@falkheiland
Last active September 15, 2023 09:01
configure traefik for use with scriptrunner in docker swarm mode
```yaml
# docker-compose.yml
version: "3.8"
services:
  traefik:
    image: traefik:2.10.0
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
        failure_action: rollback
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.constraint-label=proxy"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy
```
```yaml
# dynamic configuration
# dyn.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
  # file certificate, used by routers that terminate TLS in Traefik
  # (the dashboard router in swarmX.yml), not by the passthrough router below
  certificates:
    - certFile: /etc/certs/domain.tld.crt
      keyFile: /etc/certs/domain.tld.key
tcp:
  routers:
    # ScriptRunner
    scriptrunner:
      entryPoints:
        - "https"
      rule: "HostSNI(`host.domain.tld`)"
      tls:
        options: default
        # the TLS stream is forwarded unchanged and terminated on sr-server,
        # which is what keeps NTLM/Kerberos working; the options above are
        # therefore not enforced on this router
        passthrough: true
      service: scriptrunner
  services:
    # ScriptRunner
    scriptrunner:
      loadBalancer:
        servers:
          - address: "sr-server.domain.tld:443"
```
```yaml
# swarmX.yml (per-swarm override, merged with docker-compose.yml at deploy time)
version: "3.8"
services:
  traefik:
    volumes:
      - /mnt/gv0/stack-traefik/conf/swarmX/traefik/:/etc/traefik/
      - /mnt/gv0/stack-traefik/data/swarmX/traefik/certs/:/etc/certs/
      - /mnt/gv0/stack-traefik/data/swarmX/traefik/logs:/var/log/
    deploy:
      labels:
        - "traefik.http.routers.traefik.entrypoints=http"
        - "traefik.http.routers.traefik.rule=HostRegexp(`{subdomain:swarm[A-Z]+}.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/metrics`))"
        - "traefik.http.routers.traefik.middlewares=default-https-redirect@file"
        - "traefik.http.routers.traefik-secure.entrypoints=https"
        - "traefik.http.routers.traefik-secure.rule=HostRegexp(`{subdomain:swarm[A-Z]+}.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/metrics`))"
        - "traefik.http.routers.traefik-secure.middlewares=default-auth@file"
        - "traefik.http.routers.traefik-secure.tls=true"
        - "traefik.http.routers.traefik-secure.tls.domains.main=`domain.tld`"
        - "traefik.http.routers.traefik-secure.tls.domains.sans=`*.domain.tld`"
        - "traefik.http.routers.traefik-secure.service=api@internal"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
```
```yaml
# static configuration
# traefik.yml
api:
  dashboard: true
  # insecure: true serves API and dashboard unauthenticated on port 8080 inside
  # the container; that port is not published in docker-compose.yml, and the
  # labelled traefik-secure router puts default-auth@file in front of api@internal
  # (the middlewares default-auth and default-https-redirect are not part of this excerpt)
  insecure: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    constraints: "Label(`traefik.constraint-label`, `proxy`)"
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: "proxy"
  file:
    filename: "/etc/traefik/dyn.yml"
    watch: true
log:
  filePath: "/var/log/traefik.log"
  format: json
  level: "ERROR" # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO
# Limiting the Logs to Specific Fields
accessLog:
  filePath: "/var/log/access.log"
  format: json
  fields:
    defaultMode: keep
    names:
      ClientUsername: drop
    headers:
      defaultMode: keep
      names:
        User-Agent: keep # redact
        # keep writes credentials and tokens from HTTP routers into access.log;
        # the inline hint is the intended production value
        Authorization: keep # drop
        Content-Type: keep
serversTransport:
  # disables backend certificate verification for HTTP routers only; the
  # passthrough TCP router never terminates TLS, so this does not affect it
  insecureSkipVerify: true
```
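An added check, not part of the gist and not ScriptRunner or Traefik code: run from a client that resolves host.domain.tld to a swarm node, it reads the certificate presented through the proxy and the one presented by sr-server directly, so that a passthrough router that has silently become a terminating one (different thumbprints) shows up, and it confirms that a ClientHello with an unknown server name is refused as sniStrict is meant to do. Host names are the gist's placeholders; $ExpectedThumbprint stands for the value given to Set-AsrURI.

```powershell
# Added example (not from the gist): verify TLS passthrough and strict SNI from a client.
# Placeholders: host.domain.tld, sr-server.domain.tld, THUMBPRINT (the Set-AsrURI value).

function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Connect,  # host the TCP connection goes to
        [Parameter(Mandatory)] [string] $Sni,      # server name sent in the ClientHello
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($Connect, $Port)
    $ssl = $null
    try {
        # Accept every certificate: this function only reports what the server presents.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Sni)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # subjectAltName (OID 2.5.29.17), formatted as "DNS Name=..., DNS Name=..."
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $san = ''
        if ($sanExt) { $san = $sanExt.Format($false) }
        [pscustomobject]@{
            Sni        = $Sni
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            San        = $san
            Protocol   = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-ScriptRunnerPassthrough {
    param(
        [string] $ProxyHost          = 'host.domain.tld',
        [string] $BackendHost        = 'sr-server.domain.tld',
        [string] $ExpectedThumbprint = 'THUMBPRINT'   # placeholder: thumbprint passed to Set-AsrURI
    )
    $viaProxy = Get-ServedCertificate -Connect $ProxyHost   -Sni $ProxyHost
    $direct   = Get-ServedCertificate -Connect $BackendHost -Sni $ProxyHost
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    # passthrough: true means Traefik never terminates TLS on this router, so the
    # certificate seen through the proxy must be the one bound on sr-server, not the
    # file certificate from dyn.yml.
    $passthroughOk = ($viaProxy.Thumbprint -eq $direct.Thumbprint)

    # sniStrict: true in the default TLS option: a handshake whose server name matches
    # no router and no certificate is expected to be refused by Traefik.
    $unknownSniRefused = $false
    try   { Get-ServedCertificate -Connect $ProxyHost -Sni 'unknown.invalid' | Out-Null }
    catch { $unknownSniRefused = $true }

    [pscustomobject]@{
        ServedThroughProxy = $viaProxy.Thumbprint
        ServedByBackend    = $direct.Thumbprint
        PassthroughIntact  = $passthroughOk
        MatchesSetAsrURI   = ($viaProxy.Thumbprint -eq $expected)
        CoversProxyName    = ($viaProxy.San -match [regex]::Escape($ProxyHost))
        TlsVersion         = $viaProxy.Protocol
        UnknownSniRefused  = $unknownSniRefused
    }
}

Test-ScriptRunnerPassthrough | Format-List
```

PassthroughIntact and MatchesSetAsrURI should both be True; if the proxy presents the dyn.yml file certificate instead, the router is terminating TLS and the NTLM/Kerberos login the comments describe will not work.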
@falkheiland (Author) commented Aug 15, 2022

This is an excerpt of a working configuration to use ScriptRunner via a traefik reverse proxy running on a docker swarm mode cluster.

Instead of calling the portal directly from the ScriptRunner server via https://sr-server.domain.tld/ (which should be installed in a non-public network segment), it can then be called via https://host.domain.tld/ from a publicly accessible network segment.

There are only TCP routers used in the traefik conf, since NTLM and Kerberos authentication do not work with http routers.

You have to allow TCP port 443 to be used from host.domain.tld to sr-server.domain.tld.

## ScriptRunner server (sr-server.domain.tld)

create ssl certificates for sr-server:

https://support.scriptrunner.com/articles/#!server/create-certificate

set SPN for sr-server to host for use with reverse proxy:

https://support.scriptrunner.com/articles/#!server/http-to-https/a/h2__565733207

```
setspn -s http/host.domain.tld sr-server
```

edit baseUri

from https://host.domain.tld to sr-server.domain.tld

  • C:\Program Files\ScriptRunner\Service\uri.js
  • C:\Program Files\ScriptRunner\Service\ScriptRunnerService.config

renew SR-backend certificate to use the one from reverse proxy host.domain.tld:

  • dyn.yml /etc/certs/domain.tld.crt

import cert:

https://support.scriptrunner.com/articles/#!server/install-ssl

https://support.scriptrunner.com/articles/#!server/renew-certificate

```
Set-AsrURI -SSLCertThumbprint THUMBPRINT -SSLReplaceExisting -SSLEnable -Restart
```

check thumbprint of used certificate:

```
Test-AsrUri -Verbose

AUSFÜHRLICH: Checking port 443 certificate binding...
AUSFÜHRLICH: netsh>
AUSFÜHRLICH: SSL-Zertifikatbindungen:
AUSFÜHRLICH: -------------------------
AUSFÜHRLICH:
AUSFÜHRLICH:
AUSFÜHRLICH:
AUSFÜHRLICH:     IP:Port                      : 0.0.0.0:443
AUSFÜHRLICH:     Zertifikathash              : af459df0ed47a6fg4b8f6a20caf2488d3bb6e1bb
...
AUSFÜHRLICH: netsh>
AUSFÜHRLICH: Ignoring certificate errors...
AUSFÜHRLICH: GET https://localhost/ScriptRunner/Health/ with 0-byte payload
AUSFÜHRLICH: received 0-byte response of content type

Uri                                    Status Code
---                                    ------ ----
https://localhost/ScriptRunner/Health/ OK      200
```

## hosts file entry for local use

```
127.0.0.1 host.domain.tld
```

## traefik on docker swarm mode (host.domain.tld)

DNS

have a host (A) entry for ONE node IP of the swarm to host.domain.tld. I tried using DNS round-robin, but this will create issues (404).

docker swarm mode traefik directory structure:

```
# tree /mnt/gv0/stack-traefik/
/mnt/gv0/stack-traefik/
├── configuration
│   └── swarmX
│       └── traefik
│           ├── dyn.yml
│           └── traefik.yml
├── data
│   └── domain_tld
│       └── traefik
│           └── certs
│                ├── domain.tld.crt
│                └── domain.tld.key
├── docker-compose.yml
└── swarmX.yml
```

deploy stack:

```
docker stack deploy -c docker-compose.yml -c swarmX.yml traefik
```
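An added check for the server-side steps in the comment above (SPN, certificate binding, certificate names); it is not from the gist and not ScriptRunner code. It runs on sr-server in an elevated shell on a domain-joined host with setspn.exe available, reports every account carrying the SPN (a duplicated SPN breaks Kerberos without an obvious error), reads the certificate hash bound to 0.0.0.0:443 from the localised netsh output the way Test-AsrUri shows it, and checks that the bound certificate is in the machine store and names host.domain.tld. Names are the gist's placeholders.

```powershell
# Added example (not from the gist): verify SPN, port 443 binding and certificate on sr-server.
# Placeholder name: host.domain.tld (the reverse proxy name).

function Get-SpnOwners {
    param([string] $Spn = 'http/host.domain.tld')
    # setspn -Q prints each account that carries the SPN on a line starting with "CN=";
    # more than one such line means the SPN is registered twice in the domain.
    $out = & setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_" }
    @($out | Where-Object { $_ -match '^CN=' })
}

function Get-Port443CertificateHash {
    # netsh output is localised (the gist shows the German "Zertifikathash"), so take
    # the first 40-hex-digit value in the binding instead of matching a label.
    $out = & netsh.exe http show sslcert ipport=0.0.0.0:443
    $hit = $out | Select-String -Pattern ':\s*([0-9a-fA-F]{40})\s*$' | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.ToUpper() } else { $null }
}

function Test-ScriptRunnerBinding {
    param(
        [string] $ProxyName = 'host.domain.tld',
        [string] $Spn       = ''
    )
    if (-not $Spn) { $Spn = "http/$ProxyName" }
    $owners = Get-SpnOwners -Spn $Spn
    $bound  = Get-Port443CertificateHash
    $cert   = $null
    if ($bound) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $bound }
    }
    # subjectAltName (OID 2.5.29.17) formatted as "DNS Name=host.domain.tld, DNS Name=*.domain.tld"
    $san = ''
    if ($cert) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        if ($ext) { $san = $ext.Format($false) }
    }
    $wildcard = '*.' + ($ProxyName -replace '^[^.]+\.', '')   # e.g. *.domain.tld
    $covers = ($san -match [regex]::Escape($ProxyName)) -or ($san -match [regex]::Escape($wildcard))
    $expires = $null
    if ($cert) { $expires = $cert.NotAfter }
    [pscustomobject]@{
        SpnOwners       = ($owners -join '; ')
        SpnUnique       = ($owners.Count -eq 1)
        BoundThumbprint = $bound
        CertInStore     = [bool]$cert
        CertCoversProxy = $covers
        CertExpires     = $expires
    }
}

Test-ScriptRunnerBinding | Format-List
```

SpnUnique, CertInStore and CertCoversProxy should all be True after the steps above; BoundThumbprint is the value to compare with what Test-AsrUri -Verbose prints as the certificate hash.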

@falkheiland (Author) commented:
added reports site to dyn.yml

@falkheiland (Author) commented:
added comment to repeat after update:

from https://host.domain.tld to sr-server.domain.tld

```
C:\Program Files\ScriptRunner\WebApps\AdminApp\uri.js
C:\Program Files\ScriptRunner\WebApps\Portal\app.json
```

and:

```
Set-AsrURI -SSLCertThumbprint THUMBPRINT -SSLReplaceExisting -SSLEnable -Restart
```

@falkheiland (Author) commented Sep 14, 2023

updated the files and description for use with ScriptRunner version 6.9, where IIS is no longer used.

changed the files containing the baseUri to C:\Program Files\ScriptRunner\Service\uri.js and C:\Program Files\ScriptRunner\Service\ScriptRunnerService.config
