Chained traefik instances

Hi, I need your help:

I have traefik instance A and B.

Instance A takes all the traffic from outside of my network and redirects it to the needed services. It also takes care of all the certificate stuff.

One of these services is using a traefik instance (B) itself. s.mydomain.com should lead to the dashboard of this service, *.d.mydomain.com to other interfaces of this service. Traefik instance B is correctly configured.

My problem: No matter if using s.mydomain.com or one of the wildcard domains, I will always be routed to the dashboard. My guess is that A removes the requested domain, so that B thinks the requested domain is its internal IP address.

May that be the case? And do you have suggestions for fixing it?

Looking forward to your help :slight_smile:

Greetings, Thecrafterja

Share your full Traefik static and dynamic configs.

Config of instance A:

traefik.yml

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  lets-encrypt-resolver:
    acme:
      email: "some_email@example.example"
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
  ionos-resolver:
    acme:
      email: "some_email@example.example"
      storage: /etc/traefik/acme_ionos.json
      dnsChallenge:
        provider: ionos
        resolvers:
          - "ns1039.ui-dns.com"
          - "ns1114.ui-dns.org"
          - "ns1021.ui-dns.de"
          - "ns1017.ui-dns.biz"

providers:
  file:
    filename: "/etc/traefik/standard-config.yml"

log:
  level: DEBUG

standard-config.yml

http:
  middlewares:
    authentik:
      [...]
  routers:
    [...]
    dokploy-router:
      entryPoints:
        - websecure
      service: service-dokploy
      rule: "Host(`s.mydomain.com`)"
      tls:
        certResolver: lets-encrypt-resolver
    dokploy-services-router:
      entryPoints:
        - websecure
      service: service-dokploy
      rule: "HostRegexp(`[A-Za-z0-9]+\\.d\\.mydomain\\.com`)"
      tls:
        domains:
          - main: "*.d.mydomain.com"
        certResolver: ionos-resolver
    [...]

  services:
    [...]
    service-dokploy:
      loadBalancer:
        servers:
          - url: "http://192.168.178.229:3000"
    [...]

  serversTransports:
    pve:
      insecureSkipVerify: true

Config of instance B

This configuration is managed by the hosted software itself, but can be modified by me.

traefik.yml

global:
  sendAnonymousUsage: false
providers:
  swarm:
    exposedByDefault: false
    watch: true
  docker:
    exposedByDefault: false
    watch: true
    network: dokploy-network
  file:
    directory: /etc/dokploy/traefik/dynamic
    watch: true
entryPoints:
  web:
    address: ':80'
  websecure:
    address: ':443'
    http3:
      advertisedPort: 443
    http:
      tls:
        certResolver: letsencrypt
api:
  insecure: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: test@localhost.com
      storage: /etc/dokploy/traefik/dynamic/acme.json
      httpChallenge:
        entryPoint: web

# Added by myself for debugging purposes
accessLog:
  format: json
  filePath: "/etc/logs/t_access.json"
  fields:
    defaultMode: keep

dynamic/dokploy.yml (for the dashboard)

http:
  routers:
    dokploy-router-app:
      rule: Host(`dokploy.docker.localhost`) && PathPrefix(`/`)
      service: dokploy-service-app
      entryPoints:
        - web
      middlewares: []
  services:
    dokploy-service-app:
      loadBalancer:
        servers:
          - url: http://dokploy:3000
        passHostHeader: true

dynamic/backend-bdjidbw.yml (other view)

http:
  routers:
    backend-bdjidbw-router-2:
      rule: Host(`bbb.d.mydomain.com`)
      service: backend-bdjidbw-service-2
      middlewares: []
      entryPoints:
        - web
  services:
    backend-bdjidbw-service-2:
      loadBalancer:
        servers:
          - url: http://backend-bdjidbw:8080
        passHostHeader: true

By default, Traefik keeps the original host header (doc):

The passHostHeader allows to forward client Host header to server.
By default, passHostHeader is true.

You can adapt the header manually by using middleware (example).


Thanks, I also stumbled across this part of the docs. I have now set this property explicitly to true, but the issue still persists.

Do you have any other idea?

Traefik A will receive request with Host: s.mydomain.com and forward/proxy it to Traefik B at http://192.168.178.229:3000 with same Host: s.mydomain.com.

Traefik B should receive request with Host: s.mydomain.com, but entrypoints are not configured for port 3000, maybe you re-map in Docker compose. Also the request can not be matched, because you use Host(`dokploy.docker.localhost`).


Thanks, the port was the issue. Sometimes it is just too late in the evening to see the problems :joy:
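The port fix discussed above, written out for instance A's `standard-config.yml` as an added example (not posted by anyone in the thread and not Dokploy's own config). It assumes instance B's `web` entryPoint is published on port 80 of 192.168.178.229; the service name `service-dokploy-traefik` is hypothetical.

```yaml
http:
  routers:
    dokploy-router:
      entryPoints:
        - websecure
      # Dashboard: keeps going straight to the app on :3000. Instance B's own
      # dashboard router only matches Host(`dokploy.docker.localhost`), so
      # s.mydomain.com would not match any router on B.
      service: service-dokploy
      rule: "Host(`s.mydomain.com`)"
      tls:
        certResolver: lets-encrypt-resolver
    dokploy-services-router:
      entryPoints:
        - websecure
      # Wildcard hosts: must reach instance B's entryPoint, not the app port,
      # so that B can evaluate its Host(`bbb.d.mydomain.com`) style rules.
      service: service-dokploy-traefik   # hypothetical name
      rule: "HostRegexp(`[A-Za-z0-9]+\\.d\\.mydomain\\.com`)"
      tls:
        domains:
          - main: "*.d.mydomain.com"
        certResolver: ionos-resolver

  services:
    # Port 3000 is the Dokploy app itself (B's config uses http://dokploy:3000
    # as the dashboard backend), which is why every host landed on the dashboard.
    service-dokploy:
      loadBalancer:
        servers:
          - url: "http://192.168.178.229:3000"
    # Assumption: B's "web" entryPoint (:80) is reachable at this address.
    service-dokploy-traefik:
      loadBalancer:
        passHostHeader: true   # default, shown explicitly: B routes on this header
        servers:
          - url: "http://192.168.178.229:80"
```

Instance B routes on whatever Host header arrives and receives this traffic as plain HTTP, so its port 80 (and the dashboard opened by `api.insecure: true`) should be reachable only from instance A, not from the wider network.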
