Welcome! Log In Create A New Profile

Advanced

nginx to traefik through proxmox - please help

Posted by Ethamin 
nginx to traefik through proxmox - please help
July 14, 2024 08:06AM
Hello, this is a bottle in the sea,
I'm using proxmox 8.2, which runs several vm.
On one of the vm, (192.168.1.102) I have a traefik which is in charge of routing docker services and managing ssl/tls.

Here's the docker compose config and config.yml for this traefik

```
version: "3.3"
services:
traefik:
image: "traefik:v3.0.4"
container_name: "traefik"
restart: unless-stopped
command:
- "--log.level=debug"
- "--api.insecure=false"
- "--api.dashboard=false"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.myresolver.acme.email=serveur@maildomain.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
- "--providers.file.filename=/etc/traefik/config.yaml" # Using file for reading the config
- "--providers.file.watch=true"

networks:
- traefik-net
ports:
- "80:80"
- "443:443"
volumes:
- "./data/letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./data/config.yml:/etc/traefik/config.yaml:ro"
networks:
traefik-net:
name: traefik-net
```

```
http:
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: true

routers:
# Vault routers
router-vault-http:
entryPoints:
- "web"
service: vault
rule: "Host(`coffre.example1.com`)"
middlewares:
- redirect-to-https
router-vault:
entryPoints:
- "websecure"
service: vault
rule: "Host(`coffre.example1.com`)"
tls:
certResolver: "myresolver"

# main website routers
router-website-http:
entryPoints:
- "web"
service: website
rule: "Host(`example1.com`)"
middlewares:
- redirect-to-https
router-website:
entryPoints:
- "websecure"
service: website
rule: "Host(`example1.com`)"
tls:
certResolver: "myresolver"

# Wiki routers
router-wiki-http:
entryPoints:
- "web"
service: wiki
rule: "Host(`wiki.example1.com`)"
middlewares:
- redirect-to-https
router-wiki:
entryPoints:
- "websecure"
service: wiki
rule: "Host(`wiki.example1.com`)"
tls:
certResolver: "myresolver"

services:
vault:
loadBalancer:
servers:
- url: "http://vaultwarden:80"
website:
loadBalancer:
servers:
- url: "http://silicondays:3000"
wiki:
loadBalancer:
servers:
- url: "http://xwiki:8080"
```

The problem is as follows: the dns zone sends everything to the server's public ip, i.e. to the proxmox hypervisor. I have to route the domains to the right vm and then have traefik take over.

For example, for *.example1.com to be routed to vm1
and *.example2.com should be routed to vm2

for that, I installed nginx on the hypervisor with this config

```
upstream proxmox {
server "proxmox.example1.com";
}
server {
listen 80 default_server;
server_name proxmox.example1.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name proxmox.example1.com;
ssl_certificate /etc/pve/local/pveproxy-ssl.pem;
ssl_certificate_key /etc/pve/local/pveproxy-ssl.key;
#proxy_redirect off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://localhost:8006;
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
}
}


server {
listen 80;
server_name *.example2.fr example2.fr;
location / {
proxy_pass http://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example2.fr example2.fr;
location / {
proxy_pass https://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

server {
listen 80;
server_name *.example1.com example1.com;
location / {
proxy_pass http://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example1.com example1.com;
location / {
proxy_pass https://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```

With this configuration as is, when I go to a site such as coffre.example1.com, I get an SSL_ERROR_BAD_CERT_DOMAIN error.
And indeed, it's the proxmox.example1.com certificate that's given, not the hypervisor's. I don't understand why....

And if I remove the whole proxmox part of the nginx config, to do like this :

```
server {
listen 80;
server_name *.example2.fr example2.fr;
location / {
proxy_pass http://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example2.fr example2.fr;
location / {
proxy_pass https://192.168.1.103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

server {
listen 80;
server_name *.example1.com example1.com;
location / {
proxy_pass http://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443;
server_name *.example1.com example1.com;
location / {
proxy_pass https://192.168.1.102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```

Well, this causes an SSL_ERROR_RX_RECORD_TOO_LONG error to appear.

i really need a hand please
thank you very much
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 125
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready