Routing from a Traefik to another one

I have two Traefik instances. The first one (ext) is accessible from the internet and routes to other services (e.g. a portal) and to an internal Traefik (also on the same swarm). I used the constraints setting to enable dynamically deploying any service on the desired Traefik instance.

The second Traefik is used to create and expose many services (by other people). That's why I prefer to use a second one, instead of breaking anything on the first one and causing unavailability on the Portal.

The first Traefik (external) will receive requests to *.domain.tld and route portal.domain.tld to the proper service (this is already working). Also, when it receives *.labs.domain.tld, it should forward to the second Traefik (labs). Is it possible to configure the routing on the ext Traefik, or just on the second one?

The first Traefik YAML:

version: '3.3'

services:

  traefik-proxy-ext:
    image: traefik:v2.10
    ports:
      - target: 443
        published: 443
        mode: host
    deploy:
      placement:
        constraints:
          - node.hostname == reverse-proxy-ext-${ENVIRONMENT?Variable not set}
      labels:
        - traefik.enable=true
        - traefik.docker.network=public
        - traefik.external-service=true

        # Traefik Frontend
        - traefik.http.routers.traefik-ext-https.rule=Host(`${TRAEFIK_EXT_HOSTNAME?Variable not set}`)
        - traefik.http.routers.traefik-ext-https.entrypoints=ext-https
        - traefik.http.routers.traefik-ext-https.tls=true
        - traefik.http.routers.traefik-ext-https.tls.certresolver=resolver-dns
        - traefik.http.routers.traefik-ext-https.tls.domains[0].main=${LABS_DOMAIN_BASE?Variable not set}
        - traefik.http.routers.traefik-ext-https.tls.domains[0].sans=*.${LABS_DOMAIN_BASE?Variable not set}
        - traefik.http.routers.traefik-ext-https.service=api@internal
        - traefik.http.services.traefik-ext.loadbalancer.server.port=8080

        # Only accessible from admin network
        - traefik.http.middlewares.vpn-only-ipwl.ipwhitelist.sourcerange=${ADMIN_NETWORKS?Variable not set}

        # Basic Authentication
        - traefik.http.middlewares.admin-auth.basicauth.realm=Auth
        - traefik.http.middlewares.admin-auth.basicauth.users=${TRAEFIK_EXT_USERNAME?Variable not set}:${TRAEFIK_EXT_HASHED_PASSWORD?Variable not set}

        - traefik.http.routers.traefik-ext-https.middlewares=admin-auth,vpn-only-ipwl

    environment:
      - DO_AUTH_TOKEN=${DO_AUTH_TOKEN?Variable not set}

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.constraints=Label(`traefik.external-service`,`true`)
      - --providers.docker.swarmmode
      # - --providers.docker.swarmModeRefreshSeconds=5 # edit it
      - --entrypoints.ext-http.address=:80
      - --entrypoints.ext-https.address=:443
            
      - --certificatesresolvers.resolver-dns.acme.dnschallenge=true
      - --certificatesresolvers.resolver-dns.acme.dnschallenge.provider=digitalocean
      - --certificatesresolvers.resolver-dns.acme.dnschallenge.delaybeforecheck=0
      - --certificatesResolvers.resolver-dns.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.resolver-dns.acme.email=${EMAIL?Variable not set}
      - --certificatesresolvers.resolver-dns.acme.storage=/certificates/acme.json
      #- --certificatesresolvers.resolver-dns.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

      # - --accesslog
      - --log.level=DEBUG
      - --api

    networks:
      - public

volumes:
  traefik-certificates:
    external: true

networks:
  public:
    external: true

The second Traefik (labs):

version: '3.3'

services:

  traefik-proxy-labs:
    image: traefik:v2.10
    # ports:
    #   - target: 443
    #     published: 443
    #     mode: host
    deploy:
      placement:
        constraints:
          - node.hostname == reverse-proxy-labs-${ENVIRONMENT?Variable not set}
      labels:
        - traefik.enable=true
        - traefik.docker.network=public
        - traefik.external-service=true
        - traefik.internal-service=true

        - traefik.http.routers.traefik-labs-router.rule=Host(`${TRAEFIK_LABS_HOSTNAME?Variable not set}`)
        - traefik.http.routers.traefik-labs-router.entrypoints=labs-https
        - traefik.http.routers.traefik-labs-router.tls=true
        - traefik.http.routers.traefik-labs-router.service=api@internal
        
        - traefik.http.routers.traefik-labs-router.tls.certresolver=resolver-dns
        - traefik.http.routers.traefik-labs-router.tls.domains[0].main=${LABS_DOMAIN_BASE?Variable not set}
        - traefik.http.routers.traefik-labs-router.tls.domains[0].sans=*.${LABS_DOMAIN_BASE?Variable not set}

        # - traefik.http.services.traefik-labs-service.loadbalancer.server.url=http://127.0.0.1:8080
        - traefik.http.services.traefik-labs-service.loadbalancer.server.port=8080
        # - traefik.http.routers.traefik-labs-router.service=traefik-labs-service

        #- traefik.http.services.traefik-proxy-labs-services.loadbalancer.server.port=80
        

        # ---
        # Labs Redirection
        - traefik.http.routers.traefik-proxy-labs-routers.rule=HostRegexp(`{subdomain:[a-z\-]+}.${LABS_DOMAIN_BASE?Variable not set}`)
        - traefik.http.routers.traefik-proxy-labs-routers.entrypoints=ext-https
        - traefik.http.routers.traefik-proxy-labs-routers.tls=true
        - traefik.http.routers.traefik-proxy-labs-routers.tls.certresolver=resolver-dns
        - traefik.http.routers.traefik-proxy-labs-routers.tls.domains[0].main=${LABS_DOMAIN_BASE?Variable not set}
        - traefik.http.routers.traefik-proxy-labs-routers.tls.domains[0].sans=*.${LABS_DOMAIN_BASE?Variable not set}
        - traefik.http.routers.traefik-proxy-labs-routers.service=traefik-proxy-labs-service
        - traefik.http.services.traefik-proxy-labs-service.loadbalancer.server.port=443
        - traefik.http.services.traefik-proxy-labs-service.loadbalancer.server.scheme=https


    environment:
      - DO_AUTH_TOKEN=${DO_AUTH_TOKEN?Variable not set}

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.docker.constraints=Label(`traefik.internal-service`,`true`)
      - --providers.docker.swarmmode
      - --entrypoints.labs-http.address=:80
      - --entrypoints.labs-https.address=:443

      - --certificatesresolvers.resolver-dns.acme.dnschallenge=true
      - --certificatesresolvers.resolver-dns.acme.dnschallenge.provider=digitalocean
      - --certificatesresolvers.resolver-dns.acme.dnschallenge.delaybeforecheck=0
      - --certificatesResolvers.resolver-dns.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      - --certificatesresolvers.resolver-dns.acme.email=${EMAIL?Variable not set}
      - --certificatesresolvers.resolver-dns.acme.storage=/certificates/acme.json

      - --log.level=INFO
      - --api.insecure=true
      - --api

    networks:
      - public

 

volumes:
  traefik-certificates:
    external: true

networks:
  public:
    external: true

Can someone tell me what I am doing wrong? I appreciate any help.

See your other post.

1 Like
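
An added example, not part of the original posts and not Traefik's own code: a small Python check over a constructed subset of the flags and labels from the two stacks in the question. It relies on the Docker provider's `constraints` selecting whole containers, so an instance loads every router label on a container it matches; `audit`, `INSTANCES` and `CONTAINERS` are names made up for this example.

```python
import re

# Constructed input: a subset of the flags and labels from the two stacks above.
INSTANCES = {
    "ext": {"constraint": "traefik.external-service", "command": [
        "--entrypoints.ext-http.address=:80", "--entrypoints.ext-https.address=:443", "--api"]},
    "labs": {"constraint": "traefik.internal-service", "command": [
        "--entrypoints.labs-http.address=:80", "--entrypoints.labs-https.address=:443",
        "--api.insecure=true", "--api"]},
}
CONTAINERS = {
    "traefik-proxy-ext": [
        "traefik.external-service=true",
        "traefik.http.routers.traefik-ext-https.entrypoints=ext-https",
        "traefik.http.routers.traefik-ext-https.service=api@internal",
        "traefik.http.routers.traefik-ext-https.middlewares=admin-auth,vpn-only-ipwl"],
    "traefik-proxy-labs": [
        "traefik.external-service=true", "traefik.internal-service=true",
        "traefik.http.routers.traefik-labs-router.entrypoints=labs-https",
        "traefik.http.routers.traefik-labs-router.service=api@internal",
        "traefik.http.routers.traefik-proxy-labs-routers.entrypoints=ext-https",
        "traefik.http.routers.traefik-proxy-labs-routers.service=traefik-proxy-labs-service"],
}
ROUTER = re.compile(r"traefik\.http\.routers\.([^.]+)\.(\w+)=(.*)")
ENTRYPOINT = re.compile(r"--entrypoints\.([^.]+)\.address=", re.I)

def audit(instances, containers):
    """Return (instance, router, issue) for each router an instance would load."""
    findings = []
    for inst, cfg in instances.items():
        defined = {m.group(1) for c in cfg["command"] if (m := ENTRYPOINT.match(c))}
        if any(c.lower() == "--api.insecure=true" for c in cfg["command"]):
            findings.append((inst, "-", "api.insecure=true"))
        for labels in containers.values():
            if cfg["constraint"] + "=true" not in labels:
                continue  # the provider constraint filters this container out
            routers = {}
            for label in labels:
                if (m := ROUTER.match(label)):
                    routers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            for name, opts in sorted(routers.items()):
                missing = [e for e in opts.get("entrypoints", "").split(",")
                           if e and e not in defined]
                if missing:
                    findings.append((inst, name, "unknown entrypoint " + ",".join(missing)))
                elif opts.get("service") == "api@internal" and "middlewares" not in opts:
                    findings.append((inst, name, "api@internal without middlewares"))
    return findings
```

Calling `audit(INSTANCES, CONTAINERS)` reports that each instance is handed a router bound to an entrypoint only the other instance defines, because the labs container carries both constraint labels. It also reports that the labs dashboard router has no middleware and that the labs instance runs with `--api.insecure=true`, whereas the ext dashboard router has `admin-auth,vpn-only-ipwl`.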
