Traefik v2 as a reverse proxy without docker - reverse-proxy

I have read the documentation but I cannot figure out how to configure Traefik v2 to replace Nginx as a reverse proxy for web sites (virtual hosts) without involving Docker. Ideally there would be Let's Encrypt HTTPS as well.
I have a service running at http://127.0.0.1:4000 which I would like to reverse proxy to from http://myhost.com:80
This is the configuration I've come up with so far:
[Global]
  checkNewVersion = true
[log]
  level = "DEBUG"
  filePath = "log-file.log"
[accessLog]
  filePath = "log-access.log"
  bufferingSize = 100
[entrypoints]
  [entrypoints.http]
    address = ":80"
[http]
  [http.routers]
    [http.routers.my-router]
      rule = "Host(`www.myhost.com`)"
      service = "http"
      entrypoint = ["http"]
  [http.services]
    [http.services.http.loadbalancer]
      [[http.services.http.loadbalancer.servers]]
        url = "http://127.0.0.1:4000"

I figured it out.
The first thing to note is that in Traefik v2 there are two types of configuration, static and dynamic. So I created two files, traefik.toml and traefik-dynamic.toml.
contents of traefik.toml:
[log]
  level = "DEBUG"
  filePath = "log-file.log"
[accessLog]
  filePath = "log-access.log"
  bufferingSize = 100
[providers]
  [providers.file]
    filename = "traefik-dynamic.toml"
[api]
  dashboard = true
  debug = true
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secure]
    address = ":443"
  [entryPoints.dashboard]
    address = ":8080"
[certificatesResolvers.sample.acme]
  email = "myemail@example.com"
  storage = "acme.json"
  [certificatesResolvers.sample.acme.httpChallenge]
    # used during the challenge
    entryPoint = "web"
contents of traefik-dynamic.toml:
[http]
  # Redirect to https
  [http.middlewares]
    [http.middlewares.test-redirectscheme.redirectScheme]
      scheme = "https"
  [http.routers]
    [http.routers.my-router]
      rule = "Host(`www.example.com`)"
      service = "phx"
      entryPoints = ["web-secure"]
      [http.routers.my-router.tls]
        certResolver = "sample"
  [http.services]
    [http.services.phx.loadbalancer]
      [[http.services.phx.loadbalancer.servers]]
        url = "http://127.0.0.1:4000"
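A complete file-provider setup that covers everything the question asks for (no Docker, Let's Encrypt, plain HTTP redirected to HTTPS, dashboard reachable but not open), written as an added example in YAML, which Traefik v2 accepts alongside TOML. It is not the answer's own files. It assumes Traefik 2.2 or later (entry-point-level redirections and TLS), the hostnames www.example.com and traefik.example.com, the paths under /etc/traefik, and a placeholder bcrypt hash for the dashboard user that you generate yourself.

```yaml
# --- /etc/traefik/traefik.yml (static configuration; path assumed) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:              # every plain-HTTP request is sent to websecure (v2.2+)
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le         # TLS is enabled for every router on this entry point

providers:
  file:
    filename: /etc/traefik/traefik-dynamic.yml
    watch: true

api:
  dashboard: true                # no `insecure: true`: the dashboard is only reachable via the router below

certificatesResolvers:
  le:
    acme:
      email: admin@example.com             # assumed contact address
      storage: /etc/traefik/acme.json      # must be mode 0600; Traefik refuses to start otherwise
      httpChallenge:
        entryPoint: web                    # port 80 must stay reachable for the challenge

log:
  level: INFO

# --- /etc/traefik/traefik-dynamic.yml (dynamic configuration; path assumed) ---
http:
  routers:
    app:
      rule: "Host(`www.example.com`)"
      entryPoints: [websecure]
      middlewares: [secure-headers]
      service: app
    dashboard:
      rule: "Host(`traefik.example.com`)"
      entryPoints: [websecure]
      middlewares: [dashboard-auth]
      service: api@internal      # Traefik's built-in API/dashboard service

  middlewares:
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        contentTypeNosniff: true
        frameDeny: true
    dashboard-auth:
      basicAuth:
        # placeholder; generate a real entry with: htpasswd -nB admin
        users:
          - "admin:$2y$05$REPLACE_WITH_BCRYPT_HASH"

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:4000"
```

Start it with `traefik --configFile=/etc/traefik/traefik.yml` after `touch /etc/traefik/acme.json && chmod 600 /etc/traefik/acme.json`. Setting `api.insecure: true` instead would publish the dashboard unauthenticated on port 8080; the router on `api@internal` behind `basicAuth` over TLS is the way to keep it reachable without that.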

You can also use Traefik v2 to reverse proxy to a service running on the localhost without using Nginx as explained here using File (and not Docker provider) for Traefik.
First, route calls to myhost.com through localhost by updating /etc/hosts like:
127.0.0.1 myhost.com
Create a minimal docker-compose.yml like:
version: "3.7"
services:
  proxy:
    image: traefik:2.0
    command:
      - "--providers.file.filename=/etc/traefik/proxy-config.toml"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
    volumes:
      - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
This Compose file creates a read-only volume containing the dynamic configuration for the Traefik reverse proxy standing in for Nginx as requested. It uses the File provider for Traefik and not Docker and a blank HTTP address mapped to port 80 for the entrypoint. This is a complete Compose file in itself. Beyond that all that's needed is the reverse proxy configuration for Traefik.
Configure the Traefik reverse proxy proxy-config.toml in the same directory:
[http.routers.test-streamrouter]
  rule = "Host(`myhost.com`)"
  service = "test-loadbalancer"
  entryPoints = ["web"]
[[http.services.test-loadbalancer.loadBalancer.servers]]
  url = "http://host.docker.internal:4000"
This is a sample reverse proxy in its entirety. It can be enhanced with middlewares to perform URL rewriting, update domain names or even redirect users if that's your aim. A single load balancer is used as shown in this answer. And host.docker.internal is used to return the host's internal networking address.
Note: At time of writing "host.docker.internal" only works with Docker for Mac and will fail on Linux. However, you may be able to use the Compose service name instead (i.e. "proxy").
Once you get this working you can set up the Let's Encrypt stuff or swap between development and production configurations using the TRAEFIK_PROVIDERS_FILE_FILENAME environment variable.

You can:
- use container names within the same bridged network instead of localhost
- link middlewares and services without the @file suffix
Please mind that in the YAML and TOML file you need to pay attention to upper/lowercase of the properties. Whereas in Docker it is loadbalancer, you need to write loadBalancer in the config file.
http:
  middlewares:
    docs:
      stripPrefix:
        prefixes:
          - "/docs"
    restapi:
      stripPrefix:
        prefixes:
          - "/api/v1"
  routers:
    restapi:
      rule: "PathPrefix(`/api/v1`)"
      middlewares:
        - "restapi"
      service: "restapi"
      entryPoints:
        - http
    docs:
      rule: "PathPrefix(`/docs`)"
      middlewares:
        - "docs"
      service: "docs"
      entryPoints:
        - http
    client:
      rule: "PathPrefix(`/`)"
      service: "client"
      entryPoints:
        - http
    help:
      rule: "PathPrefix(`/server/sicon/help`)"
  services:
    restapi:
      loadBalancer:
        servers:
          - url: "http://sicon_backend:1881"
    docs:
      loadBalancer:
        servers:
          - url: "http://sicon_backend:1882"
    client:
      loadBalancer:
        servers:
          - url: "http://sicon_client"

Related

I want to configure the Prometheus using kube-prom-stack to federate metrics from https server

I have kube-prom-stack running on a node and I have configured it using the federate endpoint to scrape metrics from a remote server as below in my values.yaml file:
additionalScrapeConfigs:
  - job_name: 'sp-federation'
    scrape_interval: 20s
    scrape_timeout: 20s
    scheme: http
    metrics_path: /federate
    honor_labels: true
    metric_relabel_configs:
      - source_labels: [id]
        regex: '^static-agent$'
        action: drop
    params:
      'match[]':
        - '{__name__=~"kube_.*"}'
    static_configs:
      - targets: ['X.X.X.X:9090']
But the remote server only accepts connections on HTTPS.
I want to configure it in such a way that it pulls the metrics over HTTPS while skipping the certificate validation part, as I don't have the remote server certificate now.
Please help, as I am a beginner in networking and Prometheus.
I used the configuration below to deploy kube-prom-stack, but I am not sure what to do next to skip the server certificate validation.
serviceMonitor:
  ## Scrape interval. If not set, the Prometheus default scrape interval is used.
  ##
  interval: ""
  selfMonitor: true
  ## proxyUrl: URL of a proxy that should be used for scraping.
  ##
  proxyUrl: ""
  ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
  scheme: ""
  ## enableHttp2: Whether to enable HTTP2.
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
  enableHttp2: true
  ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
  ## Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
  tlsConfig: {}
  bearerTokenFile:
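The federation job switched to HTTPS, shown twice as an added example (not from the question or the chart): once with the weak stopgap the question asks for, and once pinned to the remote CA, which is the form to keep once the certificate is available. It assumes the CA certificate has been put in a Kubernetes Secret named sp-federation-ca (key ca.crt) listed under prometheus.prometheusSpec.secrets, which prometheus-operator mounts at /etc/prometheus/secrets/<name>/, and that the remote certificate's DNS name is prom.remote.example.

```yaml
# values.yaml fragment under prometheus.prometheusSpec; keep only ONE of the two jobs
additionalScrapeConfigs:
  # Option A (weak, stopgap): TLS for transport only, no server identity check.
  # Anyone able to intercept the path to X.X.X.X can feed forged metrics.
  - job_name: 'sp-federation-insecure'
    scrape_interval: 20s
    scrape_timeout: 20s
    scheme: https
    metrics_path: /federate
    honor_labels: true
    params:
      'match[]':
        - '{__name__=~"kube_.*"}'
    metric_relabel_configs:
      - source_labels: [id]
        regex: '^static-agent$'
        action: drop
    tls_config:
      insecure_skip_verify: true
    static_configs:
      - targets: ['X.X.X.X:9090']

  # Option B (preferred): verify the remote server against a pinned CA.
  - job_name: 'sp-federation'
    scrape_interval: 20s
    scrape_timeout: 20s
    scheme: https
    metrics_path: /federate
    honor_labels: true
    params:
      'match[]':
        - '{__name__=~"kube_.*"}'
    metric_relabel_configs:
      - source_labels: [id]
        regex: '^static-agent$'
        action: drop
    tls_config:
      ca_file: /etc/prometheus/secrets/sp-federation-ca/ca.crt   # Secret mounted by prometheus-operator (assumed name)
      server_name: prom.remote.example                           # needed because the target is an IP, not the cert's DNS name
    static_configs:
      - targets: ['X.X.X.X:9090']
```

The CA (or the server certificate itself, if it is self-signed) can be pulled from the remote end with `openssl s_client -connect X.X.X.X:9090 -showcerts` and stored with `kubectl create secret generic sp-federation-ca --from-file=ca.crt`; once that is in place, option A has no reason to remain.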

Connection refused when using load balancing with Traefik 2

I have a YAML configuration file with a router and a service. Every time I get a 404 error. I know the URL works and I can access the server from the Traefik server. What am I missing? Also, for some reason the request reroutes to HTTPS. Perhaps a conflicting rule?
Also note that Traefik runs in Docker, but the connecting server does not. The goal here is to add multiple nodes to the load balancer.
http:
  routers:
    demo_1-rtr:
      rule: "Host(`http://demo.lab.local`)"
      service: demo_1
      entryPoints:
        - http
  services:
    demo_1:
      loadBalancer:
        servers:
          - url: "http://172.16.9.90:16000"
Traefik config:
global:
  checkNewVersion: true
  sendAnonymousUsage: true
api:
  insecure: true
providers:
  docker:
    endpoint: "unix://var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /rules
    watch: true
log:
  level: DEBUG
accessLog: {}
entryPoints:
  http:
    address: ":80"
I suspect it would be this: the --api.insecure=true global argument, and it should work.
So in your case add the following in traefik.toml:
[api]
  insecure = true
Otherwise I would need more information to debug further.
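As an added example (neither the asker's nor the answer's file) of the rules file the question is working toward, with the extra node the question wants to add: a Host() matcher compares against the Host request header, which never contains a scheme, so the rule is written as a bare host name. It assumes a second node at 172.16.9.91 and a /health endpoint on both backends.

```yaml
# /rules/demo.yml, picked up through providers.file.directory with watch: true
http:
  routers:
    demo-rtr:
      rule: "Host(`demo.lab.local`)"   # bare host name: the Host header carries no "http://"
      entryPoints:
        - http
      service: demo
  services:
    demo:
      loadBalancer:
        healthCheck:                   # nodes failing the probe are taken out of rotation
          path: /health                # assumed endpoint on the backends
          interval: 10s
          timeout: 3s
        servers:
          - url: "http://172.16.9.90:16000"
          - url: "http://172.16.9.91:16000"   # assumed second node
```

With `log.level: DEBUG` the router and its matched requests show up in the Traefik log, so a remaining 404 can be traced to the rule rather than to the backend. In the static configuration, the Docker socket endpoint is normally written `unix:///var/run/docker.sock` (three slashes), and `api.insecure: true` publishes the dashboard without authentication on port 8080, which is fine on a lab host but should not reach a shared network.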

traefik reverse proxy set Host instead of X-Forwarded-Host

I want to configure Traefik to forward a request to another host, but instead of setting X-Forwarded-Host to host.name I want it to set the header field Host to host.name while still opening the connection to my.ip.
This is the part of my current Traefik TOML:
[frontends]
  [frontends.mypath]
    backend = "backendhost"
    passHostHeader = true
    [frontends.mypath.routes.test]
      rule = "Host:host.name;Path:/my/path/"
[backends]
  [backends.backendhost]
    [backends.backendhost.servers.myip]
      url = "http://my.ip:80"
basically I want traefik to behave in the way as I can do it with curl:
curl -L -H "Host: host.name" http://my.ip/my/path
so the requested server thinks it is requested as http://host.name/my/path.
The answer needs to be applicable directly to the traefik configuration. It should not include using further services/containers/reverse proxies.
The configuration that sets Host in addition to X-Forwarded-Host will look like this:
[frontends]
  [frontends.mypath]
    backend = "backendhost"
    [frontends.mypath.headers.customrequestheaders]
      Host = "host.name"
    [frontends.mypath.routes.test]
      rule = "Host:host.name;Path:/my/path/"
[backends]
  [backends.backendhost]
    [backends.backendhost.servers.myip]
      url = "http://my.ip:80"

Traefik 2 set passHostHeader globally and not per service?

I'm using Traefik internally as a gateway and thus want to always have passHostHeader: false as the default, so as not to have it repeatedly set on each service.
I looked through the ENVs, CLI arguments and dynamic configuration reference, but to no avail.
Is there a way to achieve this?
my dynamic-file.yml:
http:
  routers:
    ext-service-router:
      rule: "PathPrefix(`/ext-service`)"
      service: ext-service-service
  services:
    ext-service-service:
      loadBalancer:
        passHostHeader: false # I want this to be the default and not need to set it
        servers:
          - url: "https://my-ext-service.example.com"

how to do auth forwarding to backend entry in Traefik 1.7

Environment: Traefik 1.7, Docker, Spring Boot
I need to use the auth forwarding capabilities of Traefik.
My auth endpoint is exposed by a spring boot component behind the Traefik and exposed as "backend-authentication" with URI "http://123.1.23.5:8081" in Traefik Dashboard.
In my configuration, traefik routes everything from "http://api-dev.mycompany.com" to backends API using "PathPrefix" rules.
Therefore my authentication component is available as "http://api-dev.mycompany.com/authentication"
When I do auth forwarding like this:
[entryPoints]
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.auth.forward]
      address = "http://api-dev.mycompany.com/commerce/authentication/v1/ldap/auth"
      trustForwardHeader = true
      authResponseHeaders = ["Authorization"]
Traefik goes through endless forwarding loop.
When I use the following configuration it is working as wanted:
[entryPoints]
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.auth.forward]
      address = "http://123.1.23.5:8081/commerce/authentication/v1/ldap/auth"
      trustForwardHeader = true
      authResponseHeaders = ["Authorization"]
I would like to use a service name related to the backend-authentication as seen in Traefik dashboard but when I try that configuration:
[entryPoints]
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.auth.forward]
      address = "http://backend-authentication/commerce/authentication/v1/ldap/auth"
      trustForwardHeader = true
      authResponseHeaders = ["Authorization"]
I ran into error 500.
I do need the capability to use logical names and not IPs, as these are subject to change.
I cannot run the component on another port or another network... Any idea would be appreciated.
Maybe you could upgrade to v2, it's a bit more clear there:
In Traefik v2 according to the docs you have to use forwardAuth as a middleware. You have to create a router like this:
## Dynamic configuration
[http.routers]
  [http.routers.my-router]   # name it auth-router or whatever
    rule = "Path(`/foo`)"
    # declared in next code block
    middlewares = ["test-auth"]
    service = "youre-service-docker-or-file"   # probably your "backend-authentication"
Where your middleware is:
# Forward authentication to authserver.com
[http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://authserver.com/auth"   # your auth server here
Optionally, looking at the v1.7 docs, can you set
authResponseHeaders = ["X-Auth-User", "X-Secret"]
below the entrypoints, and maybe try adding some trusted IPs:
[entryPoints]
  [entryPoints.http]
    address = ":80"
    # Enable Forwarded Headers
    [entryPoints.http.forwardedHeaders]
      # List of trusted IPs
      #
      # Required
      # Default: []
      #
      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
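A complete v2 forwardAuth layout for the situation in the question, as an added example rather than the answer's or the asker's configuration. The loop in the first v1.7 attempt comes from routing the auth subrequest back through the same entry point that performs the auth; in v2 the middleware is attached per router, so the auth endpoint is published on a router that does not carry it. The `address` is fetched by Traefik's own HTTP client and must resolve from the Traefik host (Traefik service names are not resolvable there), so this assumes a DNS name auth.internal for the authentication component (for Docker, the container name on a shared network), an api.internal backend, and an entry point called websecure.

```yaml
http:
  routers:
    # Published WITHOUT the forwardAuth middleware: the auth endpoint must answer
    # unauthenticated, otherwise every auth subrequest re-enters the middleware and loops.
    auth:
      rule: "Host(`api-dev.mycompany.com`) && PathPrefix(`/commerce/authentication`)"
      entryPoints: [websecure]
      priority: 100                 # explicit so it always beats the catch-all below
      service: auth
    api:
      rule: "Host(`api-dev.mycompany.com`)"
      entryPoints: [websecure]
      priority: 1
      middlewares: [ldap-auth]
      service: api

  middlewares:
    ldap-auth:
      forwardAuth:
        # Called directly by Traefik; auth.internal is an assumed name resolvable from the Traefik host.
        address: "http://auth.internal:8081/commerce/authentication/v1/ldap/auth"
        # Passes the client's X-Forwarded-* headers to the auth server as-is, so pair it with
        # entryPoints.websecure.forwardedHeaders.trustedIPs; otherwise clients can forge them.
        trustForwardHeader: true
        authResponseHeaders: [Authorization]   # only this header is copied from the auth reply to the backend request

  services:
    auth:
      loadBalancer:
        servers:
          - url: "http://auth.internal:8081"
    api:
      loadBalancer:
        servers:
          - url: "http://api.internal:8080"    # assumed backend
```

Any 2xx from the auth endpoint lets the request through; any other status is returned to the client unchanged, so a 401 or 403 from the LDAP check surfaces directly. Keeping `priority` explicit matters here: by default Traefik ranks routers by rule length, which would still pick the auth router, but an edit that shortens its rule could silently reverse that.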