Double docker traefik instances in same server

Hi all,

I'm familiar with Traefik and I have several services working with it, but I'm stuck in this situation.

I have two Traefik containers on my server; let's call them master and slave.

The master Traefik manages a domain and I want the slave to manage a secondary one.

I tried to illustrate it with a drawing.

The configuration of the slave Traefik is:

```yaml
networks:
  default:
    name: "chibi.net"
  traefik:
    name: reverse-proxy
    external: true

traefik:
    image: traefik:v3.0.2
    container_name: chibi.proxy
    restart: unless-stopped
    ports:
      - "1080:80"
      - "10443:443"
      - "1088:8080"
      # - "80:80"
      # - "443:443"
      # - "8080:8080"
    networks:
      default:
      traefik:
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/ssl-certs:/ssl-certs
      - ./traefik/config:/etc/traefik/config
      - ./traefik/ssl-certs:/letsencrypt
    command:
      - "--global.sendAnonymousUsage=false"
      - "--global.checkNewVersion=false"
      - "--log.level=INFO"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      # HTTP
      - "--entrypoints.http.address=:80"
      # HTTPS
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=my@email.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.constraints=Label(`traefik.inst`,`mcit`)"
      - "--providers.file.directory=/etc/traefik/config"
      - "--providers.file.watch=true"
    labels:
      traefik.enable: true
      traefik.inst: main
      # HTTP
      traefik.http.routers.chibiweb.entrypoints: web
      traefik.http.routers.chibiweb.rule: HostRegexp(`^.+\.2nddomain\.com$`)
      traefik.http.services.chibiweb.loadbalancer.server.port: 80
      # HTTPS
      traefik.http.routers.chibiwebsecure.entrypoints: websecure
      traefik.http.routers.chibiwebsecure.rule: HostSNIRegexp(`^.+\.2nddomain\.com$`)
      traefik.http.services.chibiwebsecure.loadbalancer.server.port: 443
      traefik.docker.network: reverse-proxy
```

Master Traefik has the constraint "providers.docker.constraints=Label(`traefik.inst`,`master`)".
Slave Traefik has the constraint "providers.docker.constraints=Label(`traefik.inst`,`slave`)".

If I try with HTTP only, everything works fine (I tested using the curl command: the first time I served the slave Traefik dashboard, and the second time I forwarded app1.2nddomain.com to an nginx server).

With this configuration, HTTPS doesn't work.

What I'm trying to achieve is:
I want the master Traefik to simply bypass (or forward) the .2nddomain.com traffic; I want my slave Traefik to solve the certificate for that domain and forward the traffic on its own to another container or physical server (with the file provider).

I read all the related topics like this, but here I'm not working with Docker in swarm mode or anything else.

It's just a matter of forwarding the traffic based on domain to both slave Traefik ports (80 and 443).

Thanks to anyone for the help.
Just ask questions if I forgot to report something.
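An added example, not part of the original post or of any reply: one way to get the forwarding the question describes is for the first instance to route `.2nddomain.com` HTTPS as raw TCP by SNI with TLS passthrough, so that the second instance terminates TLS and holds the certificate. It assumes the first instance loads this file through its file provider, that its entrypoints are named `http` and `https`, and that both containers share the `reverse-proxy` network; the router and service names are hypothetical.

```yaml
# Dynamic configuration for the FIRST ("master") Traefik, file provider.
# Entrypoint, router and service names are assumptions for this example.
http:
  routers:
    seconddomain-http:
      entryPoints:
        - http
      rule: 'HostRegexp(`^.+\.2nddomain\.com$`)'
      service: slave-http
  services:
    slave-http:
      loadBalancer:
        servers:
          # Plain HTTP is proxied as-is; this path also carries the ACME
          # HTTP-01 challenge to the second instance's "http" entrypoint.
          - url: "http://chibi.proxy:80"

tcp:
  routers:
    seconddomain-tls:
      entryPoints:
        - https
      # The server name is matched from the TLS ClientHello.
      rule: 'HostSNIRegexp(`^.+\.2nddomain\.com$`)'
      service: slave-tls
      tls:
        # Do not terminate TLS here: the encrypted stream is handed to the
        # second instance, which presents its own certificate.
        passthrough: true
  services:
    slave-tls:
      loadBalancer:
        servers:
          - address: "chibi.proxy:443"
```

With passthrough the first instance cannot apply HTTP middlewares or log request paths for this domain, and the second instance sees the first instance's address as the client IP.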

For Traefik to match and proxy/forward a https request, it needs a matching TLS cert to read HostSNI.

Hi,

Interesting question, could you elaborate on why you need 2 Traefiks?
Maybe I missed the point...

You could proxy several domains and have different configs with a single traefik.

THX

I have several reasons to do that.
E.g., let's assume I have several domains with Cloudflare DNS.

I don't want to use the CF global API key; I want to use a zone API key instead.

How can I manage certificates through the CF API using a zone API key?

Right now I have not 2 but three Traefiks in cascade, and they work (it's a personal project).
But the HTTPS certificates don't.

1 Like