Design questions: What do you think about using Traefik in DMZ "in front" of another Traefik in a more secure zone

As the title indicated, I've got an "IOT" network that has devices that I trust and control to a lesser extent then those that I have in a "GUEST" network. I've got that IOT Traefik instance running but I realized if I have it forwarding to the GUEST network container host normally it will by default use HTTP so I think I'd have to manually set up the backends, set up the cert file lines for each, and deal with the multiple firewall and routing rules to get traffic from this one IOT docker host to the multiple containers on the GUEST host.

It struck me that maybe I can have the IOT Traefik instance forwarding to the IP and varying ports on a GUEST Traefik instance, I could probably set up SSL once, that single backend, and much simpler firewall and routing rules. I'm pretty optimistic this isn't a crazy design, but I wanted to get some thoughts. I do have my own domain so I access my current services via, and I imagine I'll have to set up the docker compose and toml files on the backend differently to deal with the fact it will be matching services based on port rather than hostname, but other than that I'm optimistic I can wrestle through this.

Can anyone comment on this design or alternatives to achieve this end, and are there any example configs out there from someone with a similar setup?

Hello @BurntOC,

Many infrastructures use layers on layers of proxies to accomplish different tasks and route differently.

Mmany modern production infrastructures have between 4-7 proxies that route traffic (some stateless, some not). This is not unusual at all. Often people will mix and match Traefik with other proxies to provide features that Traefik does not offer.

Hope this helps!

Thanks for validating the thinking. I've become increasing concerned with my recent approach of following guides that have docker.sock mounted as a volume for some exposed containers. I've found a couple of "separate container" approaches for nginx that seem to work well with straightforward guides and I guess I'll ask here and hope someone can supply on for Traefik as I'd rather use this.