Topic: Traefik on OPNSense forwarding to internal hosts (Read 4083 times)
bobpaul
Newbie
Posts: 12
Karma: 4
Traefik on OPNSense forwarding to internal hosts
« on: May 10, 2024, 11:20:49 pm »
Current Setup, without Traefik plug
My current setup is pretty standard. I have 80 and 443 forwarded to an internal host. On that host I run traefik and some docker containers.
80 -> internalhost1:80
443 -> internalhost1:443
But I'd like to add a second internal host, also running some services. And I'd like to do this without running either on non-standard ports.
Desired setup, with os-traefik-maxit
I've installed traefik from mimugmail's repo. I was planning something like this:
http://(.*) -> https://(.*)
https://newservice.example.com -> https://internalhost2/
https://oldservice1.example.com -> https://internalhost1/
https://oldservice2.example.com -> https://internalhost1/
https://oldservice3.example.com -> https://internalhost1/
I wonder if anyone has set up something similar. I'm running into some roadblocks right out of the gate and I wonder if anyone has solved them or has suggestions.
1. Traefik entry points look like address = ":443", but that will conflict with the local opnsense webui. Is there some way to dynamically use the WAN ip address as the bind address in a configuration file like this? I don't think traefik allows selecting a bind adapter. I won't need traefik on OPNSense listening on any local IPs.
I guess one solution might be that I could have traefik listen on non-standard ports like 127.0.0.1:8443 and then use a port forwarding rule in the OPNSense firewall config.
2. One reason I like Traefik is because of how easy it is to manage TLS certificates. I use DNS challenge with Digital Ocean, but that requires that an environment variable DO_AUTH_TOKEN is set. I don't think traefik lets me put this in the traefik.toml file. Is there a way to set environment global variables on OPNsense so that a service like traefik will inherit that in its launch shell?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #1 on: May 11, 2024, 07:42:00 am »
Why not use Caddy instead, it also has DigitalOcean Provider built right into the GUI.
https://docs.opnsense.org/manual/how-tos/caddy.html
Logged
Hardware: DEC740
bobpaul
Newbie
Posts: 12
Karma: 4
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #2 on: May 17, 2024, 03:46:15 pm »
Thanks, I'll try that. Traefik seemed nice since I'm already using it on other systems. I guess I searched for "traefik on opnsense" and I should have just searched for reverse proxy options...
I see that HAProxy is also an option and uses the os-acme-client, which I already use.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #3 on: May 18, 2024, 09:51:16 am »
Yeah there are a lot of options. os-opnwaf (opnsense business edition), os-nginx, os-haproxy, and the latest is os-caddy.
os-caddy and os-opnwaf do the certificate management automatically without the ACME Client plugin.
Logged
Hardware: DEC740
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #4 on: June 11, 2024, 06:17:55 pm »
The only reverse proxies able to bind to specific IPs are nginx and haproxy. Why the others aren't able to, I do not know. Seems like a basic requirement to me.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #5 on: June 11, 2024, 06:43:44 pm »
It can, just not merged to docs yet.
https://github.com/opnsense/docs/blob/1d2f7ab0be0d900b4ae8928d7f5c74ae7b23bf85/source/manual/how-tos/caddy.rst#advanced-bind-caddy-to-specific-interface
Logged
Hardware: DEC740
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #6 on: June 11, 2024, 06:46:12 pm »
Ok, but a GUI option would be nice.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #7 on: June 11, 2024, 06:51:58 pm »
I thought about it. But doing it in the GUI would not create a high enough barrier to prevent users who don't /really/ need it to configure it for no reason.
Anybody who really needs that should be able to connect via SSH and use the file imports.
Logged
Hardware: DEC740
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #8 on: June 11, 2024, 07:02:25 pm »
I don't understand the perceived need to create a barrier to configure this.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #9 on: June 11, 2024, 07:15:23 pm »
I have asked Franco before implementing it and there are too many things that can go wrong and result in support time.
So I opted to avoid it and offer it in the docs as an advanced configuration example.
Logged
Hardware: DEC740
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #10 on: June 11, 2024, 07:28:02 pm »
I have worked with many firewalls, and I do not know of any other device with this limitation.
I implemented this in the GUI for nginx and I did have to argue quite a bit to get it merged.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #11 on: June 11, 2024, 07:36:08 pm »
If you want it you can try to PR it into caddy. In the docs it says what it needs. Maybe you can get it merged too.
It would be nice if it would be an advanced option in the general settings, and if it would be a hostname field, since caddy supports hostnames or ip addresses with the bind directive.
Logged
Hardware: DEC740