Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
app-notes:webvpn-secure-https-portforwardings-for-unsecure-http-devices [2018/07/13 13:40] preisig |
app-notes:webvpn-secure-https-portforwardings-for-unsecure-http-devices [2022/01/28 14:00] (current) schmitt |
||
|---|---|---|---|
| Line 12: | Line 12: | ||
| ===== Prerequisistes ===== | ===== Prerequisistes ===== | ||
| * Netmodule Router running software version >= 4.0.0.100 with a virtualisation licence | * Netmodule Router running software version >= 4.0.0.100 with a virtualisation licence | ||
| - | * Running LXC virtualisation environment [[app-notes:virtualisation|described here]] | + | * Running LXC virtualisation environment [[virtualisation:start|described here]] |
| * ARM based linux distribution of your flavor from [[https://jenkins.linuxcontainers.org/view/Images/|linuxcontainers.org]], to make it small the example is based on [[https://alpinelinux.org/|Alpine Linux]] | * ARM based linux distribution of your flavor from [[https://jenkins.linuxcontainers.org/view/Images/|linuxcontainers.org]], to make it small the example is based on [[https://alpinelinux.org/|Alpine Linux]] | ||
| * The [[https://traefik.io|traefik.io]] reverse proxy for the ARM Platform | * The [[https://traefik.io|traefik.io]] reverse proxy for the ARM Platform | ||
| - | * As an alternativ you can download a ready to use container **HERE (ADD LINK & Upload container)** | + | * As an alternativ you can download a ready to use container [[https://share.netmodule.com/router/public/virt/alpine_3.7_traefik.tar.xz|HERE]] |
| * OpenVPN network setup (your container could also run on one of your openvpn clients) | * OpenVPN network setup (your container could also run on one of your openvpn clients) | ||
| * Clients need fix IP adresses so you can add them later to traefik | * Clients need fix IP adresses so you can add them later to traefik | ||
| Line 129: | Line 129: | ||
| For a more detailed description on how to configure traefik please refer to [[https://traefik.io|traefik.io]] | For a more detailed description on how to configure traefik please refer to [[https://traefik.io|traefik.io]] | ||
| + | ==== Information on the already setup container ==== | ||
| - | ===== Configuring the router ===== | + | You can download traefik already integrated into an[[https://alpinelinux.org/|Alpine Linux]] container that is ready to use. Here are the details you need: |
| - | On the router side we assume that you have already setup OpenVPN. Now in the configuration above you saw, that the backends are defined through the OpenVPN ip adresses but not using the standart http port 80 instead they are configured via 8080. This is simply, because you might have more then one EndPoint in your site which then makes assigning them via the same router very easy. Just increas the port number on the defined backends in traefik. | + | Download from: **(ADD LINK AGAIN)** |
| + | * Configuration: /etc/traefik | ||
| + | * Binary: /usr/local/bin (linked to the original file in /etc/traefik) | ||
| + | * Startup Script: /etc/init.d/traefik | ||
| + | |||
| + | In this container all you need to do, is extract it to your router, edit /etc/traefik/config.toml to your needs and then restart the service with /etc/init.d/traefik restart and you are done. | ||
| + | |||
| + | Since the service runs as non-root user the default listening ports for http and https where changed to 65080 and 65443. So additionally on your router you'd need to create NAPT Rules, that rewrite the http & https ports accordingly. | ||
| + | |||
| + | {{:app-notes:traeffik-napt-examoles2.png|}} | ||
| + | |||
| + | |||
| + | ===== Configuring the router (EndPoint) ===== | ||
| + | |||
| + | On the router side we assume that you have already setup OpenVPN. Now in the configuration above you saw, that the backends are defined with the OpenVPN ip adresses but not using the standart http port 80 instead they are configured via 8080. This is simply, because you might have more then one EndPoint in your site which then makes assigning them via the same router very easy. Just increas the port number on the defined backends in traefik. | ||
| The Router (for example in Site1) would need a NAPT Rule translating the incoming Port 8080 from its tun interface to port 80 and the ip of your endpoint. So your NAPT rule on the router on site 1 might look like this (with a second endpoint to visualize the just mentioned). | The Router (for example in Site1) would need a NAPT Rule translating the incoming Port 8080 from its tun interface to port 80 and the ip of your endpoint. So your NAPT rule on the router on site 1 might look like this (with a second endpoint to visualize the just mentioned). | ||
| - | {{:app-notes:traefik-napt-example.jpg|}} | + | {{:app-notes:traefik-napt-ecample.png|}} |
| On the router that is running the container and serving the requests, don't forget to change the WebGui Ports 80 & 443 to some other ports,so that they can be re-written via NAPT rules to get to the container. | On the router that is running the container and serving the requests, don't forget to change the WebGui Ports 80 & 443 to some other ports,so that they can be re-written via NAPT rules to get to the container. | ||