Installing Teleport + Traefik (Letsencrypt TLS certs)

Captions
Hey everybody, this is Christian, and last week we covered some of the new and cool features in Teleport 13. Remember, this is the free and open source identity proxy that you can use to securely authenticate to your home lab or IT infrastructure and manage applications, Linux servers, Kubernetes and many other resources. Today I want to expand on this and walk you through the deployment of a new Teleport instance and how that's going to work with a Traefik reverse proxy to securely expose this application with trusted TLS certificates. So I hope that's going to be helpful for you if you want to know how to securely authenticate to your infrastructure using Teleport. So without any further discussion, let's jump right into it.

Okay, so before we start I just want to say: if you've never heard about Traefik before, if you don't know about reverse proxies, Docker and so on, then you probably should check out some of my older videos, because they have covered it in much more detail. Today we will mainly focus on the deployment side, and I want to keep it very simple, so I'm not going over all of the details of the Traefik reverse proxy. I will link you a related video in the description that you can check out, but if you're familiar with that and with how TLS works in general, I think this will be pretty straightforward for you. I also want to say that both Traefik and Teleport have some good documentation on how to set up all of this stuff, but if you want to keep it simple and if you don't want to start from scratch, then you can also check out my boilerplates repository on GitHub. There I'm managing my template collection for various types of deployments. We will go into the Docker Compose folder, and here I have created two separate projects, one for Teleport and one for Traefik.

So we will first start with connecting to one of my remote servers, and I'm going to create a new folder here for our project that is called teleport-demo1, and I'm also going to create another project folder that we are using for Traefik. So we will need both of these folders, and they will contain separate Docker Compose files for each of these services. I'm going to start with the deployment of the Traefik reverse proxy, because that's what we're going to need first, and it should be working before we start deploying Teleport.

As with all of the Docker projects, I'm going to start with a new Docker Compose file. I'm going back to my Git repository, I'm grabbing all of this stuff here and basically copy and paste it into my project folder. As I said, if you want to have a more in-depth explanation about Traefik, I'm going to make separate videos about that, and I'm also going to link you all the resources that I've created before.

First of all, because we want to connect those two services in an easy way, it's always good to create a new Docker network on your Linux server that both of these Docker projects are attached to. Otherwise, if you're just using the Docker default network (I've explained this in my Docker networking tutorial), each Docker Compose file would create a separate Docker network, and those two projects wouldn't be able to talk to each other. So let's do this and create a new network. I will just call this "frontend", hit enter, and then you should see your custom network. Then in the Docker Compose file we need to uncomment this line and replace "your traefik network" with the name of the network that you have created, in my case "frontend". Make sure it's `external: true`, otherwise this Docker Compose project would try to create this network, which already exists. So with the `external: true` statement you make sure that an already created network is not created again; it's just attached to this Docker Compose project.

Then we're going to create a new service for the Traefik reverse proxy. I'm going to set the container name to "traefik", and I'm using the latest Traefik image that was released at the time of the recording; of course you can also switch to an updated version of Traefik if you want. We should also expose both of the ports here: port 80 for the HTTP protocol and 443 for the HTTPS protocol. What we also need is this volume mount pointer here. We start creating a config directory, so we can add a new folder where later we'll store the Traefik configuration, and this will be mounted into the /etc/traefik path in the container's file system, so Traefik can access it and it's persistently stored on the host operating system. You also need to give Traefik access to the Docker socket, otherwise it can't automatically expose any containers dynamically using the labels, so that is also important.

And because we also want to use Cloudflare as a certificate resolver, we also need to uncomment this line here to add an environment variable that is called CF_DNS_API_TOKEN. If you're using a different DNS provider, if you're not using Cloudflare, you can also go into the Traefik documentation; here you can get a list of all the different providers that the Traefik reverse proxy currently supports. I'm pretty sure you're finding one of the DNS providers in that list that you want to use. I'm going to use Cloudflare, so we need to pass this environment variable into the container. This obviously you should replace with your Cloudflare API token. If you're not sure how to create this: you simply log into Cloudflare, open your profile section, and then in the left menu you will find a button that's called "API Tokens". Click on "Create Token", and you can use the "Edit DNS Zone" template if you want to authenticate that API token for all your DNS zones, or you can also select one of your specific DNS zones. Then I'm continuing to summary, let's create this token, copy this value and paste it in my environment variable. Of course we also need to uncomment this line here to attach the Traefik Docker container to the frontend network. That's everything we need for the Docker Compose file.

Of course we also need to configure Traefik, because this usually will just create a simple Traefik container, but it doesn't know how to issue certificates, it doesn't have a general configuration. That's why we are creating a new file that is called traefik.yml. Just like with the Docker Compose file, I'm not starting from scratch: I'm going back to my boilerplates file, and here you will also find a configuration template for the Traefik file. Let's copy all of this stuff and paste it into my config file on the remote server, and then I'm going through some of this section again. I'm not making this a full-blown Traefik tutorial, that's a topic for another video, but just to mention: you can also change anything in this configuration file, like changing the log levels, enabling access logging if you want to do that, the dashboard and so on. You can also change some of the entry point configuration. I would definitely recommend you to do this here and redirect all the HTTP traffic to the secure HTTPS entry point, because otherwise it might be possible that Traefik will expose HTTP services, and that's not what we want to do, especially for authentication stuff and so on. We always want to encrypt the traffic, of course, using the HTTPS protocol, so why not redirect everything automatically.

Then we can start configuring our certificate resolver. In my old tutorials we have always used the HTTP challenge, but I would definitely recommend you to use a DNS challenge to issue certificates from your provider, because that's going to be a lot easier, and only with that you have the possibility to issue wildcard certificates that will be valid for all the subdomains that we're using later in Teleport. That's why we're going to need a DNS challenge. You can also start with uncommenting this line, and then you can select if you want to use the staging template or the production template. The difference between both is that the staging certificate resolver is using a different CA server from Let's Encrypt, and these certificates won't be valid, but you will be able to test it. If you're not sure how to use it, I would definitely start with getting the staging certificate resolver working, because you might run into any issues that you need to fix later. But in my case I'm pretty optimistic, so I'm going to use the production template. Of course we need to remove this section here, because we are not going to use an HTTP challenge, and we also need to enter the email address, so I'm just going to use the info address of my domain that I'm going to use for the TLS certificate. Then you also need to add your provider; again, I'm going to use the Cloudflare provider.

What we also need to do is uncomment this line here. This is going to disable the TLS verification check on Traefik itself if you need to expose any HTTPS services internally that use a self-signed certificate. So what do I mean by that? Well, if you deploy Teleport, it's going to issue self-signed certificates that are not valid publicly, and usually by default Traefik will check these certificates if they are valid, and if they are not, you will get an internal server error if you try to expose these HTTPS services with untrusted TLS certificates. But it's not going to be an issue, because we don't want to access Teleport directly, we want to expose it with Traefik. It's not a big deal if the internal HTTPS certificates of Teleport aren't trusted, and we just need to skip this verification step. You can also set some specific TLS settings, I'm not going over these, and also the other provider settings are totally fine.

So we can basically start deploying this now. What I will do is switch back to my terminal and go into the traefik-demo1 project. Hopefully I've done everything right, but we will find out. Let's execute a `docker compose up` first; let's run it in the foreground to see if I've made any mistakes in the configuration. Okay, so as I knew, I would get an error. Sometimes this error happens if you don't create this folder here from the config file first, so let's stop this for a second, go into the config folder and let's just create a new folder for the certificates. Now it should be working: you can see the configuration is loaded and the Traefik reverse proxy is up and running. Let's fire up a new console and test if I can reach this service. You can see I'm getting a "Moved Permanently"; this is to check if the redirection from HTTP to HTTPS works. So let's try to open the website. You can see this of course gets a TLS certificate error, because it's using Traefik's default internal TLS certificate; it only starts issuing new certificates once you start exposing any applications or services using Traefik. Okay, but that's good, Traefik should be running. We can now stop the container and run it in the background with the -d parameter, so now we can check `docker compose ps` to see the container is up and running. It does its thing in the background.

Now we can start deploying the Teleport container. I'm going to open this in VS Code as well. This is where we can start adding our second Docker Compose file: go into the Teleport folder and copy everything. Okay, great. So because we're using Traefik and we want to connect those two containers to the same Docker network, we need to of course uncomment this section again and rename this with "frontend". Then we're going to start creating a new Teleport container using this image here, so that's using the latest version, Teleport 13. I'm going to set the container name to "teleport", of course. If you just deploy a Teleport instance without a reverse proxy, you will need to expose all of these ports here, but because we're using Traefik as a load balancer / reverse proxy in front of Teleport, we don't need to expose these directly anymore, so we can just remove this section here. We just need to make sure that we are mounting those two folders into the container. So we need to create a new config folder, this is where we can add our Teleport config later, and we also need to create a data folder that is for storing the persistent data of Teleport, something like the audit logging or the session recordings and so on. And we also want to use Traefik, so we're going to uncomment all these lines here as well. I know these are a lot of labels that we need to add to our container to make this work, but don't worry, I will go through all of this in a second. I'm just going to uncomment this network here as well, and that's basically what you need to do to make this work in Traefik.

So one thing that is pretty important: if you don't expose all of the Docker containers by default, which I have told you not to do, you need to add this label here to enable Traefik to expose this Docker container. What we also need to make sure is that we configure the port and the protocol that Traefik needs to expose. We also want to create two routers here: we're going to create one HTTP router and one HTTPS router. These first two lines here are always the same for both routers; they make sure that we are selecting the entry point here, and we create a new rule that is listening on a host regular expression. In the past I've always used just the Host rule and then the simple server URL, so it has looked something like this here, pretty simple, but that's not going to work in combination with the Teleport app service, because the app service of Teleport is using a subdomain in front of the usual server URL. That's why we also need to add this regular expression, to not just pick up and forward requests to the Teleport URL, but also to all the subdomains that could be in front of the server URL. What we also need to make sure of course is that we replace this placeholder "your server URL" with the server URL that you're going to use for Teleport.

I've explained this in a bit more detail in my DNS server video. What I've done is, in my internal network I have created a rule that is forwarding all requests to srv-demo5.home.clcreative.de to the internal IP address of that particular server. On my internal DNS server config you can see I've created DNS records for all of these different entries here in the domain home.clcreative.de. So I'm going to add a new wildcard for srv-demo5.home.clcreative.de, add the asterisk, so that matches anything, pointing to the same IP address as the srv-demo5 server. I'm going to need to restart the DNS server. This should now resolve anything in front of this srv-demo5 server to this internal IP address. So I'm going to use just the name teleport-demo1 in front of that, and if I would have a subdomain for some of the application services later, maybe test-app., that should always resolve to this internal IP address. So that's what we're going to use: we are going to use this DNS name here. Edit, change the value of the placeholder, and then it's also important to add these lines here: we need to change our certificate resolver, otherwise Traefik doesn't know which cert resolver to use to issue the trusted TLS certificate. Let me quickly go back, I just can't remember what the name was... I think I've just named it "production". Okay, so that always needs to match this name here, "production". And these other two lines make sure that Traefik issues a wildcard certificate for this domain as well, so just to make sure that this certificate is not just valid for this Teleport service, but also for all the other subdomains for the app service of Teleport.

Okay, great, so that's it about the Docker Compose. Now we need to create the Teleport config file. I'm going to go back to my project and grab this example file. This is just a basic Teleport template that I've created to deploy a new Teleport instance. There are just a few things that need to be changed. First, the server name, which should be teleport-demo1. I'm not going over any of the specifics here like passwordless authentication or Teleport Assist; again, I've done this in some of my older videos. If you want to know how to use passwordless authentication, go check out this video; the other one was about Teleport Assist and other features, going to link that in the description as well. We don't need the SSH service on this instance. Don't worry, you can later add any other remote resources to this Teleport instance, so don't worry about this; this would just create a new node into the container shell if you want that, so we don't need it. But we need to add the proxy service here. The web listener address is 3080, and because we're using a reverse proxy we also need to change the public address of Teleport and change it to the port 443, because that's very important: Teleport's internal HTTPS server with self-signed certificates is using this port internally, but to any external client we want to expose this using Traefik, and of course we don't want to use this port here externally. Externally it should be the standard port for HTTPS, which is 443. So that's why we need to tell Teleport: hey, if you want to make any redirects, it should be redirected to the address where Traefik picks it up. Okay, great, so now we have everything. I hope everything is working, so we can go back to my server and just hit a `docker compose up` in the foreground. Let's see if that runs. That looks all good. I'm going to access my teleport-demo1 URL on the server srv-demo5, and we can now start using Teleport.

If you are entirely new to Teleport, I just want to quickly show you what you need to do now, because now you need to create a user first to be able to authenticate. So let's go back here. I'm just restarting the Teleport server in the background, so that should be fine, and now we need to add a user using the administrative shell of the Teleport service. You can invoke any commands in the container's shell by using the `docker compose exec` command, and just name the container, that should be "teleport", and then we need to add the command that should be executed. So this executes the tctl command in the container of Teleport, and you can see this is the admin tool for the Teleport access platform: you can create users, you can update users, you can remove users, you can add tokens, you can authenticate new resources and so on. I've explained some of this stuff in my older videos, I'm not going through this in detail. By the way, if you want to see the walkthrough of some of the Teleport services to add remote servers and so on, I'm open for any tutorial, so please leave me a comment. And by the way, you should also give this video a thumbs up and subscribe to the channel if you want to see that, that would be really amazing.

Okay, so now we need to create a new user here. So let's use the users command, let's add a new user that's called xstat, and let's just hit enter. I also need to add a role to this user: roles is editor. Now we need to set up our credentials here, so we need to follow this link here, open it in the browser, and that should walk you through the onboarding process of creating a new user. So that's our Teleport instance. This is where we can manage our remote servers or remote applications. We haven't added any of these yet, so I just quickly want to demonstrate how that's working. This should not be a deep dive tutorial of all the features in Teleport, because that would probably take a few hours, but just to add a simple application, if you want to, for example, expose an administrative service like my Proxmox server that is running on my internal network.

So let's go back into the configuration file of Teleport. I've already prepared a section for the app service in here, but it's not enabled yet, so let's do this, let's enable the app service on our Teleport instance. If you would usually deploy Teleport in a cloud environment, for example, that would be different of course, because then you would usually add this configuration not to the cloud instance but to a Teleport node that is running inside your remote networks, so the point where the app service is deployed and where you want to access your application should be able to reach this target, right. So let's enable this. It's very important that you use the correct formatting for the app service. I've had a case on our Discord server where somebody used numbers in here or a dash inside the app service's name, something like proxmox-2. I usually deploy my resources like this, for example I always use proxmox-proj-2 or something like this; this is not working, and I don't know if it's a bug in Teleport or if this is against their app service name encodings, whatever it is, but you can't use numbers and you can't use any symbols, you can just use names, right. So if you have different Proxmox servers, you need to name them something like proxmox2 or proxmox1. I know it's a bit inconvenient, so maybe they're going to fix that in an upcoming version, but just don't use numbers in there.

Okay, so let's call it "proxmox", just for testing, and then we of course need to give it the URI for the target application. In my case this is... Here you can use any IP address, you can use DNS names; as you know, I have DNS names for all of this stuff here, so this is the location of my Proxmox web UI. You can also add this line here, insecure_skip_verify, if you're using self-signed certificates or untrusted TLS certificates in your internal services; then you can set this to true, and then Teleport won't verify the TLS certificate if that's an HTTPS protocol of your internal services.

Okay, let's quickly just restart the Teleport service. You will notice that you don't see the resource here, and that's probably the case because I haven't really edited the role correctly, so I need to add the access role to my user and the auditor role to add all the permissions that are necessary. We need to log out and log in again, go into the application settings, and then you can see there's a new entry that should securely authenticate us to the Proxmox application, or the Proxmox web interface in my internal network. You can use this to securely administrate your internal services. You click on "Launch", and this will add a redirection; you can see this is my Proxmox web UI. Just as simple as that, you can do that with any other application servers: you can add all your services to this configuration file, and then you can use it to securely authenticate from any other location to your Teleport proxy server and from there to your internal web applications. Of course you can also add any of the other resources, Kubernetes servers, databases; you just need to go to Management, Enroll New Resources, and see what's all possible.

So I hope this helped you to set up Teleport in your home lab and IT infrastructure. Please tell me in the comments if you'd like to see more tutorials about this, or if you want to have a specific tutorial about any technical topic you want to know. Join our Discord and let me know, let's have a chat about this. And as always, thanks everybody for watching, I will catch you in the next video. Take care, bye bye.
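As an added example (this is not the video's own files nor the author's boilerplates repository), here are the four files the walkthrough assembles, written out with the settings it describes: the shared external "frontend" network, HTTP-to-HTTPS redirection, a "production" Let's Encrypt resolver using the Cloudflare DNS challenge, HostRegexp routers that also match app-service subdomains, a wildcard SAN on the certificate, `public_addr` on port 443, and an app service with `insecure_skip_verify`. The domain teleport-demo1.example.com, the e-mail address, the Proxmox URI and the Teleport image tag are placeholders/assumptions; the label syntax is Traefik v2's, which was current when the video was recorded.

```yaml
# Added example, not the video's files. Placeholders are marked.
# --- 1. traefik-demo1/docker-compose.yml ---
services:
  traefik:
    container_name: traefik
    image: traefik:v2.10
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CF_DNS_API_TOKEN=REPLACE_WITH_CLOUDFLARE_TOKEN   # placeholder; scope the token to one zone
    volumes:
      - ./config:/etc/traefik                           # holds traefik.yml and certs/
      - /var/run/docker.sock:/var/run/docker.sock:ro    # read-only is enough for label discovery
    networks:
      - frontend
networks:
  frontend:
    external: true   # created beforehand with: docker network create frontend
---
# --- 2. traefik-demo1/config/traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:              # never serve the identity proxy over plain HTTP
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
certificatesResolvers:
  production:                    # name referenced by the router label below
    acme:
      email: info@example.com                  # placeholder
      storage: /etc/traefik/certs/acme.json    # config/certs must exist before first start
      dnsChallenge:
        provider: cloudflare                   # reads CF_DNS_API_TOKEN
serversTransport:
  insecureSkipVerify: true       # Teleport's internal listener uses a self-signed cert
providers:
  docker:
    exposedByDefault: false      # only containers with traefik.enable=true are published
    network: frontend
---
# --- 3. teleport-demo1/docker-compose.yml ---
services:
  teleport:
    container_name: teleport
    image: public.ecr.aws/gravitational/teleport-distroless:13   # assumed tag; check Teleport's docs
    volumes:
      - ./config:/etc/teleport
      - ./data:/var/lib/teleport               # audit log, session recordings, CA keys
    labels:
      - traefik.enable=true
      # both routers match the bare host and any single-label subdomain (app service)
      - traefik.http.routers.teleport-http.entrypoints=web
      - traefik.http.routers.teleport-http.rule=HostRegexp(`teleport-demo1.example.com`, `{subdomain:[a-z0-9-]+}.teleport-demo1.example.com`)
      - traefik.http.routers.teleport-https.entrypoints=websecure
      - traefik.http.routers.teleport-https.rule=HostRegexp(`teleport-demo1.example.com`, `{subdomain:[a-z0-9-]+}.teleport-demo1.example.com`)
      - traefik.http.routers.teleport-https.tls=true
      - traefik.http.routers.teleport-https.tls.certresolver=production
      - traefik.http.routers.teleport-https.tls.domains[0].main=teleport-demo1.example.com
      - traefik.http.routers.teleport-https.tls.domains[0].sans=*.teleport-demo1.example.com
      - traefik.http.services.teleport.loadbalancer.server.port=3080
      - traefik.http.services.teleport.loadbalancer.server.scheme=https
    networks:
      - frontend
networks:
  frontend:
    external: true
---
# --- 4. teleport-demo1/config/teleport.yaml ---
version: v3
teleport:
  nodename: teleport-demo1
  data_dir: /var/lib/teleport
auth_service:
  enabled: true
ssh_service:
  enabled: false                 # no node inside the container itself
proxy_service:
  enabled: true
  web_listen_addr: 0.0.0.0:3080  # internal listener Traefik forwards to
  public_addr: teleport-demo1.example.com:443   # what clients are redirected to
app_service:
  enabled: true
  apps:
    - name: proxmox              # letters only, as the video recommends
      uri: https://proxmox.example.com:8006     # placeholder internal target
      insecure_skip_verify: true                # target uses a self-signed certificate
```

Bring-up order matters: `docker network create frontend`, `mkdir -p config/certs` in the Traefik project, `docker compose up -d` there, then `docker compose up -d` in the Teleport project and create the first user with `docker compose exec teleport tctl users add <name> --roles=editor,access`. Two checks worth doing before trusting the setup: `curl -I http://teleport-demo1.example.com/` should answer with a 301 to HTTPS, and once Traefik has obtained the certificate, `openssl s_client -connect teleport-demo1.example.com:443 -servername teleport-demo1.example.com` should show a Let's Encrypt chain with the wildcard SAN, which is what lets an app subdomain such as proxmox.teleport-demo1.example.com be served without a browser warning.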
Info
Channel: Christian Lempa
Views: 33,172
Id: NzSdNoR-JPo
Length: 23min 49sec (1429 seconds)
Published: Tue Aug 22 2023