Simple architecture: Two traefiks - One front, one back, each mapped to different services

Hi all!

I have a simple (?) architecture question I’d like to get your advice on, before moving forward: for a simple home setup, I have two machines, each having a dedicated Docker (and traefik) running. Each with its own separated services deployed in docker.

I’d like for all these services to be accessible via internet using traefik reverse proxy, with one subdomain per service. I had previously done this with only one machine. Simple enough. But what would be a correct architecture to do the same thing with two machines?

My initial (albeit probably naive) idea was to have a cascading approach: with one machine (X) in the front, with ports 80 and 443 available through the internet, and one (Y) in the back. Every request comes through X, traefik on X looks if it has a service deployed and matching the requested subdomain. If not, then there would be a rule on X forwarding the request to Y, where the second traefik on Y would continue the resolve. In this scenario, each machine would be responsible for its own TLS decrypts and lets encrypt challenges and so on.

My question is, does this work? Supposing I have the correct forwarding rule set in X. Or will this be a reverse-proxy mess… Should I look into this or follow a totally different path?

Thanks for your help!

Hi @chatelp

Thank you for your interest in Traefik!

This is a quite typical scenario where there is more than one Traefk instance inside the environment. Traefik also supports multi-layer Traefik installation when a request can be forwarded to another Traefik Proxies. The feature is available as Traefik Provider so you can have a look at how it is designed.

Regarding the example you have described, I would just try to implement it and then share the results with a diagram that explains your infrastructure in detail.
However, please note if Traefik will not find a matching rule for the incoming requests it will throw 404, so maybe you should have a look on HostRegexp and try to find any pattern.

Let us know what is the progress with that implementation.