Hey @spadazz no problem!
Here is a configuration I quickly drafted and tested.
I'm using docker for traefik, a "new backend" and the "legacy" backend.
Of course, the "legacy backend" is excluded from Traefik's docker automatic provider: it has its ports 9080 and 9443 published at the host level to simulate "another" machine. Then the file provider configures 2 services to reach these 2 ports through the Docker gateway IP.
And of course, the mode tls.passthrough is enabled in a tcp router for the "legacy" HTTPS, while HTTP routers are used for the 3 other cases (HTTP on legacy, HTTP on new webapp and HTTPS on new webapp).
Please note you'll have to change the tls certificates provided from file to your own setup, and adapt the routing rule. Also, I have not added the HTTP -> HTTPS redirect.
Let me know if you don't understand the configuration or if you are having issues. Don't hesitate to use the dashboard available at http://dashboard.localhost/ in this example, it will help you check your configuration.
- Docker-Compose Manifest (docker-compose.yml):

```yaml
version: '3'

services:
  reverse-proxy:
    image: traefik:v2.0
    command:
      - --providers.docker
      - --providers.file.filename=/etc/traefik/dyn-conf.yml
      - --entryPoints.web.address=:80
      - --entryPoints.web-secure.address=:443
      - --api.dashboard=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dyn-conf.yml:/etc/traefik/dyn-conf.yml
      - ./certs:/certs
    labels:
      - "traefik.http.routers.traefik.rule=Host(`dashboard.localhost`)" # Dashboard
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.service=api@internal"

  new-webapp:
    image: containous/whoami
    expose:
      - "80"
    labels:
      # Use Traefik's Docker provider to reach this service, through Docker network
      - "traefik.http.routers.new-webapp.rule=Host(`new.localhost`)" # HTTP
      - "traefik.http.routers.new-webapp.entrypoints=web"
      - "traefik.http.routers.new-webapp-secure.rule=Host(`new.localhost`)" # HTTPS
      - "traefik.http.routers.new-webapp-secure.entrypoints=web-secure"
      - "traefik.http.routers.new-webapp-secure.tls=true"

  legacy-webapp:
    image: nginx:alpine
    ports:
      - "9080:9080"
      - "9443:9443"
    volumes:
      - ./certs:/certs
      - ./default.conf:/etc/nginx/conf.d/default.conf
    labels:
      # Use Traefik's file provider to reach this service, through the Docker bridge IP
      - "traefik.enable=false"
```
- Traefik Dynamic Configuration for File Provider (dyn-conf.yml):

```yaml
tls:
  certificates:
    - certFile: /certs/new.localhost+1.pem
      keyFile: /certs/new.localhost+1-key.pem

http:
  routers:
    legacy:
      entryPoints:
        - "web"
      rule: "Host(`legacy.localhost`)"
      service: legacy-web
  services:
    legacy-web:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:9080" # Put here the IP of the Nginx server, port of HTTP

tcp:
  routers:
    legacy:
      entryPoints:
        - "web-secure"
      rule: "HostSNI(`legacy.localhost`)"
      service: legacy-websecure
      tls:
        passthrough: true
  services:
    legacy-websecure:
      loadBalancer:
        servers:
          - address: "172.17.0.1:9443" # Put here the IP of the Nginx server, port of HTTPS
```
- Nginx conf (default.conf):

```nginx
server {
    listen 9080;
    server_name legacy.localhost;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

server {
    listen 9443 ssl;
    server_name legacy.localhost;

    ssl_certificate /certs/new.localhost+1.pem;
    ssl_certificate_key /certs/new.localhost+1-key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```