Traefik 3.0

[OisinHick]

Hey All,

First off to the maintainer: thanks for your hard work - love this tool.

Is this project's docker relay compatible with traefik 3 reverse proxy?

If so, I would love any direction/ideas as to how this can be implemented. Hopefully it can help me or anyone else at a later date!

[thelittlefox]

Traefik can proxy TCP/IP traffic, so I believe the answer is yes.

[OisinHick]

Ah so I would just proxy the ports as TCP traffic? and input the FQDN as the relay when transferring?

[OisinHick]

services:
  croc:
    # The 'ports' section maps ports directly from the HOST to the container.
    # If you ONLY want to access croc *through* Traefik, this section is
    # technically redundant and can be removed or commented out.
    # Traefik will route traffic via the shared Docker network ('traefik_proxy').
    # Keep it if you need direct host access *as well* as Traefik access.
    #ports:
    #  - 9009-9013:9009-9013
    container_name: croc
    environment:
      - CROC_PASS=$CROCPASSWORD # Ensure $CROCPASSWORD is set in your environment or a .env file
    image: schollz/croc
    networks: # Add this network section
      - traefikproxy # Connect the croc container to the shared Traefik network
                      # Replace 'traefik_proxy' if your network name is different.
    labels: # Add this entire labels section for Traefik configuration
      # --- Traefik Configuration ---
      - "traefik.enable=true" # Enable Traefik for this service

      # --- TCP Router Definition ---
      # Define how Traefik should handle incoming connections for croc
      - "traefik.tcp.routers.croc-router.rule=HostSNI(`*`)" # Match any TCP connection on the entrypoint
                                                          # Use HostSNI(`your.croc.domain`) if clients use SNI
      - "traefik.tcp.routers.croc-router.entrypoints=croc-tcp" # Route traffic coming from the 'croc-tcp' entrypoint
                                                               # ** Replace 'croc-tcp' with your actual entrypoint name **
      - "traefik.tcp.routers.croc-router.service=croc-service" # Forward matched traffic to the 'croc-service' backend

      # Optional: Add TLS if your entrypoint handles it (e.g., via Let's Encrypt)
      # - "traefik.tcp.routers.croc-router.tls=true"
      # - "traefik.tcp.routers.croc-router.tls.certresolver=myresolver" # Replace with your certificate resolver name

      # --- TCP Service Definition ---
      # Define how Traefik connects to the actual croc container
      - "traefik.tcp.services.croc-service.loadbalancer.server.port=9009" # Forward traffic to port 9009 inside the croc container
                                                                         # Croc handles the port range internally after initial connect.

Managed to come up with this but not totally sure if I set this up correctly. Would love community input here!

[OisinHick]

I have opened #916 to document and share the solution which worked for me

[vaygr]

This did not work for me. Are you sure traffic is going through the relay and not locally? I have the sending local machine completely firewalled and the receiving one failed to establish the connection.

To test: send with --no-local flag.

@schollz is it possible to use a single port on the relay -- the one that's also a base port? When I start the relay with relay --port 9009 --ports 9009, and try to receive, croc crashes with the following:

[debug] 06:43:55 comm.go:83: comm.NewConnection failed: dial tcp: lookup tcp/ok: unknown port
[debug] 06:43:55 tcp.go:493: comm.NewConnection failed: dial tcp: lookup tcp/ok: unknown port
panic: comm.NewConnection failed: dial tcp: lookup tcp/ok: unknown port

goroutine 37 [running]:
github.com/schollz/croc/v10/src/croc.(*Client).processMessagePake.func1(0x0)
        github.com/schollz/croc/v10/src/croc/croc.go:1461 +0x4ad
created by github.com/schollz/croc/v10/src/croc.(*Client).processMessagePake in goroutine 19
        github.com/schollz/croc/v10/src/croc/croc.go:1441 +0x745

The only way I could make it work was adding an additional port with port-forwarding directly on the container:

    ports:
      - 9012:9012

which will make traffic run not through traefik proxy,

and then running the relay with: relay --port 9009 --ports 9009,9012.

[OisinHick]

The magic bytes error you got on the pull request I am pretty sure I have encountered somewhere before? I will say it did work for me however you very well could have noticed an error I haven't. Did taking out the TLS part and just using lets encrypt fix your issues? @vaygr

[vaygr]

@OisinHick the comment here and in the PR are different and target different issues. The comment in the PR is about TLS, which I don't think will ever work regardless of the certificate vendor.

The comment here is talking about the error that I see when I use just one (base) port. I mentioned the --no-local flag above. Were you able to verify this, confirm it works and that traffic goes through traefik?

[OisinHick]

@OisinHick the comment here and in the PR are different and target different issues. The comment in the PR is about TLS, which I don't think will ever work regardless of the certificate vendor.

The comment here is talking about the error that I see when I use just one (base) port. I mentioned the --no-local flag above. Were you able to verify this, confirm it works and that traffic goes through traefik?

Hey @vaygr I cant access the machine I originally did my testing on right now so please let me test this and see what happens. At the time when I had tested it worked ok but obviously I have missed something! Let me come back to asap and I will let you know. Really appreciate your help and collaboration on fleshing this out.