Docker behind pfsense: haproxy, traefik, or ... ?
-
As discussed in other threads here I am happily using HAproxy on pfsense to proxy https to various servers in my LANs. So far they are mostly VMs in a VMware Vsphere environment, they get static DHCP-leases from pfsense and things work out fine.
Now I added docker ... and this introduces additional networking. I set up traefik as proxy container within docker ... and now I start to wonder how to do the "ideal setup": traefik could pull LE-certs via ACME by itself, but this would only work or make sense for the containers. Should I introduce a subdomain like "docker.my.tld" for this tree of containers ...
I would like to learn how others handle a mixed environment like this and avoid any pitfalls.
-
Noone? ok ... I just add some thoughts here, maybe someone chimes in ...
Did my first tests here and as far as I get it, it will be better to decide for one spot to do the SSL-termination.
So far I couldn't get things working with both ACME on pfsense (managing the certs for pfsense itself and some already existing VMs) and additional traefik trying to pull certs for the docker containers. I assume it should be possible though ;-)
If HAproxy on pfsense filters out all traffic going to ".docker.my.tld" and forwards that to the traefik-proxy things should work, I assume.
Another option would be to run traefik for http only ... but then I lose much of the magic features it brings.
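To make the "filter out .docker.my.tld and hand it to traefik" idea concrete, here is an added haproxy.cfg fragment (example written for this thread, not code from the original post or from the pfSense HAProxy package, which builds its config from the Frontend/Backend tabs). The IPs, ports, hostnames and certificate path are assumed placeholders. It keeps the two ACME setups independent: HAProxy reads the SNI on port 443 without terminating, passes the docker tree through untouched so traefik terminates with its own certificate, and terminates everything else locally with the certificate pfSense's ACME package manages.

```haproxy
# Port 443: do not terminate here, just read the client's SNI and route on it.
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI is client-supplied, so match the suffix only; anything without a
    # matching SNI (or no SNI at all) falls through to local termination.
    acl docker_tree req.ssl_sni -m end .docker.my.tld
    use_backend traefik_passthrough if docker_tree
    default_backend local_terminate

# Docker tree: raw TLS stream to traefik's entrypoint (assumed IP/port).
# Note: pfSense cannot inspect this traffic; traefik owns the TLS policy.
backend traefik_passthrough
    mode tcp
    server traefik 192.0.2.10:443 check

# Everything else: loop back into the terminating frontend below.
backend local_terminate
    mode tcp
    server loopback 127.0.0.1:8443 send-proxy-v2 check

# Loopback-only frontend that terminates with the pfSense-managed cert.
frontend https_terminate
    bind 127.0.0.1:8443 ssl crt /path/to/pfsense-managed-cert.pem accept-proxy
    mode http
    http-request set-header X-Forwarded-Proto https
    acl vm_host req.hdr(host) -i app.my.tld
    use_backend vm_app if vm_host
    default_backend vm_app

# A VM behind pfSense (assumed). A failing health check here is what
# produces the 503 a later reply in this thread mentions.
backend vm_app
    mode http
    option httpchk GET /
    server app1 192.0.2.20:80 check

# Port 80: traefik's HTTP-01 challenge for *.docker.my.tld must reach
# traefik; everything else is pushed to HTTPS.
frontend http_in
    bind *:80
    mode http
    acl docker_tree_http req.hdr(host) -m end .docker.my.tld
    http-request redirect scheme https code 301 unless docker_tree_http
    use_backend traefik_http if docker_tree_http

backend traefik_http
    mode http
    server traefik 192.0.2.10:80 check
```

With this layout pfSense never holds a key for the docker subdomain, so rotating or revoking that certificate is entirely traefik's job; if you would rather see and log the decrypted docker traffic on pfSense, terminate there instead and let traefik run plain HTTP behind it.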
-
I ended up getting stuck in the same situation. Ended up just getting rid of HAProxy and letting Traefik handle all proxying requirements.
If I tried to use both, HAProxy would not recognise anything in Traefik and report with a 503.
IMO Traefik is easier to config and use.
-
Where do you run traefik?
Did you install traefik on the pfSense machine?
-
@poppahorse any chance you can give a tutorial or a short write up of how you accomplished this? I've exhausted my google-fu trying to figure out how to get PfSense to play right with traefik (running traefik on a trueNAS scale box)
-
@menethoran this is a really old thread. But I run a few dockers, and have had a few of them exposed to the public internet through haproxy.
I am not sure what the OP was doing, but in my docker setup the things I run are attached to the "bridge" network on the docker host. So anything you run could be accessed just via the docker host IP and the port your docker is exposing.
It is also possible to run your dockers on the host network, and they could get another IP in the same network as your docker host. You can set up how docker does networking in a few different ways.
https://docs.docker.com/network/
Understanding how you have it set up, and/or if you need to change this to accomplish your goal, is the direction I would suggest vs trying to fire up some other sort of proxy. While it should be pretty easy if you were running the reverse proxy actually on the host you're running your dockers on, running a reverse proxy on your network to send traffic to yet another host on your network etc can get convoluted very quickly.
-
@johnpoz yeah, I actually created my own post, thinking I didn't want to hijack his.
Please see here (I explain what I'm running):
https://forum.netgate.com/topic/169703/pfsense-and-traefik-on-truenas-scale