Hi there,
I'm very new to Traefik, but we want to configure this scenario, which is almost working, but I need some help figuring out what is left.
We have Traefik running on a Linux VM and it's working properly as a proxy to another container. We access this additional container like this IP/containername/. The "containername" gets automatically created when a new instance of the secondary container is created, so we can have IP/containername1/ and so on.
In order to add some authentication in front of the "containername", we created an Azure Web app that hosts an Nginx proxy setup. The authentication is done on the web app so that it's tied to Azure AD. If the authentication works, then the Nginx proxy grabs the web app's URL and then uses it to access the "containername". For example, "https://azurewebapp.azurewebsites.net/containername". That part is also working fine.
Now, the part that I'm having a problem with is that now I was asked to secure the "containername" access that is done from the Nginx proxy to the VM that hosts the "containername" instance. For that, I created a new SSL certificate that is tied to a domain, for example, securedomain.domain.com. I added the correct labels to the "containername" container docker-compose.yml file so that it would accept the connection under "securedomain.domain.com", which is working. But because I have that working, the original URL, "azurewebapp.azurewebsites.net/containername", isn't working anymore. I need to somehow get that one to still work so that authentication can happen properly.
Hopefully that makes sense, but what am I missing that I would have broken the connection under Azure? Are there any additional labels I need? Since this Nginx web app is in Azure, do I need to do anything there so that Traefik can accept the connection, maybe?
Thank you in advance, this is driving me crazy!
-Christian
Can you describe the roles of Traefik, nginx and Azure? In what order are they chained? It’s not clear to me.
No problem.
- We have a VM that has Traefik running in a container, which is working fine. Another application that runs inside another container is initialized and the .sh script that creates it has a whole bunch of information tied to Traefik so that Traefik will recognize it and proxy access to this new container. So within this VM, someone can access IP/container1 and Traefik will proxy the connection. That too has been working fine.
- Once this additional container has been created, the user will receive a URL that will look like https://azurewebappname.azurewebsites.net/container1, which will require the user to authenticate to access it.
- Once the user has authenticated against Azure AD, the user will be redirected to the right container and shown the application.
- Now what I had to do is secure the Traefik proxy connection so that instead of going to IP/container1, it would have an SSL certificate configured and then the local connection would be https://local.domain.com/container1. I did get this to work as well by setting up TLS and configuring docker-compose.yml file for container1 to accept that domain. This is the line I put in:
-l "traefik.http.routers.$NAME.rule=Host(\`local.domain.com\`)" \
-l "traefik.http.routers.$NAME.tls=true" \
-l "traefik.http.routers.$NAME.entrypoints=web,websecure" \
But when I did step 4 above, the https://azurewebappname.azurewebsites.net/container1 stopped working. We need it to work because that's where the authentication takes place and externally, that is the URL we're going to send to clients. What did I do to break that Azure URL? If I remove the "Host" entry in the docker-compose.yml file, it works fine.
Thanks, hopefully that helps more.
Christian
I would enable debug log and access log to see what’s happening in Traefik. If you just switch it on you see the output in the Traefik container stdout.
Are requests from Azure actually getting to Traefik? Does Azure accept the Traefik SSL certs?
Are you aware of Traefik ForwardAuth middleware? Maybe that can be used by Traefik to use Azure for auth.
Hi there,
Apologies, I just had a meeting with the team that needs this implemented and it looks like I was trying to configure the wrong container. I actually need to get SSL configured on Traefik itself so that it is secured with a domain and certificate. Since it's not related to this request, I can go ahead and create a new thread.
Thank you anyway for your help bluepuma77!
-Christian