Connecting another server to Traefik under another domain

I have Traefik configured for a specific domain zone along with subdomains. I need to redirect a request coming from a different domain name to another IP address (another physical machine). I can't figure out how to implement this in Traefik.

traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: "always"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.network=main_net"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/volumes/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik-compress.compress=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain1.local`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.service=api@internal"

All subdomains located on the CURRENT machine are working in the current configuration. But I need to make the request from *.domain2.tech redirect to another physical machine that is on the shared network.

Do you want to redirect (return an HTTP response with a new location) or proxy (forward) the request?

If you want to proxy to a remote target, just use a dynamic config file, see simple Traefik external example.

I have other services running on the second physical server. They must be linked to another domain name. The request arrives at the first physical server on which Traefik is located. I need to make sure that the services from the second server are visible to the outside when the request arrives on the first server.

So check the example to declare rules with domains in a dynamic config file, with an external server target via domain/IP.

I set up the dynamic configuration like this:

http:
  routers:
    forward:
      rule: Host(`traefik.mysite.tech`)
      service: forward
      entryPoints:
        - "websecure"
      tls: true

  services:
    forward:
      loadBalancer:
        servers:
          - url: https://192.168.0.91

Traefik is also installed on the second physical server.

When I try to access a domain name, I get these errors in the main server log:

2024-09-17T06:32:43Z DBG log/log.go:245 > http: TLS handshake error from 192.168.0.5:33512: remote error: tls: bad certificate
2024-09-17T06:32:43Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "traefik.mysite.tech"
2024-09-17T06:46:24Z DBG github.com/traefik/traefik/v3/pkg/server/service/proxy.go:100 > 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 192.168.0.91 because it doesn't contain any IP SANs"

It was solved by adding this parameter --serverstransport.insecureskipverify=true. Is this the right decision?

The redirection is now working. But the second Traefik cannot get certificates from Letsencrypt.

traefik  | 2024-09-17T07:22:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:619 > Loading ACME certificates [traefik.mysite.tech]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme routerName=traefik@docker rule=Host(`traefik.mysite.tech`)
traefik  | 2024-09-17T07:22:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:251 > Building ACME client... providerName=myresolver.acme
traefik  | 2024-09-17T07:22:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:257 > https://acme-v02.api.letsencrypt.org/directory providerName=myresolver.acme
traefik  | 2024-09-17T07:22:41Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:322 > Using HTTP Challenge provider. providerName=myresolver.acme
traefik  | 2024-09-17T07:22:41Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.mysite.tech] acme: Obtaining bundled SAN certificate lib=lego
traefik  | 2024-09-17T07:22:41Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.mysite.tech] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/404710130156 lib=lego
traefik  | 2024-09-17T07:22:41Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.mysite.tech] acme: Could not find solver for: tls-alpn-01 lib=lego
traefik  | 2024-09-17T07:22:41Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.mysite.tech] acme: use http-01 solver lib=lego
traefik  | 2024-09-17T07:22:41Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] [traefik.mysite.tech] acme: Trying to solve HTTP-01 lib=lego
traefik  | 2024-09-17T07:22:50Z DBG github.com/go-acme/lego/v4@v4.17.4/log/logger.go:48 > [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/404710130156 lib=lego
traefik  | 2024-09-17T07:22:50Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:396 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.mysite.tech]: error: one or more domains had a problem:\n[traefik.mysite.tech] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 62.33.138.36: Invalid response from http://traefik.mysite.tech/.well-known/acme-challenge/V-PprNbPkiVmc3NKQSAGST10XW-s8JbqQligtFK8s_w: 404\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.mysite.tech"] providerName=myresolver.acme routerName=traefik@docker rule=Host(`traefik.mysite.tech`)
traefik  | 2024-09-17T07:26:53Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
traefik  | 2024-09-17T07:26:53Z DBG log/log.go:245 > http: TLS handshake error from 192.168.0.5:50172: remote error: tls: bad certificate

But the site opens with a self-signed certificate.

My scheme looks like this. Conditionally speaking, first.com is fully configured and receives certificates from Letsencrypt. I need to redirect requests to a second server, which will also request certificates from Letsencrypt for its domain zone second.net.

You could use tlsChallenge for main Traefik and httpChallenge for secondary Traefik.

Is there an example of such a configuration?

I am unable to get certificates on the second Traefik.

Main Traefik

traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: "always"
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=azhirov1991@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/traefik-dynamic.yml"
      - "--providers.file.watch=true"
      - "--log.level=ERROR"
      - "--serverstransport.insecureskipverify=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/volumes/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/traefik-dynamic.yml:/traefik-dynamic.yml"

http:
  routers:
    forward:
      rule: "HostRegexp(`mysite.net`) || HostRegexp(`[a-z0-9]+\\.mysite\\.net`)"
      service: forward
      tls: true

  services:
    forward:
      loadBalancer:
        servers:
          - url: "https://192.168.0.91"

Second Traefik

traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    command:
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --certificatesresolvers.myresolver.acme.httpchallenge=true
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.myresolver.acme.email=azhirov1991@gmail.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --log.level=DEBUG
      - --api.dashboard=true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /volumes/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro

Errors

traefik  | 2024-09-17T13:30:32Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:396 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik.mysite.net]: error: one or more domains had a problem:\n[traefik.mysite.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 62.33.138.36: Invalid response from http://traefik.mysite.net/.well-known/acme-challenge/HMaOuJkUw1ZO1yS_mBnVvtCrikJpk0FcxRiUZzYHDX0: 404\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik.mysite.net"] providerName=myresolver.acme routerName=traefik@docker rule=Host(`traefik.mysite.net`)

It seems that this can be done only through Nginx.

Traefik uses Host() and HostSNI() to identify domains to create TLS certs. Or explicit main/sans.

Your regex will not really work, as you would need a wildcard cert, which can only be created with dnsChallenge.

But with insecureskipverify=true you don’t need any LetsEncrypt certs; the secondary Traefik will just generate a default cert.
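An alternative to skipping upstream verification globally, added here as an example and not taken from the thread: let the first Traefik pass the raw TLS stream for the second.net zone through to the second machine instead of terminating and re-encrypting it, so the first Traefik never has to verify (or skip verifying) the second Traefik's certificate. It assumes the entrypoint name `websecure`, the address 192.168.0.91 and the zone name second.net from the thread, and that both sides run Traefik v3.

```yaml
# traefik-dynamic.yml on the main (first) Traefik: added example, not the
# thread's own config. SNI is readable before decryption, so the first
# Traefik can route *.second.net by name without holding a certificate
# for it and without --serverstransport.insecureskipverify=true.
tcp:
  routers:
    second-net-passthrough:
      entryPoints:
        - websecure
      # Traefik v3 HostSNIRegexp takes a Go regexp: apex plus any
      # single-label subdomain of second.net (placeholder zone from the thread).
      rule: "HostSNI(`second.net`) || HostSNIRegexp(`^[a-z0-9-]+\\.second\\.net$`)"
      service: second-net-tcp
      tls:
        passthrough: true   # forward the TLS bytes untouched; no decryption here
  services:
    second-net-tcp:
      loadBalancer:
        servers:
          # 192.168.0.91 is the second physical server from the thread
          - address: "192.168.0.91:443"
```

On the second Traefik, replace the two `httpchallenge` flags with `--certificatesresolvers.myresolver.acme.tlschallenge=true`: the ACME server's TLS-ALPN-01 connection arrives on port 443 with SNI set to the requested name and is passed through unchanged, whereas HTTP-01 keeps failing because port 80 is still answered (and redirected) by the first Traefik, which is exactly the 404 in the logs above.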

Hi, I do not know how to solve this with Traefik.

I have solved such a thing with HAProxy.
HAProxy as a load balancer has in this case only one task: to distribute domains to several servers.
On each server you can have your Traefik handling the creation and management of certificates.

So you can easily add more and more servers.

But HAProxy would need access to the Traefik-created TLS certs to receive the HTTPS requests, decode the TLS to read the HostSNI and then forward to the matching server.