Reverse proxy
A reverse proxy can be used to forward requests to the appropriate backend service, as shown in this diagram:

[Figure: reverse proxy diagram]

The same could’ve been achieved by using two different ports, but we want the services to be easily accessible without specifying a port.
Traefik is an easy-to-use reverse proxy with a Docker image that is also supported by ARM devices (e.g. Raspberry Pi).
- Create a network

```
docker network create server
```

- Create an empty `acme.json` file and set permissions

```
touch acme.json
chmod 600 acme.json
```
- Create configuration file `traefik.toml`

```
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
      certResolver = "lets-encrypt"

[api]
  dashboard = true

[certificatesResolvers.lets-encrypt.acme]
  email = "your@email.com"
  storage = "acme.json"
  [certificatesResolvers.lets-encrypt.acme.tlsChallenge]

[providers.docker]
  watch = true
  # Must match the Docker network created above and used in docker-compose.yml
  network = "server"
  exposedByDefault = false

[providers.file]
  filename = "traefik_dynamic.toml"
```
- Create configuration file `traefik_dynamic.toml` (replacing the redacted htpasswd)

```
[http.middlewares]
  #[http.middlewares.simpleAuth.basicAuth]
  #  users = [
  #    "admin:<redacted>"
  #  ]
  [http.middlewares.authelia.forwardAuth]
    address = "https://authelia:9091/api/authz/forward-auth"
    trustForwardHeader = true
    authResponseHeaders = [
      'Remote-User',
      'Remote-Groups',
      'Remote-Email',
      'Remote-Name'
    ]

# Router for the Traefik dashboard (api@internal), protected by the Authelia middleware
[http.routers.api]
  rule = "Host(`eschle.ddnss.eu`)"
  entrypoints = ["web","websecure"]
  #middlewares = ["simpleAuth"]
  # "@docker" refers to a middleware declared through container labels;
  # the middleware declared in this file is addressed as "authelia@file"
  middlewares = ["authelia@docker"]
  service = "api@internal"
  [http.routers.api.tls]
    certResolver = "lets-encrypt"
```
- Create `docker-compose.yml` file:

```
services:
  traefik:
    image: 'traefik:3.6.5'
    container_name: 'traefik'
    restart: 'unless-stopped'
    ports:
      - '80:80'
      - '443:443'
    volumes:
      # ':ro' only protects the socket file itself; Traefik still gets access to the Docker API
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - './traefik.toml:/traefik.toml'
      - './traefik_dynamic.toml:/traefik_dynamic.toml'
      - './acme.json:/acme.json'
    networks:
      - server

# Network created beforehand with "docker network create server"
networks:
  server:
    external: true
```
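A preflight check for the files created in the steps above, as an added example that is not part of the original page: it verifies that `acme.json` is mode 600 and that the `[providers.docker]` table names the network created in the first step and keeps `exposedByDefault = false`. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# acme.json stores the ACME account key and certificate private keys,
# so it must exist and be accessible by its owner only (mode 600).
check_acme_perms() { [ -f "$1" ] && [ "$(file_mode "$1")" = "600" ]; }

# Print the value of KEY from the [providers.docker] table of a TOML file.
docker_provider_value() {  # usage: docker_provider_value FILE KEY
  sed -n '/^[[:space:]]*\[providers\.docker\]/,/^[[:space:]]*\[/ {
    s/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p
  }' "$1" | head -n 1
}

# Run all checks; print one line per failure and return the failure count.
preflight() {  # usage: preflight DIR EXPECTED_NETWORK
  local dir="$1" net="$2" fails=0 got
  check_acme_perms "$dir/acme.json" ||
    { echo "FAIL: acme.json missing or not mode 600"; fails=$((fails+1)); }
  got=$(docker_provider_value "$dir/traefik.toml" network)
  [ "$got" = "$net" ] ||
    { echo "FAIL: providers.docker network is '$got', expected '$net'"; fails=$((fails+1)); }
  got=$(docker_provider_value "$dir/traefik.toml" exposedByDefault)
  [ "$got" = "false" ] ||
    { echo "FAIL: exposedByDefault is '$got', containers are routed without opt-in"; fails=$((fails+1)); }
  return "$fails"
}

# Constructed sample with two deliberate mistakes (mode 644, wrong network name).
demo=$(mktemp -d)
touch "$demo/acme.json"; chmod 644 "$demo/acme.json"
printf '%s\n' '[providers.docker]' 'network = "web"' 'exposedByDefault = false' \
  '[providers.file]' 'filename = "traefik_dynamic.toml"' > "$demo/traefik.toml"
preflight "$demo" server || echo "preflight: $? check(s) failed"
rm -rf "$demo"
```

Run `preflight . server` from the directory that holds the files before starting the container.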
Each webservice that wants to use the reverse proxy must use the same network (here “server”) and set these labels: