Hi. I might have the wrong impression of using a domain to access local services, so I wanted to confirm.
Ultimately for now I just want to be able to access internal services by a domain. I went through this guide...
Which seems to use your external domain to access internal services. It's not clear to me whether setting this up as the guide describes also exposes services externally, but that's not what I want. I just want to be able to say...

- adguard -> on my router, so I want to be able to access it like ad.mydomain.com, which hits a specific port on the router
- router -> access the router (running OPNsense) homepage with router.mydomain.com, which is just port 80. I think I can do this via DNS rewrites
- docker services -> docker-name.mydomain.com
But no matter what I do, that does not seem to work. Even having Traefik and the dockersocket container on the same Docker network does not work.
I also see this in the logs, which would indicate to me that it should work:
time="2024-02-14T17:50:44-08:00" level=debug msg="Adding route for ad.mydomain.com with TLS options default" entryPointName=https
time="2024-02-14T17:50:44-08:00" level=debug msg="Adding route for traefik.mydomain.com with TLS options default" entryPointName=https
But I cannot access it by the domain the Traefik logs are showing. Should I be able to? If so, could there be some configuration issue? Those details are below...
Docker fields (labels and environment on the Traefik container)

  traefik.http.routers.api.service -> api@internal
  traefik.enable -> true
  traefik.http.routers.api.rule -> Host(`traefik.mydomain.com`)
  DOCKER_HOST -> dockersocket
traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

# Disables certificate verification for every HTTPS backend Traefik proxies to
# (e.g. a self-signed cert on the router). Any backend on the LAN path can then
# be impersonated; prefer a per-service serversTransport if only one backend needs it.
serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      # X-Forwarded-* headers are only trusted from these source IPs
      trustedIPs: &trustedIps
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
      # Reuse list of Cloudflare trusted IPs above for HTTPS requests
      trustedIPs: *trustedIps
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: mydomain.com
            sans:
              - '*.mydomain.com'
      middlewares:
        - securityHeaders@file

providers:
  providersThrottleDuration: 2s
  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true
  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: proxynet # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.mydomain.com`)" # Replace with your domain
    swarmModeRefreshSeconds: 15s
    exposedByDefault: false
    endpoint: "tcp://dockersocket:2375" # Uncomment if you are using docker socket proxy

# Enable traefik ui
api:
  dashboard: true
  # insecure: true additionally serves the dashboard and API unauthenticated on port 8080;
  # the api@internal router on traefik.mydomain.com already exposes it via the https entryPoint.
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: DEBUG

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: an@email.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the dns challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

experimental:
  plugins:
    plugin-log4shell:
      moduleName: "github.com/traefik/plugin-log4shell"
      version: "v0.1.2"
fileConfig.yml - Authelia not installed or used for now

http:
  ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
  routers:
    # Adguard routing - Remove if not used
    # No middlewares are attached here, so local-ipwhitelist (defined below) is
    # not enforced on this router; any client that reaches port 443 is proxied.
    adguard:
      entryPoints:
        - https
      rule: 'Host(`ad.mydomain.com`)'
      service: adguard

  ## SERVICES ##
  services:
    # adguard service
    adguard:
      loadBalancer:
        servers:
          - url: http://192.168.10.1:8080/

  ## MIDDLEWARES ##
  middlewares:
    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange:
          - 127.0.0.1/32 # localhost
          - 192.168.10.1/24 # LAN Subnet
          - 10.0.0.0/24 # VPN
    # plugin-simplecache is referenced here but not declared under experimental.plugins in traefik.yml
    my-plugin-simplecache:
      plugin:
        plugin-simplecache:
          path: /tmp
    my-plugin-log4shell:
      plugin:
        plugin-log4shell:
          errorCode: "200"
    # Authelia guard
    auth:
      forwardauth:
        address: http://authelia:9091/api/verify?rd=https://identity.adhsrv.com/ # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
    # Authelia basic auth guard
    auth-basic:
      forwardauth:
        address: http://authelia:9091/api/verify?auth=basic # replace auth with your authelia container name
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
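A diagnostic script, added here and not part of the original post, for separating the two things that have to be true for ad.mydomain.com to work on the LAN: the AdGuard DNS rewrite must return Traefik's LAN address, and Traefik must have a router for that Host. The "Adding route for ..." debug lines quoted above only prove the second. The script bypasses DNS with curl --resolve so the request still carries the right SNI and Host header, then compares that with what the LAN resolver actually answers. It assumes Traefik's host is 192.168.10.5 (a hypothetical address; override with TRAEFIK_IP) and that AdGuard answers DNS on the router at 192.168.10.1 as in the post; the sample log lines are copied from the post to drive the offline part.

```shell
#!/bin/sh
# Split-horizon check for Traefik behind AdGuard. Not from the original post.
TRAEFIK_IP="${TRAEFIK_IP:-192.168.10.5}"   # assumption: LAN IP of the Traefik host
DNS_SERVER="${DNS_SERVER:-192.168.10.1}"   # AdGuard on the router (from the post)

# Sample Traefik debug output, copied from the post, used for the offline step.
SAMPLE_LOG='time="2024-02-14T17:50:44-08:00" level=debug msg="Adding route for ad.mydomain.com with TLS options default" entryPointName=https
time="2024-02-14T17:50:44-08:00" level=debug msg="Adding route for traefik.mydomain.com with TLS options default" entryPointName=https'

# Step 1: which hostnames did Traefik actually register? Reads a debug log on stdin.
registered_hosts() {
  sed -n 's/.*msg="Adding route for \([^ ]*\) with TLS.*/\1/p' | sort -u
}

# Step 2: does the LAN resolver (AdGuard rewrite) hand back Traefik's address?
# Exit status 0 only when the first A answer equals TRAEFIK_IP. Needs dig.
lan_resolves_to_traefik() {
  host=$1
  answer=$(dig +short "@$DNS_SERVER" "$host" A | head -n1)
  echo "dns  $host -> ${answer:-<empty>}"
  [ "$answer" = "$TRAEFIK_IP" ]
}

# Step 3: bypass DNS entirely by pinning the name to TRAEFIK_IP. -k is needed
# only until the wildcard cert is issued. 000 = no connection, 404 = Traefik
# answered but no router matched this Host.
route_works_without_dns() {
  host=$1
  code=$(curl -sk -o /dev/null -w '%{http_code}' \
         --resolve "$host:443:$TRAEFIK_IP" "https://$host/")
  echo "http $host via $TRAEFIK_IP -> $code"
  [ "$code" != "000" ] && [ "$code" != "404" ]
}

# Pure classifier: $1 = DNS check status, $2 = route check status (0 = ok).
diagnose() {
  case "$1$2" in
    00) echo "ok" ;;
    10) echo "dns: rewrite missing or client not using $DNS_SERVER" ;;
    01) echo "traefik: name resolves but no router answers for this Host" ;;
    *)  echo "both: fix DNS first, then recheck router/entryPoint" ;;
  esac
}

# Driver: network checks run only for hosts given on the command line, so the
# functions above can be sourced and tested without touching the network.
if [ $# -gt 0 ]; then
  for h in "$@"; do
    lan_resolves_to_traefik "$h"; d=$?
    route_works_without_dns "$h"; r=$?
    echo "     $h: $(diagnose "$d" "$r")"
  done
fi
```

Run it as, for example, `sh check.sh ad.mydomain.com traefik.mydomain.com` (file name is arbitrary). If step 3 returns a 200 or a redirect while step 2 shows an empty or public answer, Traefik is fine and the problem is the AdGuard rewrite (or a client that is not using AdGuard as its resolver). If step 3 returns 404, the name reaches Traefik but no router matches; compare the Host against the `registered_hosts` output from the debug log.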