Traefik letsencrypt dnschallenge workaround with haproxy

nando · July 15, 2020, 3:39pm

Hello everybody,

I am trying to use haproxy to redirect traffic based on the url to different traefic instances in docker containers.

The goal is to overcome shortcomings of traefic in handling multiple dns challenge configurations within one instance.

My problem:

Redirect to ATraefik and BTraefik works, as well as the letsencryptsetup in both and the services running behind ATraefik and BTraefik.
But the running services have the Port in the URLs e.g.
- https://Service1.ADomain.com:444
- https://Service1.BDomain.com:445

The goal:

I would like to have the services behind ATraefik and BTraefik respond without the Ports in the URL, that is:
- https://Service1.ADomain.com
- https://Service1.BDomain.com

Thank you very much for any help with this!

Configurations and Setup:

The setup looks like this:

                             +----------+
                             |          |
+----------------------+     | ATraefik |
|                      |     |          |
|          ADomain.com +<--->+----------+
|haproxy               |
|          BDomain.com +<--->+----------+
|                      |     |          |
+----------------------+     | BTraefik |
                             |          |
                             +----------+

haproxy

frontend https_in
    bind *:443

    acl host_a hdr(host) -i ADomain.com
    acl host_b hdr(host) -i BDomain.com   

    use_backend a_websecure if host_a
    use_backend b_websecure if host_b

backend a_websecure
    server a_traeifk a_traefik:444

backend b_websecure
    server b_traeifk b_traefik:445

docker-compose:

    ...
    command:
      - --log.level=DEBUG
      - --api
      - --entryPoints.web.address=:81
      - --entryPoints.websecure.address=:444
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
    ...

zespri · July 16, 2020, 1:43am

It does not sound to me that you can solve this problem in traedfik level. If you use two traefik instances on the same box they cannot be exposed via the same 443 port. So my suggestions:

Find out if it's possible to configure on haProxy side, and if yes, follow their advise on how to do it
Or; Configure that box network to have multiple ip address and assign each container to it's own ip address. This way you will be able to use 443 for both traefik instances. I have never done this, but cursory googling indicates that this might be possible.

Good luck!
PS. For future readers, the issue with DNS challenges, that OP is referring to is this one: https://github.com/containous/traefik/issues/5472

nando · July 16, 2020, 5:40am

Thank you very much for your quick reply. I will try to solve the issue on the haproxy side. If I find a solution I will report back here, as the dnschallenge setup seems to be a topic of interest for mor people.

nando · July 16, 2020, 11:40am

Thank you very much for your quick reply. I will try to follow your advice.

boywiz · March 14, 2022, 11:03am

@nando did you get this working? when i try i get 522 errors

Topic		Replies	Views
Run traefik behind traefik reverse proxy Traefik v2 docker , letsencrypt-acme , tcp	4	7833	October 17, 2023
Secondary domain(s) with redirect to primary domain Traefik v2 docker , letsencrypt-acme	9	1432	February 28, 2020
Haproxy in front of Traefik and Docker with Letsencrypt Traefik v2 docker , letsencrypt-acme	5	4014	February 21, 2023
Configuring any HTTP port with Let'sencrypt certificates Traefik v2 letsencrypt-acme	3	332	April 13, 2023
Problem with Lets Encrypt. ACME Fails Traefik v2 docker , letsencrypt-acme	3	3289	March 11, 2022

Traefik letsencrypt dnschallenge workaround with haproxy

Related topics