Https termination - redirection to multiple apps (owncloud, rocket, jitsi)

awedmondson · March 27, 2023, 1:37pm

I'm new to traefik, so here goes. Using treafik docker.
I have my own certificate and key (not wildward), The SSL is terminated by Traefik. Is it possible for the requests to FQDN/rocketchat and FDQN/Jitsi to be forwarded to their respective containers?
Thanks
Here below is my attempt, starting with app one.

> docker-compose.yml: below

version: '3'

services:
traefik:
# The latest official supported Traefik docker image
image: traefik:latest
ports:
# Exposes port 80 for incomming web requests
- "80:80"
- "443:443"
# The Web UI port http://0.0.0.0:8080 (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
# Copies the certificate locally for ease of backing up
- ~/github/certs:/ssl
# Mounts the Traefik static configuration inside the Traefik container
- ./traefik.yml:/etc/traefik/traefik.yml
- ./data/configurations:/dynamic_config
# logfile path
- ./logs/:/logs/
rocketchat:
image: rocketchat/rocket.chat:3.17.0
command: bash -c 'for i in seq 1 30; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
restart: always
volumes:
- ./uploads:/app/uploads
environment:
- PORT=3000
- ROOT_URL=http://fedora.adal-vimba.ts.net
- VIRTUAL_HOSTs=fedora.adal-vimba.ts.net
- MONGO_URL=mongodb://mongo:27017/rocketchat
- MONGO_OPLOG_URL=mongodb://mongo:27017/local
- Accounts_UseDNSDomainCheck=false
depends_on:
- mongo

 labels:
   - "traefik.enable=true"
# Routers
   - "traefik.http.routers.rocketchat.rule=Host(`fedora.adal-vimba.ts.net`)  && PathPrefix(`/rocketchat`)"
   - "traefik.http.routers.rocketchat.entrypoints=web"
   - "traefik.http.routers.rocketchat.middlewares=test-redirectscheme"
   - "traefik.http.routers.rocketchat-secure.rule=Host(`fedora.adal-vimba.ts.net`)  && PathPrefix(`/rocketchat`)"
   - "traefik.http.routers.rocketchat-secure.entrypoints=websecure"

  # Services
   - "traefik.http.services.rocket-secure.loadbalancer.server.port=3000"

  # Define middleware for rocketchat-app
   - "traefik.http.middlewares.rocket-strip-prefix.stripprefix.prefixes=/rocketchat"
  # Apply path /rocketchat to middleware to router
   - "traefik.http.routers.rocketchat-secure.middlewares=rocket-strip-prefix"
  # Redirect Scheme HTTP -> HTTPS
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"

mongo:
image: mongo:4.0
restart: always
volumes:
- ./data/db:/data/db
command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1

mongo-init-replica:
image: mongo:4.0
command: 'bash -c "for i in seq 1 30; do mongo mongo/rocketchat --eval "rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})" && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)"'
depends_on:
- mongo

traefik.ymlyml below

################################################################
# API and dashboard configuration
################################################################
api:
# Dashboard

dashboard: true
insecure: true
################################################################
# Docker configuration backend
################################################################
providers:
docker:
exposedByDefault: false
file:
directory: ./dynamic_config/
watch: true

################################################################
# Traefik Logging
################################################################
log:
level: INFO

################################################################
# Entrypoint
################################################################
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls: {}

dynamic_config below:

# Dynamic configuration
# in configuration/certificates.yaml
tls:
  certificates:
    # first certificate
    - certFile: /ssl/fedora.adal-vimba.ts.net.crt
      keyFile: /ssl/fedora.adal-vimba.ts.net.key

bluepuma77 · March 27, 2023, 3:02pm

Please format your code with 3 backticks or the </> button for better readability.

Have you looked at the examples posted in this community, like this simple example, and start from there?

Own TLS certs need to be loaded in static config with provider.file from a dynamic config file, Traefik will automaticallyy use the right one matching the domain in Host():

tls:
  options:
    myDefault:
      minVersion: VersionTLS12
  certificates:
    - certFile: /path/to/cert.crt
      keyFile: /path/to/cert.key

awedmondson · March 28, 2023, 7:36am

Thank you for your response. The SSL isn't the issue, that terminates ok (I now include the dynamic yaml with the certs for better clarity).

The problem is how to redirect different apps identified by https://FDQN/app1 and https://FDQN/app2 to different containers after SSL termination.

bluepuma77 · March 28, 2023, 10:33am

Do you want to redirect (return a new HTTP URL) or just route the request to the service?

Redirect is done via middlewares, see example linked above. Routing is done via routers and rule.

Service1 / App1:

    labels:
      - traefik.enable=true
      - traefik.http.routers.app1.rule=Host(`example.com`) && PathPrefix(`/app1`)

Service2 / App2:

    labels:
      - traefik.enable=true
      - traefik.http.routers.app2.rule=Host(`example.com`) && PathPrefix(`/app2`)

If you need to remove the path in the final request to your service, you need to create and assign a StripPrefix() middleware.

Note that routing by path works well with APIs, but usually not with applications, as they are mostly not path-aware. They can return redirects or links without your path-prefix, then the app does not work as desired.