Hi all, new to traefik, and after some early advice…
On the “LAN” side, e.g. 192.168.0.0/24, I have various services on different hosts/IPs/ports.
I want to make these available via e.g. “https://something.mydomain.com/xxx”
With the SSL handled by traefik/acme, and a sprinkle of DNS…
LAN side, let's assume Traefik is on 192.168.0.54, and my router is set up to forward WAN ports 80 and 443 to it.
This is all quite straightforward if my single WAN IP were e.g. “1.1.1.1”.
However, I have multiple WANs, for example “1.1.1.1” and “2.2.2.2”.
What would be the “right” way to set this up?
DNS Side, multiple ‘A’ records would be fine, but bonus if I can use SRV instead.
WANs are very different speeds - “WAN1 / 1.1.1.1” is 1000/115 Mbps down/up, while “WAN2 / 2.2.2.2” is only 80/20.
Extra bonus if Traefik can help here: if it got a request on WAN2, try an HTTP redirect to … but if it can't access WAN1 for some reason, don't force it!
Then are there any special steps I need to ensure the SSL cert works on both IPs?
Apologies for the idiot questions - besides port forwarding I haven't set anything up yet for either WAN/IP, I just want to avoid doing anything now that will cause me bigger headaches down the road!
Usually requests come in via DNS and WAN. Traefik doesn’t really care about your WANs, it should listen on all available interfaces. Requests are then forwarded/proxied to local target services via LAN.
It's more about how to more effectively load balance traffic across my different WANs.
For example purposes, let's define:
“WAN1” = “1.1.1.1” and is a 1000 Mbps down, 100 Mbps up circuit
“WAN2” = “2.2.2.2” and is an 80 Mbps down, 20 Mbps up circuit.
Using pure DNS A records, I can list both IPs, but which gets used is down to pure chance - different resolvers will return the two IPs in random orders, and which gets used is up to whatever client (though it would usually be the first answer).
Using DNS SRV records, I can do the same thing, but apply different priorities etc., essentially saying “I'd prefer you use 1.1.1.1”.
However, plain HTTP(S) will only look at A records afaik.
So is there any way to get Traefik to help here? E.g. initially, if it receives a connection from a client to 2.2.2.2, it would first respond with a Location header to redirect to 1.1.1.1, but assuming there's “some issue” then on subsequent requests it will still allow them to use 2.2.2.2 without giving the redirect header.*
(* e.g. WAN1 is down, clients ISP has a routing issue, etc etc…)
Note: Can fully appreciate my traefik instance might need another interface/ip, or port, and my router/firewall rules need adjusting so it can know which WAN was used for the request.
Also I’ve now set this up successfully, albeit on a single WAN for now.
Traefik/Router/etc. are all configured to forward both WANs, and it all works fine; I've just only published a single DNS A record with WAN1's IP.
SSL-wise, it simply doesn't care about the IP, so that's all fine.
Incoming requests from external are not really "managed" by Traefik, those requests can’t really be steered by Traefik. Traefik just listens for incoming requests.
Or do you mean to control the forwarded/proxied requests by Traefik to the target services?
Yes, using Traefik to control/steer traffic is a good way to put it.
1. Client makes request
2. Client's browser/etc. looks up address, makes connection on “ip”
3. Router forwards this to Traefik's entrypoint
4. …..
5. Traefik forwards request to backend, and gets response
6. Traefik sends response to client
It's step 4, the “…..” bit, quite likely with some custom code, where I'd like Traefik to analyse the request, initially at least “which WAN did we receive this request on?”
Currently there's just one entrypoint, with the router forwarding requests from both WAN IPs, so this likely needs to be tweaked so we have separate “WAN1 entrypoint” and “WAN2 entrypoint”, and adjust forwarding on the router, and perhaps specific DNS entries which only resolve to one of the IPs.
Essentially I just want WAN1 to get used all the time, unless there's some reason it can't be, at which point WAN2 becomes available for fallback.
But the Analysis would want to go along the lines of…
- Which WAN/entrypoint did this request come in on?
- If WAN1, just forward to backend, and send response.
- If WAN2, check why… e.g. respond with a custom interstitial “page” with some JavaScript/etc., which can test the client's ability to connect via WAN1 and WAN2, and based on the results, if the client can connect to WAN1, then redirect to it, or if not, process the request and reply via WAN2.
Thinking this through further, this almost wants to be a separate “app” from my actual backend…
The DNS entry for “roundrobin.hostname.com” (with multiple A records) always goes to this “app”, and this is the only address clients ever get given.
And the app then redirects clients to the relevant “specificWAN.hostname.com” which only resolves to a single IP.
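As an added example (not from this thread or from Traefik's docs), here is what the “one entrypoint per WAN, plus WAN-specific hostnames” idea looks like in Traefik v2 YAML. It assumes the router forwards WAN1 443 to 192.168.0.54:443, WAN2 443 to 192.168.0.54:8443, both WANs' port 80 to 192.168.0.54:80, that dynamic.yml is loaded through the file provider, and that wan1/wan2/roundrobin.mydomain.com and the backend address are constructed names:

```yaml
# traefik.yml (static configuration); all addresses and names are constructed.
# Assumed router port forwarding, so the entrypoint identifies the WAN:
#   WAN1 1.1.1.1:443 -> 192.168.0.54:443,   WAN2 2.2.2.2:443 -> 192.168.0.54:8443
#   both WANs' port 80 -> 192.168.0.54:80 (shared, so HTTP-01 works for every name)
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"     # WAN1 HTTPS
  wan2websecure:
    address: ":8443"    # WAN2 HTTPS
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@mydomain.com        # placeholder
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
---
# dynamic.yml (dynamic configuration, file provider)
http:
  routers:
    app-wan1:
      entryPoints: ["websecure"]
      rule: "Host(`wan1.mydomain.com`) || Host(`roundrobin.mydomain.com`)"
      service: app
      tls:
        certResolver: letsencrypt
    app-wan2:
      entryPoints: ["wan2websecure"]
      rule: "Host(`wan2.mydomain.com`) || Host(`roundrobin.mydomain.com`)"
      middlewares: ["prefer-wan1"]
      service: app
      tls:
        certResolver: letsencrypt
  middlewares:
    prefer-wan1:
      # 302 (not 301): nothing is cached, so a later visit to the round-robin
      # name can still be served on WAN2 when WAN1 is unreachable. A redirect
      # that first probes WAN1 cannot be expressed here; that is the interstitial app.
      redirectRegex:
        regex: "^https://[^/]+/(.*)"
        replacement: "https://wan1.mydomain.com/${1}"
        permanent: false
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.10:8080"   # placeholder LAN backend
```

Because wan1.mydomain.com resolves only to 1.1.1.1, the redirect target always lands on the websecure entrypoint, which carries no redirect middleware, so a redirect loop cannot occur.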