I currently want to build a basic DMZ reverse proxy with SSL termination with Traefik v3. The proxy should be used for local services on HTTP(S) but should also deal with requests from outside which are coming from another reverse proxy (NGINX). For the second part I would like to utilize the Proxy Protocol.
I cannot seem to find good documentation on implementing such a system securely. I am aware of the entrypoint documentation at Traefik EntryPoints Documentation | Traefik | v3.1, but I don't know exactly how to implement it in practice.
I have found a somewhat comparable deployment of the Proxy Protocol at https://github.com/RealOrangeOne/infrastructure/blob/master/ansible/roles/traefik/files/traefik.yml:
```yaml
...
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
    proxyProtocol:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ tailscale_cidr }}"
  web-secure:
    address: :443
    http:
      ...
    proxyProtocol:
      trustedIPs:
        - "{{ pve_hosts.ingress.ip }}/32"
    forwardedHeaders:
      trustedIPs:
        - "{{ wireguard.server.ip }}/32" # This is obtained from the connecting `proxy_protocol`
...
```
What I am a little surprised about: the ProxyProtocol Specification specifically forbids port sharing between proxy-protocol and non-proxy-protocol ports:
> The receiver MUST be configured to only receive the protocol described in this specification and MUST not try to guess whether the protocol header is present or not. This means that the protocol explicitly prevents port sharing between public and private access. Otherwise it would open a major security breach by allowing untrusted parties to spoof their connection addresses. The receiver SHOULD ensure proper access filtering so that only trusted proxies are allowed to use this protocol.
Therefore I am wondering the following:
1.) Is the configuration described above insecure?
2.) Should I instead set up a specific entrypoint with a specific port dealing with the proxy protocol?
I would also be very happy about an example .yaml file (or snippet) which works as a basic reverse proxy with a) Proxy Protocol to HTTPS and b) HTTP to HTTPS redirect.
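As an added example (not from the post above or from the linked repository), here is one way to lay out the Traefik v3 static configuration so that the PROXY header is only ever expected on a port that the upstream NGINX alone can reach, while local clients use separate entrypoints with no proxy protocol at all, plus the HTTP-to-HTTPS redirect for local traffic. The NGINX address 203.0.113.10 and the port 8443 are placeholders; the key names are the `entryPoints` options from the Traefik v3 static configuration the post links to.

```yaml
# Traefik v3 static configuration (e.g. traefik.yml). Added example.
# Layout: local clients use web/websecure with no PROXY header; the
# upstream NGINX reaches a dedicated entrypoint that expects the header,
# so no single port has to guess whether the header is present.
entryPoints:
  # Local HTTP: its only job is to redirect to the local HTTPS entrypoint.
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  # Local HTTPS: terminates TLS for LAN clients. There is no proxyProtocol
  # block here, so a PROXY header arriving on this port is never honoured
  # and a local client cannot choose the address Traefik logs for it.
  websecure:
    address: ":443"
    http:
      tls: {}   # certificates come from a certificatesResolver or the file provider (not shown)

  # Proxy-protocol HTTPS: intended to be reachable only from the external NGINX.
  # 203.0.113.10/32 is a placeholder for that host. Restrict this port to the
  # NGINX host at the firewall as well; trustedIPs is the second check, and only
  # connections from listed sources get their client address replaced with the
  # one carried in the PROXY header.
  proxied:
    address: ":8443"
    proxyProtocol:
      trustedIPs:
        - "203.0.113.10/32"
    http:
      tls: {}
```

Routers that should serve both local and external visitors are attached to both `websecure` and `proxied` via their `entryPoints` list. On the NGINX side this corresponds to a stream (TCP) proxy with `proxy_protocol on;` towards port 8443, so TLS still terminates in Traefik and the original client address travels in the PROXY header rather than in `X-Forwarded-For`. Keeping the header-bearing traffic on its own port is what the quoted specification asks for; the `trustedIPs` list and a firewall rule then provide the access filtering it recommends.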