Config with multiple entrypoints

Traefik Traefik v3 (latest)
,
1

I am trying to optimise my config but since I'm pretty new with traefik I'm hitting some walls and was wondering if anyone could enlighten me and clarify a few things to me.

What I want to achieve:

General rules:

Entrypoints:
http, https, http-external, https-external

Redirection:
from http to https for each pair

Rules:
I think this can be extracted outside of the service docker compose files, the logic is:

  • internal: myservice.home
  • external: myservice.mydomain.com
  • both: both

Network:
I have external and internal docker networks, needs to be referenced somewhere (not sure where)

External services:
I am using cloudflare as cert resolver for external services

If I'm able to have all these rules in traefik's config files (I'm using traefik.yml and config.yml files), then all I need to do in my service's docker compose is to add labels for :

  • name of the service
  • service either internal, external or both

Can anyone provide me with a rough structure of all the elements I need? Like where I need to define each things? I'm a bit lost between routers, middlewares and where to define what.

What I have at the moment in traefik.yml:

entryPoints:
  http:
    address: ":80"
      http:
        redirections:
           to: https
           scheme: https

# each of the 4 entrypoints are defined there with the http ones 
# having the redirection to the https

providers:
  docker:
    endpoint: tcp://socket-proxy:2375
    exposedByDefault: false
    network: "internal_proxy,external_proxy"
  file:
    filename: /config.yml

certificatesResolvers:
  cloudflare:
    acme:
      email: myemail
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        # disablePropagationCheck: true 
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Probably I need to add more things there as well as in the config.yml file but not sure what exactly.

Thanks!

2

I have this working :

    labels:
      - traefik.enable=true
      #### `internal` configuration
      #### `http` router configuration
      - traefik.http.routers.myservice-internal.entrypoints=http
      - traefik.http.routers.myservice-internal.rule=Host(`myservice.home`)
      #### `secure` router configuration
      - traefik.http.routers.myservice-internal-secure.entrypoints=https
      - traefik.http.routers.myservice-internal-secure.rule=Host(`myservice.home`)
      - traefik.http.routers.myservice-internal-secure.tls=true
      - traefik.http.routers.myservice-internal-secure.service=myservice-internal
      ### `network` configuration
      - traefik.http.services.myservice-internal.loadbalancer.server.port=1234
      - traefik.docker.network=internal_proxy

      #### `external` configuration
      #### `http` router configuration
      - traefik.http.routers.myservice.entrypoints=http-external
      - traefik.http.routers.myservice.rule=Host(`myservice.mydomain.com`)
      #### `secure` router configuration
      - traefik.http.routers.myservice-secure.entrypoints=https-external
      - traefik.http.routers.myservice-secure.rule=Host(`myservice.mydomain.com`)
      - traefik.http.routers.myservice-secure.tls=true
      - traefik.http.routers.myservice-secure.tls.certresolver=cloudflare
      - traefik.http.routers.myservice-secure.service=myservice-external
      ### `network` configuration
      - traefik.http.services.myservice-external.loadbalancer.server.port=1234
      - traefik.docker.network=external_proxy

Service can either be internal or external. What I want is maybe a way to refactor this so that I don't have to write this for each service. Not sure what are the best practices though. But my software engineer lazy brain tell me if I could avoid copy pasting this for each service it could be helpful.

3

This seems wrong, it’s singular, so I don’t think you can use multiple.

As you want to use different ones, you would need to assign the Docker network per service/container with label traefik.docker.network (doc).

4

Yes this is what I ended up doing, cfr the config posted in the 2nd message.

Do you think this could be improved?
Like creating reusable routers or something like that?
Not sure what are traefik's best practices. But I'm thinking the more copy paste to do the more errors and bugs possible.

5

usually it makes no sense to expose an application using different internal and external fqdn. I would recommend to access publicly available server using public FQDN only and use "split brain DNS/split horizon DNS" for internal access.

6

Can you explain what is "split brain DNS/split horizon DNS" ? I'm using Pihole for local DNS and Cloudflare for external DNS.

7

Split-Brain DNS Approach
Split-Brain DNS is a DNS configuration method that enables proper name resolution of local resources inside and outside your local network. It provides different data regarding the contents of a DNS zone based on the location that the DNS query originates. Separate DNS namespaces are administered for external computers and internal ones.
Example: The DNS query for the host www.test.com may return a public IP address and a private IP address on the organization's internal network.
The goal of a Split-Brain DNS is to provide abstraction and enhance security by not divulging the correct internal IP address of the requested resource. You can implement Split-Brain DNS on Microsoft appliance using DNS Resolution Policies and DNS Zone Scopes.

look at the linked post above - there is self-explaining picture.

8

Interesting.
I'm using Cloudflare DDNS for my dynamic dns (GitHub - favonia/cloudflare-ddns: 🌟 A small, feature-rich, and robust Cloudflare DDNS updater)
I'll have to look up how to set this up with Pihole / Cloudflare and Cloudflare DDNS.