DiscussionSLA
Sign inSign up

How to configure web UI for reverse proxy

Published 4 months ago

# SafeLine WAF

Published 4 months ago

profile_photo

DNAblue2112

Updated 4 months ago

0

I am using Safeline with my pre existing Traefik reverse proxy. That part I got working using the Traefik plugin. But now I want to put the management UI behind the same proxy so that I can access it with my domain instead of the IP and Port. But when I do try to access via Traefik I get a nginx 404 so I assume there is a setting I need to enable or something to allow it to be proxied. Any help would be appreciated.

profile_photo

Carrie

Updated 4 months ago

Have you set the upstream as https://wafip:9443 in Traefik? Please note it's https.

profile_photo

Warhangel

Updated 4 months ago

0

settings for wafs domen
test_SafeLine_WAF.png

profile_photo

DNAblue2112

Updated 4 months ago

0

unfortunately that doesn't work, I assume it's because I am using Traefik. "listen tcp :80: bind: address already in use"

profile_photo

DNAblue2112

Updated 4 months ago

0

I currently have the 9443 port exposed and was hoping to simply place Traefik in front of that like I do with every other service. Is there any way to to this?

profile_photo

kekw

Updated 4 months ago

0

To help you properly a bit more details would be great - Assuming safeline and traefic dont share the same host, your reverse proxy should work as with every other application.

Please share your traefic conf. Your error msg "listen tcp:80" only appears if you want to bind more than one service to given port (80). So I currently wonder why it happens, if your safeline uses the default 9443 port?

profile_photo

Carrie

Updated 4 months ago

0

Could you please tell us how you configured? Also, could you provide a screenshot of the 404 error? If the URL is accessible from the public internet, could you DM it to me?

profile_photo

DNAblue2112

Updated 4 months ago

0

Sure thing. In the standard compose.yml I have added these labels for Traefik to configure with

    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik

      - traefik.http.routers.safeline.entrypoints=websecure
      - traefik.http.routers.safeline.rule=Host("safeline.MYDOMAIN.com")
      - traefik.http.routers.safeline.tls=true
      - traefik.http.routers.safeline.tls.certresolver=production
      - traefik.http.services.safeline.loadbalancer.server.port=1443
      #- traefik.http.services.safeline.loadbalancer.server.scheme=https
      #- traefik.http.services.safeline.loadBalancer.server.url=https://172.18.0.81:1443/
    ports:
      - ${MGT_PORT:-9443}:1443

If I remove all of the services labels, thats when I get a 404, I have determined that it was going to port 80 on the container and that was why. Now I only get 500 Errors or an infinite refresh with a white page. The version above with the last two labels commented out is the one that gives me infinite refreshes of the page, I suspect this is it trying to redirect to HTTPS. Adding either of the last two labels results in a 500 error from Firefox.
I will send a screenshot of the 500 error and the console in a PM with the domain as it is publicly accessible.

profile_photo

Carrie

Updated 4 months ago

Our engineer says that based on all the information you‘ve provided so far, there doesn’t seem to be any issue. You may need to investigate Traefik to find out why the 500 error is occurring.

profile_photo

DNAblue2112

Updated 4 months ago

0

Okay, is there anything I need to configure on the Safeline side that I might have missed? I know some services need you to tell them the IP address of the proxy or what the forwarded IP header is or they wont accept the connection. Or is there a way to disable HTTPS on the web UI so that I can use HTTP from traefik to Safeline?

profile_photo

Carrie

Updated 4 months ago

You can create an HTTP application to proxy port 9443 (set the upstream to: https://127.0.0.1:9443.

profile_photo

DNAblue2112

Updated 4 months ago

0

I get the error "listen tcp :9443: bind: address already in use" in the UI
But I was able to set it to listen on 9442, setting Traefik to point to the port has resulted in a bad gateway error
I enabled the access and error logs but got nothing, attached is the application settings
image.png

profile_photo

DNAblue2112

Updated 4 months ago

0

Figured I'd try a static Traefik config as well.

http:
  routers:
    safeline-alt:
      tls:
        certResolver: production
      entryPoints:
        - "websecure"
      rule: "Host(`safeline-alt.MYDOMAIN.com`)"
      service: safeline-alt
  services:
    safeline-alt:
      loadBalancer:
        servers:
          - url: "https://SERVERIP:9443"
        passHostHeader: true

This still returns a 500 error

profile_photo

DNAblue2112

Updated 4 months ago

0

Got it working but I can't understand how it is working.

http:
  routers:
    safeline-alt:
      tls:
        certResolver: production
      entryPoints:
        - "websecure"
      rule: "Host(`safeline-alt.MyDomain.com`)"
      service: safeline-alt
  services:
    safeline-alt:
      loadBalancer:
        servers:
          - url: "http://LocalNetworkIP:9441"
        passHostHeader: true

with the SafeLine application listening on http 9441 Proxying to https://127.0.0.1:9443/
But port 9441 isn't open on any of the containers so I'm not sure how traefik is sending data into the management container when that port isnt open.
But it is now working. So I will move these settings into the containers labels and see if it still works there

Related Posts
#
[Documentation request] Documentation about the type of regular expression at SafeLine
#
INSTALLATION ERROR
#
User-Agent group
#
Feature License For Lite Version
#
Asset caching