Routing to a different site

I'm looking for the best way to set up web and local (LAN) access to my gateway nodes.

[image: Traefik_gateways]

I currently have Traefik set up on the cloud host so I can get to:

What I would like to add is access to the gateway service via the web and locally.

I have not tried any of the following yet, just trying to think ahead and explain my ideas in the hope that there is a better solution.

Anyway:

I am thinking I could add labels to access lighttpd and node-RED if I expose the ports (don't really want to expose them). Also, I believe the docker label traefik.http.services.xxx.loadbalancer.server.url can only be done in a file for now (haven't tested yet).

Cloud server Traefik labels:

    labels:
      # Web (Lighttpd)
      - "traefik.http.routers.gateway01-web-secure.entrypoints=websecure"
      - "traefik.http.routers.gateway01-web-secure.rule=Host(`gateway01.example.net`)"
      - "traefik.http.routers.gateway01-web-secure.tls=true"
      - "traefik.http.routers.gateway01-web-secure.tls.certresolver=resolver-lets-encrypt"
      - "traefik.http.routers.gateway01-web-secure.service=gateway01-web"
      - "traefik.http.services.gateway01-web.loadbalancer.server.url=http://10.8.2.2:80"
      # Node-RED
      - "traefik.http.routers.gateway01-nodered-secure.entrypoints=websecure"
      - "traefik.http.routers.gateway01-nodered-secure.rule=Host(`nodered.gateway01.example.net`)"
      - "traefik.http.routers.gateway01-nodered-secure.tls=true"
      - "traefik.http.routers.gateway01-nodered-secure.tls.certresolver=resolver-lets-encrypt"
      - "traefik.http.routers.gateway01-nodered-secure.service=gateway01-nodered"
      - "traefik.http.services.gateway01-nodered.loadbalancer.server.url=http://10.8.2.2:1880"

But what I'm hoping to do is route the full gateway request and let the gateway's Traefik route to the gateway services, thus only exposing ports 80 and/or 443. Maybe something like:

Cloud server Traefik labels:

    labels:
      # Gateway
      - "traefik.http.routers.gateway01-secure.entrypoints=websecure"
      # Match gateway01.example.net and its one-level subdomains (e.g. nodered.gateway01.example.net),
      # so the gateway's own Traefik can pick the service by Host
      - "traefik.http.routers.gateway01-secure.rule=HostRegexp(`gateway01.example.net`, `{subdomain:[a-z]+}.gateway01.example.net`)"
      - "traefik.http.routers.gateway01-secure.tls=true"
      - "traefik.http.routers.gateway01-secure.tls.certresolver=resolver-lets-encrypt"
      - "traefik.http.routers.gateway01-secure.service=gateway01"
      - "traefik.http.services.gateway01.loadbalancer.server.url=http://10.8.2.2:80"

Gateway lighttpd labels:

    labels:
      - "traefik.http.routers.lighttpd.entrypoints=web"
      - "traefik.http.routers.lighttpd.rule=Host(`gateway01.example.net`) || Host(`gateway.local`)"
      - "traefik.http.routers.lighttpd.service=lighttpd"
      - "traefik.http.services.lighttpd.loadbalancer.server.port=80"

Gateway node-RED labels:

    labels:
      - "traefik.http.routers.nodered.entrypoints=web"
      - "traefik.http.routers.nodered.rule=Host(`nodered.gateway01.example.net`) || Host(`nodered.gateway.local`)"
      - "traefik.http.routers.nodered.service=nodered"
      - "traefik.http.services.nodered.loadbalancer.server.port=1880"

If you have done this or something like it, can you share how you did it? Otherwise, if you think there is a better way, please let me know.

Regards,

OK, so I have tried a few things/setups, but they are not working as I would expect.

With everything set up, when I go to gateway01.dev.example.net I get a 404.

In the cloud server Traefik debug logs I get:

    traefik    | time="2020-06-22T03:21:52Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Cookie\":[\"aCookie\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36\"],\"X-Forwarded-Host\":[\"gateway01.dev.example.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"91fc236f132f\"],\"X-Real-Ip\":[\"xx.xx.xx.xx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"gateway01.dev.example.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xx.xx.xx.xx:50292\",\"RequestURI\":\"/\",\"TLS\":null}"
    traefik    | time="2020-06-22T03:21:52Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Cookie\":[\"aCookie\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36\"],\"X-Forwarded-Host\":[\"gateway01.dev.example.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"91fc236f132f\"],\"X-Real-Ip\":[\"xx.xx.xx.xx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"gateway01.dev.example.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xx.xx.xx.xx:50292\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://10.8.2.5"
    traefik    | time="2020-06-22T03:21:53Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7\"],\"Cache-Control\":[\"max-age=0\"],\"Cookie\":[\"aCookie\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36\"],\"X-Forwarded-Host\":[\"gateway01.dev.example.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"91fc236f132f\"],\"X-Real-Ip\":[\"xx.xx.xx.xx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"gateway01.dev.example.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xx.xx.xx.xx:50292\",\"RequestURI\":\"/\",\"TLS\":null}"
    traefik    | xx.xx.xx.xx - - [22/Jun/2020:03:21:52 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 1233 "gateway01@file" "http://10.8.2.5" 700ms

Doing a curl from the host I can get a web page:

    curl http://10.8.2.5
    <!doctype html>
    <html>

    <head>
        <meta charset="utf-8">
        <title>Gateway 01</title>
    </head>

    <body>
        <h1>Hello Gateway01</h1>
    </body>

And from the Traefik container the same:

    wget http://10.8.2.5
    Connecting to 10.8.2.5 (10.8.2.5:80)
    saving to 'index.html'
    index.html           100% |****************************************************************************************************************************|   160  0:00:00 ETA
    'index.html' saved
    / # cat index.html 
    <!doctype html>
    <html>

    <head>
        <meta charset="utf-8">
        <title>Gateway 01</title>
    </head>

    <body>
        <h1>Hello Gateway01</h1>
    </body>

    </html>

Edit Start:
A little more debugging, doing a tcpdump at the gateway on the VPN interface:

    tcpdump -i wg0 -vv
    tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
    03:59:32.590699 IP (tos 0x0, ttl 63, id 22839, offset 0, flags [DF], proto TCP (6), length 60)
        10.8.2.1.35468 > 10.8.2.5.http: Flags [S], cksum 0xd4cb (correct), seq 2653437319, win 64240, options [mss 1460,sackOK,TS val 3645579350 ecr 0,nop,wscale 7], length 0
    03:59:32.591322 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        10.8.2.5.http > 10.8.2.1.35468: Flags [S.], cksum 0x1844 (incorrect -> 0xeead), seq 2680464225, ack 2653437320, win 65160, options [mss 1460,sackOK,TS val 3732324567 ecr 3645579350,nop,wscale 7], length 0
    03:59:32.940368 IP (tos 0x0, ttl 63, id 22840, offset 0, flags [DF], proto TCP (6), length 52)
        10.8.2.1.35468 > 10.8.2.5.http: Flags [.], cksum 0x18af (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 3645579700 ecr 3732324567], length 0
    03:59:32.942496 IP (tos 0x0, ttl 63, id 22841, offset 0, flags [DF], proto TCP (6), length 842)
        10.8.2.1.35468 > 10.8.2.5.http: Flags [P.], cksum 0x7ba3 (correct), seq 1:791, ack 1, win 502, options [nop,nop,TS val 3645579701 ecr 3732324567], length 790: HTTP, length: 790
            GET / HTTP/1.1
            Host: gateway01.dev.example.net
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
            Cache-Control: max-age=0
            Cookie: aCookie
            Sec-Fetch-Dest: document
            Sec-Fetch-Mode: navigate
            Sec-Fetch-Site: none
            Sec-Fetch-User: ?1
            Upgrade-Insecure-Requests: 1
            X-Forwarded-For: xx.xxx.xxx.xxx
            X-Forwarded-Host: gateway01.dev.example.net
            X-Forwarded-Port: 443
            X-Forwarded-Proto: https
            X-Forwarded-Server: 91fc456f132f
            X-Real-Ip: xx.xxx.xxx.xxx

    03:59:32.943062 IP (tos 0x0, ttl 63, id 59101, offset 0, flags [DF], proto TCP (6), length 52)
        10.8.2.5.http > 10.8.2.1.35468: Flags [.], cksum 0x183c (incorrect -> 0x1437), seq 1, ack 791, win 503, options [nop,nop,TS val 3732324919 ecr 3645579701], length 0
    03:59:32.944634 IP (tos 0x0, ttl 63, id 59102, offset 0, flags [DF], proto TCP (6), length 228)
        10.8.2.5.http > 10.8.2.1.35468: Flags [P.], cksum 0x18ec (incorrect -> 0xf3f3), seq 1:177, ack 791, win 503, options [nop,nop,TS val 3732324920 ecr 3645579701], length 176: HTTP, length: 176
            HTTP/1.1 404 Not Found
            Content-Type: text/plain; charset=utf-8
            X-Content-Type-Options: nosniff
            Date: Mon, 22 Jun 2020 03:59:32 GMT
            Content-Length: 19

            404 page not found
    03:59:33.293350 IP (tos 0x0, ttl 63, id 22842, offset 0, flags [DF], proto TCP (6), length 52)
        10.8.2.1.35468 > 10.8.2.5.http: Flags [.], cksum 0x1228 (correct), seq 791, ack 177, win 501, options [nop,nop,TS val 3645580053 ecr 3732324920], length 0

The request is being forwarded, but the gateway Traefik does not want to pick it up.

It could be something to do with the X-Forwarded-* headers??? But I need to learn more.
Edit End.


So can anyone see anything that I'm doing wrong?? Or got a hint on tracking down the problem?

Current non-working setup files.

Cloud server Traefik docker-compose.yaml

    version: '3'

    services:
      traefik:
        image: traefik:v2.2.1
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - external-network
          - internal-network
        ports:
          - 80:80
          - 443:443
          - 1884:1884
          - 5683:5683/udp
          - 9002:9002
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /root/.containers/traefik/data/acme.json:/acme.json
          - /root/.containers/traefik/data/gateways.toml:/gateways.toml
        command:
          # Global
          - "--global.checkNewVersion=true"
          - "--global.sendAnonymousUsage=false"
          # Logging
          - "--log.level=DEBUG"
          - "--accesslog=true"
          # api
          - "--api=true"
          - "--api.dashboard=true"
          # Entry Points
          # web
          - "--entryPoints.web.address=:80"
          - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
          - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
          - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
          - "--entryPoints.websecure.address=:443"
          # Data
          # - "--entryPoints.mqtt.address=:1883"
          - "--entryPoints.mqttsecure.address=:1884"
          - "--entryPoints.coap.address=:5683/udp"
          # - "--entryPoints.websocket.address=:9001"
          - "--entryPoints.websocketsecure.address=:9002"
          # Providers
          - "--providers.docker=true"
          - "--providers.docker.endpoint=unix:///var/run/docker.sock"
          - "--providers.docker.exposedbydefault=false"
          - "--providers.file.filename=/gateways.toml"
          - "--providers.file.watch=true"
          # Resolvers
          - "--certificatesresolvers.resolver-lets-encrypt.acme.email=admin@example.net"
          - "--certificatesresolvers.resolver-lets-encrypt.acme.storage=acme.json"
          # - "--certificatesresolvers.resolver-lets-encrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
          - "--certificatesresolvers.resolver-lets-encrypt.acme.tlschallenge=true"

        labels:
          - "traefik.enable=true"
          # Middlewares
          - "traefik.http.middlewares.middleware-basicauth.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password
          # Routes to Dashboard
          - "traefik.http.routers.traefik-secure.entrypoints=websecure"
          - "traefik.http.routers.traefik-secure.rule=Host(`traefik.dev.example.net`)"
          - "traefik.http.routers.traefik-secure.middlewares=middleware-basicauth"
          - "traefik.http.routers.traefik-secure.tls=true"
          - "traefik.http.routers.traefik-secure.tls.certresolver=resolver-lets-encrypt"
          - "traefik.http.routers.traefik-secure.service=api@internal"
          # Routes to Gateways
          # in gateways.toml

    networks:
      internal-network:
      external-network:
        external: true

Cloud server gateways.toml

    [http]
      [http.routers]
        [http.routers.gateway01]
          entryPoints = ["websecure"]
          rule = "Host(`gateway01.dev.example.net`) || Host(`traefik.gateway01.dev.example.net`)"
          service = "gateway01"
        [http.routers.gateway01.tls]
          certresolver = "resolver-lets-encrypt"
          # the domains table must sit under the router it belongs to (was "blog", a copy-paste leftover)
          [[http.routers.gateway01.tls.domains]]
              main = "gateway01.dev.example.net"
              sans = ["*.gateway01.dev.example.net"]


      [http.services]
        # Gateway 01
        [http.services.gateway01]
          [http.services.gateway01.loadBalancer]
            [[http.services.gateway01.loadBalancer.servers]]
              url = "http://10.8.2.5"

Gateway Traefik docker-compose.yml

    version: '3'

    services:
      traefik:
        image: traefik:v2.2.1
        container_name: traefik
        restart: unless-stopped
        security_opt:
          - no-new-privileges:true
        networks:
          - external-network
          - internal-network
        ports:
          - 80:80
          - 443:443
          # Thingsboard
          - 1883:1883
          - 5683:5683/udp
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /root/.containers/traefik/data/acme.json:/acme.json
        command:
          # Global
          - "--global.checkNewVersion=true"
          - "--global.sendAnonymousUsage=false"
          # Logging
          - "--log.level=DEBUG"
          - "--accesslog=true"
          # api
          - "--api=true"
          - "--api.dashboard=true"
          # Entry Points
          - "--entryPoints.web.address=:80"
          - "--entryPoints.websecure.address=:443"
          # Providers
          - "--providers.docker=true"
          - "--providers.docker.endpoint=unix:///var/run/docker.sock"
          - "--providers.docker.exposedbydefault=false"
          # Resolvers
        #   - "--certificatesresolvers.resolver-lets-encrypt.acme.email=admin@example.net"
        #   - "--certificatesresolvers.resolver-lets-encrypt.acme.storage=acme.json"
        #   - "--certificatesresolvers.resolver-lets-encrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        #   - "--certificatesresolvers.resolver-lets-encrypt.acme.tlschallenge=true"

        labels:
          - "traefik.enable=true"
          # Middlewares
          - "traefik.http.middlewares.middleware-basicauth.basicauth.users=user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/" # user/password
          # Routes to Dashboard
          # http
          - "traefik.http.routers.traefik.entrypoints=web"
          - "traefik.http.routers.traefik.rule=Host(`traefik.gateway.dev.example.net`) || (Host(`10.8.2.2`) && Path(`/traefik`)) || (Host(`192.168.1.36`) && Path(`/traefik`))"
          - "traefik.http.routers.traefik.middlewares=middleware-basicauth"
          - "traefik.http.routers.traefik.service=api@internal"
          # https
        #   - "traefik.http.routers.traefik-secure.entrypoints=websecure"
        #   - "traefik.http.routers.traefik-secure.rule=Host(`traefik.gateway.dev.example.net`)"
        #   - "traefik.http.routers.traefik-secure.middlewares=middleware-basicauth"
        #   - "traefik.http.routers.traefik-secure.tls=true"
        #   - "traefik.http.routers.traefik-secure.tls.certresolver=resolver-lets-encrypt"
        #   - "traefik.http.routers.traefik-secure.service=api@internal"


    networks:
      internal-network:
      external-network:
        external: true

Gateway Lighttpd docker-compose.yml

    version: '3'

    services:
      lighttpd:
        image: "sebp/lighttpd"
        container_name: "lighttpd"
        restart: "unless-stopped"
        security_opt:
          - no-new-privileges:true
        networks:
          - traefik_internal-network
        volumes:
          - "/home/gateway/.containers/lighttpd/data/www-data/:/var/www/localhost/htdocs/"
          - "/home/gateway/.containers/lighttpd/data/logs/:/var/log/lighttpd/"
          - "/home/gateway/.containers/lighttpd/data/lighttpd:/etc/lighttpd"
        tty: true
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.lighttpd.entrypoints=web"
          - "traefik.http.routers.lighttpd.rule=Host(`gateway01.dev.example.net`) || Host(`10.8.2.5`) || Host(`192.168.1.36`)"
          - "traefik.http.routers.lighttpd.service=lighttpd"
          - "traefik.http.services.lighttpd.loadbalancer.server.port=80"
          - "traefik.docker.network=traefik_internal-network"

    networks:
      traefik_internal-network:
        external: true

Thanks for any help.
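As an added example (my own code, not from the post above and not part of Traefik), here is a small offline evaluator for Traefik v2 router rules that simulates the two tiers described in the post: the edge router from gateways.toml (rewritten as Docker-style labels for convenience) and the gateway's dashboard and lighttpd routers, transcribed from the compose files. It supports only single-argument Host, Path and PathPrefix matchers combined with ||, && and parentheses; router priority, HostRegexp, TLS and middlewares are out of scope, and the "404 at edge" / "404 at gateway" strings are my own labels, not Traefik output. Run against the posted rules it reports that gateway01.dev.example.net matches a router at both tiers, so the rules as written do not by themselves explain the 404 in the capture, whereas traefik.gateway01.dev.example.net is forwarded by the edge but has no matching router on the gateway (its dashboard router is on traefik.gateway.dev.example.net), which would produce exactly that plain-text 404.

```python
"""Offline matcher for Traefik v2 router rules (Host/Path/PathPrefix, ||, &&, parentheses)."""
import re

# traefik.http.routers.<name>.<key>=<value>, as written in Docker labels
_LABEL_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|entrypoints|service)=(.*)$")
# one token: an operator or parenthesis, or Matcher(`argument`)
_TOKEN_RE = re.compile(r"\s*(?:(\|\||&&|\(|\))|([A-Za-z]+)\(`([^`]*)`\))")


def parse_router_labels(labels):
    """Collect router name -> {rule, entrypoints, service} from label strings."""
    routers = {}
    for label in labels:
        m = _LABEL_RE.match(label)
        if m:
            name, key, value = m.groups()
            routers.setdefault(name, {})[key] = value
    return routers


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule at: {rule[pos:]!r}")
        pos = m.end()
        tokens.append(("op", m.group(1)) if m.group(1) else ("matcher", m.group(2), m.group(3)))
    return tokens


def compile_rule(rule):
    """Recursive-descent compile of a rule into a predicate over {'host': ..., 'path': ...}."""
    tokens, pos = tokenize(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_binary(op, operand, combine):  # left-associative chain of one operator
        nonlocal pos
        left = operand()
        while peek() == ("op", op):
            pos += 1
            left = combine(left, operand())
        return left

    def parse_or():  # || binds weaker than &&, as in Traefik
        return parse_binary("||", parse_and, lambda l, r: lambda q: l(q) or r(q))

    def parse_and():
        return parse_binary("&&", parse_atom, lambda l, r: lambda q: l(q) and r(q))

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok == ("op", "("):
            pos += 1
            inner = parse_or()
            if peek() != ("op", ")"):
                raise ValueError("unbalanced parentheses in rule")
            pos += 1
            return inner
        if tok is None or tok[0] != "matcher":
            raise ValueError(f"unexpected token {tok!r}")
        pos += 1
        kind, arg = tok[1], tok[2]
        if kind == "Host":  # Traefik compares hosts case-insensitively
            return lambda q: q["host"].lower() == arg.lower()
        if kind == "Path":
            return lambda q: q["path"] == arg
        if kind == "PathPrefix":
            return lambda q: q["path"].startswith(arg)
        raise ValueError(f"unsupported matcher {kind}")

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule")
    return pred


def matching_routers(labels, host, path="/", entrypoint=None):
    """Names of routers whose rule matches the request, optionally restricted to one entrypoint."""
    req = {"host": host.split(":")[0], "path": path}  # the Host matcher ignores the port
    hits = []
    for name, cfg in parse_router_labels(labels).items():
        eps = cfg.get("entrypoints", entrypoint or "").split(",")  # unspecified = all entrypoints
        if "rule" not in cfg or (entrypoint and entrypoint not in eps):
            continue
        if compile_rule(cfg["rule"])(req):
            hits.append(name)
    return sorted(hits)


def two_tier_status(edge_labels, gateway_labels, host, path="/"):
    """Simulate edge (websecure) -> gateway (web) and report which tier would answer 404."""
    if not matching_routers(edge_labels, host, path, entrypoint="websecure"):
        return "404 at edge"
    if not matching_routers(gateway_labels, host, path, entrypoint="web"):
        return "404 at gateway"
    return "routed"


# Constructed from the post: the edge router in gateways.toml rewritten as labels,
# plus the gateway's dashboard and lighttpd routers from the compose files.
EDGE_LABELS = [
    "traefik.http.routers.gateway01.entrypoints=websecure",
    "traefik.http.routers.gateway01.rule=Host(`gateway01.dev.example.net`) || Host(`traefik.gateway01.dev.example.net`)",
    "traefik.http.routers.gateway01.service=gateway01",
]
GATEWAY_LABELS = [
    "traefik.http.routers.traefik.entrypoints=web",
    "traefik.http.routers.traefik.rule=Host(`traefik.gateway.dev.example.net`) || (Host(`10.8.2.2`) && Path(`/traefik`)) || (Host(`192.168.1.36`) && Path(`/traefik`))",
    "traefik.http.routers.lighttpd.entrypoints=web",
    "traefik.http.routers.lighttpd.rule=Host(`gateway01.dev.example.net`) || Host(`10.8.2.5`) || Host(`192.168.1.36`)",
]
```

Call two_tier_status(EDGE_LABELS, GATEWAY_LABELS, host) for each hostname you expect to serve, or matching_routers(...) on one tier to list every router a request matches (a request for /traefik with Host 192.168.1.36 matches both gateway routers; Traefik then picks by priority, which this evaluator does not model). Both Traefik and this evaluator route on the Host header only: the X-Forwarded-* headers seen in the capture take no part in matching, and on the gateway's web entrypoint they should only be trusted from the edge's VPN address, e.g. --entryPoints.web.forwardedHeaders.trustedIPs=10.8.2.1/32 (a setting not in the posted config; 10.8.2.1 is the source address in the capture).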