Reverse proxy to traefik

Francis Daly francis at daoine.org
Fri Jul 8 17:58:14 UTC 2022


On Thu, Jul 07, 2022 at 11:17:03AM -0300, Daniel A. Rodriguez wrote:

Hi there,

> Nginx is actually working as RP for several subdomains for which is also SSL
> termination. The traefik box is out of my scope, but it has the ability to
> negotiate TLS certificates for its own. That's why I need to forward just
> specific subdomain TCP traffic to it.

I think you are indicating that you currently have a http section with
something like

===
    server {
        listen nginx-ip:443 ssl;
        server_name one.example.com;
        location / {
            proxy_pass http://internal-one;
            # or maybe "https://internal-one;"
        }
    }

    server {
        listen nginx-ip:443 ssl;
        server_name two.example.com;
        location / {
            proxy_pass http://internal-two;
            # or maybe "https://internal-two;"
        }
    }
===

If you need your traefik server to see the original data stream from the
client (such as: if your traefik server is using client certificates for
authentication; I can't immediately think of any other https reason),
then I suspect that in nginx terms you will need a second IP address,
and have a separate nginx "stream" block that will listen on that-ip:443.

If you are not using client certificates, you can still use a second IP
to let traefik see the original data stream. But maybe you can "get away"
with a normal http proxy_pass?

I guess it depends on your use case, and I'm afraid that I do not know
what your specific use case is.

The short answer is: on a single IP:port, nginx either listens for stream,
or for http, but not both.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org
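
The layout described in the reply, written out as an added example (not part of the original message): the existing subdomains stay in `http` with TLS terminated on the first IP, and a `stream` listener on a second IP relays the undecrypted TLS connection to traefik. The addresses 192.0.2.10 and 192.0.2.11, the traefik address 10.0.0.20, the name three.example.com and the certificate paths are assumptions chosen for illustration.

```nginx
# Added illustration; all addresses, names and paths are assumed placeholders.
#   192.0.2.10 = existing nginx IP, TLS terminated by nginx
#   192.0.2.11 = second IP for the traefik subdomain, TLS passed through
#   10.0.0.20  = internal address of the traefik box

events {}

http {
    server {
        listen 192.0.2.10:443 ssl;
        server_name one.example.com;
        ssl_certificate     /etc/nginx/tls/one.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/one.example.com.key;
        location / {
            proxy_pass http://internal-one;
        }
    }
}

# Requires nginx built with the stream module (--with-stream).
stream {
    server {
        # Same port as above but a different IP, so the http and
        # stream listeners do not collide.
        listen 192.0.2.11:443;

        # Raw TCP relay: nginx holds no certificate or key for this
        # name and never decrypts. traefik completes the TLS handshake
        # with the client itself (own certificates, client-cert auth).
        proxy_pass 10.0.0.20:443;
        proxy_connect_timeout 5s;
    }
}
```

The DNS record for the traefik subdomain (three.example.com here) has to point at the second IP. Because the relay is plain TCP, traefik sees connections arriving from nginx's address rather than the client's.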


