My problem is that I have an IdentityServer4 instance that must be available in front of and behind my reverse proxy. So far it looks like everything is good in front but not behind.
- [x] https://api.mydomain.com is available from any public browser
- [x] https://portal.mydomain.com is available from any public browser
- [ ] userportalmvc cannot consume from https://api.mydomain.com (Internal Server Error)
I was having this problem in Apache httpd and a few people suggested that Traefik could be a better fit for what I am doing. I got Traefik set up easily but I am still having the same problems. When I attach a shell to userportalmvc and use curl, my calls to https://api.mydomain.com time out. I am not sure if this is an issue with the DNS or with the SSL certificate not showing the correct issuer.
I can get everything to work if I add ports to each call, but this does not seem desirable because I would then need to open a new port for each new service and users would see the port number in their web browsers.
- [x] https://api.mydomain.com:3333 is available from any public browser
- [x] https://portal.mydomain.com:4444 is available from any public browser
- [x] userportalmvc can consume from https://api.mydomain.com:3333
I also tried to use a local address, but the CA will not accept this because it expects the public-facing IP address for my domain.
- [ ] userportalmvc cannot consume from https://172.100.100.13:3333 (cert rejected)
Please let me know if there is some detail that I am missing or if my entire approach needs to be reconsidered. Any guidance will be appreciated.
Here is my docker-compose file:
```yaml
version: '3.4'
services:
  traefik:
    image: "traefik:v2.2"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443 # Declares the web-secure entrypoint in Traefik
      - --providers.docker=true
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.10
    volumes:
      - sslskeys:/etc/ssls/
      - "/home/coder/traefik/configuration/:/configuration/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  identityapi:
    image: identityapi
    build:
      context: api/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.13
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.api.rule=Host(`api.mydomain.com`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.backend=primeapi" # Traefik v1 label; Traefik v2 ignores it
  userportalmvc:
    image: userportalmvc
    build:
      context: userportalmvc/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.14
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.portal.rule=Host(`portal.mydomain.com`)"
      - "traefik.http.routers.portal.tls=true"
      - "traefik.backend=userportalmvc" # Traefik v1 label; Traefik v2 ignores it
volumes:
  sslskeys:
    external: true
networks:
  mmsbridge:
    external: true
```
and here is /home/coder/traefik/configuration/traefik.TOML ...
```toml
# providers.* is static configuration (already set via the --providers.docker=true
# CLI flag); it is not a dynamic-configuration key and does not belong in a file
# loaded by the file provider, so it is commented out here.
# [providers.docker]

[[tls.certificates]]
  certFile = "/etc/ssls/mydomain.com/cert.pem"
  keyFile = "/etc/ssls/mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/identity.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/identity.mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/api.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/api.mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/portal.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/portal.mydomain.com/privkey.pem"
```
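The timeouts described above are the usual symptom of a container resolving the public hostname to the host's public IP, where the published port is often not reachable by hairpin from inside the Docker network. One way to keep a single, consistent URL (and a certificate that actually matches it) both in front of and behind the proxy is to let Docker's embedded DNS answer the public hostnames with Traefik's own address on the shared network. The compose fragment below is an added example, not the poster's file; it reuses the external `mmsbridge` network and the `sslskeys` volume from the question and assumes the other services stay exactly as posted. Only the `traefik` service gains `aliases`.

```yaml
# Added example (not the poster's configuration): give the Traefik container
# DNS aliases on the shared network so that other containers resolve the
# public hostnames to Traefik itself instead of to the public IP.
version: '3.4'
services:
  traefik:
    image: "traefik:v2.2"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443
      - --providers.docker=true
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.10
        # Docker's embedded DNS (127.0.0.11) answers these names for every
        # container attached to mmsbridge. A request to https://api.mydomain.com
        # from userportalmvc therefore lands on 172.100.100.10:443, is routed by
        # the Host() rule, and is served with the api.mydomain.com certificate
        # loaded by the file provider, so TLS validation passes unchanged.
        aliases:
          - api.mydomain.com
          - portal.mydomain.com
    volumes:
      - sslskeys:/etc/ssls/
      - "/home/coder/traefik/configuration/:/configuration/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  # identityapi and userportalmvc are unchanged from the original file and
  # are omitted here for brevity.

volumes:
  sslskeys:
    external: true

networks:
  mmsbridge:
    external: true
```

Before changing anything, the routing and certificate can be checked from the userportalmvc shell with `curl -v --resolve api.mydomain.com:443:172.100.100.10 https://api.mydomain.com/.well-known/openid-configuration`, which forces the name onto Traefik's internal address for that one request; the handshake output should show the api.mydomain.com certificate rather than Traefik's default self-signed one. After the aliases are in place, `getent hosts api.mydomain.com` inside the container should return 172.100.100.10 and the same curl works without `--resolve`. Because the issuer URL in the IdentityServer discovery document stays https://api.mydomain.com for callers on both sides of the proxy, no client needs a port in its URL and certificate validation does not have to be relaxed anywhere.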