I'm trying to set up traefik v2 on a development server we have.
The setup:
Docker serving dozens of nginx containers acting as frontends for different projects. Every nginx container has a unique domain linked to it. Nginx is running on port 80. Every project has a separate docker-compose (traefik also has a separate docker-compose).
What I'm trying to accomplish:
Proxy all of the containers through traefik and add new ones on the go (new services are stopped/started all the time). Make traefik automatically redirect to HTTPS and contact the appropriate nginx container based on the hostname in order to serve the website.
Question: Is this even possible? I've been trying to figure it out for the past day or so but I can't get everything to work. Either the redirect doesn't work, or if it does, it returns 404.
Managed to find a guide that covers this:
https://chriswiegman.com/2019/10/serving-your-docker-apps-with-https-and-traefik-2/
To extend what the guide pointed to, the magic sauce is in LABELS. It can be broken down to this:
```yaml
# Setup HTTP
# tells traefik that any HTTP connection needs to be redirected to HTTPS
- "traefik.http.middlewares.mysite-https.redirectscheme.scheme=https"
# 'web' (or any name) is one of the entrypoints defined in traefik's static config. Web is port 80.
- "traefik.http.routers.mysite-http.entrypoints=web"
# tells traefik to route incoming connections for 'mysitesdomain.com' to this service
- "traefik.http.routers.mysite-http.rule=Host(`mysitesdomain.com`)"
# Maps the above 'middleware' called 'mysite-https' (traefik v2 references it as name@provider)
- "traefik.http.routers.mysite-http.middlewares=mysite-https@docker"
# Setup HTTPS
- "traefik.http.routers.mysite.entrypoints=web-secure"
- "traefik.http.routers.mysite.rule=Host(`mysitesdomain.com`)"
- "traefik.http.routers.mysite.tls=true"
- "traefik.http.routers.mysite.tls.certresolver=default"
```
What seems to be missing is the loadbalancer definition:
```yaml
- "traefik.http.services.replica_service.loadbalancer.server.port=80" # "80" is the container's incoming port.
```
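The labels above in context, as an added example that is not part of this answer or of the linked guide: traefik's own compose file (static config with the `web`/`web-secure` entrypoints and the `default` ACME resolver the labels refer to), and one per-project compose file attached to a shared external network. The network name `proxy`, the e-mail address, the domain, the image tags and the file paths are assumptions; the two files are shown in one block separated by `---`.

```yaml
# traefik/docker-compose.yml  (added example; names, paths and e-mail are assumptions)
version: "3.7"
services:
  traefik:
    image: traefik:v2.2
    command:
      - "--providers.docker=true"
      # only containers that opt in with traefik.enable=true are published
      - "--providers.docker.exposedbydefault=false"
      # the network traefik uses to reach the containers it routes to
      - "--providers.docker.network=proxy"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web-secure.address=:443"
      # 'default' is the certresolver name used in the project labels
      - "--certificatesresolvers.default.acme.email=admin@mysitesdomain.com"
      - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.default.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # read-only socket: traefik only needs to list containers and watch events
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # traefik creates acme.json with mode 0600; if you pre-create it, keep it
      # 0600 or traefik refuses to use it
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    # created once on the host with: docker network create proxy
    external: true

---
# project-a/docker-compose.yml  (one of the per-project files)
version: "3.7"
services:
  web:
    image: nginx:alpine
    # no 'ports:' here: only traefik is reachable from outside; the container
    # listens on 80 on the shared network only
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      # HTTP router: match the host, then hand off to the redirect middleware
      - "traefik.http.routers.mysite-http.entrypoints=web"
      - "traefik.http.routers.mysite-http.rule=Host(`mysitesdomain.com`)"
      - "traefik.http.routers.mysite-http.middlewares=mysite-https@docker"
      - "traefik.http.middlewares.mysite-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.mysite-https.redirectscheme.permanent=true"
      # HTTPS router: same host, TLS terminated by traefik with the ACME cert
      - "traefik.http.routers.mysite.entrypoints=web-secure"
      - "traefik.http.routers.mysite.rule=Host(`mysitesdomain.com`)"
      - "traefik.http.routers.mysite.tls=true"
      - "traefik.http.routers.mysite.tls.certresolver=default"
      # the service both routers attach to (attached automatically because it
      # is the only service defined on this container)
      - "traefik.http.services.mysite.loadbalancer.server.port=80"
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    external: true
```

Two points worth checking when a setup like this returns 404 or fails to redirect: the container must be on the same network traefik uses to reach it (`providers.docker.network` plus the per-container `traefik.docker.network` label pin that), and with `exposedbydefault=false` a container is only published once it carries `traefik.enable=true`, so an unlabelled container is never reachable through the proxy by accident.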
Currently we have a C# web API running on 2 IIS servers. We are using NetScaler to load balance between the IIS1 and IIS2 servers.
We have containerized our API and deployed it to OpenShift; as part of our testing we would initially like to point to OpenShift as a third node.
This means NetScaler should forward the request to the OpenShift route also.
How can this be achieved in NetScaler?
My OpenShift route name is different, so we tried specifying a URL transformation rule to redirect IIS incoming requests to the OpenShift exposed route, but we are facing a 503 Service Unavailable error.
What is the right way of configuring NetScaler so my API requests are handled between IIS1, IIS2 and OpenShift?
I don't think in most cases URL transformation is necessary. In a Route you can specify any host that you would like, so you can use your old DNS name. When a request with that HTTP Host header arrives at the OpenShift cluster (specifically at any Router Pod) it will be forwarded to your application.
```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: my-route
  ...
spec:
  host: www.example.com
  ...
```
Your Netscaler load balancer needs to forward the traffic to the OpenShift Load Balancer (which is typically a separate IP), which in turn will forward it to the Router Pods.
I set up HAProxy as a reverse proxy in our organization. We want that when a client requests some website like Lenovo or Oracle, etc., the request must pass through our reverse proxy server (because our clients use our DNS server and I defined the reverse proxy's IP for those domains in our DNS server). I am using SSL passthrough, but I have some problems in this case.
1- Sometimes HAProxy doesn't work fine and has a problem loading the right certificate. For example, when I want to see www.amazon.com, HAProxy loads the wrong certificate (SSL_ERROR_BAD_CERT_DOMAIN), so Firefox refuses to load the website. In this case I have www.intel.com in the HAProxy config, so HAProxy gets confused and loads www.amazon.com with the Intel website's certificate.
2- I want all subdomains of a website like *.oracle.com or *.lenovo.com passed through our reverse proxy, so we don't need to register the subdomains of a website one by one in the HAProxy server.
I tried with -reg or the matching pattern method, but all of them need a final destination.
3- Sometimes redirection can't work properly and we face an HTTP to HTTPS redirection error (sometimes a client enters lenovo.com or intel.com, meaning an HTTP request). To overcome this problem I defined an HTTP frontend and redirect all requests to HTTPS except one hypothetical request by ACL, but my issue still sometimes appears.
This is simply done by req_ssl_sni and writing a simple ACL to forward the request, but pay attention to write just a single frontend and backend, because multiple frontends and backends cause confusion in HAProxy.
I'm running in AWS an Ubuntu with a docker server (managed by Portainer) with these two running containers:
1 - NodeRed (serving my APIs)
2 - Apache (hosts the site that consumes the APIs from NodeRed above)
I've configured a domain for this server and set Apache to work with SSL. Apache is running OK with my site over HTTPS, but the problem is that NodeRed (which runs on port 1080) is not configured to run with SSL. This causes a malfunction in my website, since my API endpoints are running under HTTP and being blocked by the browser for security reasons.
The question is: is there a way to create some kind of "mapping" in Apache that receives the request over HTTPS and redirects it to NodeRed over HTTP (the two are running on the same server)?
My idea is to create a subdomain like https://api.mysite.com that sends the request to Apache, and then Apache redirects it to my NodeRed. Is that possible?
There is no need to expose the API to the outside world if you don't want to. Since your Apache is running correctly and both containers are running on the same host, just use a proxy to forward API requests to the API container.
You can achieve this by adding two lines to your Apache config, i.e.
```apache
ProxyPass /api/ http://127.0.0.1:1080/
ProxyPassReverse /api/ http://127.0.0.1:1080/
```
I'm trying to host mailcatcher in docker swarm and serve it with Traefik. I'm running mailcatcher as a service, which unfortunately hosts itself on the / root context path like localhost:10980/. I have a frontend rule /mailcatcher with PathPrefixStrip, so the initial load works, but then the app tries to reach host.com/assets which obviously doesn't exist. Does Traefik have any solution like the sub_filter option in nginx to route these requests, or do I have to add these as a frontend rule to be able to host it?
Thanks in advance
The closest tutorial I can find to getting an SSL-terminating Ingress and an nginx-based controller running on bare metal (Digital Ocean, for example) is this:
https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
but it leaves so many assumptions unexplained.
My ingress requirements are simply:
- default backend at port 80 for all hosts that:
  - file access to location ^~ /.well-known/acme-challenge/ which allows my LetsEncrypt cert renewals to work
  - 404 on location /.well-known/acme-challenge/
  - 301 on location /
- subdomain based routing to different backend services on port 443
  - each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)
What I think I need is this:
- full documentation on writing Ingress rules
- can I configure SSL certs (on port 443) for each backend individually?
- is / the "path" that's a catchall for a host?
- updating Ingress rules in place
- what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?
- is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?
- how do you store SSL keys and certs as secrets?
boo, my answers apply to https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx

> default backend at port 80 for all hosts that:
> 404 on location /.well-known/acme-challenge/

This is not possible using Ingress rules.

> 301 on location /

This is already supported. If the server contains an SSL certificate it will redirect to https automatically.

> subdomain based routing to different backend services on port 443
> each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)

You need to create multiple Ingress rules, one per subdomain. Each rule can use a different secret name (this will create multiple servers, one per subdomain).

> What I think I need is this:
> full documentation on writing Ingress rules

http://kubernetes.io/docs/user-guide/ingress/
(I don't know if there's additional information besides the go code)

> can I configure SSL certs (on port 443) for each backend individually?
> is / the "path" that's a catchall for a host?

Yes.

> updating Ingress rules in place
> what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?

This depends on what you need. If you want to build your custom Ingress controller you can use nginx-alpha as a reference. If nginx-ingress is not clear in the examples, please open an issue and mention what could be improved in the examples or what is missing.

> is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?

No. The reason for this is that the template is tied to the go code that populates the template. That said, you can build a custom image changing the template, but this requires you to deploy the image to test the changes.

> how do you store SSL keys and certs as secrets?

Yes, as secrets like this: http://kubernetes.io/docs/user-guide/ingress/#tls
For the letsencrypt support please check this comment https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009
Here is a complete example https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 added to examples in #766
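The answer's "one Ingress rule per subdomain, each with its own secret name" written out, as an added example that is not part of the answer, the linked gist, or the contrib controller's examples. It uses the current networking.k8s.io/v1 Ingress API rather than the extensions/v1beta1 API the contrib controller of that time consumed; the hostnames, secret and service names, and the ingress class name are assumptions, and the secret data values are placeholders.

```yaml
# TLS secret per subdomain. Build each one from the Let's Encrypt output files
# without writing key material into a manifest, e.g.
#   kubectl create secret tls app-example-tls \
#     --cert=/etc/letsencrypt/live/app.example.com/fullchain.pem \
#     --key=/etc/letsencrypt/live/app.example.com/privkey.pem
# That produces an object of this shape (data values are base64 of the PEM
# files; placeholders here).
apiVersion: v1
kind: Secret
metadata:
  name: app-example-tls
type: kubernetes.io/tls
data:
  tls.crt: "<base64 of fullchain.pem>"
  tls.key: "<base64 of privkey.pem>"
---
apiVersion: v1
kind: Secret
metadata:
  name: api-example-tls
type: kubernetes.io/tls
data:
  tls.crt: "<base64 of fullchain.pem>"
  tls.key: "<base64 of privkey.pem>"
---
# One Ingress per subdomain; each names its own secret, so the controller
# generates one server block per host carrying that host's certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-example
spec:
  ingressClassName: nginx   # assumed: the class name your nginx controller registers
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /          # catch-all path for this host
            pathType: Prefix
            backend:
              service:
                name: app-svc   # assumed Service name in the same namespace
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-example
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.example.com
      secretName: api-example-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-svc
                port:
                  number: 80
```

Because a secret is namespace-scoped, each Ingress must live in the same namespace as the secret it names; the plain-HTTP to HTTPS redirect the answer mentions is produced by the controller as soon as a `tls` section is present for the host, so no separate rule is needed for it.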