Reverse Proxy

[arunoruto]

I am trying to run a derper container behind a traefik proxy. I am not sure what I am doing wrong, but my config seems to work until I turn on verification.
Here is my service:

services:
  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.your-hostname.com
      DERP_ADDR: :80
      DERP_STUN: 'true'
      DERP_STUN_PORT: 3478
      DERP_HTTP_PORT: 443
      DERP_VERIFY_CLIENTS: 'true'
    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.http.routers.derper.rule: Host(`derper.your-hostname.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.services.derper.loadbalancer.server.port: 80
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

Derper is giving me constant errors like:

...
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: read EOF
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: removing connection
...

where 172.19.0.19 is the docker IP address of traefik, my reverse proxy. The service is available at https://derper.your-hostname.com and I also get the webpage, but it seems like I am missing something.

Sometimes I also do get errors like this:

...
2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers
...

[mrrfv]

2023/05/28 00:54:42 derp: 172.19.0.19:55912: client rejected: client nodekey: not in set of peers

This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.

I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

[arunoruto]

@mrrfv thanks for the respons!
Websockets are enabled out of the box for traefik as explained here and here.
What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with deeper. But nothing seems to work.
Also, would HTTP to HTTPS redirecting be a problem?

[mrrfv]

Also, would HTTP to HTTPS redirecting be a problem?

The Tailscale documentation says HTTPS should be optional (i.e. HTTP should still work) just in case you're using a network that blocks encrypted connections. Forcing HTTPS shouldn't cause that big of a problem though.

What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with deeper. But nothing seems to work.

Mounting the Tailscale socket (as a volume) worked for me on the first try, so I don't really know how to help you in that regard. Using the same network or host networking doesn't work in my experience. Are you running Tailscale in a container, or bare-metal?

Also:

    environment:
      DERP_DOMAIN: derper.your-hostname.com

Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.

[arunoruto]

I don't know if something has changed since I last tackled the problem, but it seems like this compose file works for now:

  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.example.com
      DERP_ADDR: :80
      DERP_HTTP_PORT: -1
      DERP_VERIFY_CLIENTS: 'true'
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - default
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    labels:
      traefik.enable: 'true'
      # HTTPS
      traefik.http.routers.derper.rule: Host(`derper.example.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.routers.derper.service: derper
      traefik.http.services.derper.loadbalancer.server.port: 80
      # STUN
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

I am not sure if the devices tag was needed, but I made sure to include it too for the TUN device.

Also:

    environment:
      DERP_DOMAIN: derper.your-hostname.com

Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.
The key:value syntax also works for environments and labels. I like them more since the syntax highlighters pick them up easier. The only downside is, that you need to specify the true and false values in quotes, so they don't get mixed up with the yaml logical values.

I will test this setup for a few days and report if any problems arise. If not, I will close the issue then.

[londbell]

2023/05/28 00:54:42 derp: 172.19.0.19:55912: client rejected: client nodekey: not in set of peers

This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.

I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

Thanks for you!

[Cheesman97]

Hi @arunoruto
Can you also paste your tailscaled docker-compose? I tried your config but i'm not able to access the tailscaled api

[arunoruto]

Hi @arunoruto Can you also paste your tailscaled docker-compose? I tried your config but i'm not able to access the tailscaled api

I am currently running tailscale on the host machine. Therefore, I am mounting the tailscale.sock file inside the container.
I just switched servers, and the configuration is working so far. But sometimes I got weird behavior. I will try it again with the new server and give feedback.

[wang1zhen]

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?

I have tried several times, but there is always an error of 502 openresty.

[wodepig]

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?

I have tried several times, but there is always an error of 502 openresty.

我也有同样的问题.但我最近解决了:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
# 你的证书文件夹,里面应该有derper.hostname.com.crt和derper.hostname.com.key文件
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

启动后的日志:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

宝塔面板的添加网站反代配置和ssl:
proxy_pass http://127.0.0.1:3443;

访问:
derper.hostname.com:3443(必须带端口)

如果提示**Client sent an HTTP request to an HTTPS server.**请检查你的ssl配置(nginx和docker的都需要检查)
并且确认访问3443端口
如果访问3443端口还是不行,请检查ssl证书的有效期
ps: 不知道为什么要添加:3443端口

[conancheng]

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

我也有同样的问题.但我最近解决了:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
# 你的证书文件夹,里面应该有derper.hostname.com.crt和derper.hostname.com.key文件
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

启动后的日志:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

宝塔面板的添加网站反代配置和ssl: proxy_pass http://127.0.0.1:3443;

访问: derper.hostname.com:3443(必须带端口)

如果提示**Client sent an HTTP request to an HTTPS server.**请检查你的ssl配置(nginx和docker的都需要检查) 并且确认访问3443端口 如果访问3443端口还是不行,请检查ssl证书的有效期 ps: 不知道为什么要添加:3443端口

你好，我按照你的方法部署了，但是在网站上Access Controls里面添加了
"derpMap": {
"OmitDefaultRegions": true,
"Regions": {
"900": {
"RegionID": 900,
"RegionCode": "guangzhou",
"RegionName": "TX guangzhou",
"Nodes": [
{
"Name": "guangzhou-derp",
"RegionID": 900,
"DERPPort": 3443, //更换为自己的PORT
"HostName": "derper.XXX.com", //这里更换为自己的域名
"InsecureForTests": true,
},
],
},
},
},
按照这么写了后，找的到derp，但是无法连接的上

[cz19860416]

@conancheng hi，I also can not connect to the relay server, Only one have any idea about it ?

[caixiaomao]

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

我也有同样的问题.但我最近解决了:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
# 你的证书文件夹,里面应该有derper.hostname.com.crt和derper.hostname.com.key文件
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

启动后的日志:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

宝塔面板的添加网站反代配置和ssl: proxy_pass http://127.0.0.1:3443;
访问: derper.hostname.com:3443(必须带端口)

如果提示**Client sent an HTTP request to an HTTPS server.**请检查你的ssl配置(nginx和docker的都需要检查) 并且确认访问3443端口 如果访问3443端口还是不行,请检查ssl证书的有效期 ps: 不知道为什么要添加:3443端口

你好，我按照你的方法部署了，但是在网站上Access Controls里面添加了 "derpMap": { "OmitDefaultRegions": true, "Regions": { "900": { "RegionID": 900, "RegionCode": "guangzhou", "RegionName": "TX guangzhou", "Nodes": [ { "Name": "guangzhou-derp", "RegionID": 900, "DERPPort": 3443, //更换为自己的PORT "HostName": "derper.XXX.com", //这里更换为自己的域名 "InsecureForTests": true, }, ], }, }, }, 按照这么写了后，找的到derp，但是无法连接的上

一样的问题，请问你解决了，用的是阿里云，是不是阿里云有什么限制？ @conancheng

[SenLief]

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.

我也有同样的问题.但我最近解决了:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
# 你的证书文件夹,里面应该有derper.hostname.com.crt和derper.hostname.com.key文件
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

启动后的日志:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

宝塔面板的添加网站反代配置和ssl: proxy_pass http://127.0.0.1:3443;
访问: derper.hostname.com:3443(必须带端口)

如果提示**Client sent an HTTP request to an HTTPS server.**请检查你的ssl配置(nginx和docker的都需要检查) 并且确认访问3443端口 如果访问3443端口还是不行,请检查ssl证书的有效期 ps: 不知道为什么要添加:3443端口

你好，我按照你的方法部署了，但是在网站上Access Controls里面添加了 "derpMap": { "OmitDefaultRegions": true, "Regions": { "900": { "RegionID": 900, "RegionCode": "guangzhou", "RegionName": "TX guangzhou", "Nodes": [ { "Name": "guangzhou-derp", "RegionID": 900, "DERPPort": 3443, //更换为自己的PORT "HostName": "derper.XXX.com", //这里更换为自己的域名 "InsecureForTests": true, }, ], }, }, }, 按照这么写了后，找的到derp，但是无法连接的上

你的udp都没有开，阿里云和腾讯云都有自己的网络防火墙，需要在网页后台开一下对应的端口和协议。