Hi! I just started with Traefik and I’m currently facing a configuration challenge involving secure external and internal communication. My setup is as follows:
Traefik is deployed within Portainer. I equipped Traefik with 4 entrypoints, 2 for http and 2 for https, respectively ports 80, 81, 443 and 444. Ports 80 and 443 are for internal services and the other 2 ports, 81 and 444, are for external services.
I have another reverse proxy (Apache) active on ports 80 and 443 on the internet side of the modem, hence these ports are occupied (until Traefik takes over). Therefore I assigned ports 81 and 444 on the internet-facing side of my modem => 81:81 + 444:444 (in the future to be changed to 80:81 and 443:444, as suggested by Jim).
For investigation and comparison I configured outside port 445 to inside port 443.
I’ve 3 applications to test with - Pihole, Portainer and Traefik. These work fine when using the internal 443 port as well as the outside port 445(:443).
So far my setup.
Now when I change the label name from https (443 internal) to https-external (444:444), Traefik no longer ends up at its dashboard, but ends up at the application that runs on the outside modem port 443.
I understand that the Traefik dashboard should not be exposed to the internet, but I would like to understand what is happening and what is needed to make Traefik accessible over (outside) port 444.
The debug log does not show anything when accessing Traefik via port 444.
Labels used in the compose file:
```yaml
# Regular access
traefik.http.routers.traefik.entrypoints: "http"
traefik.http.routers.traefik.rule: "Host(`traefik.${CF_TRAEFIK_DOMAIN}`)"
traefik.http.routers.traefik.middlewares: "traefik-https-redirect"
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: "https"
traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: "https"
# Secured access
traefik.http.routers.traefik-secure.entrypoints: "https"
traefik.http.routers.traefik-secure.rule: "Host(`traefik.xxxxxx.tld`)"
traefik.http.routers.traefik-secure.tls: "true"
traefik.http.routers.traefik-secure.tls.certresolver: "cloudflare"
traefik.http.routers.traefik-secure.tls.domains[0].main: "${CF_TRAEFIK_DOMAIN}"
traefik.http.routers.traefik-secure.tls.domains[0].sans: "*.${CF_TRAEFIK_DOMAIN}"
traefik.http.routers.traefik-secure.middlewares: "traefik-auth"
traefik.http.middlewares.traefik-auth.basicauth.users: "${TRAEFIK_DASHBOARD_CREDENTIALS}"
```
traefik.yml:
```yaml
api:
  dashboard: true
  debug: true
log:
  # TRACE, DEBUG, INFO, WARN, ERROR, FATAL, PANIC. Default: ERROR
  level: "DEBUG"
  filePath: traefik.log
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
  http-external:
    # Source: https://youtu.be/IBlZgrwc1T8?si=nO4p6ptBOA3CT36M&t=464
    address: ":81"
    http:
      redirections:
        entryPoint:
          to: https-external
          scheme: https
  https-external:
    address: ":444"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
```
When changing this label:
- traefik.http.routers.traefik-secure.entrypoints: "https"
to
- traefik.http.routers.traefik-secure.entrypoints: "https-external"
and navigating to traefik.domain.tld:444 (forwarded to internal port 443), Traefik is not addressed but the default app served by my Apache reverse proxy is presented.
But when accessing traefik.domain.tld:445 (forwarded to internal port 443) it just works.
Anything missing in the 'https-external' situation? Is there anything that can be done to make this work?
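
A router only answers on the entry points named in its `entrypoints` label, so after the label change above `traefik-secure` is bound to `:444` alone. The following is an added example, not part of the original post: it maps router labels to entry point ports and flags routers on the external entry points that lack an auth middleware or that name an undefined entry point. The `pihole` router, the `traefik.example.tld` hostname and the function names are constructed for illustration.

```python
# Added example. Entry point names and ports mirror the post's traefik.yml;
# the "pihole" router and its misspelled entry point are constructed.
ENTRYPOINTS = {"http": 80, "https": 443, "http-external": 81, "https-external": 444}
EXTERNAL = {"http-external", "https-external"}  # forwarded from the modem
AUTH_TYPES = {"basicauth", "digestauth", "forwardauth"}

LABELS = '''
traefik.http.routers.traefik.entrypoints: "http"
traefik.http.routers.traefik.middlewares: "traefik-https-redirect"
traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: "https"
traefik.http.routers.traefik-secure.entrypoints: "https-external"
traefik.http.routers.traefik-secure.rule: "Host(`traefik.example.tld`)"
traefik.http.routers.traefik-secure.middlewares: "traefik-auth"
traefik.http.middlewares.traefik-auth.basicauth.users: "${TRAEFIK_DASHBOARD_CREDENTIALS}"
traefik.http.routers.pihole.entrypoints: "https-extern"
'''

def parse_labels(text):
    """Return (routers, auth_middleware_names) from 'key: "value"' label lines."""
    routers, auth = {}, set()
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # label keys contain no colon
        parts = key.strip().split(".")
        if len(parts) < 5 or parts[:2] != ["traefik", "http"]:
            continue
        if parts[2] == "routers":
            option = ".".join(parts[4:]).lower()
            routers.setdefault(parts[3], {})[option] = value.strip().strip('"')
        elif parts[2] == "middlewares" and parts[4].lower() in AUTH_TYPES:
            auth.add(parts[3])
    return routers, auth

def audit(text, entrypoints, external):
    """List (router, entrypoint, port, finding) for every router needing attention."""
    routers, auth = parse_labels(text)
    findings = []
    for name, opts in sorted(routers.items()):
        mws = {m.strip() for m in opts.get("middlewares", "").split(",") if m.strip()}
        eps = [e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()]
        for ep in eps or list(entrypoints):  # no label: router attaches to all
            if ep not in entrypoints:
                findings.append((name, ep, None, "entrypoint not defined in static config"))
            elif ep in external:
                state = "auth middleware attached" if mws & auth else "NO auth middleware"
                findings.append((name, ep, entrypoints[ep], "external, " + state))
    return findings
```
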