Proxy to another server if URL is not served locally

Hello folks,

I want to make the following happen:

I have a server reachable through the internet (example.com) which runs traefik and a bunch of HTTP services (in Docker containers). The services are made available through http routers with different subdomains: .vm1.example.com

However, the main machine ran out of resources recently and I wanted to move some services to a new host that is not connected to the internet. In addition, the new server will host other webservices whose names are pretty much random (=chosen by user). I wanted to make them available as .vm2.example.com.

My plan was the following: have traefik run on the first machine and check if the service is known to it. If not, forward the request to the second machine. I set up routers for each service using docker labels on the first machine and a "catch all" http router "*.vm2.example.com" pointing to the 2nd server using a static load-balancer service with a single entry. On the 2nd server, another instance of traefik is running which is then again configured by docker labels to know about the services hosted on that machine.

This works with http only, yet I would like to have the first machine do TLS via Let's Encrypt for me. So it would need to create not only certificates for the services ".vm1.example.com" but also for my catch-all router ".vm2.example.com". This seems to not be possible because my catch-all router is effectively a wildcard router and would require a DNS challenge. This is not possible due to our internal policies. So I would basically need traefik to create certificates based on the requested domain name.

So I tried to depict my planned setup here: traefik 1 doing TLS for all routers, and forwards requests to either local containers or the other traefik instance based on the HostRegex rule.

  • How can I get traefik on server 1 to create certificates for the services on the 2nd host if the service names (=subdomains) are not known in advance and I cannot do DNS challenges?

  • I could use a TCP router listening on the same port I suppose, but how can I make traefik first check the URL rules and, if none matches, forward the request to the other machine? Is that even possible?

  • Maybe I am totally off here. Can I solve this any better?

I would see two possible options:

  1. Create a Docker Swarm with your two nodes. Assign your containers to the nodes using labels. You just need a single Traefik instance on first node, that must be the swarm leader.

  2. Create a script that fetches the configuration from Traefik2 via the Traefik API (or Docker API) and then creates a dynamic configuration file with router (host) and service from it. Have Traefik1 use provider.file in the static config to load and watch the file for updates.

Both are not easy plug&play solutions, sorry.
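The second option above, as an added example that is not part of the thread and not code from the Traefik project: a script that reads the router list Traefik2 exposes on its API (`GET /api/http/routers`), keeps only explicit `Host(...)` names under the vm2 zone, and renders a file-provider dynamic configuration for Traefik1 in which each name gets its own router (so the ACME HTTP challenge can issue a per-host certificate, no wildcard needed) and all of them share one load-balancer service pointing at Traefik2. The addresses `10.0.0.2`, the resolver name `le`, the entrypoint name `websecure` and the zone `.vm2.example.com` are assumptions; the API response used by default is constructed sample data, and `--live` fetches from the real API instead.

```python
"""Generate a Traefik1 file-provider config from Traefik2's router list.

Assumed values (not from the thread): Traefik2's API at 10.0.0.2:8080,
Traefik2's HTTP entrypoint at 10.0.0.2:80, a certResolver named "le"
on Traefik1 using the HTTP challenge, and an entrypoint named "websecure".
"""
import json
import re
import sys
import urllib.request

TRAEFIK2_API = "http://10.0.0.2:8080/api/http/routers"  # assumption
TRAEFIK2_URL = "http://10.0.0.2:80"                       # assumption
CERT_RESOLVER = "le"                                      # assumption
ENTRYPOINT = "websecure"                                  # assumption
ZONE_SUFFIX = ".vm2.example.com"  # only names under this zone are forwarded

HOST_CALL = re.compile(r"Host\(([^)]*)\)")  # Host(`a`, `b`) -> "`a`, `b`"
QUOTED = re.compile(r"`([^`]+)`")          # each backtick-quoted argument

# Constructed sample of what GET /api/http/routers returns on Traefik2.
SAMPLE_ROUTERS = [
    {"name": "wiki@docker", "status": "enabled", "service": "wiki@docker",
     "rule": "Host(`wiki.vm2.example.com`)"},
    {"name": "api@docker", "status": "enabled", "service": "api@docker",
     "rule": "Host(`api.vm2.example.com`) && PathPrefix(`/v1`)"},
    {"name": "old@docker", "status": "disabled", "service": "old@docker",
     "rule": "Host(`old.vm2.example.com`)"},
    # A user-chosen name outside the zone must not be forwarded by Traefik1.
    {"name": "misnamed@docker", "status": "enabled", "service": "x@docker",
     "rule": "Host(`login.vm1.example.com`)"},
    {"name": "api@internal", "status": "enabled", "service": "api@internal",
     "rule": "PathPrefix(`/api`)"},
]


def fetch_routers(api_url=TRAEFIK2_API, timeout=5):
    """Fetch the live router list from Traefik2's API."""
    with urllib.request.urlopen(api_url, timeout=timeout) as resp:
        return json.load(resp)


def hosts_in_rule(rule):
    """Return every host name mentioned in the Host() matchers of a rule."""
    hosts = []
    for args in HOST_CALL.findall(rule):
        hosts.extend(QUOTED.findall(args))
    return hosts


def extract_hosts(routers, suffix=ZONE_SUFFIX):
    """Enabled routers only; explicit (non-wildcard) names inside the zone."""
    hosts = set()
    for router in routers:
        if router.get("status") != "enabled":
            continue
        for host in hosts_in_rule(router.get("rule", "")):
            if host.endswith(suffix) and "*" not in host:
                hosts.add(host)
    return sorted(hosts)


def build_dynamic_config(hosts, upstream=TRAEFIK2_URL, resolver=CERT_RESOLVER):
    """One router per host, all using a single service that targets Traefik2."""
    routers = {}
    for host in hosts:
        label = host[: -len(ZONE_SUFFIX)].lower()          # "a.b" for a.b.vm2...
        name = "vm2-" + re.sub(r"[^a-z0-9]", "-", label)  # safe router name
        routers[name] = {
            "rule": f"Host(`{host}`)",
            "entryPoints": [ENTRYPOINT],
            "service": "vm2",
            "tls": {"certResolver": resolver},
        }
    services = {"vm2": {"loadBalancer": {"servers": [{"url": upstream}]}}}
    return {"http": {"routers": routers, "services": services}}


def render_yaml(cfg):
    """Render the config as YAML for Traefik's file provider (no PyYAML needed)."""
    lines = ["http:", "  routers:"]
    for name, r in cfg["http"]["routers"].items():
        lines += [f"    {name}:",
                  f'      rule: "{r["rule"]}"',
                  f"      entryPoints: [{', '.join(r['entryPoints'])}]",
                  f"      service: {r['service']}",
                  "      tls:",
                  f"        certResolver: {r['tls']['certResolver']}"]
    lines.append("  services:")
    for name, svc in cfg["http"]["services"].items():
        lines += [f"    {name}:", "      loadBalancer:", "        servers:"]
        for server in svc["loadBalancer"]["servers"]:
            lines.append(f'          - url: "{server["url"]}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    routers = fetch_routers() if "--live" in sys.argv else SAMPLE_ROUTERS
    # Redirect stdout to the file Traefik1's file provider watches.
    sys.stdout.write(render_yaml(build_dynamic_config(extract_hosts(routers))))
```

Run it from cron or a loop on server 1 and write the output to the path given to `providers.file.filename` with `watch: true`, so Traefik1 picks up new names as containers appear on server 2. Filtering on the zone suffix and rejecting wildcards matters because the names on server 2 are user-chosen: without it a container label there could claim a `vm1` hostname and have Traefik1 route (and request a certificate for) it.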

Thanks for your reply, it's perfectly fine if it's not a straightforward solution, it's just good to know that I didn't miss the easy way before I go and try out the harder ones.

So I guess I'll give both versions a try and see what works better for me.

Cheers!