Hello everybody,
In our LAN there already exists an old nginx proxy to route the traffic towards the sites *.demo.x.y
Since these sites are not Docker applications, I'd like to keep this proxy active and define a new domain like *.stage.x.y to be handled by Traefik.
I've managed to enable Traefik to work with automatic SSL, changing the NAT rules in our firewall to enable HTTP/HTTPS toward the Traefik proxy.
Of course this impacts the old nginx proxy, and so I had to restore the previous NAT rules.
I need to find a solution to keep both proxies and use one (possibly Traefik) to route traffic to the other.
Any suggestions?
=> The idea is to use Traefik as the only entrypoint. If the domain is something in *.demo.x.y, then it points to your legacy proxy, seen as a "Backend Service" for Traefik.
If the domain is in *.stage.x.y, then let Traefik handle it with the Docker applications (or any other backend service you have).
=> With Traefik v2.0, you can even use tls.passthrough with a TCP router if you must terminate TLS for *.demo.x.y at the Nginx level. If you don't need this, then it is easier to let Traefik do its job and specify an HTTP router with the "file provider".
If the setup is correct for you, let us know so we can help on the configuration to write.
Hello dduportal,
Yes, that's what I meant in my question.
Ideally Traefik would act as the 'main' proxy, routing all requests toward *.demo.x.y to the legacy nginx.
The legacy proxy is also used to handle the ACME SSL certificates for all domains under *.demo..., so this functionality should also be preserved.
Thanks for your help.
Here is a configuration I quickly drafted and tested.
I'm using Docker for Traefik, a "new backend" and the "legacy" backend.
Of course, the "legacy backend" is excluded from Traefik's automatic Docker provider: it has its ports 9080 and 9443 published at the host level to simulate "another" machine. Then the file provider configures two services to reach these two ports through the Docker gateway IP.
And of course, the tls.passthrough mode is enabled in a TCP router for the "legacy" HTTPS, while HTTP routers are used for the three other cases (HTTP on legacy, HTTP on new webapp and HTTPS on new webapp).
Please note you'll have to change the TLS certificates provided from file to your own setup and adapt the routing rule. Also, I have not added the HTTP -> HTTPS redirect.
Let me know if you don't understand the configuration or if you are having issues. Don't hesitate to use the dashboard available at http://dashboard.localhost/ in this example; it will help you check your configuration.
Docker-Compose Manifest (docker-compose.yml):
version: '3'
services:
  reverse-proxy:
    image: traefik:v2.0
    command:
      - --providers.docker
      - --providers.file.filename=/etc/traefik/dyn-conf.yml
      - --entryPoints.web.address=:80
      - --entryPoints.web-secure.address=:443
      - --api.dashboard=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The Docker socket gives Traefik read access to every container on this host
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dyn-conf.yml:/etc/traefik/dyn-conf.yml
      - ./certs:/certs
    labels:
      - "traefik.http.routers.traefik.rule=Host(`dashboard.localhost`)" # Dashboard
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.service=api@internal"
  new-webapp:
    image: containous/whoami
    expose:
      - "80" # Reachable on the Docker network only, not published on the host
    labels:
      # Use Traefik's Docker provider to reach this service, through Docker network
      - "traefik.http.routers.new-webapp.rule=Host(`new.localhost`)" # HTTP
      - "traefik.http.routers.new-webapp.entrypoints=web"
      - "traefik.http.routers.new-webapp-secure.rule=Host(`new.localhost`)" # HTTPS, TLS terminated by Traefik
      - "traefik.http.routers.new-webapp-secure.entrypoints=web-secure"
      - "traefik.http.routers.new-webapp-secure.tls=true"
  legacy-webapp:
    image: nginx:alpine
    ports:
      # Published on the host so it looks like a separate machine to Traefik
      - "9080:9080"
      - "9443:9443"
    volumes:
      - ./certs:/certs
      - ./default.conf:/etc/nginx/conf.d/default.conf
    labels:
      # Use Traefik's file provider to reach this service, through the Docker bridge IP
      - "traefik.enable=false"
Traefik Dynamic Configuration for File Provider: (dyn-conf.yml):
tls:
  certificates:
    # Certificates Traefik serves itself (used by the new-webapp-secure router)
    - certFile: /certs/new.localhost+1.pem
      keyFile: /certs/new.localhost+1-key.pem
http:
  routers:
    legacy:
      entryPoints:
        - "web"
      rule: "Host(`legacy.localhost`)"
      service: legacy-web
  services:
    legacy-web:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:9080" # Put here the IP of the Nginx server, port of HTTP
tcp:
  routers:
    legacy:
      entryPoints:
        - "web-secure"
      # Routing decision is taken on the SNI only; the TLS stream is forwarded untouched
      rule: "HostSNI(`legacy.localhost`)"
      service: legacy-websecure
      tls:
        passthrough: true # Nginx keeps terminating TLS and handling its own certificates
  services:
    legacy-websecure:
      loadBalancer:
        servers:
          - address: "172.17.0.1:9443" # Put here the IP of the Nginx server, port of HTTPS
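The HostSNI rule of the TCP router in that configuration works only because the server name in a TLS ClientHello is sent in the clear, before any key exchange: with passthrough, Traefik never decrypts anything, it reads that one field and forwards the bytes to Nginx. The Python script below is an added example, not part of the thread or of Traefik's own code. It builds a minimal ClientHello, extracts the SNI the way a passthrough proxy has to, and emulates the router decision for the host names of the posted config (`legacy.localhost` and `new.localhost` are taken from it; the `TCP_ROUTERS` table, `build_client_hello`, `parse_sni` and `route_sni` are this example's own names, and case-insensitive matching is an assumption). It also shows the case a practitioner will run into: a client that connects by IP address or is told not to send SNI (`openssl s_client -noservername`) matches no HostSNI(`legacy.localhost`) router, so Traefik keeps that connection and terminates TLS itself instead of handing it to Nginx; only a catch-all HostSNI(`*`) router also matches a hello without SNI.

```python
import os
import struct
from typing import Dict, Optional

# Router table mirroring the posted dyn-conf.yml: only the legacy name has a
# passthrough TCP router. new.localhost has no TCP router on purpose, since
# Traefik terminates TLS for it itself (HTTP router with tls=true).
TCP_ROUTERS: Dict[str, str] = {"legacy.localhost": "legacy-websecure"}


def _sni_extension(host: str) -> bytes:
    """server_name extension (RFC 6066): type 0 with one host_name entry."""
    name = host.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed TLS 1.2-style ClientHello record; host=None sends no SNI at all."""
    cipher_suites = b"\x13\x01\x13\x02\x13\x03\xc0\x2f"          # four suites, 2 bytes each
    extensions = _sni_extension(host) if host is not None else b""
    body = (
        b"\x03\x03" + os.urandom(32)                             # client_version + random
        + b"\x00"                                                # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                            # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is all a passthrough proxy gets to see: the ClientHello is the first,
    unencrypted message, and nothing after it is readable without the keys.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:               # not handshake / not ClientHello
            return None
        record_len = struct.unpack("!H", record[3:5])[0]
        if len(record) < 5 + record_len:
            return None                                          # truncated: a proxy would wait for more bytes
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        pos = 2 + 32                                             # skip version and random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos >= len(body):
            return None                                          # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                    # server_name
                names = body[pos + 2:pos + ext_len]              # skip the list length
                p = 0
                while p + 3 <= len(names):
                    name_type = names[p]
                    name_len = struct.unpack("!H", names[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:
                        return names[p:p + name_len].decode("idna")
                    p += name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None                                              # malformed hello: treat as no SNI


def route_sni(record: bytes, routers: Dict[str, str] = TCP_ROUTERS) -> Optional[str]:
    """Emulate Traefik's TCP router choice for one ClientHello.

    Returns the passthrough service name, or None when no TCP router matches,
    in which case Traefik keeps the connection and terminates TLS itself.
    A "*" entry stands for HostSNI(`*`), the only rule that also matches a
    hello without SNI. Names are compared case-insensitively here (assumption).
    """
    sni = parse_sni(record)
    if sni is not None:
        hit = routers.get(sni.lower())
        if hit is not None:
            return hit
    return routers.get("*")


if __name__ == "__main__":
    for host in ("legacy.localhost", "new.localhost", None):
        hello = build_client_hello(host)
        print(f"SNI={host!s:18} -> {route_sni(hello) or 'Traefik terminates TLS itself'}")
    # With a catch-all router, the SNI-less client would reach Nginx too
    with_catch_all = {**TCP_ROUTERS, "*": "legacy-websecure"}
    print("no SNI + HostSNI(`*`) ->", route_sni(build_client_hello(None), with_catch_all))
```

Two practical consequences follow from this for the thread's setup. First, because Traefik only ever sees the SNI of the legacy traffic, Nginx keeps serving its own certificates, and a TLS-ALPN-01 challenge for a *.demo name would pass straight through to it. Second, an HTTP-01 challenge arrives on port 80, so the plain HTTP `legacy` router on the `web` entrypoint is what lets Nginx keep renewing the *.demo certificates, even if every real visitor is later redirected to HTTPS; dropping that HTTP router would silently break renewal.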