Hi,

this is not really an issue, but more of small guide how to use Mumble docker container behind Traefik.
In the last few days I experimented to use Mumble behind Traefik and I though this might be helpful to others and if there is the need this can be integrated in the docs of this project.

So in case you want to use Mumble behind Traefik here are my simple example configs using Docker Compose.

I am sure you can translate these settings to something like Kubernetes using Traefik as ingress controller.

traefik.yml (static config):

# Use docker as provider.
providers:
  docker: {}

# Define two entry points in Traefik. One for UDP and one for TCP.
# If you need more entry points like port 80/443 you need to define them here as well.
entryPoints:
  mumble_udp:
    address: ":64738/udp"
  mumble_tcp:
    address: ":64738"

docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:v2.2
    # Expose TCP/UDP port from Traefik container.
    ports:
      - 64738:64738
      - 64738:64738/udp
    volumes:
      # Mount static config for Traefik.
      - ./traefik.yml:/etc/traefik/traefik.yml
      # Let Traefik listen to Docker events.
      - /var/run/docker.sock:/var/run/docker.sock

  mumble:
    image: phlak/mumble
    volumes:
      # Mount entire Let's Encrypt directory from host.
      - /etc/letsencrypt:/le_certs
    labels:
      # Define UDP router called 'mumble' which listens on entry point 'mumble_udp'
      # and proxies requests to service 'mumble'.
      - traefik.udp.routers.mumble.entrypoints=mumble_udp
      - traefik.udp.routers.mumble.service=mumble
      # Tell Traefik to send UDP requests for the service 'mumble' to port 64738 of the container.
      # You don't need to specify the protocol of the port like '64738/udp' as this is detected automatically
      # because we are defining an UDP service.
      - traefik.udp.services.mumble.loadbalancer.server.port=64738

      # Define TCP router called 'mumble' which listens on entry point 'mumble_tcp'
      # and proxies requests to service 'mumble'.
      - traefik.tcp.routers.mumble.entrypoints=mumble_tcp
      - traefik.tcp.routers.mumble.service=mumble
      # A TCP router needs a hostname to listen to.
      - traefik.tcp.routers.mumble.rule=HostSNI(`mumble.example.com`)
      # Tell Traefik to send TCP requests for service 'mumble' to port 64738 of the container.
      - traefik.tcp.services.mumble.loadbalancer.server.port=64738
      # As TCP routers always try to terminate SSL/TLS traffic, but Mumble does this by itself
      # tell the TCP router to pass encrypted traffic to the service directly.
      - traefik.tcp.routers.mumble.tls.passthrough=true

As Mumble always encrypts traffic by itself and Traefik saves its certificates in a JSON file you can't use the certificate resolver from Traefik.

So you still have to install Certbot on the host or in a separate container and mount the Let's Encrypt directory into the mumble container or use your own certificates.

Furthermore, for Let's Encrypt to work, you have to change some permissions:

chown root:1000 /etc/letsencrypt/archive /etc/letsencrypt/live
chmod 750 /etc/letsencrypt/archive /etc/letsencrypt/live

chown root:1000 /etc/letsencrypt/archive/mumble.example.com/privkey*.pem
chmod 640 /etc/letsencrypt/archive/mumble.example.com/privkey*.pem

I tried to be as strict as possible to not expose the private keys to the world.

To automatically reload the certificate after a renewal you can simply add a post renewal hook to restart the container:

/etc/letsencrypt/renewal-hooks/post/mumble_docker.sh (Needs 755 as permissions):

#!/bin/sh
docker restart id_or_name_of_your_mumble_container

I hope someone finds this helpful.

Best regards
Florian

Hello,

I am deploying this Docker container in a Kubernetes cluster. I have an Nginx Ingress set up, which forward the subdomain mumble.domain.com to the Mumble Docker container. I am able to hit the container, but receive the following error when connecting:

SSL Version Mismatch: This server is using an older encryption standard, and is no longer supported by modern versions of Mumble.

Any ideas on what I need to do in order to resolve this?

https://www.mumble.info/blog/mumble-1.4.230/

I see this image uses murmur-static that supports only x86, which I assume makes this image not work on devices with non-x86 cpu architectures like the Raspberry Pi (model 4B in my case)

Error message when launching on raspi:

docker logs mumble
standard_init_linux.go:219: exec user process caused: exec format error

Would it be possible to use the non-static version? eg from here https://github.com/mumble-voip/mumble/releases/tag/1.3.4 mumble-1.3.4.tar.gz

Hi,

Thank a lot for your job 👍
But, it's possible to specify de path of certificat for LetsEncrypt on my docker-compose.yml?
Or when I add the information in Dockerfile ?

sslCert=/etc/letsencrypt/live/somehost.example.com/fullchain.pem
sslKey=/etc/letsencrypt/live/somehost.example.com/privkey.pem

version: '3'

services:
  mumble-server:
    build: ./
    container_name: ${CONTAINER_MUMBLE_SERVER}
    restart: unless-stopped
    environment:
      - TZ=UTC
      - VIRTUAL_HOST= ${DOMAINS}
      - LETSENCRYPT_HOST= ${DOMAINS}
      - LETSENCRYPT_EMAIL= ${LETSENCRYPT_EMAIL}
networks:
    default:
       external:
         name: ${NETWORK}

For LetsEncrypt, I use : https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion

Thank a lot for your help

Best regards,

1.3 is here!

...

As reported by user @tylerszabo on upstream mumble the openssl version in the static murmur build is very outdated, it's from 2017(!), see:
mumble-voip/mumble#4001 (comment)

You might argue that this is an upstream problem, but the Mumble Team is refusing to change it, see:
mumble-voip/mumble#4001 (comment)

So in the best interest of your users, could you rewrite your dockerfile to use the murmur package from the alpine repo?
This will use alpines openssl version, which is recent.

Edit: Sorry for the confusion with the names, I somehow misread things twice...