Running Traefik and Nginx Proxy Manager on the same Server

I'm looking for a way to run Traefik and Nginx side by side. I know I can't have both listening on the same ports 80/443. Is it possible to forward any request on 80/443 that is not configured in Traefik to be sent to 88/444 where Nginx Proxy Manager will be listening for them.

For example my use case is I have all my docker-compose containers using Traefik and SSL and on my other server I have Nginx accessing backend web services over a VPN and providing SSL etc. I want to move everything on the same server and just hit this road block.

The main reason I use Nginx Proxy Manger is I can easily use the GUI to dynamically setup new connections to any new VPN connections etc without having to access the server etc

Is there a GUI or anything coming for traefik, I know there's the dashboard but can't make any new routes/services etc or edit anything.

Hello @mrea , it's possible to declare a catch-all rule with low priority that would work as a fallback to antyhing that doesnt match any other router in Traefik, this is how it would look like with a File provider just for reference:

http:
  routers:
    to-nginx:
      rule: "HostRegexp(`{domain:.+}`)"
      #you must declare this service to point out to the actual address of nginx
      service: nginx
      priority: 1

And you're right as the Traefik Proxy Dashboard does not provide writable elements at the moment, you can do so using the HTTP provider, but it means you'll have to script / automate it yourself.

Hi @douglasdtm , I'm pretty new to Traefik and have read through the docs but still not very clear. Would you have an example how this would be done in a Traefik docker compose file?

Does it matter what ports Nginx Proxy Manager is listening on?

Thanks

Here is an example docker-compose with OSS nginx

version: '3'

networks:
  traefik:

services:
  nginx:    
    image: nginx
    environment:
      - NGINX_HOST=nginx.docker.localhost
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.nginx.entrypoints=web"
      - "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
      - "traefik.http.routers.nginx.priority=1"
      - "traefik.http.routers.nginx.service=nginx"
      - "traefik.http.services.nginx.loadbalancer.server.port=80"
    networks:
      - traefik

  traefik:
    image: "traefik:v2.8"  
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.entrypoints=web"
      - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
      - "traefik.http.routers.api.service=api@internal"
    command:
      - --providers.docker
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.web.forwardedHeaders.insecure
      - --api.dashboard=true
      - --log.level=DEBUG
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik

It really doesn't matter what port nginx is listening on but you need to inform Traefik through the service label as seen in he example.

Thanks for the update @douglasdtm I have put my config below as I'm not sure how to integrate it without stuffing up all the other stuff running.

Here is the Nginx Proxy Manager Labels:

   labels:
    #Reverse Proxy SSL
     - "traefik.enable=true"
     - "traefik.http.routers.nginx.rule=Host(`nginx.xx.xxxx.com`)"
     - "traefik.http.routers.nginx.entrypoints=websecure"
     - "traefik.http.routers.nginx.tls=true"
     - "traefik.http.routers.nginx.tls.certresolver=http"
     - "traefik.http.routers.nginx.service=nginxService"
     - "traefik.http.services.nginxService.loadBalancer.server.port=81"
    #Proxy Network
     - "traefik.docker.network=proxy"

    networks:
     - proxy

Here is my Traefik Docker Compose:

version: "3.4"

services:
   traefik:
    image: traefik:v2.6
    container_name: traefik
    command:
      - "--entrypoints.web.address=:80"
      - "--api"
      - "--api.dashboard=true"
      - "--certificatesresolvers.http.acme.email=admin@xxxx.com"
      - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.http.acme.tlschallenge=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=http"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--serverstransport.insecureskipverify=true"
    restart: always
    networks:
      proxy:
        ipv4_address: 172.25.0.250
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
    ports:
      - "80:80"
      - "443:443"
    labels:
      - "traefik.enable=true"
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.xx.xxxx.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      #- "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=http"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.middlewares=authtraefik"
      - "traefik.http.middlewares.authtraefik.basicauth.users=user:xxxxxxxxxxxxxx" # user/password
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

volumes:
  traefik_certs: {}

networks:
  proxy:
    name: proxy
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.25.0.0/16
        - gateway: 172.25.0.1

Is it just the matter of adding these lines to the Nginx Labels?

- "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx.priority=1"

And then the API and Comand to my Traefik config?

- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
- "traefik.http.routers.api.service=api@internal"

command:
--entryPoints.web.forwardedHeaders.insecure

Thanks!

Hello again,

Yes, just replacing your nginx Host rule with the HostRegexp plus the priority should do the trick.

About the API I just added it to my example because it is nice to have the Traefik Dashboard available somewhere, but this is not a requirement at all!

Hi @douglasdtm I still can't get this working correctly. Here is the config I'm trying to use:

labels:
    #Reverse Proxy SSL
     - "traefik.enable=true"
     #- "traefik.http.routers.nginx.rule=Host(`nginx.xxx.xxxx.com`)"
     - "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
     - "traefik.http.routers.nginx.priority=1"
     - "traefik.http.routers.nginx.entrypoints=websecure"
     #- "traefik.http.routers.nginx.entrypoints=web"
     - "traefik.http.routers.nginx.middlewares=redirect-to-https"
     - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
     - "traefik.http.routers.nginx.tls=true"
     - "traefik.http.routers.nginx.tls.certresolver=http"
     - "traefik.http.routers.nginx.service=nginxService"
     - "traefik.http.services.nginxService.loadBalancer.server.port=81"
    #Proxy Network
     - "traefik.docker.network=proxy"

If I uncomment web and make websecure a comment I just get 404 and can't access my Nginx Proxy Dasboard, even with the https redirects.

Port 81 is my Dashboard port, would this be causing a conflict? My ports are mapped 444 - 443 and 80 - 88 via docker compose.

I still need Traefik to manage the nginx.xxx.xxxx.com host and ssl and redirect to my dashboard as well as doing the catch all on everything else.

Maybe I have the naming wrong, I have been trying to work my way through DOCs to get this going, but just not getting anywhere close

Thanks!

I think I'm almost there... The request are now reaching Nginx Proxy Manager, here is my latest config, hopefully it helps someone in the future.

#Reverse Proxy SSL for Nginx Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.xx.xxxx.com`)"
      - "traefik.http.routers.nginx.entrypoints=websecure"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.certresolver=http"
      - "traefik.http.routers.nginx.service=nginxService"
      - "traefik.http.services.nginxService.loadBalancer.server.port=81"
      #Catch all traffic on Port 80 for Nginx Proxy Manager
      - "traefik.http.routers.nginx1.rule=HostRegexp(`{domain:.+}`)"
      - "traefik.http.routers.nginx1.priority=1"
      - "traefik.http.routers.nginx1.entrypoints=web"
      - "traefik.http.routers.nginx1.service=nginxService1"
      - "traefik.http.services.nginxService1.loadBalancer.server.port=80"
      #Catch all traffic on Port 443 for Nginx Proxy Manager
      - "traefik.http.routers.nginx2.rule=HostRegexp(`{domain:.+}`)"
      - "traefik.http.routers.nginx2.priority=2"
      - "traefik.http.routers.nginx2.entrypoints=websecure"
      - "traefik.http.routers.nginx2.service=nginxService2"
      - "traefik.http.services.nginxService2.loadBalancer.server.port=443"
      #Proxy Network
      - "traefik.docker.network=proxy"

The problem I'm having is the SSL certs are not working via Nginx Proxy Manager since Traefik assigns it's own default cert. So Nginx just returns:

400 Bad Request
The plain HTTP request was sent to HTTPS port

When I check the cert it's the TRAEFIK DEFAULT CERT how can I stop Traefik from assigning the default cert, so Nginx Let's Encrypt Cert get's used instead.

Thanks