mrea
August 29, 2022, 1:33am
1
I'm looking for a way to run Traefik and Nginx side by side. I know I can't have both listening on the same ports 80/443. Is it possible to forward any request on 80/443 that is not configured in Traefik to be sent to 88/444 where Nginx Proxy Manager will be listening for them.
For example my use case is I have all my docker-compose containers using Traefik and SSL and on my other server I have Nginx accessing backend web services over a VPN and providing SSL etc. I want to move everything on the same server and just hit this road block.
The main reason I use Nginx Proxy Manger is I can easily use the GUI to dynamically setup new connections to any new VPN connections etc without having to access the server etc
Is there a GUI or anything coming for traefik, I know there's the dashboard but can't make any new routes/services etc or edit anything.
1 Like
Hello @mrea , it's possible to declare a catch-all rule with low priority that would work as a fallback to antyhing that doesnt match any other router in Traefik, this is how it would look like with a File provider just for reference:
http:
routers:
to-nginx:
rule: "HostRegexp(`{domain:.+}`)"
#you must declare this service to point out to the actual address of nginx
service: nginx
priority: 1
And you're right as the Traefik Proxy Dashboard does not provide writable elements at the moment, you can do so using the HTTP provider , but it means you'll have to script / automate it yourself.
mrea
September 2, 2022, 8:08pm
3
Hi @douglasdtm , I'm pretty new to Traefik and have read through the docs but still not very clear. Would you have an example how this would be done in a Traefik docker compose file?
Does it matter what ports Nginx Proxy Manager is listening on?
Thanks
Here is an example docker-compose with OSS nginx
version: '3'
networks:
traefik:
services:
nginx:
image: nginx
environment:
- NGINX_HOST=nginx.docker.localhost
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.nginx.entrypoints=web"
- "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx.priority=1"
- "traefik.http.routers.nginx.service=nginx"
- "traefik.http.services.nginx.loadbalancer.server.port=80"
networks:
- traefik
traefik:
image: "traefik:v2.8"
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
- "traefik.http.routers.api.service=api@internal"
command:
- --providers.docker
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443
- --entryPoints.web.forwardedHeaders.insecure
- --api.dashboard=true
- --log.level=DEBUG
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "80:80"
- "443:443"
networks:
- traefik
It really doesn't matter what port nginx is listening on but you need to inform Traefik through the service label as seen in he example.
mrea
September 12, 2022, 9:13pm
5
Thanks for the update @douglasdtm I have put my config below as I'm not sure how to integrate it without stuffing up all the other stuff running.
Here is the Nginx Proxy Manager Labels:
labels:
#Reverse Proxy SSL
- "traefik.enable=true"
- "traefik.http.routers.nginx.rule=Host(`nginx.xx.xxxx.com`)"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.tls=true"
- "traefik.http.routers.nginx.tls.certresolver=http"
- "traefik.http.routers.nginx.service=nginxService"
- "traefik.http.services.nginxService.loadBalancer.server.port=81"
#Proxy Network
- "traefik.docker.network=proxy"
networks:
- proxy
Here is my Traefik Docker Compose:
version: "3.4"
services:
traefik:
image: traefik:v2.6
container_name: traefik
command:
- "--entrypoints.web.address=:80"
- "--api"
- "--api.dashboard=true"
- "--certificatesresolvers.http.acme.email=admin@xxxx.com"
- "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.http.acme.tlschallenge=true"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.websecure.http.tls.certResolver=http"
- "--log.level=INFO"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--serverstransport.insecureskipverify=true"
restart: always
networks:
proxy:
ipv4_address: 172.25.0.250
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik_certs:/letsencrypt
ports:
- "80:80"
- "443:443"
labels:
- "traefik.enable=true"
# Dashboard
- "traefik.http.routers.traefik.rule=Host(`traefik.xx.xxxx.com`)"
- "traefik.http.routers.traefik.service=api@internal"
#- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=http"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.middlewares=authtraefik"
- "traefik.http.middlewares.authtraefik.basicauth.users=user:xxxxxxxxxxxxxx" # user/password
# global redirect to https
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
volumes:
traefik_certs: {}
networks:
proxy:
name: proxy
driver: bridge
ipam:
driver: default
config:
- subnet: 172.25.0.0/16
- gateway: 172.25.0.1
Is it just the matter of adding these lines to the Nginx Labels?
- "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx.priority=1"
And then the API and Comand to my Traefik config?
- "traefik.http.routers.api.entrypoints=web"
- "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
- "traefik.http.routers.api.service=api@internal"
command:
--entryPoints.web.forwardedHeaders.insecure
Thanks!
Hello again,
Yes, just replacing your nginx Host rule with the HostRegexp plus the priority should do the trick.
About the API I just added it to my example because it is nice to have the Traefik Dashboard available somewhere, but this is not a requirement at all!
mrea
September 20, 2022, 3:21am
7
Hi @douglasdtm I still can't get this working correctly. Here is the config I'm trying to use:
labels:
#Reverse Proxy SSL
- "traefik.enable=true"
#- "traefik.http.routers.nginx.rule=Host(`nginx.xxx.xxxx.com`)"
- "traefik.http.routers.nginx.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx.priority=1"
- "traefik.http.routers.nginx.entrypoints=websecure"
#- "traefik.http.routers.nginx.entrypoints=web"
- "traefik.http.routers.nginx.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.nginx.tls=true"
- "traefik.http.routers.nginx.tls.certresolver=http"
- "traefik.http.routers.nginx.service=nginxService"
- "traefik.http.services.nginxService.loadBalancer.server.port=81"
#Proxy Network
- "traefik.docker.network=proxy"
If I uncomment web and make websecure a comment I just get 404 and can't access my Nginx Proxy Dasboard, even with the https redirects.
Port 81 is my Dashboard port, would this be causing a conflict? My ports are mapped 444 - 443 and 80 - 88 via docker compose.
I still need Traefik to manage the nginx.xxx.xxxx.com host and ssl and redirect to my dashboard as well as doing the catch all on everything else.
Maybe I have the naming wrong, I have been trying to work my way through DOCs to get this going, but just not getting anywhere close
Thanks!
mrea
September 20, 2022, 11:02am
8
I think I'm almost there... The request are now reaching Nginx Proxy Manager, here is my latest config, hopefully it helps someone in the future.
#Reverse Proxy SSL for Nginx Dashboard
- "traefik.enable=true"
- "traefik.http.routers.nginx.rule=Host(`nginx.xx.xxxx.com`)"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.tls=true"
- "traefik.http.routers.nginx.tls.certresolver=http"
- "traefik.http.routers.nginx.service=nginxService"
- "traefik.http.services.nginxService.loadBalancer.server.port=81"
#Catch all traffic on Port 80 for Nginx Proxy Manager
- "traefik.http.routers.nginx1.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx1.priority=1"
- "traefik.http.routers.nginx1.entrypoints=web"
- "traefik.http.routers.nginx1.service=nginxService1"
- "traefik.http.services.nginxService1.loadBalancer.server.port=80"
#Catch all traffic on Port 443 for Nginx Proxy Manager
- "traefik.http.routers.nginx2.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx2.priority=2"
- "traefik.http.routers.nginx2.entrypoints=websecure"
- "traefik.http.routers.nginx2.service=nginxService2"
- "traefik.http.services.nginxService2.loadBalancer.server.port=443"
#Proxy Network
- "traefik.docker.network=proxy"
The problem I'm having is the SSL certs are not working via Nginx Proxy Manager since Traefik assigns it's own default cert. So Nginx just returns:
400 Bad Request
When I check the cert it's the TRAEFIK DEFAULT CERT how can I stop Traefik from assigning the default cert, so Nginx Let's Encrypt Cert get's used instead.
Thanks
yhegazy
February 25, 2023, 5:41pm
9
Hello! I had this exact issue with Traefik and Nginx Proxy Manager. I am not sure how you resolved your issue (if you have), the way I resolved it was to get Nginx Proxy Manager working first, then Traefik. In my case, I am running a website with appwrite as the backend. I hope this helps.
Hello again,
The last question around TLS is clearly a technical decision that should be based on your requirements and use case specifics, it is where do you want to terminate your TLS connections.
Traefik is serving its default certificate because its configured to terminate the TLS connection on incoming https requests by default. If Traefik is not the one responsible for that and will not hold the certificates you should setup a TLS passthrough on the router configuration.
That means Traefik will just forward everything to the backend which should be responsible for establishing the TLS connections (handle the handshake, present the certificate etc)
On the other hand if you prefer to leave that to Traefik since it would be the public facing proxy you should then either add the necessary TLS certificates to it or set up its ACME integration to generate certificates automatically for you.
There is a third option as well, which is to terminate TLS on Traefik and then establish another TLS connection to Nginx if its only listening on HTTPS, in this case the configuration is more complex but the idea is the same. Traefik need to have all public certificates to terminate connections based on your routers matching rules, then it also need to trust Nginx HTTPS certificate if that one is self generated and this part would be configured under the servers transport options .
I hope this is helpful and does not cause more confusion
AnK
July 12, 2023, 1:05pm
11
Hi,
did you managed to get this entire thing with SSL working?
Thx
sudoshi
December 5, 2023, 12:11pm
12
Did this work out for you? I am in a similar situation right now. Any guidance would be appreciated!
Either you chain Traefik and Nginx Proxy Manager and/or let one create TLS/SSL certs and share them with the other. What do you want to achieve?
sudoshi
December 5, 2023, 5:45pm
14
I would like to have Traefik manage the SSL, and am trying to understand how to share that with nginx. This is related to the project I have underway, described in this post:Running Traefik and Nginx Proxy Manager on the same Server - #13 by bluepuma77
Ultimately, I would like to learn how one traefik instance can RP for multiple stacks. One of which already has an nginx RP instance.
So Traefik should be the first point of contact and create the TLS certs.
Do you want Traefik to Nginx also use TLS?
Can Nginx create a custom TLS cert by itself? Then you can use insecureSkipVerify.
Alternatively you need to export the LE cert from Traefik and use it with Nginx (tool )
Do you want Traefik to do Configuration Discovery?
Use providers.docker and place labels on Nginx
If not, do manual config with providers.file and a dynamic config file
sudoshi
December 6, 2023, 9:57pm
16
I don't need tls between traefik and nginx.
Here is the stack with nginx as the RP (I tried to implement the labels as you suggested?):
version: '3.9'
services:
web:
image: perseushub/web:latest
build: ./nginx
container_name: web
expose:
- "80"
labels:
labels:
- "traefik.enable=true"
#Catch all traffic on Port 80 for Nginx Proxy Manager
- "traefik.http.routers.nginx1.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx1.priority=1"
- "traefik.http.routers.nginx1.entrypoints=web"
- "traefik.http.routers.nginx1.service=nginxService1"
- "traefik.http.services.nginxService1.loadBalancer.server.port=80"
#Catch all traffic on Port 443 for Nginx Proxy Manager
- "traefik.http.routers.nginx2.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx2.priority=2"
- "traefik.http.routers.nginx2.entrypoints=websecure"
- "traefik.http.routers.nginx2.service=nginxService2"
- "traefik.http.services.nginxService2.loadBalancer.server.port=443"
- "traefik.docker.network=perseus_default"
shareddb:
image: perseushub/shareddb:latest
build: ./shared-db
container_name: shareddb
volumes:
- shareddb:/data/postgres
expose:
- "5432"
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
files-manager:
image: perseushub/files-manager:latest
build: ./files-manager
container_name: files-manager
expose:
- "10500"
environment:
- SPRING_PROFILES_ACTIVE=docker
depends_on:
- shareddb
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
user:
image: perseushub/user:latest
build: ./user
container_name: user
environment:
USER_ENV: Docker
env_file:
- user/user-envs.txt
expose:
- "5001"
depends_on:
- shareddb
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
backend:
image: perseushub/backend:latest
build: ./perseus-api
container_name: backend
environment:
PERSEUS_ENV: Docker
expose:
- "5004"
depends_on:
- shareddb
- files-manager
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
frontend:
image: perseushub/frontend:latest
build:
context: ./UI
args:
env: prod
container_name:
frontend
expose:
- "4200"
labels:
- "traefik.enable=true"
- "traefik.http.routers.web.rule=Host(`perseus.acumenus.net`)"
- "traefik.http.routers.web.entrypoints=websecure"
- "traefik.http.routers.web.tls.certresolver=myresolver"
- "traefik.http.services.web.loadbalancer.server.port=4200"
#Proxy Network
- "traefik.docker.network=perseus_default"
white-rabbit:
image: perseushub/white-rabbit:latest
build: ../WhiteRabbit
container_name:
white-rabbit
expose:
- "8000"
environment:
- SPRING_PROFILES_ACTIVE=docker
depends_on:
- shareddb
- files-manager
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
vocabularydb:
image: perseushub/vocabularydb:latest
build: ./vocabulary-db
container_name: vocabularydb
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "vocabulary", "-U", "admin" ]
timeout: 60s
interval: 30s
retries: 10
volumes:
- vocabularydb:/data/postgres
ports:
- "5431:5432"
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
cdm-builder:
image: perseushub/cdm-builder:latest
build: ../ETL-CDMBuilder
container_name:
cdm-builder
expose:
- "9000"
environment:
- ASPNETCORE_ENVIRONMENT=Docker
depends_on:
- shareddb
- files-manager
- vocabularydb
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
solr:
image: perseushub/solr:latest
build: ./solr
container_name: solr
expose:
- "8983"
volumes:
- solr:/var/solr
depends_on:
- vocabularydb
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
athena:
image: perseushub/athena:latest
build: ./athena-api
container_name: athena
environment:
- ATHENA_ENV=Docker
expose:
- "5002"
depends_on:
- solr
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
usagi:
image: perseushub/usagi:latest
build: ./usagi-api
command: python /app/main.py
container_name: usagi
environment:
USAGI_ENV: Docker
expose:
- "5003"
depends_on:
- shareddb
- solr
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
r-serve:
image: perseushub/r-serve:latest
build:
context: ../DataQualityDashboard/R
args:
prop: docker
container_name:
r-serve
expose:
- "6311"
depends_on:
- shareddb
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
data-quality-dashboard:
image: perseushub/data-quality-dashboard:latest
build:
context: ../DataQualityDashboard
container_name:
data-quality-dashboard
expose:
- "8001"
environment:
- SPRING_PROFILES_ACTIVE=docker
depends_on:
- shareddb
- files-manager
- r-serve
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
swagger:
image: perseushub/swagger:latest
build: ./swagger-ui
container_name: swagger
expose:
- "8080"
labels:
- "traefik.enable=true"
#Proxy Network
- "traefik.docker.network=perseus_default"
networks:
traefik_proxy:
perseus_default:
volumes:
shareddb:
vocabularydb:
solr:
Yes, Traefik is the first point of contact (dev.acumenus.net ) and it should send traffic to (perseus.acumenus.net ), which is above.
Here is the traefik stack that I intend to be the main RP controller for all the various other stacks:
version: '3.8'
services:
traefik:
image: "docker.io/library/traefik:v2.10.5"
container_name: "traefik2"
restart: "always"
command:
- "--api.insecure=false"
- "--providers.docker=true"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.myresolver.acme.email=sudoshi@mac.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
ports:
- "80:80"
- "443:443"
volumes:
- "/letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/portainer/Files/AppData/Config/traefik/config.yml:/etc/traefik/config.yml:ro"
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.acumenus.net`)"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
- "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth"
- "traefik.http.middlewares.dashboard-auth.basicauth.users=acumenus:$$apr1$$dNpOAWgT$$.1LJts2Nk6fdwFqJXIgWi0"
networks:
- traefik-proxy
heimdall:
image: "linuxserver/heimdall:latest"
container_name: "heimdall"
restart: "always"
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York # Replace with your timezone
- APP_NAME=Parthenon
volumes:
- "/portainer/Files/AppData/Config/Heimdall:/config"
- "/portainer/Files/AppData/Config/Heimdall/favicons/favicon-16x16.png:/var/www/localhost/heimdall/public/favicon-16x16.png"
- "/portainer/Files/AppData/Config/Heimdall/favicons/favicon-32x32.png:/var/www/localhost/heimdall/public/favicon-32x32.png"
- "/portainer/Files/AppData/Config/Heimdall/favicons/favicon.ico:/var/www/localhost/heimdall/public/favicon.ico"
labels:
- "traefik.enable=true"
- "traefik.http.routers.heimdall.rule=Host(`dev.acumenus.net`)"
- "traefik.http.routers.heimdall.entrypoints=websecure"
- "traefik.http.routers.heimdall.tls.certresolver=myresolver"
- "traefik.http.routers.heimdall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
- "traefik.http.services.heimdall.loadbalancer.server.port=80"
networks:
- traefik-proxy
networks:
traefik-proxy:
external: true
driver: overlay
attachable: true
At this point I'm getting a "Gateway Timed Out" error.
sudoshi
December 6, 2023, 10:22pm
17
Forgot to add config.yml:
tls:
stores:
default:
defaultCertificate:
certFile: etc/certs/cert1.pem
keyFile: etc/certs/privkey1.pem
serversTransport:
insecureSkipVerify: true
Traefik and Nginx need to share the same Docker network for this to work.
- "traefik.docker.network=perseus_default"
And this should probably be changed to port 80 from 443. Incoming requests on Traefik websecure port 443 should be forwarded to Nginx port 80.
- "traefik.http.routers.nginx2.rule=HostRegexp(`{domain:.+}`)"
- "traefik.http.routers.nginx2.priority=2"
- "traefik.http.routers.nginx2.entrypoints=websecure"
- "traefik.http.routers.nginx2.service=nginxService2"
- "traefik.http.services.nginxService2.loadBalancer.server.port=443"
1 Like
sudoshi
December 7, 2023, 3:17am
19
Tried everything you suggested, no joy. At this point I think it is a waste of time to get nginx to play ball. It isn't doing anything complicated in the perseus stack. I think it is better to replace it with traefik entirely?
Here is the nginx default.conf:
server {
listen 80;
listen [::]:80;
server_name _;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:4200;
# proxy_pass http://host.docker.internal:4200;
}
location /backend {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:5004;
}
location /user {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:5001;
}
location /user/api/is_token_valid_internal {
if ($request_uri ~ .*\/api\/info$) {
return 200;
}
if ($request_method = 'OPTIONS') {
return 200;
}
internal;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_pass http://172.17.0.1:5001;
proxy_cache token_responses;
proxy_cache_key $http_Authorization;
proxy_cache_lock on;
proxy_cache_valid 200 300s;
proxy_cache_use_stale error timeout;
}
location /white-rabbit {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:8000;
}
location /cdm-builder {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:9000;
}
location /data-quality-dashboard/api {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:8001;
}
location /data-quality-dashboard {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:8001;
}
location /athena {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:5002;
}
location /solr {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:8983;
#include /etc/nginx/whitelist.conf;
}
location /usagi {
auth_request /user/api/is_token_valid_internal;
auth_request_set $username $upstream_http_Username;
proxy_set_header Username $username;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:5003;
}
location /swagger {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://172.17.0.1:8080;
}
}
Is there a way we can replace the mess above with a traefik config.yml that looks like this and replaces nginx entirely?:
# Traefik v2
http:
routers:
web:
rule: "Host(`perseus.acumenus.net`)"
service: frontend
entryPoints:
- websecure
tls:
certResolver: le
frontend:
service: frontend
user:
service: user
backend:
service: backend
files-manager:
service: files-manager
white-rabbit:
service: white-rabbit
swagger:
service: swagger
#...remaining services
services:
frontend:
loadBalancer:
servers:
- url: http://frontend:4200
user:
loadBalancer:
servers:
- url: http://user:5001
backend:
loadBalancer:
servers:
- url: http://backend:5004
files-manager:
loadBalancer:
servers:
- url: http://files-manager:10500
white-rabbit:
loadBalancer:
servers:
- url: http://white-rabbit:8000
swagger:
loadBalancer:
servers:
- url: http://swagger:8080
# ... remaining services
middlewares:
https-redirect:
redirectScheme:
scheme: https
permanent: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
The most basic request proxying with Traefik works with a router and a service. Every router should have a rule to be able to match a request and a target service assigned.
If you leave out entrypoints, the router will listen to all available. But you can do a global redirect on entrypoints from http to https, then it doesn’t really matter. You can also assign TLS only once globally on entrypoint.
It’s all in the simple Traefik example .
Minimum Traefik dynamic config file:
http:
routers:
web:
rule: "Host(`perseus.acumenus.net`)"
service: frontend
services:
frontend:
loadBalancer:
servers:
- url: http://frontend:4200
The usual forward headers are set automatically by Traefik.
1 Like
