2 routers behind a single IP

Hello there,

I have a question I'm pretty sure many people will be able to answer without me having to scratch my head.

I have a single public IP, and 2 internal servers that are servicing containers behind a private IP.

Each of the 2 servers is intended to serve a different domain name:

              Public IP (*.domain1.com and *.domain2.com in the DNS)
             /                    \
         Server1(domain1)        Server2(domain2)

As I'm not a magician, ports 80 & 443 can only be redirected to a single server. Is there a simple way for me to have traefik on server1 servicing domain1 and redirecting everything for domain2 to server 2? Would that be a simple router? How can I achieve that easily (and I have multiple subdomains, so it really needs to send to server2 all the requests with *.domain2.com).

Thanks for your insights.

This is exactly what a reverse proxy like Traefik is used for. Note that it's not "redirect", as a redirect is a response to a (browser) client to request a different URL. It's "proxy" or "forward" a request.

Run Traefik in a Docker container (note that command is "static" config):

# docker-compose.yml
version: '3'

services:
  traefik:
    image: traefik:v2.11
    volumes:
      - /path/to/local/config/folder:/traefik
    ports:
      - 80:80
      - 443:443
    command:
      - --providers.file.directory=/traefik
      - --providers.file.watch=true
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.websecure.http.tls.certResolver=myresolver
      - --api.dashboard=true
      - --log.level=INFO
      - --accesslog=true
      - --certificatesResolvers.myresolver.acme.email=mail@example.com
      - --certificatesResolvers.myresolver.acme.storage=/traefik/acme.json
      - --certificatesresolvers.myresolver.acme.tlschallenge=true

Create a "dynamic" config file with routers (doc) and services (doc):

# /path/to/local/config/folder/traefik-dynamic.yml
http:
  routers:
    myDashboard:
      rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
      middlewares:
        - myAuth
    myHomepage:
      rule: Host(`example.com`)
      service: myHomepage
    myLanding:
      rule: Host(`landing.example.com`)
      service: myLanding

  middlewares:
    myAuth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

  services:
    myHomepage:
      loadBalancer:
        servers:
          - url: http://server1
    myLanding:
      loadBalancer:
        servers:
          - url: http://server2

This simple example opens ports http/80 and https/443 and automatically creates TLS certs with LetsEncrypt for the domains used in Host(). You need more complicated dnsChallenge to create wildcard certs.

Note that by default passHostHeader is true for every service. Change this if your target service expects the host name as in the Traefik service URL it is called by.

It's recommended to change the dashboard passwords before deploying this to a production site :slight_smile: Or remove dashboard router and service completely.

OK I'm sorry I didn't present myself enough :slight_smile:
I'm not looking to know if Traefik can be a good fit for my servers / domains.

I am already running traefik on each server, each of them servicing with labels on the containers.

My point is that I want from the traefik on server1 to redirect *.domain2.com to the traefik on server2, while conserving the name, because the traefik on server 2 will need that name to service the appropriate container. If I proxy that to the first server, I'm not sure on how the 2nd traefik will behave.

You want the request to a server to be forwarded internally to a second server?

Or you want to send a real redirect to the client to access another URL?

I want the request to be forwarded, as the second server has routers and everything is set up to understand the name of domain2, not domain1.

EDIT to be as clear as possible, this is what I want:
Request comes for siteA.domain1.com > router > server1 traefik > siteA container
Request comes for siteB.domain2.com > Router > Server1 traefik > Server2 traefik > siteB container

Sure. You just need to decide how you manage TLS. Probably easiest with tlsChallenge on first and httpChallenge (or no TLS) on second.
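The split suggested above (TLS terminated on the first Traefik, plain HTTP to the second, original Host name preserved), as an added example that is not from any participant in this thread. It assumes the Traefik v2 rule syntax (the thread uses `traefik:v2.11`) and the `myresolver` resolver from the earlier answer; router and service names, the subdomains and the `192.0.2.x` addresses are placeholders.

```yaml
# Added example, not from the thread. Names and addresses are placeholders.
# --- server1: dynamic file-provider config (e.g. /traefik/domain2.yml) ---
http:
  routers:
    domain2-forward:                       # hypothetical router name
      # Traefik v2 HostRegexp syntax: any single-label subdomain of domain2.com
      rule: "HostRegexp(`{sub:[a-z0-9-]+}.domain2.com`)"
      entryPoints:
        - websecure
      service: server2-traefik
      tls:
        certResolver: myresolver
        # HostRegexp gives ACME no concrete names, so list them explicitly.
        # tlsChallenge cannot issue *.domain2.com; that needs dnsChallenge.
        domains:
          - main: "siteb.domain2.com"
            sans:
              - "sitec.domain2.com"        # constructed second subdomain
  services:
    server2-traefik:                       # hypothetical service name
      loadBalancer:
        passHostHeader: true               # default; server2 sees the original Host
        servers:
          - url: "http://192.0.2.20:80"    # server2's LAN address (placeholder)
---
# --- server2: compose fragment for its own Traefik and one container ---
services:
  traefik:
    command:
      - --providers.docker=true
      - --entryPoints.web.address=:80
      # Trust X-Forwarded-* headers only when they come from server1 (placeholder)
      - --entryPoints.web.forwardedHeaders.trustedIPs=192.0.2.10/32
  siteb:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.siteb.rule=Host(`siteb.domain2.com`)"
      # Plain HTTP on the second hop: a router with tls=true does not match
      # plain-HTTP requests, and a web->websecure redirect here would bounce them.
      - "traefik.http.routers.siteb.entrypoints=web"
```

With this layout the hop between the two servers is unencrypted, so server2's port 80 should be reachable only from server1, for example through a host firewall rule.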

That's why I'm asking for help: how do I do that correctly in the config?

So I'm trying with individual domains that I control.

I tried something like this:
on server 2 I'm creating an internal entry on the container with xxx.home.arpa:

    labels:
      - "traefik.http.routers.xyz.rule=Host(`xyz.home.arpa`)"
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.xyz.entrypoints=web,websecure"
      - "traefik.http.services.xyz.loadbalancer.server.port=8888"
      - "traefik.http.services.xyz.loadbalancer.server.scheme=http"
      - "traefik.http.routers.xyz.tls=true"

Then on my main traefik, the one that the Internet IP redirects ports 80 & 443 to, I created this in a file:

http:
  routers:
    xyz-domain1:
      rule: "Host(`xyz.domain1.com`)"
      service: xyz
      entryPoints:
        - "web"
        - "websecure"
      tls: "true"
  services:
    xyz:
      loadbalancer:
        servers:
          - url: https://xyz.home.arpa

When I try that, I get a 404.
If I add curl to the traefik container and try:

/ # curl -k https://xyz.home.arpa
<h1>401: Unauthorized</h1>/ 

Which is expected as this webserver has an Auth mechanism in place.

I don't know why the router I created on server1 is giving me a 404. Any ideas?

Maybe check this example using chained Traefik instances.

Those chained traefik are running on the same host in the same compose file.

My 2 servers are different computers and can't share docker networks, unless I'm misreading your link?