Traefik dispatcher infront of other traefik instances

Can someone help me please with a scenario like shown in the picture below? I have different Docker environments where traefik does the ingress and tls encryption via Let's encrypt. But I only have one public IP to use so I have to somehow use a dispatcher which is sending traffic depending on the subdomain used to one of the backend Docker environments. Any idea how that could work? I didn't find any helping hints in the doc. Maybe I used the wrong search terms ... thanks in advance for your help.

Hello @JamborJan

This is doable and it can be done by installing Traefik instance that is acting in the first layer (outside) with no TLS termination and passing all incoming requests to the dedicated Traefik instances in the second layer (inside).

I would start with the following initial setup with Traefik running in the first layer (inside).

  • the example of static configuration
entryPoints:
  web:
    address: ":80"
  websecure:  
    address: ":443"

providers:
  file:
    directory: /etc/traefik/conf
  • the example of dynamic configuration
tcp:
  routers:
    my-default-rule:
      rule: "HostSNI(`*`)"
      service: traefik-inside-svc
      tls:
        passthrough: true

  services:
    traefik-inside-svc:
      loadbalancer:
        servers:
          - address: "traefik-inside:443"

As you can see there is only a TCP router that matches all incoming requests and passes them to inside Service where one of the Traefik instances is running. The outside has TLS passthrough enabled so all incoming requests are passed to the another Traefik instance where actually routers are created and TLS is terminated.

You can add more Traefik Inside services and adopt accordingly the matching rules in the router. That configuration should address your requirements.

Please let me know.
Jakub,

ps. For your further references, you can read more about Traefik Provider where such a scenario is already implemented. It is only available in Traefik Enterprise so I've just only mentioned that.

Hi @jakubhajek,

Thanks for your answer. So the root cause in my case is: I don't have traefik enterprise.

I'll have to look for other options to solve that. I have also asked for a quote for trafik enterprise but I guess that will be out of reach in my case.

Hi @JamborJan

You can build your environment using the example I prepared. it works on Traefik Proxy - the open-source version and no need to have Enterprise.

Using my example you can have one Traefik that is acting as Dispatcher (outside) and mutiple Traefik Proxies working inside your infrastructure. The TLS termination is managed on inside instances thanks to enabling tls.passthrough feature.

I strongly encourage you to test the initial example that I shared in the previous post and let us know what are the results of your findings.

Thanks,
Jakub

Thanks for the clearification @jakubhajek . I implemented the test in a slightly different way due to available instances and speed of testing. I used an existing traefik instance and added the dynamic configuration for the TCP route. Graphically speaking like this:

My config looks like that:

tcp:
  routers:
    tst-traefik:
      rule: "HostSNI(`*.sub2.domain.com`)"
      service: tst-traefik
      tls:
        passthrough: true

  services:
    tst-traefik:
      loadbalancer:
        servers:
          - address: "192.168.100.9:443"

The configuration seems to be valid and shows up on the traefik dashboard of the first instance. But there seems to be still an issue as it is not working yet. I have to enable debug mode and dig a bit deeper. Neither the logs of the first nor the second instance give any helpful output in info-logging-mode.

Hello @JamborJan,

The HostSNI does not accept regular expression, seems that the reason why you are facing issues with the configuration. I suggest adding FQDN and try the configuration. Here you can find more information concerning HostSNI Routers - Traefik

Thanks a lot @jakubhajek that was the clue. It's working now.

Final question: are there any plans of allowing wildcards or regex for HostSNI? Or is that something which is on purpose reserved for the traefik provider in the enterprise setup?

In that case my test setup will be also my final setup with the bigger instance being layer one and the smaller instance being layer two. That way round I have less manual work in maintaining the actual list of FQDNs in the dynamic configuration.

tcp:
  routers:
    tst-traefik:
      rule: "HostSNI(`app1.sub2.domain.com`,`app2.sub2.domain.com`)"
      service: tst-traefik
      tls:
        passthrough: true

  services:
    tst-traefik:
      loadbalancer:
        servers:
          - address: "192.168.100.9:443"

Glad to hear that it is working. Regarding the HostSNI Regexp support this is already added as a proposal:

and should be added in the future releases but there is no ETA added yet for that feature.

Best, Jakub

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.