Example for teleport with traefik proxy

Docker/traefik & teleport/etc/teleport.yaml

@@ -0,0 +1,61 @@
+version: v2
+teleport:
+  nodename: example
+  data_dir: /var/lib/teleport
+  log:
+    output: stdout
+    severity: INFO
+    format:
+      output: text
+  ca_pin: ""
+  diag_addr: ""
+auth_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3025
+  public_addr: teleport.example.de:3025
+  cluster_name: teleport.example.de
+  proxy_listener_mode: multiplex
+  session_recording: "off"
+  web_idle_timeout: 10m
+ssh_service:
+  enabled: "yes"
+  permit_user_env: true
+  commands:
+    - name: Compose
+      command: ["/bin/sh", "-c", "docker compose version --short"]
+      period: "168h"
+    - name: Docker
+      command: ["/bin/sh", "-c", "docker system info | grep Running | cut -d' ' -f4"]
+      period: "30m"
+    - name: Engine
+      command: ["/bin/sh", "-c", "docker version --format '{{.Server.Version}}'"]
+      period: "168h"
+    - name: Kernel
+      command: ["/bin/uname", "-r"]
+      period: "168h"
+    - name: Teleport
+      command: ["/bin/sh", "-c", "teleport version | cut -d' ' -f2"]
+      period: "168h"
+    - name: Restic
+      command: ["/bin/sh", "-c", "restic version | cut -d ' ' -f2"]
+      period: "168h"
+    - name: Rclone
+      command: ["/bin/sh", "-c", "rclone version | head -1 | cut -d ' ' -f2"]
+      period: "168h"
+proxy_service:
+  enabled: "yes"
+  web_listen_addr: 0.0.0.0:3080
+  public_addr: teleport.example.de:443
+  ssh_public_addr: teleport.example.de:3023
+  tunnel_public_addr: teleport.example.de:3024
+  https_keypairs: []
+  acme:
+    enabled: "yes"
+    email: "mail@example.de"
+app_service:
+  enabled: "yes"
+  apps:
+    - name: "proxy"
+      description: "Traefik"
+      public_addr: "proxy.teleport.example.de"
+      uri: "http://localhost:8080"

Docker/traefik & teleport/proxy/docker-compose.yml

@@ -0,0 +1,32 @@
+version: "3.9"
+
+networks:
+  proxy:
+    external: true
+
+secrets:
+  hetzner:
+    file: ./secrets/hetzner_key
+
+services:
+  traefik:
+    image: traefik:2.8
+    container_name: traefik
+    restart: always
+    secrets:
+      - hetzner
+    environment:
+      - TZ=Europe/Berlin
+      - HETZNER_API_KEY_FILE=/run/secrets/hetzner
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik/static.toml:/etc/traefik/traefik.toml
+      - ./traefik/dynamic.toml:/dynamic.toml
+      - ./secrets/acme.json:/acme.json
+    ports:
+      - "80:80"
+      - "443:443"
+      - "127.0.0.1:8080:8080"
+    networks:
+      - proxy

Docker/traefik & teleport/proxy/traefik/dynamic.toml

@@ -0,0 +1,31 @@
+[http]
+  [http.middlewares]
+    [http.middlewares.sec-headers.headers]
+      frameDeny = true
+      browserXssFilter = true
+      contentTypeNosniff = true
+      forceSTSHeader = true
+      stsIncludeSubdomains = true
+      stsPreload = true
+      stsSeconds = 63072000
+      customFrameOptionsValue = "SAMEORIGIN"
+
+[tcp]
+  [tcp.routers]
+    [tcp.routers.teleport]
+      entryPoints = ["websecure"]
+      rule = "HostSNIRegexp(`teleport.unjx.de`, `{subdomain:[a-z]+}.teleport.unjx.de`)"
+      service = "teleport"
+      [tcp.routers.teleport.tls]
+        passthrough = true
+
+  [tcp.services]
+    [tcp.services.teleport.loadBalancer]
+      [[tcp.services.teleport.loadBalancer.servers]]
+          address = "172.18.0.1:3080"
+
+[tls]
+  [tls.options]
+    [tls.options.default]
+      minVersion = "VersionTLS13"
+      sniStrict = true

Docker/traefik & teleport/proxy/traefik/static.toml

@@ -0,0 +1,40 @@
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = false
+
+[serversTransport]
+  insecureSkipVerify = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+    [entryPoints.web.http.redirections]
+      [entryPoints.web.http.redirections.entryPoint]
+        to = "websecure"
+        
+  [entryPoints.websecure]
+    address = ":443"
+
+[providers]
+  [providers.file]
+    filename = "dynamic.toml"
+    watch = true
+
+  [providers.docker]
+
+[api]
+  dashboard = true
+  insecure = true
+
+[log]
+# uncomment in needed
+# [accessLog]
+
+################################################################
+# Lets's Encrypt
+################################################################
+[certificatesResolvers.hetzner.acme]
+  email = "mail@example.de"
+  storage = "acme.json"
+  [certificatesResolvers.hetzner.acme.dnsChallenge]
+    provider = "hetzner"