Skip to content

Instantly share code, notes, and snippets.

@GridexX

GridexX/README.md

Last active February 6, 2024 14:42
Show Gist options
  • Save GridexX/429d25e54f0374a6ed2f0e3a7c99f057 to your computer and use it in GitHub Desktop.
Save GridexX/429d25e54f0374a6ed2f0e3a7c99f057 to your computer and use it in GitHub Desktop.
Download ZIP
Deploy Teleport behind a Caddy Reverse Proxy with Docker compose and Terraform
Raw
README.md

This repository contains the Dockerfile and the necessary files to provision a Debian VM with Terraform into Openstack, install Teleport and Caddy, and configure the latter to act as a reverse proxy for the former.

Requirements

  • Cloudflare account
  • Openstack cluster
  • Terraform CLI

Installation and usage

Clone the repository and navigate to the terraform directory. Edit the variables.tf file to match your environment. Here are the commands to run:

git clone https://github.com/GridexX/teleport-openstack-caddy
cd ./teleport-openstack-caddy/terraform

# Edit the variables in the `variables.tf` file
terraform init
terraform plan
terraform apply

Configuration

Create the DNS records

Once the VM is provisioned, you need to configure the docker-compose.yml file with the Teleport URL and the Cloudflare API token.

First, retrieve the floating IP address with the following command:

terraform output -json | jq '.instance_fip_address.value' | sed -e 's/"//g'

Inside Cloudflare, create the DNS record for the Teleport instance.

Note

Teleport use the wildcard DNS record *.example.com to create subdomains for each user. So you need to create a wildcard DNS record for the domain name you want to use. Also, you need to create a DNS record for the Teleport instance itself.

Create the Cloudflare API token

We will link the Openstack VM to a Cloudflare DNS record, so we need to create a Cloudflare API token with the following permissions:

  • Zone > DNS > Edit
  • Zone Resources > Specific Zone > example.com
  • Client IP Address Filtering is In

Once created, save the API token in a variable called CLOUDFLARE_API_TOKEN. Connect into the VM with SSH and run the following commands:

cd ~/compose-teleport
export TELEPORT_URL="your-teleport-url"
envsubst < tmp-docker-compose.yml > docker-compose.yml
export CLOUDFLARE_API_TOKEN="your-api-token"

Important

Replace your-api-token with the Cloudflare API token and your-teleport-url with the URL of the Teleport instance. The exportation of the Cloudflare api token is done after the envsubst command to avoid saving it in the docker-compose.yml file.

This repository use a custom Caddy image with the Cloudflare DNS plugin. Also, it uses the Docker-proxy to allows configuring Caddy from the labels of the Docker containers.

You can modify the Docker Image to match your needs.

Launch the Docker containers

Once the docker-compose.yml file is created, run the following command to start the Caddy and Teleport containers:

docker-compose up -d

Access the Teleport web interface

The Teleport web interface is now accessible at https://teleport.example.com. Replace example.com with your domain name.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

Made by GridexX during February 2024 🏰

Raw
docker-compose.yml
version: "3.8"
services:
teleport:
image: public.ecr.aws/gravitational/teleport-distroless:15.0.0
volumes:
- ./teleport/config:/etc/teleport
- ./teleport/data:/var/lib/teleport
networks:
- caddy
labels:
caddy: "${TELEPORT_URL}, *.${TELEPORT_URL}"
caddy.reverse_proxy: "{{upstreams https 3080}}"
caddy.tls.dns: cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
caddy.reverse_proxy.transport: http
caddy.reverse_proxy.transport.tls: ""
caddy.reverse_proxy.transport.tls_insecure_skip_verify: ""
caddy:
image: gridexx/caddy-docker-cloudflare:1.0.0
ports:
- 80:80
- 443:443
environment:
- CADDY_INGRESS_NETWORKS=caddy
- CLOUDFLARE_AUTH_TOKEN=${CLOUDFLARE_AUTH_TOKEN}
networks:
- caddy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- caddy_data:/data
restart: unless-stopped
networks:
caddy:
external: true
volumes:
caddy_data: {}
Raw
teleport.yaml
version: v3
teleport:
nodename: teleport
data_dir: /var/lib/teleport
log:
output: stderr
severity: INFO
format:
output: text
ca_pin: ""
diag_addr: ""
auth_service:
enabled: "yes"
listen_addr: 0.0.0.0:3025
cluster_name: ${TELEPORT_URL}
proxy_listener_mode: multiplex
ssh_service:
enabled: "no"
proxy_service:
enabled: "yes"
https_keypairs: []
public_addr: ${TELEPORT_URL}:443
web_listen_addr: 0.0.0.0:3080
https_keypairs_reload_interval: 0s
acme: {}
trust_x_forwarded_for: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment