Hi all!
I have a simple (?) architecture question I’d like to get your advice on before moving forward: for a simple home setup, I have two machines, each with a dedicated Docker (and Traefik) running, and each with its own separate services deployed in Docker.
I’d like for all these services to be accessible via internet using traefik reverse proxy, with one subdomain per service. I had previously done this with only one machine. Simple enough. But what would be a correct architecture to do the same thing with two machines?
My initial (albeit probably naive) idea was to have a cascading approach: one machine (X) in the front, with ports 80 and 443 reachable from the internet, and one (Y) in the back. Every request comes through X; Traefik on X checks whether it has a service deployed that matches the requested subdomain. If not, a rule on X would forward the request to Y, where the second Traefik on Y would continue the resolution. In this scenario, each machine would be responsible for its own TLS decryption, Let's Encrypt challenges and so on.
My question is, does this work, supposing I have the correct forwarding rule set on X? Or will this be a reverse-proxy mess… Should I look into this or follow a totally different path?
Thanks for your help!
Hi @chatelp
Thank you for your interest in Traefik!
This is a quite typical scenario where there is more than one Traefik instance inside the environment. Traefik also supports a multi-layer Traefik installation, where a request can be forwarded to other Traefik proxies. The feature is available as the Traefik Provider, so you can have a look at how it is designed.
Regarding the example you have described, I would just try to implement it and then share the results with a diagram that explains your infrastructure in detail.
However, please note that if Traefik does not find a matching rule for an incoming request it will return a 404, so maybe you should have a look at HostRegexp and try to find a pattern.
Let us know the progress with that implementation.
Thanks,
I'm checking the Traefik Provider link you supplied and I'm having a difficult time understanding what API key to use when linking both traefik instances to each other.
Is this system generated somehow or operator supplied by creating my own api/hash key?
Additionally, this looks to be locked behind TraefikHub Enterprise.
Is there a way to do this locally at all?
The traffic flow I'm looking to present is very similar to the graphic on the supplied page:
Internet --> TraefikInstance1 (External DMZ) --> TraefikInstance2 (Internal LAN) --> Target Service/Application.
I previously had two separate Traefiks working independently, pointing to a target service on a third device, but I've recently moved my internal Traefik instance to the same device that is hosting said service, and proxying traffic between them is now broken. I suspect this is due to the current topology I've migrated towards.
Please don’t hijack many-year-old posts; create a new one instead.
The main challenge is usually TLS, can you use a wildcard and use non-encrypted connections internally?
I felt my post was still relevant to the parent topic.
Is the API locked behind Enterprise, or can I create my own API key and secret?
Both instances have wildcard certs with non-encrypted allowed:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          permanent: true
          to: websecure
          scheme: https
          priority: 1000
  websecure:
    address: ":443"
    proxyProtocol:
      insecure: true
    http:
      tls:
        options: default
        certResolver: letsEncrypt
        domains:
          - main: "mydomain.net"
            sans:
              - "*.mydomain.net"
```
Officially connecting 2 Traefik instances seems to be possible with an enterprise subscription.
Of course you can set one Traefik instance to proxy/forward all requests to another.
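The forwarding rule chatelp asks about, as an added example (not configuration from this thread or from Traefik's own docs): machine X terminates TLS with the wildcard and hands every subdomain it has no router of its own for to Y over plain HTTP, the wildcard-plus-unencrypted-internally setup suggested above, instead of answering 404. Assumed: Traefik v2, the file provider, placeholder LAN addresses 10.0.0.1 (X) and 10.0.0.2 (Y), a placeholder service on X called local-app, and the certResolver name letsEncrypt from the posted static config.

```yaml
# --- Machine X: dynamic configuration (file provider), assumed setup ---
# X holds the *.mydomain.net wildcard (certResolver "letsEncrypt" from the
# posted static config) and terminates TLS for everything. Y is reachable
# only from X, at the placeholder LAN address 10.0.0.2.
http:
  routers:
    local-app:                        # placeholder service deployed on X itself
      rule: "Host(`app.mydomain.net`)"
      entryPoints: ["websecure"]
      tls: { certResolver: letsEncrypt }
      service: local-app
    to-machine-y:                     # catch-all for every other subdomain
      # Traefik v2 HostRegexp syntax. The default router priority is the
      # length of the rule, which would let this longer rule outrank the
      # specific Host() rules above, so it is pinned to the lowest priority.
      rule: "HostRegexp(`{sub:[a-z0-9-]+}.mydomain.net`)"
      entryPoints: ["websecure"]
      priority: 1
      tls: { certResolver: letsEncrypt }
      service: machine-y
  services:
    local-app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # placeholder
    machine-y:
      loadBalancer:
        passHostHeader: true               # Y keeps routing by subdomain
        servers:
          - url: "http://10.0.0.2:8081"    # Y's internal, plain-HTTP entrypoint

---
# --- Machine Y: static configuration (entryPoints section), assumed setup ---
# The posted "web" entrypoint redirects to HTTPS, which would bounce X's
# plain-HTTP forward back out to the internet, so Y gets a dedicated
# entrypoint that only X can reach (firewall 8081 to X's address) and whose
# X-Forwarded-* headers are trusted only when they come from X. Y's own
# routers then list entryPoints: ["internal"].
entryPoints:
  internal:
    address: ":8081"
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.1/32"    # placeholder: machine X
```

Requests for subdomains X serves itself never reach Y, while anything else arrives at Y with its original Host header, so Y's existing Host() routers keep working unchanged.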