# install
s
Hello everyone, I would like to install Netmaker via Docker Compose on a VM in AWS with an NLB in front of it doing SSL offloading. Do I just need to remove any reference to the reverse proxy configurations (Traefik/Caddy) in the sample Docker Compose file and just map the NLB listeners/target listeners accordingly? Any pointers appreciated. Thanks.
j
That should work if you remove Caddy, but you will need to make sure SSL certificates are configured. That goes for MQTT as well, which requires WebSockets, so you need to make sure your LB + certificate setup will support that.
The last thing is the WireGuard piece, which will not work if there's no public IP attached to the machine, in which case you may want to use the 0.18 pre-release, which removes the requirement for WireGuard on the server.
s
Thanks for the reply @jolly-london-20127. I have been hosting a standalone WireGuard server behind an NLB for quite some time without issues. The VM does have a public IP, but the UDP traffic goes through the LB and is forwarded to the VM based on its instance ID. Can I ask what is driving the requirement that the VM have its own public IP as opposed to making use of the LB's public IP?
Actually, after looking more closely at the setup, I am not sure that the forwarding is working for the UDP traffic.
So, after looking at my load balancer setup, I am going to attach a public IP for WireGuard only, for the UDP traffic. For the rest of the access, I understand that if I eliminate Traefik/Caddy, I will need to generate self-signed certs for the various Netmaker components, is that correct? Would it be easier to keep Caddy or Traefik and configure it to generate self-signed certs and just pass through the traffic from the NLB? My main reasoning for not wanting to manage certs via Let's Encrypt is that as I destroy and rebuild envs, I end up triggering SLAs with LE. Using the staging server doesn't really work for trusted CA purposes if you can't control all the clients that will be hitting the servers with the staging-based certs.