I think my post might be closely related to Traefik Setup w/ 1 Service and multiple Domains (different TLDs) + SSL / TLS - #5 by clovisd and is also posted on the cloudflare community board at https://community.cloudflare.com/t/multiple-domains-to-same-public-ipv4-managed-by-traefik/647650.
I have a traefik setup behind my public IPv4 that redirects to a number of services. This works perfectly fine for one domain, whether I redirect to a service on the same host or to another service within my LAN. The DNS setup has one proxied A record with the name domain1_com pointing to my public IPv4 and then a number of subdomains as CNAME records pointing to domain1_com.

The problem arises when I add a second domain to my traefik stack. This domain2_com also has a proxied A record pointing to my public IPv4 and currently un-proxied CNAME records for the subdomains pointing to domain2_com. SSL certs are valid and automatically generated by traefik; even the CNAMEs are added automatically and work fine. I want to also enable the proxy on the CNAME records, but as soon as I do this, I get redirected to domain1_com instead of my specific subdomain. As soon as I enable the proxy on the CNAME records, nothing ends up in my traefik logs (probably due to caching of the original domain1_com?).
Pardon my weird formatting, much of the stuff in this text was considered a link… This is my traefik docker-compose service definition:
```yaml
services:
  traefik:
    <<: *common-keys-core # anchor defined at the top of the compose file: adds a restart policy and security_opt no-new-privileges:true
    image: traefik:v2.11
    container_name: traefik
    command:
      - --log.level=DEBUG
      - --global.sendAnonymousUsage=false
      - --api.dashboard=true
      - --api=true
      - --api.insecure=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=websrv
      - --serversTransport.insecureSkipVerify=true
      # Two distinct entrypoints: "web" on :80 (used by the HTTP-to-HTTPS catchall router) and "websecure" on :443.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # attempts to route pihole dns
      # - --entrypoints.dns.address=:53/tcp
      # - --entrypoints.dns-udp.address=:53/udp
      # TLS options and trusted forwarded-header sources apply to the HTTPS entrypoint, which is named "websecure" above.
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      - --certificatesresolvers.dns-cloudflare.acme.email=$ACME_EMAIL
      - --certificatesresolvers.dns-cloudflare.acme.storage=/letsencrypt/acme.json
    ports:
      - "1423:80"
      - "8443:443"
      - "8080:8080"
      # attempts to route pihole dns
      # - 53:53/udp
      # - 53:53/tcp
    dns:
      - $CLOUDFLAREDNS
      - $PRIMARYDNS
      - $SECONDARYDNS
    volumes:
      - $DATADIR/letsencrypt:/letsencrypt
      - $DATADIR/traefik_rules:/rules
      - $DATADIR/traefik_certs:/certs:ro
      - $LOGDIR:/logs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=$TZ
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
    networks:
      websrv:
        ipv4_address: 10.10.10.254
      isolated:
        ipv4_address: 10.20.30.254
      proxies:
        ipv4_address: 99.99.99.254
    depends_on:
      - cf-ddns
      # - cloudflare-ddns
      - cf-companion
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAIN1_COM`)"
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Services - API
      - "traefik.http.services.traefik-rtr.loadbalancer.server.port=8080"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file,middlewares-rate-limit@file,middlewares-https-redirectscheme@file,middlewares-secure-headers@file,middlewares-compress@file"
      # catchall
      # A second set of labels for the same router name "http-catchall" overrides the HTTP-to-HTTPS
      # redirect defined above, and a redirect-to-https middleware on the websecure entrypoint would
      # redirect HTTPS requests back to HTTPS. Kept here for reference, disabled.
      # - "traefik.http.routers.http-catchall.entrypoints=websecure"
      # - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      # - "traefik.http.routers.http-catchall.middlewares=middlewares-https-redirectscheme@file"
```
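A diagnostic that helps separate the two cases the post describes (a redirect produced by the origin's Traefik versus one produced in front of it): resolve each hostname, note whether it points at the origin or at proxy addresses, then probe HTTPS once along the DNS path and once straight at the origin with the same SNI and Host header, and compare what each hop answers. This is added example code written for this thread, not code from the original post, from Traefik or from Cloudflare; the origin IP, origin port and hostnames are constructed placeholders, and the direct-to-origin probe assumes port 443 on the public IP is forwarded to the container (the compose above maps host 8443 to container 443, so adjust `ORIGIN_PORT` to match your forwarding).

```python
"""Probe a hostname via DNS and directly at the origin, and report which hop redirects."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed placeholders: replace with the real public IPv4, forwarded port and names.
ORIGIN_IP = "203.0.113.10"
ORIGIN_PORT = 443
HOSTNAMES = ["app.domain1.example", "app.domain2.example"]


def resolve_ipv4(hostname):
    """Return the sorted set of IPv4 addresses the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_dns(addresses, origin_ip):
    """'direct' when the name resolves to the origin itself, otherwise 'proxied'
    (a proxied record resolves to the proxy's edge addresses, not to the origin)."""
    return "direct" if origin_ip in addresses else "proxied"


def parse_response_head(raw):
    """Parse status code and headers (names lower-cased) from a raw HTTP/1.1 response."""
    if not raw:
        raise ValueError("empty response")
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(requested_host, status, headers):
    """Distinguish a same-host redirect (the normal HTTP->HTTPS case) from one that lands on another host."""
    if status not in (301, 302, 303, 307, 308):
        return "served directly"
    target = (urlsplit(headers.get("location", "")).hostname or "").lower()
    if target and target != requested_host.lower():
        return "cross-host redirect to " + target
    return "same-host redirect"


def cert_matches(hostname, san_dns_names):
    """True if hostname is covered by one of the certificate's DNS SANs
    (exact name, or a single-label wildcard such as *.domain2.example)."""
    host = hostname.lower()
    for name in san_dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_https(hostname, connect_ip, port=443, timeout=5):
    """TLS to connect_ip with SNI=hostname, HEAD / with Host=hostname; return
    (status, headers, DNS SANs of the presented certificate). Certificate
    verification is left on, so a wrong certificate surfaces as an SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_ip, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=hostname) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    status, headers = parse_response_head(raw)
    return status, headers, sans


def diagnose(hostname, origin_ip=ORIGIN_IP, origin_port=ORIGIN_PORT):
    """Compare the answer reached through DNS with the answer from the origin itself."""
    addresses = resolve_ipv4(hostname)
    report = {"host": hostname, "dns": classify_dns(addresses, origin_ip), "addresses": addresses}
    for label, ip, port in (("via_dns", addresses[0], 443), ("direct_to_origin", origin_ip, origin_port)):
        try:
            status, headers, sans = probe_https(hostname, ip, port)
            report[label] = {"status": status, "server": headers.get("server", ""),
                             "verdict": classify_redirect(hostname, status, headers),
                             "cert_covers_host": cert_matches(hostname, sans)}
        except (OSError, ssl.SSLError, ValueError) as exc:
            report[label] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    for name in HOSTNAMES:
        print(diagnose(name))
```

If `direct_to_origin` serves the host correctly with a certificate that covers it while `via_dns` reports a cross-host redirect, the redirect is being produced in front of the origin; if both hops redirect the same way, it is the origin's own routing, and the Traefik debug and access logs are the place to look.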