Hello folks,
I want to make the following happen:
I have a server reachable through the internet (example.com) which runs traefik and a bunch of HTTP services (in Docker containers). The services are made available through http routers with different subdomains: *.vm1.example.com
However, the main machine ran out of resources recently and I wanted to move some services to a new host that is not connected to the internet. In addition, the new server will host other web services whose names are pretty much random (chosen by the user). I wanted to make them available as *.vm2.example.com.
My plan was the following: have traefik run on the first machine and check if the service is known to it. If not, forward the request to the second machine. I set up routers for each service using docker labels on the first machine and a "catch all" http router "*.vm2.example.com" pointing to the 2nd server using a static load-balancer service with a single entry. On the 2nd server, another instance of traefik is running, which is again configured by docker labels to know about the services hosted on that machine.
This works with http only, yet I would like to have the first machine do TLS via let's encrypt for me. So it would need to create not only certificates for the services "*.vm1.example.com" but also for my catch-all router "*.vm2.example.com". This seems not to be possible because my catch-all router is effectively a wildcard router and would require a DNS challenge. This is not possible due to our internal policies. So I would basically need traefik to create certificates based on the requested domain name.
So I tried to depict my planned setup here: traefik 1 doing TLS for all routers, and forwarding requests to either local containers or the other traefik instance based on the HostRegex rule.
- How can I get traefik on server 1 to create certificates for the services on the 2nd host if the service names (=subdomains) are not known in advance and I cannot do DNS challenges?
- I could use a TCP router listening on the same port, I suppose, but how can I make traefik first check the URL rules and, if none matches, forward the request to the other machine? Is that even possible?
- Maybe I am totally off here. Can I solve this any better?
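An added example, not taken from the original post or from Traefik's own documentation: a Traefik v2 file-provider dynamic configuration for server 1 that expresses the catch-all router and the single-entry load-balancer service described above. The entrypoint names, the internal address 10.0.0.2, the resolver name "le" and the router/service names are assumptions.

```yaml
# Added example: dynamic configuration (file provider) for the traefik
# instance on server 1, Traefik v2 rule syntax.
# Assumptions: entrypoints "web" and "websecure", an ACME resolver named "le",
# and server 2 reachable at 10.0.0.2:80 on the internal network.
http:
  routers:
    # A router for a local container; in the post these come from Docker
    # labels, one is written out here only to show how it coexists with
    # the catch-all below.
    app1:
      rule: "Host(`app1.vm1.example.com`)"
      entryPoints: [websecure]
      service: app1@docker
      tls:
        certResolver: le

    # Catch-all for any subdomain of vm2.example.com. It carries no
    # certResolver: as the post notes, a certificate for this router would
    # be a wildcard and needs a DNS challenge, so this one stays plain HTTP.
    vm2-catchall:
      rule: "HostRegexp(`{subdomain:[a-z0-9-]+}.vm2.example.com`)"
      entryPoints: [web]
      service: vm2-traefik
      # Below the default (rule-length based) priority, so an explicit
      # Host() router always wins if a name ever overlaps.
      priority: 1

  services:
    # Static single-entry service pointing at the second traefik instance.
    vm2-traefik:
      loadBalancer:
        # passHostHeader is the default; spelled out because the second
        # traefik instance routes on the original Host header.
        passHostHeader: true
        servers:
          - url: "http://10.0.0.2:80"
```

Note that the hop from server 1 to server 2 is unencrypted HTTP on the internal network; the TLS question for the vm2 names raised in the post is left open here.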