Discussion - HOWTO: Configure traefik to handle multiple domain names | PlexGuide.com

Discussion HOWTO: Configure traefik to handle multiple domain names

  • Stop using Chrome! Download the Brave Browser via >>> [Brave.com]
    It's a forked version of Chrome with native ad-blockers and Google's spyware stripped out! Download for Mac, Windows, Android, and Linux!
Welcome to the PlexGuide.com
Serving the Community since 2016!
Register Now

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
Traefik is capable of handling the requests for different domain names.
There are also multiple ways to tell Traefik how to handle incoming requests.

In PG, everything relies on labels configured at the container level. Traefik relies on those labels to decide where the traffic needs to go.
In PG, the configuration is located in a single file /opt/appdata/traefik/traefik.toml

This is the original (PG) Traefik configuration file:
Code:
insecureskipverify = true

logLevel = "WARN"

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  #[entryPoints.http.redirect]
  #  entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    MinVersion = "VersionTLS12"
    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  [entryPoints.monitor]
  address = ":8081"

[retry]

[acme]
acmeLogging = true
email = "[email protected]"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
  [acme.dnsChallenge]
    provider = "cloudflare"
    delayBeforeCheck = 30

[[acme.domains]]
  main = "*.project.com"
  sans = ["project.com"]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "project.com"
watch = true
exposedbydefault = false
network = "plexguide"
As we can see, currently Traefik is configured to handle all requests for a single domain name: project.com.
Let's tell to Traefik to handle an additional domain:


[[acme.domains]]
main = "*.project.com"
sans = ["project.com"]


Becomes


[[acme.domains]]
main = "*.project.com"
sans = ["project.com"]
[[acme.domains]]
main = "*.harvest.com"
sans = ["harvest.com"]


Restarting traefik container will force it to request the additional keys for the new domain. You can check if everything went ok by opening the file /opt/appdata/traefik/acme/acme.json. You should see the keys for the 2 domains now.

In order to handle multiple domains, we need to use another technique (Front-end/Back-end). But before proceeding, we should separate the fix part of the configuration from the more dynamic one and though create an additional file where we will put the configuration of the different front-end and back-end.
In order to ease the management of the different Front-Ends and Back-Ends aside of the docker container configuration, it is advisable put everything in a separate file that Traefik will monitor for changes the same way it does for docker containers.

Let's create a additional file file servers.toml,
mkdir -p /opt/appdata/traefik/servers.toml

Let's insert in the main file a reference to the new servers.toml file. This to be sure, when a request arrives, Traefik will check both the container labels but also the servers.toml file.

[file]
watch = true
filename = "/opt/appdata/traefik/servers.toml"


The final main configuration file should look like this:

Code:
insecureskipverify = true

logLevel = "WARN"

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  #[entryPoints.http.redirect]
  #  entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    MinVersion = "VersionTLS12"
    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  [entryPoints.monitor]
  address = ":8081"

[retry]

[acme]
acmeLogging = true
email = "[email protected]"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
  [acme.dnsChallenge]
    provider = "cloudflare"
    delayBeforeCheck = 30
[[acme.domains]]
  main = "*.project.com"
  sans = ["project.com"]
[[acme.domains]]
  main = "*.harvest.com"
  sans = ["harvest.com"]

[file]
  watch = true
  filename = "/opt/appdata/traefik/servers.toml"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "project.com"
watch = true
exposedbydefault = false
network = "plexguide"

Now, we need to add the new Front-Ends and Back-Ends in the servers.toml file.
nano /opt/appdata/traefik/servers.toml

Let's paste the following code

Code:
loglevel = "ERROR"

[frontends]
    [frontends.xxx]
        backend = "xxx"
        [frontends.xxx.routes.domain]
            rule = "Host:xxx.project.com"
    [frontends.yyy]
        backend = "yyy"
        [frontends.yyy.routes.domain]
            rule = "Host:yyy.harvest.com"
    [frontends.yyy]
        backend = "zzz"
        [frontends.zzz.routes.domain]
            rule = "Host:zzz.harvest.com"

[backends]
    [backends.xxx]
        [backends.xxx.servers.xxx]
            url = "http://192.168.1.1:8100"
    [backends.yyy]
        [backends.yyy.servers.yyy]
            url = "http://192.168.1.9:4430"
        [backends.zzz.servers.zzz]
            url = "http://192.168.1.9:8000"
We see we have 2 Front-Ends, one with one URL and the other with 2 and we have 3 backend servers
For each Front-End "Server" we need a Back-End "Application/Service"
When a request comes in for zzz.harvest.com (Front-End server) the request is forwarded to backend "zzz" which URL is "http://192.168.1.9:8000"

And That's it.
 
Last edited:
  • Like
Reactions: 5 users

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
Hi, what are your expectations in term of elaboration.
 
T

TheShadow

Guest
You could just do this part:

[[acme.domains]]
main = "*.project.com"
sans = ["project.com"]

Becomes

[[acme.domains]]
main = "*.project.com"
sans = ["project.com"]
[[acme.domains]]
main = "*.harvest.com"
sans = ["harvest.com"]
Then add custom containers. For example you can copy an app yml, then just edit the app yml file:
Find:
{{domain.stdout}}

Replace
my2domain.com
 

Zeus

Citizen+
May 30, 2019
19
4
@TheShadow can you explain that a little bit more? I am trying to set this up with your method because it seems a bit easier than the first method in this thread but i am having issues.
 

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
Is it possible to set this up to use oauth?
To answer your question, yes it is.

Here is an extract reduced of my servers.toml

Code:
loglevel = "WARN"

[file]

[backends]
    [backends.kt]
        [backends.kt.servers.kt]
            url = "http://192.168.1.1"
    [backends.gate]
        [backends.gate.servers.server1]
            url = "http://192.168.1.2"
    [backends.door-lock]
        [backends.door-lock.servers.server1]
            url = "http://192.168.1.3:10359"
    [backends.door-video]
        [backends.door-video.servers.server1]
            url = "https://192.168.1.4"
    [backends.ipmi]
        [backends.ipmi.servers.server1]
            url = "https://192.168.1.5"
    [backends.knx]
        [backends.knx.servers.server1]
            url = "http://192.168.1.6:9093"
    [backends.piguacamole]
        [backends.piguacamole.servers.server1]
            url = "http://192.168.1.7:8080"

[frontends]
    [frontends.kt]
        backend = "kt"
        passHostHeader = true
        [frontends.kt.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.kt.routes.domain]
            rule = "Host:kt.microsoft.com"
    [frontends.gate]
        backend = "gate"
        [frontends.gate.routes.domain]
            rule = "Host:gate.microsoft.com"
    [frontends.fritz]
        backend = "gate"
        [frontends.fritz.routes.domain]
            rule = "Host:fritz.microsoft.com"
    [frontends.door-lock]
        backend = "door-lock"
        passHostHeader = true
        SSLRedirect=true
        [frontends.door-lock.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.door-lock.routes.domain]
            rule = "Host:door-lock.microsoft.com"
    [frontends.door-video]
        backend = "door-video"
        passHostHeader = true
        SSLRedirect=true
        [frontends.door-video.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.door-video.routes.domain]
            rule = "Host:door-video.microsoft.com"
    [frontends.ipmi]
        backend = "ipmi"
        passHostHeader = true
        SSLRedirect=true
        [frontends.ipmi.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.ipmi.routes.domain]
            rule = "Host:ipmi.microsoft.com"
    [frontends.knx]
        backend = "knx"
        passHostHeader = true
        SSLRedirect=true
        [frontends.knx.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.knx.routes.domain]
            rule = "Host:knx.microsoft, domo.microsoft.com, domotic.microsoft.com, automation.microsoft.com"
    [frontends.piguacamole]
        backend = "piguacamole"
        passHostHeader = true
        SSLRedirect=true
        [frontends.piguacamole.auth.forward]
        address = "http://oauth:4181"
        authResponseHeaders = ["X-Forwarded-User"]
        [frontends.piguacamole.routes.domain]
            rule = "Host:piguacamole.microsoft.com"
 

Recommend NewsGroups

      Up To a 58% Discount!

Trending