How to move from nginx-proxy Docker to traefik Docker with proxy-protocol and wildcard certificate

Traefik Traefik v2
,
1

Hi all,

we currently use nginx-proxy and would like to move to traefik as we heard so much appraisal. I spent multiple hours now researching, reading and trying to put the right configuration together but I am failing miserably, even on a single host.

What I got:

  • External TCP Load-Balancer forwarding with Proxy-Protocol (to get request IP)
    (using plain TCP forward on all used ports with proxy protocol)
  • Traefik in Docker
  • WebApp in Docker
  • Wildcard SSL certificate

What I would like to achive:

  • Forward WebApp port 80 to 443
  • Run WepApp on port 443 with fixed wildcard certificate
  • Run dashboard on port 8443 with same fixed wildcard certificate and password

Static config:

# /data/traefik/traefik.yml
# Entrypoints
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
  internal:
    address: :8080
  internalsecure:
    address: :8443

# Docker configuration backend
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.localhost`)"
  file:
    directory: /etc/traefik/dynamic

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

Dynamic config:

# /data/traefik/dynamic/traefik_dynamic.yml
http:
  routers:
    api:
      rule: Host(`traefik.domain.eu`)
      service: api@internal
      entryPoints:
        - internal
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" # user: test password:test

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/domain.eu.crt
        keyFile: /etc/traefik/certs/domain.eu.key

Docker Traefik:

docker run \
  --name traefik \
  --restart always \
  --publish 80:80 \
  --publish 443:443 \
  --publish 8080:8080 \
  --publish 8888:8888 \
  -v /data/traefik:/etc/traefik \
  -v /data/certs:/etc/traefik/certs \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --detach traefik:v2.4

Docker WebApp:

docker run \
  --name whoami \
  --label "traefik.enable=true" \
  --label 'traefik.http.routers.whoami.rule=Host(`whoami.domain.eu`)' \
  --label "traefik.http.routers.whoami.entrypoints=websecure" \
  --detach containous/whoami

Various questions arise:

  • Will ProxyProtokoll be recognized by default?
  • Will it run like this without docker compose?
  • How do I add the wildcard cert to the docker provider?
  • How do I add the wildcard cert to the dashboard?
2

More hours spent with documentation and various examples and forum posts. Slowly getting the pieces together. Traefik uses a "static" config file, you can include multiple "dynamic" ones. This example enables proxy protocol and a regular wildcard certificate for the web-app.

traefik.yml:

log:
  level: DEBUG # <- this helps during setup

# Entrypoints
entryPoints:
  web:
    address: ":80"
    proxyProtocol: # <- enable proxy protocol
      trustedIPs:
        - "1.2.3.4"
    http:
      redirections: # <- just redirect to SSL
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    proxyProtocol: # <- enable proxy protocol
      trustedIPs:
        - "1.2.3.4"

# Docker configuration backend
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.localhost`)"
  file:
    directory: /etc/traefik/configuration # <- include all files in folder
    watch: true

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

accessLog: # <- enable regular access log
  filePath: "/var/log/traefik/traefik.log"
  bufferingSize: 10

configuration/ssl.yml:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/domain.eu.crt
        keyFile: /etc/traefik/certs/domain.eu.key
  certificates: # <- not sure if this is required again
    certFile: /etc/traefik/certs/domain.eu.crt
    keyFile: /etc/traefik/certs/domain.eu.key

WebApp container:

docker run \
  --name whoami \
  --label "traefik.enable=true" \
  --label 'traefik.http.routers.whoami.rule=Host(`whoami.domain.eu`)' \
  --label "traefik.http.routers.whoami.entrypoints=websecure" \
  --label "traefik.http.routers.whoami.tls=true" \
  --detach containous/whoami

All that is left is the dashboard with SSL and password...