I have a few services set up as Docker containers in my home network, with Traefik acting as a reverse proxy and Let's Encrypt for certificates. Once I list any service in Traefik, it becomes accessible from the internet. However, I have a few services which I do not want to be accessible from the internet (internal network only) but for which I still want the reverse proxy service, so I can access them with a domain name rather than IP:port.
How can I set this up in Traefik? Thanks.
Related
I want to migrate existing web infrastructure containing multiple websites and services into Docker containers. Those websites are reachable from many different public domains. I'm using Traefik 2.9 as a reverse proxy solution to route into services/containers, but it's not that clear how to configure the TLS certificate individually for each service. I have certificates stored in CER/KEY files for each public domain. The global tls.certificates section is a flat list, and in the EntryPoint's TLS section there is no place for certificates to be assigned. Do you have any idea how to get it done right, or maybe Traefik isn't the right solution?
We are going multi-region for our project and there is a need for us to use an Azure traffic manager to route traffic to each region. Our setup looks like below where our app gateway is exposed via a public IP which I used to configure on the Azure Traffic Manager.
My issue is that when I hit the traffic manager URL it gives me an SSL cert error, while if I hit the App gateway URL directly it works fine on HTTPS. Looking at the below error I know I need to configure the traffic manager certificate, and my question is:
Does this need to be configured somewhere in the traffic manager? OR
Do we need to configure this in the application gateway and change the app gateway ingress in Kubernetes and also use the traffic manager certificate there?
• The traffic manager works at the DNS level, thus as the DNS records pointing to the traffic manager's public URL aren't set up correctly, you are getting this error when browsing the traffic manager's URL. Also, when you are accessing the application gateway URLs independently, they are being accessed successfully as the URLs for the application gateways are hosted on the Azure DNS and independent public IPs are also allotted against their DNS records. Thus, appropriate DNS records to route the DNS access request for the traffic manager's website need to be updated.
• Since you are using a multi-region setup in Azure with load balancing features, I am considering that your custom domain and its DNS records are set up in Azure itself, and that the URLs for the application gateway are set up as separate endpoints in the form of subdomains in the custom DNS record setup itself. Thus, when you browse the application gateway URLs according to the custom domain URL setup, you can access the application page correctly. With respect to the traffic manager, you will need to create a CNAME record pointing from your custom domain to the '*.trafficmanager.net' domain, while also creating a CNAME record pointing from your custom domain to your generic application gateway URLs.
• Once done, create A host records for each application gateway endpoint pointing to the public IP address assigned by Azure to them. After doing the above, your traffic manager URL should be able to route and redirect the application access requests correctly. For more information, please refer to the community discussion below, which specifies the exact details relating to your problem:
Azure Traffic Manager SSL Setup (not classic)
We use an HTTP proxy (tinyproxy) on a dedicated machine to be able to reach legacy services from our GKE cluster with a static IP address. I'm aware that this is not the best solution, but the requirements are set by the target environment on which we have no control, and this solution works great for HTTP and SSH requests.
We now have the requirement to connect to an existing LDAP server, and in this case again do so from a static IP address. Is there a way to do this by sending requests to the LDAP server through the HTTP proxy?
LDAP and HTTP are both application layer protocols and thus incompatible. I doubt tinyproxy supports LDAP proxying out of the box, but you could use a separate LDAP proxy.
A quick search reveals a few LDAP proxy products on the market. OpenLDAP, an open source LDAP server, also can be used as a proxy. Some examples of this can be found (1, 2).
Ant-Media-Server is running on an IP address without any domains. We just set up this server to be used for streaming in order to use it from different domains pointing to different servers.
Since all of our domains use SSL, we face the typical connection problem:
mixed Content: The page at 'https://SOMEDOMAIN.com/QUERY' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://1.2.3.4:56'. This request has been blocked; this endpoint must be available over WSS.
Ant-Media already offers tutorials on how to install a Let's Encrypt SSL certificate, but sadly it is not available for pure IP addresses.
Apart from the Ant-Media service, the server doesn't have any NGINX, NodeJS, Apache or other HTTP servers installed - the plan was just to use it for streaming by calling the IP address.
Do you have any ideas on how to solve that problem?
Unfortunately, this is not possible.
The goal of having SSL is to ensure you are requesting the right domain name, besides encrypting the content between your users and your server.
Here are some alternatives:
Create an endpoint in your own app that proxies data to your server.
Instead of playing the IP address, you can play:
/your-proxy-url?stream=http://yourIp.com:port/....
Note that using a proxy will make all the traffic pass through your web app.
As a reference, if you are using PHP on your website, you can have some ideas from here: https://gist.github.com/iovar/9091078
Create a reverse-proxy in front of your web app that redirects the traffic to your IP address.
Both solutions do not change your Ant Media Server; they just add a new resource between your users and your streaming server, adding the SSL on it.
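The second alternative above (a TLS-terminating reverse proxy in front of the streaming server), as an added nginx example that is not part of the original answer. The hostname `stream.example.com` and the certificate paths are assumptions; `1.2.3.4:56` is the placeholder endpoint from the error message in the question.

```nginx
# Added example, not from the original answer.
# Goes inside the http { } context of nginx.conf.

# Forward "Connection: upgrade" only when the client asked for a
# protocol upgrade (WebSocket); otherwise close as usual.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name stream.example.com;   # assumption: a DNS name you control

    # Assumption: certificate issued for the name above (certbot layout).
    ssl_certificate     /etc/letsencrypt/live/stream.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stream.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Plain-HTTP/WS backend from the question's error message.
        proxy_pass         http://1.2.3.4:56;

        # WebSocket upgrade requires HTTP/1.1 and these two headers.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;

        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Streaming sessions are long-lived; avoid the 60s default cut-off.
        proxy_read_timeout 3600s;
    }
}
```

Pages then connect to `wss://stream.example.com/...` instead of `ws://1.2.3.4:56`, which clears the mixed-content block. Since the hop from the proxy to the backend is unencrypted, firewall the backend port so that only the proxy host can reach it.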
I have a WCF service which works locally and within the network when used with the server name. This service needs to work on the internet for others outside the network to consume. I am currently hosting it on IIS. What will I need to make it available on the internet? Do I need a DNS and SSL? I am not sure what is required. Could somebody please let me know.
If your web service is going to be open to the public, i.e. on the internet, then you will need a domain or at least have your IP mapped to a name in DNS accessible to the public. This would require that you are self-hosting the site on your own server and have a static IP address accessible outside your network.
Typically you would run a DNS to map your web service's IP to a domain name. However if you are going through a hosting provider they will most likely do that part for you.
Anything public facing, I would recommend using SSL over HTTPS. If the service will only be accessible to certain people, then you could use several of the different types of authentication, certificates, username/password, or tokens. There are lots of things to consider like firewalls etc.
Here are some maybe helpful links to get you started:
SSL in IIS
How do I host a wcf service on the internet?