
@Nikos410
Last active September 9, 2024 21:52
Signal TLS proxy behind Traefik
```yaml
version: '3'
services:
  nginx-relay:
    build: ./nginx-relay/
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay:/etc/nginx/conf.d
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
    expose:
      - "4433"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"
      - "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433"
      - "traefik.tcp.routers.signal-proxy.rule=HostSNI(`signal-proxy.my-domain.de`)"
      - "traefik.tcp.routers.signal-proxy.entrypoints=websecure"
      - "traefik.tcp.routers.signal-proxy.tls.certresolver=myresolver"
      - "traefik.tcp.routers.signal-proxy.tls.domains[0].main=signal-proxy.my-domain.de"
    networks:
      - traefik-net
networks:
  traefik-net:
    external: true
```
@aburgd

aburgd commented Oct 19, 2022

is your exposed port meant to be 4433 and not 443?

@Nikos410
Author

Hey @aburgd!

You are correct that 443 should be the publicly exposed port. But port 4433 is correct here. You have to understand that the Signal TLS proxy consists of two components:

  1. nginx-terminate¹: This is the publicly accessible container your Signal client connects to. It should listen on port 443:
    https://github.com/signalapp/Signal-TLS-Proxy/blob/ac94d6b869f942ec05d7ef76840287a1d1f487f9/data/nginx-terminate/nginx.conf#L29
    This container terminates the client's traffic (hence the name), handles SSL and forwards the traffic to the nginx-relay using port 4433.

  2. nginx-relay: This is a container that should not be publicly accessible. It listens on port 4433 and forwards all traffic to Signal's servers. So, long story short: the relay listens on port 4433, so this container has to expose that port (docker-compose `expose` does not mean that the port is publicly accessible, only that the port is accessible for other containers in the same network).

Footnotes

  1. This setup does away with the nginx-terminate container and uses Traefik instead. The configuration for the Traefik container is not included in this setup (using this setup only makes sense if you are already using Traefik).
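A consistency check for the nginx-relay service definition above, added here as an example (it is not part of the gist or its comments). It reads the service as docker compose would parse it and confirms the points made in the thread: the port Traefik is told to connect to is in `expose` and is not published on the host via `ports`, the TCP router matches on HostSNI and terminates TLS (the relay needs to see the inner Signal TLS stream), and the Traefik network is one the container actually joins. It assumes the router and service share a name, as they do in this gist.

```python
import re

# Constructed sample: the nginx-relay service from the compose file above, as
# docker compose parses it (labels kept as raw "key=value" strings).
RELAY_SERVICE = {
    "expose": ["4433"],
    "labels": [
        "traefik.enable=true",
        "traefik.docker.network=traefik-net",
        "traefik.tcp.services.signal-proxy.loadbalancer.server.port=4433",
        "traefik.tcp.routers.signal-proxy.rule=HostSNI(`signal-proxy.my-domain.de`)",
        "traefik.tcp.routers.signal-proxy.entrypoints=websecure",
        "traefik.tcp.routers.signal-proxy.tls.certresolver=myresolver",
    ],
    "networks": ["traefik-net"],
}

def parse_labels(labels):
    """Split compose 'key=value' label strings on the first '=' into a dict."""
    return dict(lbl.split("=", 1) for lbl in labels)

def check_relay_service(service):
    """Return findings for one compose service; an empty list means it is consistent."""
    findings = []
    labels = parse_labels(service.get("labels", []))
    exposed = {str(p) for p in service.get("expose", [])}
    # 'ports:' publishes on the host; the relay must only be reachable from Traefik.
    published = {str(p).split(":")[-1].split("/")[0] for p in service.get("ports", [])}
    for key, port in labels.items():
        m = re.fullmatch(r"traefik\.tcp\.services\.(.+)\.loadbalancer\.server\.port", key)
        if not m:
            continue
        # Assumption: router and service share a name (true for this gist).
        name, router = m.group(1), f"traefik.tcp.routers.{m.group(1)}"
        if port not in exposed:
            findings.append(f"{name}: backend port {port} is not in 'expose'")
        if port in published:
            findings.append(f"{name}: backend port {port} is published on the host via 'ports'")
        if not labels.get(f"{router}.rule", "").startswith("HostSNI("):
            findings.append(f"{name}: TCP router rule must match on HostSNI")
        # Traefik has to terminate the outer TLS: nginx-relay expects the inner
        # Signal TLS stream, so a missing tls section or passthrough breaks it.
        has_tls = any(k.startswith(f"{router}.tls") for k in labels)
        passthrough = labels.get(f"{router}.tls.passthrough", "false").lower() == "true"
        if not has_tls or passthrough:
            findings.append(f"{name}: router must terminate TLS (no passthrough)")
    net = labels.get("traefik.docker.network")
    if net and net not in service.get("networks", []):
        findings.append(f"traefik.docker.network={net} is not a network of this service")
    return findings
```

Run it against any edited copy of the compose service; a non-empty list names the exact label or port that drifted from the layout the thread describes.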
