exist

We are aware of other options, such as traefik, caddy, haproxy, etc. The fact that other options exist does not obligate us to learn how they work and offer support for them.

> hence why you don't even wiki it?

We document what we do, and how to use what we make. We don't make traefik. We don't have all the answers about how to make traefik work with every application under the sun.

It seems (based on there being mention of issues being reported to the devs of snipe-it) that there are issues with snipe-it (not specific to our docker image) that make it challenging to proxy snipe-it with some reverse proxy solutions. The development of snipe-it is entirely out of our hands.

Your comment was pretty rude, considering we do what we do for free and make it available for anyone to use and do what they want with. We don't tell people not to use traefik, just that we aren't the helpdesk/hotline for it.

@bryanpedini

> Hi @bryanpedini, I'm running my Snipe-IT successfully now, forgot about this thread so this is my solution

Thank you for sharing @SonGokussj4, it might help others for sure. I, on the other end, ended up just searching a fair bit (more) online and finding about the nefarious APP_URL and APP_TRUSTED_PROXIES, which once set correctly made the Træfik setup work just fine: deployments/snipe-it.


bryanpedini commented Oct 16, 2022

> This thread has been closed for almost a year.

Cool. Issues related to the topic of the thread seemed to be not tho, or at least not clearly documented without a lot of research to make it work.

> We are aware of other options, such as traefik, caddy, haproxy, etc. The fact that other options exist does not obligate us to learn how they work and offer support for them.

Sure, as stated before, I support the "not supporting it" thesis, but reject the mentality of not considering them:

> We do not support or test traefik as we provide our own supported reverse proxy. closing this

No "feel free to draft a PR to include it in the docs", no "sorry but since we provide our solution we do not wish to waste time doing the research, but feel free to document it on your own and report us your findings", just "F U, we do things our way, either that way or you're on your own, and we don't care about your setup so that others trying to replicate will just see "closing this" and believe that it's not possible at all"...
Sure OP could have just replied with his findings anyway, just like he did after my first reply; sure you could have said "closing this" more nicely so that OP would have felt more desirable to post his setup once it worked. Just that...

> We document what we do, and how to use what we make. We don't make traefik. We don't have all the answers about how to make traefik work with every application under the sun.

Please refer to the previous, would have been nice to say "please draft up a PR" or "report your findings so that other people may get help here since this be the first google result" instead of just "closing this, because"...

> It seems (based on there being mention of issues being reported to the devs of snipe-it) that there are issues with snipe-it (not specific to our docker image) that make it challenging to proxy snipe-it with some reverse proxy solutions. The development of snipe-it is entirely out of our hands.

Sure, was not saying so... anyway I made it work, so it might be challenging, but not impossible 🤷🏻

> Your comment was pretty rude, considering we do what we do for free and make it available for anyone to use and do what they want with. We don't tell people not to use traefik, just that we aren't the helpdesk/hotline for it.

Didn't mean to be, just pointing out that maybe something different than "closing this" (without technically an explanation (beyond the "we do stuff our way")) would have been nice-er, since that could be interpreted (just like I did) rude as well by your end...

github-actions bot locked as resolved and limited conversation to collaborators Apr 6, 2023