
Solved Confused regarding Traefik instructions

Status
Not open for further replies.

doperyde

Respected Member
Staff
I wanted to chime in with some DNS advice. Mostly because a lot of people don't truly appreciate its importance or understand what all it actually does. It is one of the foundational pieces of the internet many take for granted, and without it none of this would be here. It is simple at the high level, but somewhat unforgiving and can be tricky to implement well.

It is well worth the time to read up on DNS (Cloudflare explains many things very well) if you want to understand how things work on the internet. Sure, you can make some * records and get stuff working, but why half a** it. Some here may disagree with me on some of this, but that's ok.

First:
The orange cloud in Cloudflare is your friend! Take advantage of it. Not only does it provide possibilities for CDN and DDoS mitigation, the main attraction is that it proxies through CF to obfuscate your origin IP. It also will only allow traffic through on a smaller subset of ports. That means it will help to hide your external WAN IP and your internal network and services from all the botnets and other nasties and bored kids/script kiddies/l337h4x0rs. You want this feature. Yes, even without having any domainname.tld this threat is still possible, but by setting up DNS and linking a domain, that's like hanging a giant neon "we're open" sign in the middle of the desert at night. Oh, but I'm just joeshmoe with nothing valuable or important so it doesn't really matter to me, nobody is going to waste their time... fair enough. But I was once a bored teen learning how computers and the internet work and I poked around at anything just because I could. On top of that, botnets aren't a person. They just have a mission to find and compromise any system to control. What they do with it later is just up to the controller's imagination. It's just a headache.
Maybe this metaphor would help? Do you leave your car doors unlocked, or the doors and windows unlocked/open in your home?
The orange cloud is like a deadbolt or King Kong as your doorman. Use it whenever possible. It is there and an easy way to take advantage of risk mitigation.

Second:
By using a wildcard (*) A record or even CNAME, it's essentially going to redir any gibberish.yourdomainname.tld to your yourdomain.tld A record.
Remember that neon sign analogy? It just got brighter.
Yes, it makes things easier and it's quicker, but plain and simple, it's half-assing it. Use it to test, but don't use it long term.
Instead, create a single A record for yourdomain.tld pointing to your IP. Make that cloud orange!
Then, create a CNAME record for each of the subdomains (think app or container name) and easily point it to yourdomain.tld by entering an @. When you save the record CF will fill in yourdomain.tld and make the cloud orange.

More to come, hands cramping from typing on my phone...
 

needsomehelp

Junior Member
I know what DNS is, but as I mentioned I am new to hosting using DDNS. In fact, I've been an avid PiHole user for some time. I don't know why your tone was so negative/condescending, but I found your post very informative and helpful. I will make the changes you mentioned in the morning.

P.S. Doesn't setting up Traefik and port guard essentially mitigate the scenarios you described? Just curious from a purely academic standpoint. I get that the apps do their job on my front door and the orange cloud will stop it from even knowing I'm here. Just a question.
 

doperyde

Respected Member
Staff
Sorry, I didn't mean to be condescending. I just seem to come across that way. I've been in IT for far too long and am quite jaded and cynical, nearly BOFH-level sysadmin cynicism.
I just try to share and educate, and come across grumpy most of the time.

None of it was directed at you specifically, more just the internet population in general.
:)

Yes, Traefik and pgshield help with the mitigation, but only after the traffic is already inside your network, and only on the system they're running on.

Edit:
Also wanted to add that hooper also gave very good advice in relation to the additional Cloudflare settings for https, page rules, etc.
For some reason the site and typing posts on my phone lag horribly, and it took me over an hour to type that first post. Not to mention the couple of times I hit back..
 

Sn0wed

Respected Member
Staff
I am pretty sure I know how to set up those CNAME entries. To be clear, I should then remove the wildcard entry, correct?
Since you have a local server, the CNAME entries are not completely necessary. Also, I have no idea about CNAME entries or how to set them up.
 

plex_noob

Senior Member
Staff
Donor
I watched the videos and read the wikis, and now in the forums I see posts about creating additional DNS records for each container? I thought Traefik did all of that? I ask because I got it to work to my top application when I go to domain.com, but it was not automatically https and container.domain.com does not work. I am using Cloudflare DNS for a no-ip domain. Do I need to create additional records on no-ip or Cloudflare? I just undid everything and am waiting for my ping to my domain to return my public facing IP before I start again.

To sum it all up, I have included what my DNS records look like on Cloudflare. Do I need to do anything different or additional so that https is automatic and container.domain.com will work?

Thank you and I love plexguide! So much I redid two machines with it!
Hi,

Really, your comment is not clear enough to provide you with some decent help. Could you please summarize what your current problem is: what is working and what is not.

Thank you
 

needsomehelp

Junior Member
Hi,

Really, your comment is not clear enough to provide you with some decent help. Could you please summarize what your current problem is: what is working and what is not.

Thank you
I apologize if it wasn't clearer, but if you examine this thread I believe I've received the help I need already. I do appreciate your inquiry though. Cheers!
 

plex_noob

Senior Member
Staff
Donor
Hi,

Could you please set your post as "SOLVED" in the title in order to ease the support.

Thanks.
 

doperyde

Respected Member
Staff
I am pretty sure I know how to set up those CNAME entries. To be clear, I should then remove the wildcard entry, correct?
Yep, you should remove the wildcard once you validate connectivity is working.
Explicitly declare each app subdomain as a CNAME entry.

Typically you create your A record as such:

[screenshot: 1547836570183.png]

Then you create your cname(s) as such:

[screenshot: 1547836459295.png]

Using @ is just a shorthand way around having to constantly retype yourdomain.tld, more or less.

An address record (A record) is a DNS record which is used to point a domain name or subdomain to a static IP address. An A record specifies which IP is designated to a certain domain. You can associate multiple IPs with a single domain.tld as well.

Because we're mostly concerned about the use case in plexguide, and most people are typically running everything from 1 host (or external IP address, if you will), you only really need (or want) 1 A record.

CNAMEs (canonical name records) are useful for pointing one host name at another. This eliminates the need for explicitly declaring an IP address and means that the IP address can be changed once rather than twice if a CNAME record simply points at an already established host name. Usually it indicates the true host name of a computer (A record) associated with its aliases (CNAME). It is essential when running multiple services from a single IP address.
CNAMEs save you time, and you can even make a CNAME of a CNAME so you can CNAME while you CNAME if you really want to. A use case for this would be something like a CNAME dashboard pointing to another subdomain that is maybe harder to type, like heimdall or organizr or something PITA...
The only caveat is that in the 2nd value box, where you want the alias (CNAME) to redir to, you would have to type the full subdomain.yourdomain.tld.

example:
[screenshot: 1547838979658.png]


Here's my setup. I'm currently trying to utilize DNS-O-Matic (https://www.dnsomatic.com/) as a means for DDNS updates, so that is why my A record is configured the way it is (not totally standard).

[screenshot: 1547838544114.png]

The magic of DNS in action: my true origin IP, obfuscated by Cloudflare. (And yes, I run DNS on my internal network as well.)

[screenshot: 1547839375853.png]
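As an added example (not code from the thread or from plexguide), the Python below lints a zone laid out the way this post recommends: one proxied A record at the apex, one CNAME per app pointing at @ (which Cloudflare expands to the apex) or at another subdomain, and no wildcard. The zone name, the IP addresses and the record list are all constructed; it also follows CNAME-of-CNAME chains to the final A record.

```python
# Added example: lint a Cloudflare-style record list against the advice above.
# APEX and RECORDS are constructed sample data, not a real zone.
APEX = "yourdomain.tld"  # hypothetical zone name

# (type, name, content, proxied) in the shape the Cloudflare DNS page shows them
RECORDS = [
    ("A", "@", "203.0.113.10", True),                       # the one apex A record
    ("CNAME", "plex", "@", True),                            # @ expands to the apex
    ("CNAME", "organizr", "@", True),
    ("CNAME", "dashboard", "organizr.yourdomain.tld", True), # CNAME of a CNAME
    ("A", "*", "203.0.113.10", False),                       # wildcard the post says to remove
    ("A", "nas", "192.168.1.20", False),                     # grey cloud, leaks a LAN address
]

def fqdn(name):
    """Expand Cloudflare's '@' shorthand and bare labels to a full host name."""
    if name == "@":
        return APEX
    return name if name.endswith("." + APEX) else f"{name}.{APEX}"

def resolve(name, records, depth=0):
    """Follow CNAME chains to the final A record content; None if dangling or looping."""
    if depth > 8:  # guard against CNAME loops
        return None
    host = fqdn(name)
    for rtype, rname, content, _ in records:
        if fqdn(rname) != host:
            continue
        if rtype == "A":
            return content
        if rtype == "CNAME":
            return resolve(content, records, depth + 1)
    return None

def lint(records):
    """Return findings: wildcard, extra A records, grey clouds, private IPs, dangling CNAMEs."""
    findings = []
    a_records = [r for r in records if r[0] == "A" and r[1] != "*"]
    if len(a_records) != 1:
        findings.append(f"expected exactly 1 A record, found {len(a_records)}")
    for rtype, rname, content, proxied in records:
        if rname == "*":
            findings.append(f"wildcard {rtype} record present; remove it after testing")
        if not proxied:
            findings.append(f"{fqdn(rname)} is grey-clouded; origin IP is exposed")
        if rtype == "A" and content.startswith(("10.", "192.168.")):  # two RFC 1918 ranges
            findings.append(f"{fqdn(rname)} points at a private address {content}")
        if rtype == "CNAME" and resolve(content, records) is None:
            findings.append(f"{fqdn(rname)} -> {content} does not resolve to an A record")
    return findings

if __name__ == "__main__":
    for finding in lint(RECORDS):
        print(finding)
```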
 

doperyde

Respected Member
Staff
To address another question in your original post, regarding whether Traefik sets up DNS entries.

I think this causes a lot of people confusion because everything seems to imply that it does. However, Traefik didn't auto-magically create any DNS records in Cloudflare, at least for me. You still have to do that manually.
(Although... it should be possible to do so leveraging the Cloudflare API.)

Perhaps we all messed something up with that part somehow, idk. All I really can say is, if it did, we wouldn't be having the discussion around how to set up DNS!

One of the things it does do, however, is set the labels on the containers with the subdomains as specified by the plexguide scripts. That way it knows where to send requests/traffic to... It's kinda like its own little DNS, CNAMEs/aliases to be more specific.
 

needsomehelp

Junior Member
I really appreciate the informative post. Truly, thanks for taking the time. I got it working, but I was concerned about security/privacy as well. Given the nature of what I am using this for, I like the option to improve my anonymity. As for updating your IP dynamically, you chose to go with DNS-O-Matic, any particular reason? I went with a client that installed on my machine that makes use of the API. Honestly, the reason I went that route is because I didn't want to have to create another account somewhere.

https://github.com/LINKIWI/cloudflare-ddns-client
 

doperyde

Respected Member
Staff
Hey no problem. I find it better to try to explain things fully instead of just giving basics. Attention to detail makes a world of difference.

As for my choice of DDNS provider, I mostly just wanted to try out DNS-O-Matic. It seemed to be more like an aggregator, which I could use to update multiple services (more testing possibilities). I used to use DynDNS for many years when they had the free tier and then No-IP after that. Once I bought my own domain, I didn't really have a need or want to use those services. And DNS-O-Matic is supposed to work natively with Cloudflare, so win/win.

Also, it was one of the options pre-built into my router, so I didn't have to install any client. My thought was that as long as my internet is up (my router will then be online), DDNS would update and I don't have to worry about it as much if I'm tinkering away with the box running the DDNS client, etc.

In theory, it would be working great. However, in practice, DNS-O-Matic (OpenDNS, now owned by Cisco) and Cloudflare seem to be in some type of pissing match or not playing nice together, and it isn't working. I keep getting notified that it's failing to update due to exceeding rate limits on API calls, as it seems Cloudflare is counting them collectively as a whole from OpenDNS.

----
CloudFlare response for 'dynamic':
--------------------
err More than 1200 requests per 300 seconds reached. Please wait and consider throttling your request speed (10100)
----

There is absolutely no way I'm sending that high a number. I opened a support ticket with OpenDNS and they confirmed/acknowledged it's a known issue they are working with CF on, but it has not been resolved.

So for now, I just check periodically and update it by hand. I also have a setting in my router that allows me to spoof my LAN DHCP Lease TTL values to the WAN which seems to help me keep the same external IP.
 

hooper

Legendary Member
Staff
Donor
@doperyde Really great information. I removed the wildcard (*) entry from my Cloudflare DNS config and now all entries are orange-clouded. My real IP address is also now hidden.
 

timekills

Legendary Member
Staff
Donor
https://plexguide.com/threads/plex-domain-com-not-working.2078/post-13381
Here is my DNS config in Cloudflare. I have 2 A records, one is * and the other is my FQDN. I have one A record that is my FQDN (see update 1 at the end of this post). I then use CNAMEs for everything and point to my A record name (the scribbled-out one on the 2nd line below). Make sure to click to get the orange icon next to each entry that you want to route through the Cloudflare CDN. If you don't do this, then you are just using Cloudflare for DNS (and that is totally fine).

Edit 1/26/2019
Almost forgot, I have also disabled IPv6 on Cloudflare. Here is my post about the issue I ran into and why/how I disabled IPv6: https://plexguide.com/threads/tautulli-showing-docker-network-ip-addresses-instead-of-actual-client-ip-address.2778/#post-15400
Can I use this for the wiki?
I'd say this is valid, as it's been the recommended CDN-through-Cloudflare technique for a while (see link below):
https://plexguide.com/threads/plex-domain-com-not-working.2078/post-13381
 