I have a domain example.com, and I would like to temporarily house a second host server locally, under the same public IP, with Traefik, at sub.example.com. However, example.com's Traefik instance continues to grab connections heading to sub.example.com. Once I move the server under a different IP, this won't be an issue, but for now is there a way to globally tell Traefik not to interfere at all with a certain host match?
The picture is not clear yet.
- Is Traefik your reverse proxy for all (sub-)domains on ports 80/443 on your server?
- Is it running as container?
- Are your target services in containers?
- Are you using Traefik Docker Configuration Discovery?
- Can you share your Docker/Traefik configuration?
My apologies.
- Yes, Traefik is my reverse proxy for both ports on both servers.
- Yes, as a Docker container.
- Most of them are, however I have a couple of routers that forward to non-docker services.
- I am uncertain, perhaps my configuration can clear that up.
- Certainly.
reverse-proxy.yml

```yaml
version: '3'
services:
  traefik:
    image: traefik:v2.9.5
    restart: always
    environment:
      TZ: ${TIMEZONE}
      CF_API_EMAIL: ${CLOUDFLARE_EMAIL}
      CF_DNS_API_TOKEN: ${CLOUDFLARE_DNS_CHALLENGE_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - web_net
    volumes:
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./traefik/config:/etc/traefik/config
      - ./traefik/acme.json:/acme.json
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`monitor.home.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certResolver=example-com-domain"
      - "traefik.http.routers.api.middlewares=trusted-local-only@file"

networks:
  web_net:
    name: web_net
    external: true
```
traefik.yml

```yaml
global:
  checkNewVersion: true

log:
  level: INFO

api:
  dashboard: true

ping: {}

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    exposedByDefault: false
    watch: true
    network: web_net
  file:
    directory: "/etc/traefik/config"
    watch: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

certificatesResolvers:
  example-com-domain:
    acme:
      email: "my-email@example.com"
      storage: "acme.json"
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
```
routers.yml

```yaml
http:
  routers:
    netdata:
      service: netdata
      rule: "Host(`netdata.home.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - trusted-local-only
      tls:
        certResolver: example-com-domain
    opnsense:
      service: opnsense
      rule: "Host(`router.home.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - trusted-local-only
      tls:
        certResolver: example-com-domain
    sub-example-com:
      service: sub-example-com
      rule: "HostRegexp(`sub.example.com`, `{subdomain:[a-z]+}.sub.example.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: example-com-domain

  services:
    netdata:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:19999"
    opnsense:
      loadBalancer:
        servers:
          - url: "https://192.168.10.1"
    sub-example-com:
      loadBalancer:
        servers:
          - url: "https://192.168.10.115"
```
middlewares.yml

```yaml
http:
  middlewares:
    local-only:
      ipWhiteList:
        sourceRange:
          - "192.168.10.0/24"
          - "192.168.20.0/24"
          - "192.168.40.0/24"
    trusted-local-only:
      ipWhiteList:
        sourceRange:
          - "192.168.10.0/24"
          - "192.168.40.0/24"
```
These are the configuration files from the domain server.
I don't see a simple example.com router.

In general: Traefik checks the routers according to priority if the rule matches. The first match will be used. The rule priority is set by its length. Longer rule, more characters, higher priority (number).

If it happens that the example.com rule is longer than sub.example.com, then you need to adjust the priority. Just set priority for sub.example.com to 4096 and you should be fine.

Make sure your rule (especially HostRegexp) works correctly, maybe remove the higher example.com completely to test your sub-domain.

Note that you probably run into issues with LetsEncrypt. The domain for LE needs to be explicitly defined or LE uses rule=Host() entries. As you have neither on sub.domain.com, it should not get a valid LE certificate.

Further note that you have a forward from websecure to websecure, that is not common practice. You can add TLS directly to the entrypoint websecure.
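The three points from the reply above applied to the poster's own files, as an added example that is not part of the thread: TLS set on the websecure entrypoint instead of the self-redirect, an explicit priority on the sub.example.com router so it wins regardless of how long the example.com rule is, and explicit ACME domains because a HostRegexp rule gives the resolver no hostname to request. The 4096 value comes from the reply; the wildcard SAN assumes the Cloudflare DNS challenge is usable for this zone.

```yaml
# --- traefik.yml, entryPoints section (replaces the websecure -> websecure redirect) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: example-com-domain   # TLS terminated on the entrypoint itself

# --- config/routers.yml, the sub.example.com router and its service ---
http:
  routers:
    sub-example-com:
      service: sub-example-com
      rule: "HostRegexp(`sub.example.com`, `{subdomain:[a-z]+}.sub.example.com`)"
      # Default priority is the rule length; an explicit value outranks any
      # example.com router no matter how many characters its rule has.
      priority: 4096
      entryPoints:
        - websecure
      tls:
        certResolver: example-com-domain
        # HostRegexp yields no hostname for ACME, so the names are listed here.
        # The wildcard SAN assumes a DNS challenge (Cloudflare in this setup).
        domains:
          - main: "sub.example.com"
            sans:
              - "*.sub.example.com"
  services:
    sub-example-com:
      loadBalancer:
        servers:
          - url: "https://192.168.10.115"
```

With TLS on the entrypoint, the per-router `tls:` blocks on netdata and opnsense become optional; they are harmless if left in place.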
Thanks so much for your time, @bluepuma77
As you might have suspected, I left out a file listing my web services to simplify the issue, and that contains my router for example.com. Thank you also for educating me about how Traefik deals with priorities; I looked into it further afterward.
I had been having further issues with my configuration. I was able to access sub.example.com, but not further subdomains under that. I realized it was a DNS problem within my own network and it's working smoothly now.