docker-teleport

A Docker image of Teleport. The image is published on DockerHub.

The following tags are available; each corresponds to a Teleport version:

  • 2.0.5, latest

Usage

  • Run all services in a single node.
docker run -d -p 3080:3080 -p 3022-3025:3022-3025 shufo/teleport
  • Persistence

To persist data (users, sessions), mount a host directory at /var/lib/teleport inside the container. Alternatively, use one of the storage backends available in Teleport v2.0 (DynamoDB, etcd).

docker run -v $(pwd)/teleport:/var/lib/teleport shufo/teleport
  • Using a custom Teleport configuration file

To use a custom configuration file, mount it at /etc/teleport.yml inside the container.

docker run -v /path/to/teleport.yml:/etc/teleport.yml shufo/teleport

If a custom configuration file is provided, the environment variables described below are ignored.

Environment Variables

TELEPORT_ROLES

Set TELEPORT_ROLES to a comma-separated list drawn from auth, proxy and node.

docker run -d -e TELEPORT_ROLES=proxy,node shufo/teleport

TELEPORT_AUTH_SERVER, TELEPORT_TOKEN

To point a proxy or node at an auth server, set TELEPORT_AUTH_SERVER together with TELEPORT_TOKEN (the join token the auth server accepts for that role).

docker run -d -e TELEPORT_ROLES=proxy,node -e TELEPORT_AUTH_SERVER=10.0.1.1:3025 -e TELEPORT_TOKEN=foobar shufo/teleport

TELEPORT_NODENAME

To specify the node name, set the TELEPORT_NODENAME environment variable.

docker run -d -e TELEPORT_NODENAME=teleport.example.com shufo/teleport
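The image's real entrypoint is not shown on this page. As an added illustration (not the shufo/teleport project's own code), the script below shows how the TELEPORT_* variables above map onto a teleport.yml, and how the precedence rule from the Usage section works: a mounted /etc/teleport.yml wins and the environment is ignored. It assumes the default for an unset TELEPORT_ROLES is all three roles (the single-node case); the config keys it emits (auth_servers, auth_token, the three *_service sections) are Teleport's own.

```shell
#!/bin/sh
# Added illustration, not the shufo/teleport image's real entrypoint: how the
# TELEPORT_* variables could be turned into a teleport.yml, and why a mounted
# /etc/teleport.yml must take precedence over them.
# Assumed default when TELEPORT_ROLES is unset: all three roles (single node).

# validate_roles "proxy,node": 0 when every comma-separated role is known.
validate_roles() {
    roles="$1"
    [ -n "$roles" ] || return 1
    old_ifs="$IFS"; IFS=','
    for r in $roles; do
        case "$r" in
            auth|proxy|node) ;;
            *) IFS="$old_ifs"; return 1 ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# has_role auth "auth,proxy": 0 when the role is in the list.
has_role() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_config ROLES AUTH_SERVER TOKEN NODENAME: print a teleport.yml.
# A proxy/node that is not itself the auth server must be told where the
# auth server is and must present a join token, so both are required then.
render_config() {
    roles="$1"; auth_server="$2"; token="$3"; nodename="$4"
    validate_roles "$roles" || { echo "unknown role in TELEPORT_ROLES=$roles" >&2; return 1; }
    if ! has_role auth "$roles" && { [ -z "$auth_server" ] || [ -z "$token" ]; }; then
        echo "TELEPORT_AUTH_SERVER and TELEPORT_TOKEN are required without the auth role" >&2
        return 1
    fi
    printf 'teleport:\n'
    printf '  nodename: %s\n' "${nodename:-$(hostname 2>/dev/null || echo localhost)}"
    [ -z "$auth_server" ] || printf '  auth_servers:\n    - %s\n' "$auth_server"
    [ -z "$token" ] || printf '  auth_token: %s\n' "$token"
    # role -> service section: the node role is the ssh_service in teleport.yml
    for pair in auth:auth_service node:ssh_service proxy:proxy_service; do
        role="${pair%%:*}"; section="${pair#*:}"
        if has_role "$role" "$roles"; then enabled=yes; else enabled=no; fi
        printf '%s:\n  enabled: %s\n' "$section" "$enabled"
    done
}

# prepare_config PATH: the precedence rule from the README. A non-empty file
# at PATH is a user-mounted config and wins; the TELEPORT_* variables are
# ignored. Otherwise the file is rendered from the environment.
prepare_config() {
    cfg="$1"
    if [ -s "$cfg" ]; then
        echo "using mounted $cfg; TELEPORT_* variables ignored" >&2
        return 0
    fi
    out=$(render_config "${TELEPORT_ROLES:-auth,proxy,node}" "${TELEPORT_AUTH_SERVER:-}" \
                        "${TELEPORT_TOKEN:-}" "${TELEPORT_NODENAME:-}") || return 1
    printf '%s\n' "$out" > "$cfg"
}

# Stand-alone demo (TELEPORT_DEMO=1 sh script.sh): the README's proxy+node run.
if [ "${TELEPORT_DEMO:-}" = 1 ]; then
    render_config proxy,node 10.0.1.1:3025 foobar teleport.example.com
fi
```

The point of `prepare_config` is that a mounted file is detected by its presence, not by any environment flag, which is why a stray TELEPORT_* value cannot override a deliberately mounted configuration.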

Examples

Separate hosts by roles

docker-compose.yml

version: '2'
services:
  auth:
    image: shufo/teleport
    volumes:
      - ./teleport:/var/lib/teleport
      - ./teleport.yml:/etc/teleport.yml
    ports:
      - "3025:3025"
    expose:
      - 3025

  proxy:
    image: shufo/teleport
    ports:
      - "3023:3023"
      - "3024:3024"
      - "3080:3080"
    expose:
      - 3080
    environment:
      TELEPORT_ROLES: proxy
      TELEPORT_AUTH_SERVER: auth
      TELEPORT_TOKEN: all_your_base_are_belong_to_us

  node:
    image: shufo/teleport
    ports:
      - "3022:3022"
    environment:
      TELEPORT_ROLES: node
      TELEPORT_AUTH_SERVER: auth
      TELEPORT_TOKEN: all_your_base_are_belong_to_us

teleport.yml

ssh_service:
  enabled: no
auth_service:
  enabled: yes
  tokens:
    - "node,proxy:all_your_base_are_belong_to_us"
proxy_service:
  enabled: no
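The two files above have to agree on the static join token, and the sample value all_your_base_are_belong_to_us is a placeholder (the stock teleport.yml further down says the same about its xxxxx and recommends a generated value). As an added example, not part of docker-teleport, the script below generates a token, checks that every TELEPORT_TOKEN in the compose file is accepted by auth_service.tokens and is not a known placeholder, and rotates the token in both files. The sample files it writes are constructed copies of the relevant lines from the example above; the file names and the 32-character minimum are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of docker-teleport: hygiene for the static join token
# that docker-compose.yml (TELEPORT_TOKEN) and teleport.yml (auth_service.tokens)
# must agree on.

# gen_token: 32 random bytes as 64 hex characters. Uses /dev/urandom rather
# than pwgen so it works inside a minimal container.
gen_token() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# compose_tokens FILE: distinct TELEPORT_TOKEN values in a compose file.
compose_tokens() {
    sed -n 's/^[[:space:]]*TELEPORT_TOKEN:[[:space:]]*//p' "$1" | sort -u
}

# auth_tokens FILE: secrets from auth_service.tokens entries such as
#   - "node,proxy:SECRET"
auth_tokens() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}[a-z,]*:\([^"]*\)"\{0,1\}.*$/\1/p' "$1"
}

# check_tokens COMPOSE YML: 0 when every TELEPORT_TOKEN is accepted by the
# auth server config, is at least 32 characters and is not a known placeholder.
check_tokens() {
    compose="$1"; yml="$2"
    accepted=$(auth_tokens "$yml")
    rc=0
    for t in $(compose_tokens "$compose"); do
        case "$t" in
            all_your_base_are_belong_to_us|foobar|xxxxx)
                echo "placeholder token in $compose: $t" >&2; rc=1 ;;
        esac
        if [ "${#t}" -lt 32 ]; then
            echo "token shorter than 32 characters: $t" >&2; rc=1
        fi
        printf '%s\n' "$accepted" | grep -qxF -- "$t" \
            || { echo "token not accepted by $yml: $t" >&2; rc=1; }
    done
    return $rc
}

# rotate_token OLD FILE...: replace OLD with a fresh token in every FILE
# (temp file + mv because sed -i is not portable) and print the new value.
# OLD must not contain sed metacharacters; hex tokens and the sample are safe.
rotate_token() {
    old="$1"; shift
    new=$(gen_token)
    for f in "$@"; do
        sed "s/$old/$new/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    echo "$new"
}

# write_samples DIR: constructed minimal copies of the README's two files.
write_samples() {
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  proxy:
    environment:
      TELEPORT_ROLES: proxy
      TELEPORT_TOKEN: all_your_base_are_belong_to_us
  node:
    environment:
      TELEPORT_ROLES: node
      TELEPORT_TOKEN: all_your_base_are_belong_to_us
EOF
    cat > "$1/teleport.yml" <<'EOF'
auth_service:
  enabled: yes
  tokens:
    - "node,proxy:all_your_base_are_belong_to_us"
EOF
}
```

Typical use is `check_tokens docker-compose.yml teleport.yml` before `docker-compose up`, and `rotate_token "$old" docker-compose.yml teleport.yml` followed by a restart of the auth service when a token has been exposed, for example by a compose file committed to a repository.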

Nginx with certificates automatically renewed by Let's Encrypt

In a production environment, use certificates signed by a trusted CA.

To achieve this, we use nginx-proxy and letsencrypt-nginx-proxy-companion.

  • Create docker-compose.yml, replacing teleport.example.com and LETSENCRYPT_EMAIL with your own domain and email address.

docker-compose.yml

version: '2'
services:
  teleport:
    image: shufo/teleport
    volumes:
      - ./teleport:/var/lib/teleport
      #- ./certs/teleport.example.com:/etc/teleport
      - ./teleport.yml:/etc/teleport.yml
    ports:
      - "3080:3080"
      - "3022:3022"
      - "3023:3023"
      - "3024:3024"
      - "3025:3025"
    expose:
      - 80
    environment:
      VIRTUAL_HOST: teleport.example.com
      VIRTUAL_PORT: 3080
      VIRTUAL_PROTO: https
      LETSENCRYPT_HOST: teleport.example.com
      LETSENCRYPT_EMAIL: [email protected]
    depends_on:
      - letsencrypt-nginx-proxy-companion

  nginx-proxy:
    image: jwilder/nginx-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/nginx/vhost.d
      - ./certs:/etc/nginx/certs
      - /usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro

  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
      - nginx-proxy
  • Create teleport.yml
# By default Teleport reads this file from /etc/teleport.yaml; this image mounts it at /etc/teleport.yml (see Usage).
teleport:
    # nodename allows to assign an alternative name this node can be reached by.
    # by default it's equal to hostname
    nodename: teleport.example.com
    #storage:
      #type: dynamodb
      #region: ap-northeast-1
      #table_name: teleport.state
      #access_key: BKZA3H2LOKJ1QJ3YF21A
      #secret_key: Oc20333k293SKwzraT3ah3Rv1G3/97POQb3eGziSZ

auth_service:
    enabled: true
    #
    # statically assigned token: obviously we recommend a much harder to guess
    # value than `xxxxx`, consider generating tokens using a tool like pwgen
    #
    # tokens:
    #  - "proxy,node:eiJieha0nie1yiequ4Joedou3NiDep"

ssh_service:
    # Turns 'ssh' role on. Default is 'yes'
    enabled: true

# This section configures the 'proxy service'
proxy_service:
    # Turns 'proxy' role on. Default is 'yes'
    enabled: yes

    # SSH forwarding/proxy address. Command line (CLI) clients always begin their
    # SSH sessions by connecting to this port
    listen_addr: 0.0.0.0:3023

    # Reverse tunnel listening address. An auth server (CA) can establish an
    # outbound (from behind the firewall) connection to this address.
    # This will allow users of the outside CA to connect to behind-the-firewall
    # nodes.
    tunnel_listen_addr: 0.0.0.0:3024

    # The HTTPS listen address to serve the Web UI and also to authenticate the
    # command line (CLI) users via password+HOTP
    web_listen_addr: 0.0.0.0:3080

    # TLS certificate for the HTTPS connection. Configuring these properly is
    # critical for Teleport security.
    #https_key_file: /etc/teleport/key.pem
    #https_cert_file: /etc/teleport/fullchain.pem
  • Run containers
docker-compose up -d
  • Uncomment the following lines to enable the certificates.
# docker-compose.yml

- ./certs/teleport.example.com:/etc/teleport

# teleport.yml

https_key_file: /etc/teleport/key.pem
https_cert_file: /etc/teleport/fullchain.pem
  • Restart teleport to pick up the certificates.
docker-compose restart teleport

That's it. Open the Web UI at:

https://teleport.example.com/
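The last two steps (uncomment, then restart) are easy to get half right: the restart succeeds even when the certificate files are not there yet or the key is world-readable on the host. As an added example, not from the docker-teleport project, the script below performs the uncommenting and runs a pre-flight check before `docker-compose restart teleport`. It assumes the layout of the files above: the companion has written fullchain.pem and key.pem into ./certs/<host>/ (the directory the teleport service mounts at /etc/teleport), and docker-compose.yml and teleport.yml are in the current directory. The sample files it writes contain only the relevant lines and dummy certificate contents.

```shell
#!/bin/sh
# Added example, not from the docker-teleport project: the "uncomment and
# restart" step as a script, plus a pre-flight check to run before
# docker-compose restart teleport.

# yaml_key_active FILE KEY: 0 when KEY is present and not commented out.
yaml_key_active() {
    grep -Eq "^[[:space:]]*$2:" "$1"
}

# compose_mount_active FILE HOST: 0 when the ./certs/HOST bind mount is live.
compose_mount_active() {
    grep -Eq "^[[:space:]]*-[[:space:]]*\./certs/$2:/etc/teleport" "$1"
}

# key_is_private FILE: 0 when the key exists and is unreadable by group/others
# (the group/other columns of ls -l contain no 'r').
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    case "$mode" in *r*) return 1 ;; esac
    return 0
}

# enable_certs COMPOSE YML: uncomment the three lines the README lists.
# Temp file + mv rather than sed -i, which is not portable.
enable_certs() {
    sed 's|^\([[:space:]]*\)#- \./certs/|\1- ./certs/|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    sed -e 's|^\([[:space:]]*\)#https_key_file:|\1https_key_file:|' \
        -e 's|^\([[:space:]]*\)#https_cert_file:|\1https_cert_file:|' "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# preflight HOST [COMPOSE] [YML] [CERTDIR]: report everything that would make
# the restarted proxy come up without the Let's Encrypt certificate.
preflight() {
    host="$1"; compose="${2:-docker-compose.yml}"; yml="${3:-teleport.yml}"
    certdir="${4:-certs/$host}"; rc=0
    [ -s "$certdir/fullchain.pem" ] \
        || { echo "missing $certdir/fullchain.pem: companion has not issued a certificate yet"; rc=1; }
    key_is_private "$certdir/key.pem" \
        || { echo "$certdir/key.pem missing or readable by group/others"; rc=1; }
    compose_mount_active "$compose" "$host" \
        || { echo "certs mount for $host still commented out in $compose"; rc=1; }
    for k in https_key_file https_cert_file; do
        yaml_key_active "$yml" "$k" || { echo "$k still commented out in $yml"; rc=1; }
    done
    return $rc
}

# write_samples DIR HOST: constructed copies of the relevant lines from the
# README's files plus dummy certificate files, so the check runs offline.
write_samples() {
    mkdir -p "$1/certs/$2"
    printf 'dummy cert\n' > "$1/certs/$2/fullchain.pem"
    printf 'dummy key\n' > "$1/certs/$2/key.pem"
    chmod 600 "$1/certs/$2/key.pem"
    cat > "$1/docker-compose.yml" <<EOF
    volumes:
      - ./teleport:/var/lib/teleport
      #- ./certs/$2:/etc/teleport
EOF
    cat > "$1/teleport.yml" <<'EOF'
    #https_key_file: /etc/teleport/key.pem
    #https_cert_file: /etc/teleport/fullchain.pem
EOF
}
```

Run `enable_certs docker-compose.yml teleport.yml && preflight teleport.example.com && docker-compose restart teleport`; the restart only happens when the certificate is present, the key is not readable by other host users, and all three lines are active.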

Issues

Web UI default port

virtual_port 3080 returns

teleport-teleport-1 | 2023/01/13 11:46:25 http: TLS handshake error from 172.18.0.3:53002: tls: first record does not look like a TLS handshake

virtual_port 80 returns

error code 503

Now, what is the correct port? I'm using nginx jwilder by the way.
