Redirect or Block External WAN IP Reachability

Hello,

I have set up Traefik as a reverse proxy to my services. My ISP blocks ports 80 and 443, so I forward other ports instead. I have an ASUS router, so I use the ASUS DDNS hostname to point to my services on the forwarded ports, since I have a dynamic WAN IP. ASUS has a built-in Let's Encrypt cert resolver, so I export those certs from my router to my Docker host with a custom SSH script.

My current setup is:
https://xxxxxx.asuscomm.com:52800 > Plex
https://xxxxxx.asuscomm.com:52801 > qBittorrent web ui
https://xxxxxx.asuscomm.com:52802 > Radarr
https://xxxxxx.asuscomm.com:52801 > Sonarr

All this works as expected. But when I use https://EXTERNALIP:PORT, it opens "404 page not found" with the self-signed Traefik default certificate. I tried using sniStrict=true, but then I was unable to reach my services at https://xxxxxx.asuscomm.com:PORT; I got an "unrecognized name" error.

So my question is,

  1. Is there a way to redirect https://EXTERNALIP:PORT to https://xxxxxx.asuscomm.com:PORT? (E.g. https://EXTERNALIP:52800 to https://xxxxxx.asuscomm.com:52800)
    OR
  2. Is there any other way to make sniStrict=true work with my existing certs?

I am open to any suggestions for improvement of my setup.

Regards

traefik docker-compose

version: '3.8'
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    networks:
      default:
        ipv4_address: 10.0.0.100
    environment:
      TZ: Etc/UTC
    labels:
      - com.centurylinklabs.watchtower.enable=false
    ports:
      - 8080:8080  # (optional) expose the dashboard !don't use in production!
      - 52800:52800
      - 52801:52801
      - 52802:52802
      - 52803:52803
    extra_hosts:
      - host.docker.internal:172.17.0.1
    volumes:
      - /etc/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always
networks:
  default:
    external: true
    name: servarr

services docker-compose

version: '3.8'
services:
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    restart: unless-stopped
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - VERSION=latest
    labels:
      - traefik.enable=true
      - traefik.http.routers.plex.entrypoints=plex
      - traefik.http.routers.plex.rule=Host(`xxxxxx.asuscomm.com`)
      - traefik.http.routers.plex.tls=true
      - traefik.http.services.plex.loadbalancer.server.port=32400
    volumes:
      - /mnt/hdd/docker/plex/config:/config
      - /mnt/hdd/Media/data/:/data
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:libtorrentv1
    container_name: qbittorrent
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - WEBUI_PORT=8112
    ports:
      - 52804:52804
    labels:
      - traefik.enable=true
      - traefik.http.routers.qbit.entrypoints=qbit
      - traefik.http.routers.qbit.rule=Host(`xxxxxx.asuscomm.com`)
      - traefik.http.routers.qbit.tls=true
      - traefik.http.services.qbit.loadbalancer.server.port=8112
    volumes:
      - /mnt/hdd/docker/qbittorrent/config:/config
      - /mnt/hdd/Media/data:/data
    networks:
      default:
        ipv4_address: 10.0.0.3
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    labels:
      - traefik.enable=true
      - traefik.http.routers.radarr.entrypoints=radarr
      - traefik.http.routers.radarr.rule=Host(`xxxxxx.asuscomm.com`)
      - traefik.http.routers.radarr.tls=true
      - traefik.http.services.radarr.loadbalancer.server.port=7878
    volumes:
      - /mnt/hdd/docker/radarr/config:/config
      - /mnt/hdd/Media/data:/data
    networks:
      default:
        ipv4_address: 10.0.0.4
  sonarr:
    image: lscr.io/linuxserver/sonarr:develop
    container_name: sonarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    labels:
      - traefik.enable=true
      - traefik.http.routers.sonarr.entrypoints=sonarr
      - traefik.http.routers.sonarr.rule=Host(`xxxxxx.asuscomm.com`)
      - traefik.http.routers.sonarr.tls=true
      - traefik.http.services.sonarr.loadbalancer.server.port=8989
    volumes:
      - /mnt/hdd/docker/sonarr/config:/config
      - /mnt/hdd/Media/data:/data
    networks:
      default:
        ipv4_address: 10.0.0.6
networks:
  default:
    external: true
    name: servarr

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

api:
  dashboard: true  # true by default
  insecure: true  # Don't do this in production!

entryPoints:
  plex:
    address: :52800
    http:
      redirections:
        entryPoint:
          to: plex
          scheme: https
          permanent: true
          priority: 1

  qbit:
    address: :52801
    http:
      redirections:
        entryPoint:
          to: qbit
          scheme: https
          permanent: true
          priority: 1

  radarr:
    address: :52802
    http:
      redirections:
        entryPoint:
          to: radarr
          scheme: https
          permanent: true
          priority: 1

  sonarr:
    address: :52803
    http:
      redirections:
        entryPoint:
          to: sonarr
          scheme: https
          permanent: true
          priority: 1

tls:
  certificates:
    - certFile: /etc/traefik/certs/xxxxxx.cert
      keyFile: /etc/traefik/certs/xxxxxx.key
  options:
    default:
      minVersion: VersionTLS12
#    sniStrict: true
providers:
  docker:
    exposedByDefault: false 
  file:
    directory: /etc/traefik
    watch: true

Your config seems unusual. You have a redirect to the entrypoint itself, so that should result in an endless loop.

Normally you have a http entrypoint that redirects to a https entrypoint.

Compare with simple Traefik example.

PS: usually only Traefik uses ports to expose ports in the host, not the other services/container.

Yes, it is unusual, but it works. I added redirections to the entrypoints because "http" on xxxxxx.asuscomm.com:PORT was going to "404 page not found". This config changes the scheme to "https" if the request is made as http://xxxxxx.asuscomm.com:PORT. I did not do it the standard way because then I would have to open another set of ports just for the http redirection.

You can’t use https://ip:port because then you don’t have a domain and no Traefik router rule can match.

So to redirect from https://externalip:port to https://xxxxxx.asuscomm.com:port I will have to use a middleware? By the way, I edited my post and comments to make it clearer what I want to achieve.

Traefik works as reverse proxy. It resolves requests to (sub-)domain names on the Internet and forwards those to matching internal services.

Usually you have a domain name sub1.example.com, that points to the IP of Traefik. Traefik then takes the request and forwards sub1 to an internal target service, either via internal domain name or internal IP.

Usually your DynDNS domain name would point to Traefik, you use those domain names in rule, use either Traefik dynamic configuration in file or just use labels on Docker services and Traefik Docker Configuration Discovery.

When you access Traefik via IP directly, then you need to place those IPs in rule to match.

Can you provide me an example of such rule? Since I have a dynamic IP, I am guessing, the rule needs to be dynamic as well.
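An added example (not part of the thread) of the approach described two replies up, that a request arriving by IP only matches a router whose rule covers it, written for Traefik v2 as a dynamic configuration file for the file provider. Because the WAN IP is dynamic, it does not try to match the IP literal at all: a lowest-priority router matches every request that no Host(...) router claimed, and a redirectRegex middleware sends it to the DDNS hostname, preserving port and path. The hostname, entrypoint names and ports are the ones from the thread; the router name `catch-all`, the middleware name `to-ddns-host` and the file path in the first comment are assumptions.

```yaml
# Added example, not from the thread or from the Traefik project.
# Place it where the file provider looks, e.g. /etc/traefik/dynamic/catch-all.yml
# (path assumed). Traefik v2 syntax.
http:
  routers:
    catch-all:
      # PathPrefix(`/`) matches every request regardless of the Host header, so it also
      # matches a raw IP literal without having to know the (dynamic) WAN IP.
      rule: "PathPrefix(`/`)"
      # A router's default priority is the length of its rule, so the Host(...) routers
      # from the compose labels (priority ~30) always win; only requests none of them
      # claimed fall through to this one.
      priority: 1
      entryPoints:
        - plex
        - qbit
        - radarr
        - sonarr
      middlewares:
        - to-ddns-host
      # noop@internal is Traefik's built-in "no backend" service; the middleware
      # answers before a backend would be contacted.
      service: noop@internal
      # A router without a tls section only matches plain-HTTP connections, so this is
      # required for https://EXTERNALIP:PORT to reach the router at all.
      tls: {}

  middlewares:
    to-ddns-host:
      redirectRegex:
        # Matched against scheme://host[:port]/path?query. Group 1 keeps the :port,
        # group 2 keeps path and query; the host part (whatever IP was typed) is dropped.
        # IPv4 only: an IPv6 literal such as [2001:db8::1]:52800 would not match [^/:]+.
        regex: "^https?://[^/:]+(:[0-9]+)?(/.*)?$"
        replacement: "https://xxxxxx.asuscomm.com${1}${2}"
        # Temporary (302) while testing; switch to true once it behaves as intended,
        # because browsers cache 301s aggressively.
        permanent: false
```

Two caveats a practitioner should keep in mind. First, for https://EXTERNALIP:PORT the TLS handshake still completes with Traefik's generated default certificate before the redirect is sent, so the browser shows its certificate warning first; the redirect replaces the 404 page, it does not hide the service. If `sniStrict: true` is used instead, Traefik refuses the handshake when the SNI matches no loaded certificate and no redirect is possible; for that option to work, the exported certificate must list xxxxxx.asuscomm.com in its subjectAltName and actually be loaded, which you can check in the dashboard's TLS section or with `openssl s_client -connect EXTERNALIP:PORT -servername xxxxxx.asuscomm.com`. Second, keeping the hostname secret is not a control: Let's Encrypt publishes every certificate it issues to Certificate Transparency logs, so the hostname on the certificate is public information.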

@bluepuma77 I made a new config for Traefik and used the standard way of doing things. I used the same traefik docker-compose as above and made some modifications to the services docker-compose. For this example, I am only using Sonarr as my service. With this configuration everything works as intended, i.e. xxxxxxxx.asuscomm.com:52800 changes the scheme to https and opens the service for me at https://xxxxxxxx.asuscomm.com:52801.

But when I type http://EXTERNALIP:52800 or https://EXTERNALIP:52800, it redirects to https://EXTERNALIP:52801, and in my browser it opens a page that shows "404 page not found".
How can I fix this?

service docker-compose

  sonarr:
    image: lscr.io/linuxserver/sonarr:develop
    container_name: sonarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    labels:
      - traefik.enable=true
      - traefik.http.routers.sonarr.entrypoints=http, https
      - traefik.http.routers.sonarr.tls=true
      - traefik.http.services.sonarr.loadbalancer.server.port=8989
    volumes:
      - /mnt/hdd/docker/sonarr/config:/config
      - /mnt/hdd/Media/data:/data
    networks:
      default:
        ipv4_address: 10.0.0.6

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  # Disables certificate verification between Traefik and the backends; only needed
  # when a backend itself speaks HTTPS with a self-signed certificate.
  insecureSkipVerify: true

entryPoints:
  http:
    address: :52800
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  https:
    address: :52801
    http:
      tls: {}

providers:
  providersThrottleDuration: 2s
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true
  docker:
    watch: true
    defaultRule: "Host(`xxxxxxxx.asuscomm.com`)"
    exposedByDefault: false

api:
  dashboard: true
  insecure: true

log:
  level: INFO

fileConfig.yml

tls:
  certificates:
    - certFile: /etc/traefik/certs/xxxxxxxx.cert
      keyFile: /etc/traefik/certs/xxxxxxxx.key
  options:
    default:
      minVersion: VersionTLS12

Why would you use an IP if your home router provides DynDNS with a domain name?

Traefik and service are running behind your home router?

A Traefik router always needs a rule.

I was using nmap on my external IP subnet; it showed these ports open. Since an attacker would not know my hostname, he would try to open that ip:port normally. That's why I am trying to block that request.
Yes, Traefik is behind my home router.

What do you want to achieve? You want the services to be available externally via domain name? But it should not be available via IP?

Well, this is what you got, Traefik will not match the service name when using only the IP and Traefik will show 404.

More secure would be to use authentication via middleware (user/pass), or use ForwardAuth with an identity provider like (self-hosted) Authelia or Authentik (or a hosted provider). Or use a VPN like WireGuard (check wg-easy) to enable access to the internal network.
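The three hardening options in the reply above, as an added example (not the thread's or Traefik's own configuration) for Traefik v2: a dynamic configuration file that defines a basicAuth middleware, a forwardAuth middleware and an IP whitelist, followed by the compose label that attaches one of them to the sonarr router from the compose file above. The htpasswd path, the address of the authentication service, the VPN subnet and the middleware names are assumptions.

```yaml
# Added example, not from the thread. Dynamic configuration for the file provider,
# e.g. /etc/traefik/dynamic/auth.yml (path assumed). Traefik v2 syntax.
http:
  middlewares:
    # Option 1: user/password prompt handled by Traefik itself.
    # Create the file on the Docker host with bcrypt hashes, for example
    #   htpasswd -B -c /etc/traefik/.htpasswd alice
    # /etc/traefik is already mounted into the container in the compose file above.
    sonarr-basicauth:
      basicAuth:
        usersFile: /etc/traefik/.htpasswd
        # Strip the Authorization header before the request reaches Sonarr, so the
        # proxy credentials are never seen by the backend.
        removeHeader: true

    # Option 2: delegate the decision to an identity provider (Authelia, Authentik, ...).
    # Traefik forwards each request's headers to this URL: a 2xx answer lets the request
    # through, anything else (typically a redirect to the login page) is returned to
    # the client. The address is a placeholder; the verification path differs per
    # provider, so take it from your provider's Traefik integration docs.
    sonarr-forwardauth:
      forwardAuth:
        address: "http://auth.servarr.internal:9091/verify"
        # Only safe when Traefik is the first proxy that sees the client, as here.
        trustForwardHeader: true
        # Headers copied from the provider's response into the request to the backend.
        authResponseHeaders:
          - Remote-User
          - Remote-Groups

    # Option 3: reachable only from the VPN. With this in place the port forwards on
    # the router can be removed altogether; 10.8.0.0/24 is the assumed WireGuard range.
    # Requests from any other source IP get a 403.
    vpn-only:
      ipWhiteList:
        sourceRange:
          - 10.8.0.0/24

---
# services docker-compose fragment: attach a middleware to the router defined by
# labels. "@file" names the provider the middleware was defined in; several
# middlewares are chained with a comma, e.g. vpn-only@file,sonarr-basicauth@file.
services:
  sonarr:
    labels:
      - traefik.enable=true
      - traefik.http.routers.sonarr.entrypoints=https
      - traefik.http.routers.sonarr.tls=true
      - traefik.http.routers.sonarr.middlewares=sonarr-basicauth@file
      - traefik.http.services.sonarr.loadbalancer.server.port=8989
```

Whichever option is used, it should be attached to every router, not just the one for Sonarr: a single forgotten router (Plex, qBittorrent, Radarr) is enough to expose an unauthenticated web UI on the forwarded port, and the dashboard on 8080 with `api.insecure: true` should not be reachable from the WAN at all.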
