
Situation: I run Home Assistant on an Ubuntu server on my home LAN. Because my home network is behind a double NAT, I have set up an SSH tunnel that forwards the Home Assistant web interface to a VPS (also running Ubuntu).

When I run the following on the VPS, the SSH tunnel works as expected (Home Assistant answers on the VPS's localhost:8045):

$ curl localhost:8045 | grep -iPo '(?<=<title>)(.*)(?=</title>)'
Home Assistant

On the VPS I run a number of web services via docker-compose behind Traefik. The other services (Caddy, Portainer) work without problems.

When I try to serve Home Assistant through Traefik and open https://ha.mydomain.com in a web browser, I get a 504 Gateway Timeout.

Below are my configuration files. What am I doing wrong?

docker-compose yaml file:

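version: "3.7"

services:
  traefik:
    container_name: traefik
    # NOTE(review): `latest` is a moving target (Traefik v3 changed or removed
    # several v2 options). Pin an explicit tag so upgrades are deliberate.
    image: traefik:latest
    networks:
      - proxy
    # host-gateway resolves to the Docker bridge gateway IP, not to 127.0.0.1.
    # Anything the proxy must reach on the host (the SSH tunnel on 8045) has to
    # listen on that gateway address; a loopback-only listener is unreachable
    # from this container and shows up as a 504 Gateway Timeout.
    extra_hosts:
      - host.docker.internal:host-gateway
    ports:
      - "80:80"
      - "443:443"
    # This container holds the Docker socket (a read-only bind mount still
    # grants full Docker API access, i.e. root on the host); at least keep it
    # from acquiring new privileges.
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${HOME}/docker/data/traefik/traefik.yml:/traefik.yml:ro
      # basic-auth users for the dashboard router; keep this file out of VCS
      - ${HOME}/docker/data/traefik/credentials.txt:/credentials.txt:ro
      - ${HOME}/docker/data/traefik/config:/config
      # must be mode 600 on the host or Traefik refuses to use it
      - ${HOME}/docker/data/traefik/letsencrypt/acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # Dashboard and API only via TLS and only behind basic auth.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.tls.domains[0].main=traefik.mydomain.com"
      - "traefik.http.routers.dashboard.tls.domains[0].sans=traefik.mydomain.com"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.usersfile=/credentials.txt"
  caddy:
    # NOTE(review): pin an explicit tag rather than `latest`.
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - ${HOME}/docker/data/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ${HOME}/docker/data/caddy/site:/srv
      - ${HOME}/docker/data/caddy/data:/data
      - ${HOME}/docker/data/caddy/config:/config
    labels:
      # Explicit opt-in, consistent with the traefik container above, so the
      # service keeps working if the docker provider is switched to
      # exposedByDefault: false.
      - "traefik.enable=true"
      # A router without `entrypoints` is attached to every entrypoint; the
      # `web` entrypoint redirects to TLS, so this is effectively HTTPS-only.
      - "traefik.http.routers.caddy-secure.rule=Host(`vps.mydomain.com`)"
      - "traefik.http.routers.caddy-secure.service=caddy"
      - "traefik.http.services.caddy.loadbalancer.server.port=80"
  portainer:
    # NOTE(review): pin an explicit tag (the image has no tag at all here).
    image: portainer/portainer-ce
    container_name: portainer
    networks:
      - proxy
    # --http-enabled: plain HTTP between Traefik and Portainer on the internal
    # `proxy` network; TLS is terminated by Traefik.
    command: -H unix:///var/run/docker.sock --http-enabled
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Docker socket again: Portainer is root-equivalent on the host, so its
      # own login is the only thing standing between the internet and the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${HOME}/docker/data/portainer:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.mydomain.com`)"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
    restart: unless-stopped

networks:
  # proxy is the network used for traefik reverse proxy
  proxy:
    external: true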

traefik static configuration file:

api:
  dashboard: true
  # insecure: false keeps the API/dashboard off the unauthenticated :8080
  # listener; it is only reachable through the basic-auth protected
  # `dashboard` router defined in the compose labels.
  insecure: false
  # debug: true enables the extra /debug/ profiling endpoints on api@internal;
  # turn it off once the setup works.
  debug: true

entryPoints:
  web:
    address: :80
    http:
      # Every plain-HTTP request is redirected to the TLS entrypoint here, so
      # no per-middleware sslRedirect is needed anywhere else.
      redirections:
        entryPoint:
          to: web_secure

  web_secure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    network: proxy
    endpoint: "unix:///var/run/docker.sock"
    # NOTE(review): exposedByDefault is not set and therefore true, so every
    # container on this host is published through Traefik unless it carries
    # traefik.enable=false (caddy and portainer in the compose file rely on
    # this default). Prefer opt-in, which requires traefik.enable=true on each
    # container that should be published:
    # exposedByDefault: false
  file:
    filename: /config/dynamic.yml
    watch: true


certificatesResolvers:
  letsencrypt:
    acme:
      email: myname@mydomain.com
      # Relative to the container's working directory, matching the /acme.json
      # bind mount in the compose file; the file must be mode 600.
      storage: acme.json
      keyType: EC384
      # HTTP-01 needs :80 reachable from the internet; the `web` entrypoint's
      # redirect does not interfere with the challenge path.
      httpChallenge:
        entryPoint: web

traefik dynamic configuration file:

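# dynamic.yml
http:
  middlewares:
    secureHeaders:
      headers:
        # HTTP->HTTPS redirection is already done by the `web` entrypoint in
        # the static config. The headers middleware's sslRedirect option is
        # deprecated in Traefik v2 and removed in v3 (which `traefik:latest`
        # may resolve to), so it is dropped here rather than duplicated.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    # Defined but not attached to any router. Home Assistant has its own login
    # and its mobile apps do not send HTTP basic auth, so do not put this in
    # front of home-assistant-secure without testing those clients. Prefer a
    # usersFile (as the dashboard router does) over a hash in this file.
    user-auth:
      basicAuth:
        users:
          - "username:hashedpassword"
  routers:
    home-assistant-secure:
      rule: "Host(`ha.mydomain.com`)"
      # Pin the router to the TLS entrypoint; without `entryPoints` a router
      # is attached to all of them (harmless here because `web` redirects,
      # but explicit is safer).
      entryPoints:
        - web_secure
      service: home-assistant
  services:
    home-assistant:
      loadBalancer:
        passHostHeader: true
        servers:
          # host.docker.internal is the Docker bridge gateway address, not
          # 127.0.0.1. An SSH remote forward binds to loopback only unless the
          # VPS sshd has GatewayPorts set, so a tunnel that answers
          # `curl localhost:8045` on the host is still unreachable from this
          # container -- that surfaces as a 504 Gateway Timeout. Bind the tunnel
          # on the bridge gateway IP (or on 0.0.0.0 and firewall 8045 so only
          # Docker networks reach it); do not leave plain-HTTP 8045 open to the
          # internet, which would bypass this proxy and its TLS entirely.
          # Home Assistant itself must also list the proxy in
          # `http: trusted_proxies:` with `use_x_forwarded_for: true`, or it
          # rejects proxied requests -- presumably 127.0.0.1/::1 here, since HA
          # sees connections from the tunnel's local end; verify in its log.
          - url: http://host.docker.internal:8045

tls:
  options:
    default:
      # Applies to TLS 1.2 handshakes only; TLS 1.3 suites are fixed by the
      # Go runtime and cannot be configured here.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12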
