Last active
September 9, 2024 21:52
Signal TLS proxy behind Traefik
```yaml
version: '3'
services:
  nginx-relay:
    build: ./nginx-relay/
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay:/etc/nginx/conf.d
    # Reload nginx every 6 hours in the background, run nginx itself in the foreground.
    # "$${!}" is compose escaping for the shell's "${!}" (PID of the last background job).
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
    # "expose" makes 4433 reachable only to containers on the shared network,
    # it does not publish the port on the host.
    expose:
      - "4433"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"
      - "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433"
      # Traefik matches the connection on TLS SNI, obtains the certificate via the
      # configured resolver and forwards the traffic to the relay on 4433.
      - "traefik.tcp.routers.signal-proxy.rule=HostSNI(`signal-proxy.my-domain.de`)"
      - "traefik.tcp.routers.signal-proxy.entrypoints=websecure"
      - "traefik.tcp.routers.signal-proxy.tls.certresolver=myresolver"
      - "traefik.tcp.routers.signal-proxy.tls.domains[0].main=signal-proxy.my-domain.de"
    networks:
      - traefik-net
networks:
  traefik-net:
    external: true
```
Author
Hey @aburgd!
You are correct that 443 should be the publicly exposed port. But port 4433 is correct here. You have to understand that the Signal TLS proxy consists of two components:
nginx-terminate[1]: This is the publicly accessible container your Signal client connects to. It should listen on port 443:
https://github.com/signalapp/Signal-TLS-Proxy/blob/ac94d6b869f942ec05d7ef76840287a1d1f487f9/data/nginx-terminate/nginx.conf#L29
This container terminates the client's traffic (hence the name), handles SSL and forwards the traffic to the nginx-relay using port 4433.
nginx-relay: This is a container that should not be publicly accessible. It listens on port 4433 and forwards all traffic to Signal's servers. So, long story short: the relay listens on port 4433, so this container has to expose that port (docker-compose "expose" does not mean that the port is publicly accessible, only that the port is accessible to other containers in the same network).
Footnotes
1. This setup does away with the nginx-terminate container and uses Traefik instead. The configuration for the Traefik container is not included in this setup (using this setup only makes sense if you are already using Traefik).
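The check below is an added example, not code from the gist or from the Signal-TLS-Proxy project. It lints the compose service above against the design the comment describes: the relay only exposes 4433 (no host `ports`), Traefik's loadbalancer port is one the container exposes, the TCP router matches on HostSNI and has a certresolver so Traefik terminates TLS, and the service is attached to the network Traefik uses. The compose data is transcribed from the gist into a plain dict so PyYAML is not needed; `check_relay` and its finding texts are this example's own.

```python
# Added example (not from the gist): lint the relay service against the
# two-component design explained in the comment. Transcribed compose data below.
import re

# Transcribed from the gist's docker-compose (only the keys the checks look at).
GIST_COMPOSE = {
    "services": {
        "nginx-relay": {
            "expose": ["4433"],
            "labels": [
                "traefik.enable=true",
                "traefik.docker.network=traefik-net",
                "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433",
                "traefik.tcp.routers.signal-proxy.rule=HostSNI(`signal-proxy.my-domain.de`)",
                "traefik.tcp.routers.signal-proxy.entrypoints=websecure",
                "traefik.tcp.routers.signal-proxy.tls.certresolver=myresolver",
                "traefik.tcp.routers.signal-proxy.tls.domains[0].main=signal-proxy.my-domain.de",
            ],
            "networks": ["traefik-net"],
        }
    },
}

def check_relay(compose, name="nginx-relay"):
    """Return a list of findings; an empty list means the service matches the design."""
    svc = compose["services"][name]
    labels = dict(item.split("=", 1) for item in svc.get("labels", []))
    findings = []
    # 1. The relay must not publish host ports: only Traefik (443) may be reachable.
    if svc.get("ports"):
        findings.append(f"{name} publishes host ports {svc['ports']}; use 'expose'")
    # 2. Traefik must forward to a port the container actually exposes (4433 here).
    exposed = {str(p).split("/")[0] for p in svc.get("expose", [])}
    for key, port in labels.items():
        if key.endswith(".loadbalancer.server.port") and port not in exposed:
            findings.append(f"Traefik targets port {port} but {name} exposes {sorted(exposed)}")
    # 3. Each TCP router must route on SNI and name a certresolver so Traefik terminates TLS.
    routers = {k.split(".")[3] for k in labels if k.startswith("traefik.tcp.routers.")}
    for r in sorted(routers):
        rule = labels.get(f"traefik.tcp.routers.{r}.rule", "")
        if not re.fullmatch(r"HostSNI\(`[^`]+`\)", rule):
            findings.append(f"router {r}: rule {rule!r} is not a HostSNI match")
        if not labels.get(f"traefik.tcp.routers.{r}.tls.certresolver"):
            findings.append(f"router {r}: no tls.certresolver, TLS would not be terminated")
    # 4. The relay must be attached to the network Traefik uses to reach it.
    if labels.get("traefik.docker.network") not in svc.get("networks", []):
        findings.append(f"{name} is not on the network named in traefik.docker.network")
    return findings
```

Run it against a real file by loading the YAML into a dict (for example with PyYAML) and passing the result to `check_relay`.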