Dynamically routing traffic to instances of services. https://www.uwekrau.se
2025-12-18 21:55:14 +00:00

reverse-proxy

Adapted initial config from https://doc.traefik.io/traefik/getting-started/quick-start/.

create Docker network

For the reverse proxy to reach the services, the proxy and the services have to be in the same (Docker) network. It can have any name, as long as the name is used consistently within the compose files of the proxy and the services behind the proxy.

This network has to be created once:

docker network create "reverse"

Error message if forgotten:

network reverse declared as external, but could not be found

Environment variables

Some aspects are configured dynamically. For this to work, create these files by copying the .example files and adapting them accordingly:

  • .env
    Dynamic values for compose.yaml, used while creating the compose project.

  • traefik.env
    Dynamic content inside the container

DNS provider for SSL/TLS/HTTPS

Challenge instances are accessed with their instance ID as dynamic part of the URL, for example https://challengename-abcde16charsxxxx.challs.example.org/.

Traefik can take care of every aspect of SSL/TLS/HTTPS, including certificate generation and renewal, for example via Let's Encrypt.

Although it would be possible and a little easier to let Traefik create the needed certificates for every service on demand, this would take some time for every new service deployment and, more importantly, the supposedly private instance identifier would leak, because every issued certificate and the hostname in it are published in public Certificate Transparency logs. Therefore it is strongly advised to use a wildcard certificate. For the necessary DNS challenge, Traefik needs API access to your DNS provider.

There are many compatible DNS providers. For a complete list, refer to the Traefik documentation for the DNS challenge.

Beware that different providers might need different environment variables.

As an example, this is currently configured to use Hetzner DNS.

TODO: Remove the hard-coded Hetzner reference in the compose files, make this more dynamic and customizable.

launch on server

cd to the folder containing traefik

docker compose up --build

Web UI

The port of the "insecure" web UI is exposed only to localhost, which makes it secure. Traefik serves this UI on its own port 8080 and (in the "insecure" configuration) does not allow changing it. If one decides to take security into their own hands, for example by not exposing this to the world, one can use Docker to change the exposed port and limit it to localhost.

One way to access it remotely and securely is an SSH tunnel:

ssh -L 8888:localhost:8888 user@sshhost     # replace user@sshhost with your actual ssh connection

Then, on your PC/laptop, access http://localhost:8888
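
A small check for the two points made above (the wildcard certificate via DNS challenge, and the web UI bound to localhost), added here as an example and not part of this repository. It assumes compose short-syntax port entries and Traefik settings given as key=value strings; the resolver name "le", the router name "chall" and the 127.0.0.1:8888:8080 mapping are assumptions, since the project's compose.yaml is not shown on this page.

```python
import ipaddress
import re

def published_beyond_loopback(port_spec, container_port="8080"):
    """True if a compose short-syntax 'ports' entry publishes container_port on a non-loopback address."""
    parts = port_spec.split("/")[0].rsplit(":", 2)  # [host_ip:][host_port:]container_port
    if parts[-1] != container_port:
        return False
    if len(parts) < 3:  # no host IP given: Docker binds all interfaces
        return True
    return not ipaddress.ip_address(parts[0].strip("[]")).is_loopback

def lint(ports, settings):
    """ports: compose 'ports' entries; settings: Traefik CLI args and labels as 'key=value' strings."""
    findings = [f"dashboard port published beyond loopback: {p}"
                for p in ports if published_beyond_loopback(p)]
    kv = dict(s.lstrip("-").split("=", 1) for s in settings if "=" in s)
    uses_acme = any(k.lower().endswith("tls.certresolver") for k in kv)
    wildcard = any(re.search(r"tls\.domains\[\d+\]\.(main|sans)$", k, re.I)
                   and any(d.strip().startswith("*.") for d in v.split(","))
                   for k, v in kv.items())
    dns01 = any(".acme.dnschallenge" in k.lower() for k in kv)
    if uses_acme and not wildcard:
        findings.append("no wildcard in tls.domains: one certificate per hostname, instance IDs become public")
    if uses_acme and not dns01:
        findings.append("no dnschallenge configured: a wildcard certificate cannot be issued")
    return findings

# Constructed samples; resolver name "le" and router name "chall" are hypothetical.
WEAK_PORTS = ["80:80", "443:443", "8888:8080"]
WEAK = ["--certificatesresolvers.le.acme.httpchallenge.entrypoint=web",
        "traefik.http.routers.chall.tls.certresolver=le"]
HARDENED_PORTS = ["80:80", "443:443", "127.0.0.1:8888:8080"]
HARDENED = ["--certificatesresolvers.le.acme.dnschallenge.provider=hetzner",
            "traefik.http.routers.chall.tls.certresolver=le",
            "traefik.http.routers.chall.tls.domains[0].main=challs.example.org",
            "traefik.http.routers.chall.tls.domains[0].sans=*.challs.example.org"]

if __name__ == "__main__":
    for name, p, s in (("weak", WEAK_PORTS, WEAK), ("hardened", HARDENED_PORTS, HARDENED)):
        print(name, lint(p, s) or "ok")
```

Long-syntax port entries (mappings with target/published keys) are not handled by this check.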