Traefik on OPNSense forwarding to internal hosts

Started by bobpaul, May 10, 2024, 11:20:49 PM

Current Setup, without Traefik plug
My current setup is pretty standard. I have 80 and 443 forwarded to an internal host. On that host I run traefik and some docker containers.


  • 80 -> internalhost1:80
  • 443 -> internalhost1:443

But I'd like to add a second internal host, also running some services. And I'd like to do this without running either on non-standard ports.

Desired setup, with os-traefik-maxit
I've installed traefik from mimugmail's repo. I was planning something like this:


I wonder if anyone has set up something similar. I'm running into some roadblocks right out of the gate and I wonder if anyone has solved them or has suggestions.

1. Traefik entry points look like address = ":443", but that will conflict with the local opnsense webui. Is there some way to dynamically use the WAN ip address as the bind address in a configuration file like this? I don't think traefik allows selecting a bind adapter. I won't need traefik on OPNSense listening on any local IPs.

I guess one solution might be that I could have traefik listen on non-standard ports like 127.0.0.1:8443 and then use a port forwarding rule in the OPNSense firewall config.

2. One reason I like Traefik is because of how easy it is to manage TLS certificates. I use DNS challenge with Digital Ocean, but that requires that an environment variable DO_AUTH_TOKEN be set. I don't think traefik lets me put this in the traefik.toml file. Is there a way to set global environment variables on OPNsense so that a service like traefik will inherit that in its launch shell?
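As an added example (not from the post or from the os-traefik plugin), here is what the two-host layout above looks like as Traefik v2 static plus dynamic configuration, using the poster's own idea of binding on 127.0.0.1 high ports and letting an OPNsense NAT port-forward rule deliver WAN 80/443 to them. Hostnames app1/app2.example.com, internalhost2, the file paths and the email are assumptions; DO_AUTH_TOKEN still has to be present in the service environment, which is the open question in the post.

```toml
# traefik.toml (static config). Bind on loopback high ports so the OPNsense
# web UI keeps 443 on the LAN; a firewall NAT rule forwards WAN:80 -> 127.0.0.1:8080
# and WAN:443 -> 127.0.0.1:8443 (rule itself is configured in the OPNsense GUI).
[entryPoints]
  [entryPoints.web]
    address = "127.0.0.1:8080"
  [entryPoints.websecure]
    address = "127.0.0.1:8443"

[certificatesResolvers.do.acme]
  email = "admin@example.com"                    # placeholder
  storage = "/usr/local/etc/traefik/acme.json"   # path assumed
  [certificatesResolvers.do.acme.dnsChallenge]
    provider = "digitalocean"                    # reads DO_AUTH_TOKEN from the environment

[providers.file]
  filename = "/usr/local/etc/traefik/dynamic.toml"   # path assumed

# ---- dynamic.toml (file provider), shown in the same block for brevity ----
# internalhost1 already runs its own Traefik with its own certificates, so the
# TLS stream is passed through untouched, selected by SNI (no cert on the firewall).
[tcp.routers.host1]
  rule = "HostSNI(`app1.example.com`)"
  entryPoints = ["websecure"]
  service = "host1"
  [tcp.routers.host1.tls]
    passthrough = true

[tcp.services.host1.loadBalancer]
  [[tcp.services.host1.loadBalancer.servers]]
    address = "internalhost1:443"

# The second host serves plain HTTP: TLS is terminated on the firewall with a
# certificate obtained through the DigitalOcean DNS challenge resolver above.
[http.routers.host2]
  rule = "Host(`app2.example.com`)"
  entryPoints = ["websecure"]
  service = "host2"
  [http.routers.host2.tls]
    certResolver = "do"

[http.services.host2.loadBalancer]
  [[http.services.host2.loadBalancer.servers]]
    url = "http://internalhost2:80"
```

TCP routers with HostSNI are matched before HTTP routers on the same entry point, so the passthrough for host1 does not interfere with TLS termination for host2.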

Why not use Caddy instead? It also has the DigitalOcean provider built right into the GUI.

https://docs.opnsense.org/manual/how-tos/caddy.html
Hardware:
DEC740

Thanks, I'll try that. Traefik seemed nice since I'm already using it on other systems. I guess I searched for "traefik on opnsense" and I should have just searched for reverse proxy options...

I see that HAProxy is also an option and uses the os-acme-client, which I already use.

Yeah, there are a lot of options: os-opnwaf (opnsense business edition), os-nginx, os-haproxy, and the latest is os-caddy.

os-caddy and os-opnwaf do the certificate management automatically without the ACME Client plugin.
Hardware:
DEC740

The only reverse proxies able to bind to specific IPs are nginx and haproxy. Why the others aren't able to, I do not know. Seems like a basic requirement to me.

I thought about it. But doing it in the GUI would not create a high enough barrier to prevent users who don't /really/ need it from configuring it for no reason.

Anybody who really needs that should be able to connect via SSH and use the file imports.
Hardware:
DEC740

I don't understand the perceived need to create a barrier to configure this.

I have asked Franco before implementing it and there are too many things that can go wrong and result in support time.

So I opted to avoid it and offer it in the docs as an advanced configuration example.
Hardware:
DEC740

I have worked with many firewalls, and I do not know of any other device with this limitation.

I implemented this in the GUI for nginx and I did have to argue quite a bit to get it merged.

If you want it you can try to PR it into caddy. In the docs it says what it needs. Maybe you can get it merged too.

It would be nice if it would be an advanced option in the general settings, and if it would be a hostname field, since caddy supports hostnames or ip addresses with the bind directive.
Hardware:
DEC740