OPNsense
Author Topic: Traefik on OPNSense forwarding to internal hosts  (Read 4193 times)

bobpaul

  • Newbie
  • *
  • Posts: 12
  • Karma: 4
Traefik on OPNSense forwarding to internal hosts
« on: May 10, 2024, 11:20:49 pm »
Current setup, without the Traefik plugin
My current setup is pretty standard. I have 80 and 443 forwarded to an internal host. On that host I run traefik and some docker containers.

  • 80 -> internalhost1:80
  • 443 -> internalhost1:443

But I'd like to add a second internal host, also running some services, and I'd like to do this without running either on non-standard ports.

Desired setup, with os-traefik-maxit
I've installed traefik from mimugmail's repo. I was planning something like this:

  • http://(.*) -> https://(.*)
  • https://newservice.example.com -> https://internalhost2/
  • https://oldservice1.example.com -> https://internalhost1/
  • https://oldservice2.example.com -> https://internalhost1/
  • https://oldservice3.example.com -> https://internalhost1/

I wonder if anyone has set up something similar. I'm running into some roadblocks right out of the gate and I wonder if anyone has solved them or has suggestions.

1. Traefik entry points look like `address = ":443"`, but that will conflict with the local OPNsense web UI. Is there some way to dynamically use the WAN IP address as the bind address in a configuration file like this? I don't think traefik allows selecting a bind adapter. I won't need traefik on OPNsense listening on any local IPs.

I guess one solution might be that I could have traefik listen on non-standard ports like 127.0.0.1:8443 and then use a port forwarding rule in the OPNSense firewall config.

2. One reason I like Traefik is how easy it is to manage TLS certificates. I use the DNS challenge with Digital Ocean, but that requires that an environment variable `DO_AUTH_TOKEN` is set. I don't think traefik lets me put this in the traefik.toml file. Is there a way to set global environment variables on OPNsense so that a service like traefik will inherit them in its launch shell?
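On the first roadblock: Traefik's entryPoint `address` takes Go's `host:port` listen syntax, so the WAN address can be written in front of the port and the all-interface `":443"` avoided. The script below is an added example, not code from the thread or from the os-traefik-maxit plugin; it derives the WAN IPv4 address from `ifconfig` output and renders the entryPoints section bound to it, leaving the OPNsense web UI on LAN and localhost untouched. The interface name `vtnet0` and the sample `ifconfig` output are constructed placeholders.

```shell
#!/bin/sh
# Render Traefik entryPoints bound to the WAN IPv4 address only.
# Assumes FreeBSD-style `ifconfig <if>` output; `vtnet0` is a placeholder.

# Print the first IPv4 "inet" address found in ifconfig output on stdin.
wan_ip_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# Emit [entryPoints] with "<ip>:80" / "<ip>:443" instead of ":80" / ":443".
# Refuses to render when no usable IPv4 address is given, so a failed lookup
# never silently falls back to binding every interface.
render_entrypoints() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*) echo "no usable WAN IPv4 address" >&2; return 1 ;;
    esac
    printf '[entryPoints]\n'
    printf '  [entryPoints.web]\n    address = "%s:80"\n' "$ip"
    printf '    [entryPoints.web.http.redirections.entryPoint]\n'
    printf '      to = "websecure"\n      scheme = "https"\n'
    printf '  [entryPoints.websecure]\n    address = "%s:443"\n' "$ip"
}

# Constructed sample ifconfig output for offline use (not a real capture).
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
        inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
        status: active'

main() {
    # On a live box replace the sample with: ifconfig vtnet0 | wan_ip_from_ifconfig
    wan=$(printf '%s\n' "$SAMPLE_IFCONFIG" | wan_ip_from_ifconfig)
    render_entrypoints "$wan"
}

main
```

Run it from a hook that fires when the WAN address changes and feed the output into the static config; `sockstat -4l | grep -E ':(80|443)'` then shows traefik on the WAN address only and the web UI elsewhere.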

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #1 on: May 11, 2024, 07:42:00 am »
Why not use Caddy instead? It also has the DigitalOcean provider built right into the GUI.

https://docs.opnsense.org/manual/how-tos/caddy.html
Hardware:
DEC740

bobpaul

  • Newbie
  • *
  • Posts: 12
  • Karma: 4
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #2 on: May 17, 2024, 03:46:15 pm »
Thanks, I'll try that. Traefik seemed nice since I'm already using it on other systems. I guess I searched for "traefik on opnsense" and I should have just searched for reverse proxy options...

I see that HAProxy is also an option and uses the os-acme-client, which I already use.

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #3 on: May 18, 2024, 09:51:16 am »
Yeah, there are a lot of options: os-opnwaf (OPNsense business edition), os-nginx, os-haproxy, and the latest is os-caddy.

os-caddy and os-opnwaf do the certificate management automatically without the ACME Client plugin.
Hardware:
DEC740

bimbar

  • Sr. Member
  • ****
  • Posts: 445
  • Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #4 on: June 11, 2024, 06:17:55 pm »
The only reverse proxies able to bind to specific IPs are nginx and haproxy. Why the others aren't able to, I do not know. Seems like a basic requirement to me.

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #5 on: June 11, 2024, 06:43:44 pm »
It can, just not merged to docs yet.

https://github.com/opnsense/docs/blob/1d2f7ab0be0d900b4ae8928d7f5c74ae7b23bf85/source/manual/how-tos/caddy.rst#advanced-bind-caddy-to-specific-interface
Hardware:
DEC740

bimbar

  • Sr. Member
  • ****
  • Posts: 445
  • Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #6 on: June 11, 2024, 06:46:12 pm »
Ok, but a GUI option would be nice.

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #7 on: June 11, 2024, 06:51:58 pm »
I thought about it. But doing it in the GUI would not create a high enough barrier to prevent users who don't /really/ need it to configure it for no reason.

Anybody who really needs that should be able to connect via SSH and use the file imports.
Hardware:
DEC740

bimbar

  • Sr. Member
  • ****
  • Posts: 445
  • Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #8 on: June 11, 2024, 07:02:25 pm »
I don't understand the perceived need to create a barrier to configure this.

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #9 on: June 11, 2024, 07:15:23 pm »
I have asked Franco before implementing it and there are too many things that can go wrong and result in support time.

So I opted to avoid it and offer it in the docs as an advanced configuration example.
Hardware:
DEC740

bimbar

  • Sr. Member
  • ****
  • Posts: 445
  • Karma: 25
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #10 on: June 11, 2024, 07:28:02 pm »
I have worked with many firewalls, and I do not know of any other device with this limitation.

I implemented this in the GUI for nginx and I did have to argue quite a bit to get it merged.

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1660
  • Karma: 178
Re: Traefik on OPNSense forwarding to internal hosts
« Reply #11 on: June 11, 2024, 07:36:08 pm »
If you want it you can try to PR it into caddy. In the docs it says what it needs. Maybe you can get it merged too.

It would be nice if it would be an advanced option in the general settings, and if it would be a hostname field, since caddy supports hostnames or ip addresses with the bind directive.
Hardware:
DEC740
