How to move from nginx-proxy Docker to traefik Docker with proxy-protocol and wildcard certificate

Hi all,

We currently use nginx-proxy and would like to move to traefik as we have heard so much praise for it. I spent multiple hours now researching, reading and trying to put the right configuration together, but I am failing miserably, even on a single host.

What I got:

  • External TCP Load-Balancer forwarding with Proxy-Protocol (to get request IP)
    (using plain TCP forward on all used ports with proxy protocol)
  • Traefik in Docker
  • WebApp in Docker
  • Wildcard SSL certificate

What I would like to achieve:

  • Forward WebApp port 80 to 443
  • Run WebApp on port 443 with fixed wildcard certificate
  • Run dashboard on port 8443 with same fixed wildcard certificate and password

Static config:

# /data/traefik/traefik.yml
# Entrypoints
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
  internal:
    address: :8080
  internalsecure:
    address: :8443

# Docker configuration backend
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.localhost`)"
  file:
    directory: /etc/traefik/dynamic

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

Dynamic config:

# /data/traefik/dynamic/traefik_dynamic.yml
http:
  routers:
    api:
      rule: Host(`traefik.domain.eu`)
      service: api@internal
      entryPoints:
        - internal
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" # user: test password:test

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/domain.eu.crt
        keyFile: /etc/traefik/certs/domain.eu.key

Docker Traefik:

docker run \
  --name traefik \
  --restart always \
  --publish 80:80 \
  --publish 443:443 \
  --publish 8080:8080 \
  --publish 8443:8443 \
  -v /data/traefik:/etc/traefik \
  -v /data/certs:/etc/traefik/certs \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --detach traefik:v2.4

Docker WebApp:

docker run \
  --name whoami \
  --label "traefik.enable=true" \
  --label 'traefik.http.routers.whoami.rule=Host(`whoami.domain.eu`)' \
  --label "traefik.http.routers.whoami.entrypoints=websecure" \
  --detach containous/whoami

Various questions arise:

  • Will Proxy Protocol be recognized by default?
  • Will it run like this without docker compose?
  • How do I add the wildcard cert to the docker provider?
  • How do I add the wildcard cert to the dashboard?

More hours spent with documentation and various examples and forum posts. Slowly getting the pieces together. Traefik uses a "static" config file; from it you can include multiple "dynamic" ones. This example enables proxy protocol and a regular wildcard certificate for the web-app.

traefik.yml:

log:
  level: DEBUG # <- this helps during setup

# Entrypoints
entryPoints:
  web:
    address: ":80"
    proxyProtocol: # <- enable proxy protocol
      trustedIPs:
        - "1.2.3.4"
    http:
      redirections: # <- just redirect to SSL
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    proxyProtocol: # <- enable proxy protocol
      trustedIPs:
        - "1.2.3.4"

# Docker configuration backend
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.localhost`)"
  file:
    directory: /etc/traefik/configuration # <- include all files in folder
    watch: true

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

accessLog: # <- enable regular access log
  filePath: "/var/log/traefik/traefik.log"
  bufferingSize: 10

configuration/ssl.yml:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/domain.eu.crt
        keyFile: /etc/traefik/certs/domain.eu.key
  certificates: # <- not sure if this is required again; note this key is a list of certificate entries
    - certFile: /etc/traefik/certs/domain.eu.crt
      keyFile: /etc/traefik/certs/domain.eu.key

WebApp container:

docker run \
  --name whoami \
  --label "traefik.enable=true" \
  --label 'traefik.http.routers.whoami.rule=Host(`whoami.domain.eu`)' \
  --label "traefik.http.routers.whoami.entrypoints=websecure" \
  --label "traefik.http.routers.whoami.tls=true" \
  --detach containous/whoami

All that is left is the dashboard with SSL and password...
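As an added example (not part of the original post), one way to finish that last step: serve the dashboard on the internalsecure entrypoint (8443) behind the same default wildcard certificate and basic auth, and turn the insecure API off so the dashboard is no longer reachable unauthenticated on 8080. The entrypoint name, host, trusted IP and file directory follow the post; the dashboard.yml file name and the password hash are placeholders.

```yaml
# --- traefik.yml (static): changes on top of the post's file ---
entryPoints:
  internalsecure:
    address: ":8443"
    proxyProtocol:            # the same load balancer fronts this port, so trust it here too
      trustedIPs:
        - "1.2.3.4"

api:
  dashboard: true
  insecure: false             # no unauthenticated dashboard on :8080 any more

# --- configuration/dashboard.yml (dynamic): picked up from providers.file.directory ---
http:
  routers:
    dashboard:
      rule: "Host(`traefik.domain.eu`)"
      entryPoints:
        - internalsecure
      service: api@internal   # built-in service that serves the API and the dashboard
      middlewares:
        - dashboard-auth
      tls: {}                 # TLS on, no certResolver: the default store certificate (the wildcard) is used
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          # placeholder, not a real hash: generate one with `htpasswd -nB admin`
          - "admin:$apr1$REPLACE_ME$with_htpasswd_output"
```

The traefik container then needs `--publish 8443:8443` and no longer `8080:8080`, and the dashboard answers at https://traefik.domain.eu:8443/dashboard/ after the basic auth prompt.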