Tag: linux

  • Traditional Reverse Proxy with Traefik

    So the other day I needed to set up a reverse proxy server for a client of mine who wanted some internal servers accessible from the internet. I tested this with nginx but had issues with Let's Encrypt as well as some pages timing out.

    I finally ended up with Traefik, but boy did it take a long time to get it configured, as I was not familiar with Docker and most guides assume Traefik running in Docker alongside other Docker containers.

    Following the guide below will get you up and running in no time with:

    • Integrated Let's Encrypt certificates, which are generated and renewed automatically.
    • A standalone systemd service for easy use and management.
    • A hardened/restricted Traefik service for added security.

    This guide assumes the following has already been done:

    • A current Debian/Ubuntu server has been installed and set up.
    • No other services are using ports 80/443.
    • If the server is behind NAT, ports 80 and 443 have been forwarded to it correctly.
    • DNS records for the published hostnames have been updated to point to the Traefik server.

    Let's start by creating the working directory and files Traefik needs and grabbing the Traefik binary.

    # Working directory and files; acme.json will hold the Let's Encrypt account key and
    # certificate private keys, so it must be mode 0600 (Traefik rejects the file if it is more open)
    mkdir /etc/traefik
    touch /etc/traefik/traefik.toml
    touch /etc/traefik/acme.json
    chmod 0600 /etc/traefik/acme.json
    # Fetch the Traefik v1.7.9 binary and install it
    wget https://github.com/containous/traefik/releases/download/v1.7.9/traefik
    chmod +x traefik
    mv traefik /usr/local/bin/

    Next, we need to edit traefik.toml, which holds the configuration for Traefik. The sample configuration below:

    • Listens on HTTP and HTTPS (ports 80/443)
    • Redirects HTTP to HTTPS
    • Enables Let's Encrypt integration (HTTP challenge on port 80)
    • Defines two backend services (Plex and ERPNext)
    • Maps frontends (the URL you would enter in a browser) to those backends
    nano /etc/traefik/traefik.toml

    debug = false

    # Uncomment below if your backends use self-signed certificates
    # (disables TLS verification towards backends; Plex in this example)
    #insecureSkipVerify = true

    logLevel = "ERROR"
    defaultEntryPoints = ["https", "http"]

    [entryPoints]
      [entryPoints.http]
      address = ":80"
        # Everything arriving on port 80 is redirected to the https entrypoint
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]

    [retry]

    # Enables the API/dashboard; in Traefik 1.7 it listens on the "traefik" entrypoint (:8080)
    # by default, so firewall that port or bind the API to a restricted entrypoint
    [api]

    [acme]
      # Address Let's Encrypt uses for expiry notices
      email = "[email protected]"
      storage = "/etc/traefik/acme.json"
      entryPoint = "https"
      # Request a certificate for every Host: rule defined in the frontends below
      onHostRule = true
      [acme.httpChallenge]
      entryPoint = "http"

    # Enables the file provider so the [backends]/[frontends] sections below are read from this file
    [file]

    [backends]
      [backends.plex]
        [backends.plex.servers.server1]
        url = "https://172.16.1.2"
      [backends.erpnext]
        [backends.erpnext.servers.server1]
        url = "http://172.16.1.1"

    [frontends]
      [frontends.plex]
      backend = "plex"
      passHostHeader = true
        [frontends.plex.routes.test_1]
        rule = "Host:media.domain.com"
      [frontends.erpnext]
      backend = "erpnext"
      passHostHeader = true
        [frontends.erpnext.routes.test_1]
        rule = "Host:erp.domain.com"


    Next we need to set up the systemd service. The following unit file runs Traefik as a restricted service:

    nano /etc/systemd/system/traefik.service

    [Unit]
    Description=Traefik
    Documentation=https://docs.traefik.io
    After=network-online.target
    AssertFileIsExecutable=/usr/local/bin/traefik
    AssertPathExists=/etc/traefik

    [Service]
    # Traefik reports readiness via sd_notify and answers the watchdog pings
    Type=notify
    ExecStart=/usr/local/bin/traefik -c /etc/traefik/traefik.toml
    Restart=always
    WatchdogSec=1s
    # The whole filesystem is read-only for the service; only acme.json stays writable
    ProtectSystem=strict
    ReadWritePaths=/etc/traefik/acme.json
    ReadOnlyPaths=/etc/traefik/traefik.toml
    # Private /tmp, no access to /home, only pseudo-devices, no sysctl or cgroup writes
    PrivateTmp=true
    ProtectHome=true
    PrivateDevices=true
    ProtectKernelTunables=true
    ProtectControlGroups=true
    LimitNPROC=1

    [Install]
    WantedBy=multi-user.target


    Finally, reload systemd so it picks up the new unit, enable the Traefik service to start at boot, and start it.

    systemctl daemon-reload
    systemctl enable traefik.service
    systemctl start traefik.service
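    As an added example that is not part of the original guide or of Traefik itself, here is a small POSIX shell script that checks the pieces above against each other before the host is exposed: acme.json permissions, that the acme storage path is writable under ProtectSystem=strict, that every frontend names a defined backend, that the HTTP-to-HTTPS redirect and TLS are on, and that the sandboxing directives are present. It assumes the guide's file locations and reads the files with sed/grep rather than a TOML parser, so it only understands the flat layout shown above.

```shell
#!/bin/sh
# Post-install sanity checks for the setup above (added example, not part of the guide).
# Arguments override the guide's default paths: traefik.toml, traefik.service, acme.json.
TOML=${1:-/etc/traefik/traefik.toml}
UNIT=${2:-/etc/systemd/system/traefik.service}
ACME=${3:-/etc/traefik/acme.json}

# acme.json holds the Let's Encrypt account key and every certificate's private key: must be 0600.
check_acme_mode() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# ProtectSystem=strict makes the whole filesystem read-only except ReadWritePaths, so the acme
# storage path in the toml must be listed there or issued certificates are never saved and
# Traefik re-requests them on every restart (and runs into Let's Encrypt rate limits).
check_acme_writable() {
    storage=$(sed -n 's/^[[:space:]]*storage[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    [ -n "$storage" ] && grep -q "^ReadWritePaths=.*$storage" "$2"
}

# Every frontend's backend = "..." must name a [backends.<name>] table.
check_backends_defined() {
    for be in $(sed -n 's/^[[:space:]]*backend[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"); do
        grep -q "^[[:space:]]*\[backends\.$be]" "$1" || { echo "undefined backend: $be"; return 1; }
    done
}

# Plain HTTP must redirect to HTTPS and TLS must be enabled on the https entrypoint.
check_tls_redirect() {
    grep -q '^[[:space:]]*\[entryPoints\.http\.redirect]' "$1" &&
        grep -q '^[[:space:]]*\[entryPoints\.https\.tls]' "$1"
}

# Sandboxing directives the guide relies on; a missing one silently weakens the service.
check_hardening() {
    for directive in ProtectSystem=strict PrivateTmp=true ProtectHome=true PrivateDevices=true \
                     ProtectKernelTunables=true ProtectControlGroups=true; do
        grep -qx "$directive" "$1" || { echo "missing in unit: $directive"; return 1; }
    done
}

run_all() {
    check_acme_mode "$ACME" || { echo "acme.json is not mode 0600"; return 1; }
    check_acme_writable "$TOML" "$UNIT" || { echo "acme storage path missing from ReadWritePaths"; return 1; }
    check_backends_defined "$TOML" && check_tls_redirect "$TOML" && check_hardening "$UNIT" || return 1
    echo "all checks passed"
}

# Runs the checks when the guide's config is present; when sourced elsewhere only the functions are defined.
[ -r "$TOML" ] && run_all
```

    Run it as root on the proxy host after the files are in place; a non-zero exit status names the first failing check.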

    Sources:

    https://blog.ssdnodes.com/blog/traefik-multiple-ssl-websites/
    https://blog.cubieserver.de/2018/locking-down-traefik-systemd-service/