
Traefik Proxy for Multiple Hosts

Efficiently Route and Secure Traffic Across Multiple Docker Environments Using a Single Public IP

September 23, 2024 · 6 min read

Let's say you want to host something at home. You set up dynamic DNS to map your local IP address to a domain. But you have several computers at home that you want to reach externally, and your modem only allows port forwarding to one device. This is precisely what I was dealing with, so I needed to find a solution.

What do I want to achieve?

I've already set up a reverse proxy on one of my home servers, so I know how it works. Now I've got a second server that I want to reach. I could just map each app on the second server to a different port and set up the current reverse proxy to access the app that way. I mainly use Docker for my apps and Traefik with its label feature to resolve and reverse proxy the domains. I'd like to set up a way to forward every domain that belongs to the second home server completely and resolve the domain to the app on that server, so I don't have to manually configure Traefik on the first server every time I want to spin up a new app.

The main goal is to get everything from the first server sorted and then forward anything that doesn't belong there to the second server. To give you a better idea of what that looks like, here's a graphic that you can use for reference:

[Figure: Example of traffic flow]

As you can see from the example, app1 is running on server 1 and app2 is running on server 2. If a request comes in for app2, the first Traefik should forward it to the second setup.

Setup forward configuration

Since Traefik supports a few different configuration types, I'll focus on the YAML configuration for the forward settings. To get the forward configuration up and running, just add these lines to your dynamic configuration.

tcp:
    routers:
        server2-rtr:
            rule: HostSNI(`*`)
            service: server2-svc
            tls:
                passthrough: true
    services:
        server2-svc:
            loadBalancer:
                servers:
                    - address: "10.1.1.1:443"

There are a few key differences from a normal HTTP app proxy configuration. First, we're using a TCP router instead of an HTTP one. Next, the router rule uses HostSNI as the matcher rather than Host: with passthrough, the first Traefik never decrypts the request, so the only hostname it can see is the SNI value sent in the TLS handshake. We also need to add the passthrough option, which hands the still-encrypted connection to the second Traefik instance so we can resolve and create our SSL certificates there. Finally, you just need to configure the service to point to the local address of your second server and the port of your second Traefik instance.

Once that's done, anything not related to the first server is forwarded to the second server. We could be more specific about the ruleset and only forward certain domains. Currently, it acts as a fallback, forwarding everything that isn't matched by an HTTP router on the first Traefik.
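The more specific ruleset mentioned above could look like this. It is an added example, not part of the original post; app2.example.com and app3.example.com are placeholder hostnames, and the service address is the one from the configuration above.

```yaml
# Added example: forward only named hosts to the second Traefik instance.
# app2.example.com and app3.example.com are placeholder hostnames (assumptions).
tcp:
    routers:
        server2-rtr:
            # Only TLS connections whose SNI matches one of these names are
            # passed through; any other name is no longer forwarded.
            rule: HostSNI(`app2.example.com`) || HostSNI(`app3.example.com`)
            service: server2-svc
            tls:
                passthrough: true
    services:
        server2-svc:
            loadBalancer:
                servers:
                    - address: "10.1.1.1:443"
```

The trade-off is that every new hostname on the second server has to be added to this rule on the first one, which the catch-all `HostSNI(`*`)` rule avoids at the cost of forwarding any unmatched name to server 2.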

Conclusion

As you can see, it's really straightforward to combine several Traefik instances in a row so you can access several servers with just one public IP address. This might not be a common situation, but it's good to be aware of it in case it does happen.

Selfie of Felix Herold
