Docker Traefik to K3S Traefik subdomain reverse proxy

Hi all,

I'm new to the entire Traefik and reverse proxy stuff but I'm currently in the process of setting up my own homelab and was looking for a specific setup.

I've got a main server (192.168.1.100) that is running Docker on which I run Traefik and several other services. My local DNS points any connection on mydomain.com directly to that Traefik instance which it then resolves to one of the Docker containers running. The setup also includes HTTPS with Let's Encrypt through Cloudflare DNS challenge.

Now I'm looking into running a VM on this same server which will get a different IP in my main range (e.g. 192.168.1.101) that will host a K3S instance. This instance on its own has a Traefik running for everything that is running inside that cluster and I wish to connect on a subdomain k3s.mydomain.com to this cluster. Preferably I would be able to use my same wildcard certificate from mydomain.com here, but it can also be on HTTP if not easily done.

Very simplified drawing of setup:

Router --test.mydomain.com--> Main Traefik (192.168.1.100) --> test-container

Router --newtest.k3s.mydomain.com--> Main Traefik (192.168.1.100) --> K3S Traefik (192.168.1.101) --> newtest-container

I've tried the following static config for this:

http:
  routers:
    k3s:
      rule: "HostRegexp(`k3s.mydomain.be`,`{subhost:[a-zA-Z0-9-]+}.k3s.mydomain.be`)"
      service: k3s-service
      entryPoints:
        - http
      tls: {}

  services:
    k3s-service:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://192.168.1.101"

But I keep getting 404 page not found and in my main Traefik instance I get the following error:

http: TLS handshake error from 172.18.0.1:53692: remote error: tls: bad certificate

I tried adding --serversTransport.insecureSkipVerify=true to my main Traefik configuration but it did not resolve this issue.

Could anyone help me with this?

Hi @tourna! Thanks for your interest in Traefik!

You can use passthrough to route traffic from the first to the second Traefik Proxy.

See this blog post as a potential starting point.
It does not cover 100% of your use case, but it should help explain a bit.
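
A sketch of the passthrough setup suggested in the reply above, as an added example that is not part of the original thread or the linked blog post. It assumes Traefik v2 rule syntax (as in the question's config), a TLS entry point named `https` on the main Traefik, and the K3S Traefik listening for TLS on 192.168.1.101:443; all three are assumptions to adjust.

```yaml
# Dynamic configuration (file provider) on the main Traefik, 192.168.1.100.
# A TCP router matches on the TLS SNI value and forwards the raw TLS stream,
# so the main Traefik never decrypts it and never opens its own TLS
# connection to the backend. serversTransport settings such as
# insecureSkipVerify are therefore not involved on this path.
tcp:
  routers:
    k3s:
      # Matches k3s.mydomain.com and one-level subdomains of it.
      rule: "HostSNIRegexp(`k3s.mydomain.com`, `{subhost:[a-zA-Z0-9-]+}.k3s.mydomain.com`)"
      entryPoints:
        - https          # assumed name of the :443 entry point
      service: k3s-service
      tls:
        passthrough: true   # hand the handshake to the K3S Traefik untouched

  services:
    k3s-service:
      loadBalancer:
        servers:
          # TCP services take host:port, not a URL.
          - address: "192.168.1.101:443"   # assumed TLS port on the K3S VM
```

With passthrough, TLS terminates on the K3S Traefik, so the certificate has to be installed there. A wildcard for `*.mydomain.com` covers only one label and will not validate for `newtest.k3s.mydomain.com`; that name needs a certificate for `*.k3s.mydomain.com` or for the exact host.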