I have a server with a public IP and Traefik V2 running on it (dockerized).

I have localhost.example.com pointing to the server's public IP.

I can make an SSH reverse tunnel between my laptop and the server by running the command: ssh -N -R '9191:localhost:9090' example.com

I have two questions:

  1. Is it possible to have Traefik route HTTP traffic through the SSH reverse tunnel, so that anyone can access a service running on my laptop, by using localhost.example.com?
  2. If it is possible, what should the config look like?

Here is the config I wrote so far:

v2.traefik.yml:

http:
  routers:
    localhostRouter:
      entryPoints:
        - "websecure"
      rule: "Host(`localhost.example.com`)"
      service: "localhostService"
      tls:
        certresolver: myresolver
  services:
    localhostService:
      loadBalancer:
        servers:
          - url: "127.0.0.1:9191"

docker-compose.yml:

version: '3'

services:
  traefik:
    image: traefik:2.4
    container_name: traefik
    restart: always
    command:
      - "--api=true"
      - "--providers.docker=true"
      - "--providers.file.filename=/traefik.yml"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./acme.json:/acme.json
      - ./v2.traefik.yml:/traefik.yml

networks:
  web:
    external: true

Thanks a lot for your help!!!

Sulliwane

1 Answer

Ok, so here is the proper config:

1- Make sure to update to Traefik 2.4.5 (to avoid this tls/acme challenge bug)

2- Here is the final docker-compose.yml file

version: '3'

services:
  traefik:
    image: traefik:2.4.5
    container_name: traefik
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api=true"
      - "--providers.docker=true"
      - "--providers.file.directory=/etc/traefik/config"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=email@me.com"
      - "--certificatesresolvers.myresolver.acme.storage=/acme.json"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./acme.json:/acme.json
      - ./config:/etc/traefik/config

networks:
  web:
    external: true

3- Here is the final v2.traefik.yml dynamic config file:

http:
  routers:
    LocalhostRouter:
      entryPoints:
        - "websecure"
      rule: "Host(`localhost.example.com`)"
      service: "LocalhostService"
      tls:
        certResolver: "myresolver"
  services:
    LocalhostService:
      loadBalancer:
        servers:
          - url: http://172.18.0.1:9191

4- Note that 172.18.0.1 is the Docker gateway address (as Traefik is running in docker). You can find the IP by doing docker inspect <a3ec>

5- On the local machine, run ssh -N -R 9191:127.0.0.1:9191 user@example.com

You should be good! Now you can use a domain name to access a webserver running on your local machine (similar to Ngrok, localtunnel, expose) but either free or more reliable ;)

Sulliwane
  • I can't see how this would work. `-R 9191:127.0.0.1:9191` binds to `localhost`, whereas docker tries to forward to 172.18.0.1. I think what's needed is `GatewayPorts yes` in sshd_config on the server and `-R 172.18.0.1:9191:127.0.0.1:9191`. – Florian Apr 26 '21 at 13:25
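
The comment above turns on which address sshd binds the forwarded port to on the server. As an added example (not part of the original post), this script classifies the listener for a port from `ss -ltn` output and reports whether a container connecting to the Docker gateway address could reach it, or whether the port is open on every interface. The function names and sample lines are constructed; 9191 and 172.18.0.1 are the values used in the answer.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies where the sshd
# reverse-forward port is listening, from `ss -ltn` output on stdin.
# Prints: none | loopback | wildcard | <specific address>
classify_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") rank = 3
            else if (addr ~ /^127\./ || addr == "[::1]") rank = 1
            else rank = 2
            # Keep the most exposed listener if several match the port
            if (rank > best) { best = rank; seen = addr }
        }
        END {
            if (best == 3) print "wildcard"
            else if (best == 2) print seen
            else if (best == 1) print "loopback"
            else print "none"
        }'
}

# Turn the classification into a verdict for a Traefik container that
# connects to GATEWAY:PORT (172.18.0.1:9191 in the answer above).
check_forward() {   # usage: ss -ltn | check_forward PORT GATEWAY
    bind="$(classify_bind "$1")"
    case "$bind" in
        "$2")     echo "ok" ;;            # only the gateway address listens
        wildcard) echo "exposed" ;;       # listens on every interface, public one included
        *)        echo "unreachable" ;;   # loopback, none, or another address
    esac
}

# Constructed sample `ss -ltn` outputs for the three cases.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:9191      0.0.0.0:*
LISTEN 0      128            [::1]:9191         [::]:*'
SAMPLE_WILDCARD='LISTEN 0      128          0.0.0.0:9191      0.0.0.0:*'
SAMPLE_GATEWAY='LISTEN 0      128       172.18.0.1:9191      0.0.0.0:*'

for s in "$SAMPLE_LOOPBACK" "$SAMPLE_WILDCARD" "$SAMPLE_GATEWAY"; do
    printf '%s\n' "$s" | check_forward 9191 172.18.0.1
done
```

On the server, run `ss -ltn | check_forward 9191 172.18.0.1` while the tunnel is up. An `exposed` result means the laptop service can also be reached directly on port 9191 without going through Traefik's TLS router, unless a firewall blocks it.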