Reverse Proxy Documentation #1056
Hi, first the Hue app requires port 80 and 443. You want to be able to route the ports inside to a different port, so diyhue listens on port 8080 and 8443 and outside it is reachable on port 80 and 443?
Depending on how the URL parameters are, you could also very specifically route some traffic to diyhue. For example, everything to /api on the IP address itself could get routed to diyhue using traefik. Or things that always appear in the header. Being able to change the port in the docker compose would also work, I guess.
If I understand you correctly, you want to redirect URL endpoints to something else?
I also have a docker compose and traefik reverse proxy setup and I'm looking to add diyhue. Not sure when I'll get to it, but once I've figured it out I'll post my config here.

Traefik listens on 80 and 443 and proxies to different services/web servers using rules, mostly by checking the host in the HTTP request (subdomain). Doing this has many benefits like SSL offloading and running multiple services on a server with just one IP. In a perfect world we would be able to use a subdomain to reach the diyhue bridge emulator, but from what I gather, the apps are limited to IP only. This shouldn't be a problem though: it should be possible to configure traefik to send any http/https traffic for the IP (no subdomain) to the diyhue container. Any traffic to a subdomain still goes to the other services.

As for the diyhue container, it can continue running using the default http/https ports, but we do not publish them in the docker compose file anymore. The ports are still accessible from the docker network, but docker won't try binding those ports on the host. Which is good, because those ports are already bound by traefik. Instead we can put the diyhue container on the proxy/traefik network and configure traefik to send requests for the IP (with no host/subdomain) to diyhue. Here are some links to some potential puzzle pieces:
As I wrote above, I'll be sure to update you when I've had the time to actually put my plan to the test, but maybe this already gives you a couple ideas.
You can change the port of diyhue with a docker environment variable.
Can I choose any port or just 80/443 and 8080/8443?
You can use any port except 1900 and 2100; the Hue app needs 80 and 443, it's not possible to change that.
I've gotten around to it now and, as promised, this is my working setup:

### Brief Overview

Traefik listens on 80 and 443 for http/https requests. If the requests go to a subdomain etc., forward them to those services as usual. If they go to the IP directly, we let diyHue answer the request instead; it might be the Hue app. The TLS encryption is handled by traefik (SSL offloaded) using the certificate generated and provided by diyHue. Ports 1900, 1982 and 2100 are handled directly by diyHue. For more on the concept, see my previous post.

### diyHue docker-compose.yml

In my docker-compose.yml (based on the examples in the repo), I made the following changes:

Afterwards, the docker compose file might look something like this:

```yaml
# docker-compose.yml
services:
  diyhue:
    container_name: diyhue
    image: diyhue/core:latest
    volumes:
      - ./diyHue:/opt/hue-emulator/config
    restart: unless-stopped
    ports:
      # only the UDP ports are published on the host; 80/443 stay inside
      # the proxy network and are reached through traefik
      - "1900:1900/udp"
      - "1982:1982/udp"
      - "2100:2100/udp"
    environment:
      - DEBUG=false
      - MAC=dc:a6:32:fe:XX:XX
      - IP=192.168.XXX.XXX
      - TZ=Europe/Berlin
    # special config for traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.diyhue-service.loadbalancer.server.port=80"
      - "traefik.http.routers.diyhue-route.service=diyhue-service"
      - "traefik.http.routers.diyhue-route.rule=Host(`192.168.XXX.XXX`)"
      - "traefik.http.routers.diyhue-route.entrypoints=web, websecure"
    networks:
      - "proxy"

# declare external traefik network
networks:
  proxy:
    external: true
```

### Certificate

In order to get the official Hue app to work, the correct TLS certificate is needed. diyHue generates one and puts it in the same directory as the config files (cert.pem). To achieve this I simply replaced the default certificate (see documentation). ACME certificates are still prioritized if available, so it only really applies for requests to the IP directly.

```yaml
# config.yml
# put this in the dynamic config, not in the static config in traefik.yml
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /path/to/cert.pem
        keyFile: /path/to/cert.pem
```

You can check if it's working using this method from the diyHue docs.

### Disabling diyHue serving https

We don't actually need diyHue to listen for https requests anymore, because traefik has that job now. There is a parameter --no-serve-https.

@hendriksen-mark If you want me to create a pull request somewhere (like the examples folder or readthedocs), just let me know what and where to put it. Also, can you verify that the --no-serve-https option is not available as an environment variable or through the diyHue config file? Maybe it's worth doing a PR for that as well.
@eckynde Could you provide an instruction on how to add the dynamic configurations in Traefik? The documentation doesn't help me much. diyHue works, though it's showing
So the certs don't seem to work or aren't picked up by Traefik.
@Nickk888SAMP Sure! (By the way, if you want to properly censor your MAC address, you also need to redact the bridgeid.) Conceptually:

More practically speaking, do this:

### Step 1 - Let traefik know where to look

If you use command line arguments in your traefik docker-compose.yml:

```yaml
# docker-compose.yml
services:
  traefik:
    # note: --api.insecure=true exposes the traefik dashboard/API without authentication
    command: --api.insecure=true --providers.docker --providers.file.filename=/config.yml
    # ...
```

If, in your traefik setup, you use a static config file (traefik.yml) instead:

```yaml
# traefik.yml / static config
providers:
  file:
    filename: /config.yml
```

(For extra neat config management: the file provider also supports specifying a directory instead of a single file. See docs.)

### Step 2 - Mount files

We've just told traefik that it should expect to find a configuration file in /config.yml. To do that, we mount it. We do the same for the certificate file that diyhue generated:

```yaml
# docker-compose.yml
services:
  traefik:
    volumes:
      - ./config.yml:/config.yml:ro
      - ./cert.pem:/cert.pem:ro
    # ...
```

(The left part is the path on the host system, the right part is the path inside the docker container, and the :ro mounts it read-only.)

### Step 3 - Create files

We also need to actually put those files there. So create config.yml:

```yaml
# config.yml / dynamic config
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /cert.pem
        keyFile: /cert.pem
```

Next, copy over the certificate that diyhue generated. Make sure you have put the correct MAC address in the diyhue config or the app won't pair. The certificate doesn't expire until 2037, so you should be fine for a while.

If you want to get fancy, instead of copying, you could also change your traefik docker-compose.yml:

```yaml
# docker-compose.yml
# replacing the line
# - ./cert.pem:/cert.pem:ro
# with (adjust path)
      - /srv/compose/diyhue/diyHue/cert.pem:/cert.pem:ro
```

### Finishing up

To apply your changes and watch the logs as it starts up, you can run this and wait:

```sh
sudo docker compose up -d && sudo docker compose logs -f
```

To check everything is working, use this method from the diyhue docs.
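Both setup posts above end by pointing at a check from the diyHue docs that the right certificate is actually being served. The script below is an added example for this thread, not code from diyHue, Traefik or either poster. It connects to the bridge IP the way the Hue app does, without sending an SNI name (clients do not put an IP literal in SNI, which is why Traefik answers such connections with the defaultCertificate from the dynamic config), and compares the SHA-256 fingerprint of the leaf certificate it receives with the cert.pem diyHue generated. An optional second probe with a hostname as SNI shows that the name-based routers still get their own (e.g. ACME) certificate. The IP, the cert.pem path and the hostname are passed on the command line and are placeholders; the SAMPLE_* constants are constructed test data, not a real certificate.

```python
"""Verify that Traefik serves diyHue's own certificate on the bridge IP.

Added example for this thread; not code from diyHue or Traefik.
"""
import argparse
import base64
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string.

    The traefik config in this thread points certFile and keyFile at the same
    cert.pem, i.e. key and certificate share one file, so we look for the
    CERTIFICATE block explicitly instead of decoding the whole file.
    """
    start = pem.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem.index(PEM_END, start)
    body = "".join(pem[start:end].split())  # strip line breaks and spaces
    return base64.b64decode(body, validate=True)


def fingerprint(der):
    """SHA-256 fingerprint formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_certificate(host, port=443, sni=None, timeout=5.0):
    """Fetch the leaf certificate a TLS server presents, as DER bytes.

    sni=None sends no server_name extension, which is what a client that
    dials a bare IP address does; Traefik then answers with its default
    certificate.  Passing a hostname exercises the name-based routers instead.
    Verification is disabled on purpose: diyHue's certificate is self-signed
    and the point is to observe what is served, not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(served_der, local_pem):
    """True when the served certificate is byte-identical to the local one."""
    return fingerprint(served_der) == fingerprint(pem_to_der(local_pem))


# Constructed sample data for offline use: 48 arbitrary bytes wrapped in PEM
# markers.  This is NOT a certificate; it only exercises the helpers above.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = "\n".join([PEM_BEGIN, base64.b64encode(SAMPLE_DER).decode(), PEM_END])


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("ip", help="bridge IP the Hue app talks to, e.g. 192.168.XXX.XXX")
    parser.add_argument("cert", help="path to the cert.pem diyHue generated")
    parser.add_argument("--sni", help="optional hostname to probe a name-based router")
    args = parser.parse_args()

    with open(args.cert, encoding="ascii") as fh:
        local_pem = fh.read()

    served = served_certificate(args.ip)
    print("expected (cert.pem):", fingerprint(pem_to_der(local_pem)))
    print("served on bare IP:  ", fingerprint(served))
    print("match:", same_certificate(served, local_pem))

    if args.sni:
        named = served_certificate(args.ip, sni=args.sni)
        verdict = "same as bridge cert" if same_certificate(named, local_pem) else "different cert"
        print(f"served for SNI {args.sni}:", fingerprint(named), f"({verdict})")


if __name__ == "__main__":
    main()
```

Run it as `python3 check_bridge_cert.py 192.168.XXX.XXX ./diyHue/cert.pem` (add `--sni some.subdomain.example` to see what a name-based router serves). A `match: False` on the bare IP is the symptom reported earlier in this thread and means Traefik is not using the mounted cert.pem as its default certificate, typically because the dynamic config file was not loaded by the file provider or a different cert.pem was mounted.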
**Feature does not already exist?**
I searched and did not find an existing feature request
**Summarize feature**
I think many people run diyhue and their whole setup inside docker. The limitation that you need the http ports open in order to run diyhue is bad when using a reverse proxy for other services. I saw the issue and some solutions, but they were 5 years old and the source code looks way different now.
Especially documentation for some specific traefik rule to forward only Hue requests to port 80 or 443 internally would be great, because setting a host name doesn't work if I understood correctly.