I have a 16 core, 128GB server that handles all kinds of stuff at home. On a VM I run a Windows Domain controller and all my Windows PC's are joined to that domain.

On the server, I also run multiple services in Docker containers. Initially, I accessed them by remembering the ports I was running them on, but when I found Traefik I set that up and added DNS records to my Domain DNS to point all the services to the IP of the server.

I also setup my own internal Certificate Authority on my pfsense box and created a wildcard certificate for all my Traefik routed services.

I'm using the "official" Docker image of Traefik and my configuration looks like this.

docker-compose.yml

# Compose file format 2+ is needed for a top-level "services:" key
version: "3"

services:
  traefik:
    image: traefik:1.5.4
    restart: always
    ports:
      - 8088:8080   # Traefik dashboard / API
      - 80:80
      - 443:443
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /docker/containers/traefik/traefik.toml:/traefik.toml
      - /docker/containers/traefik/acme.json:/acme.json
      # traefik.toml references /certs/...; the host directory holding the
      # wildcard certificate and key must be mounted at /certs as well
    container_name: traefik

networks:
  web:
    external: true

To traefik.toml I added

# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

################################################################
# Entrypoints configuration
################################################################

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
        certFile = "/certs/wildcard.internal.my.domain.com.crt"
        keyFile = "/certs/wildcard.internal.my.domain.com.key"

Then to a given Docker container, I set Labels like traefik.basic.frontend.rule to make all the needed settings to make the routing work for that container.

This works great: all traffic to my services uses easy-to-remember URLs and is encrypted via SSL using the wildcard certificate, without me having to create new certificates for every server or change configurations.

Now, the "issue" is that I now want to host some public websites on the server. For argument's sake, I want everything under internal.my.domain.com to only be accessible within my network and for instance something like foo.my.domain.com and bar.my.domain.com to be accessible from outside. I understand I will have to create public records for those domains pointing them to my server here at home.

But my questions are

  • Can I set up the Docker containers so that some are only accessible inside the network and some outside?
  • Can I setup traefik to handle routing of the traffic to the correct containers and also handle that some are "external" and some are internal only?
  • Can I setup traefik's Let's Encrypt integration to handle encryption of all "external" addresses and keep my own CA's self-signed wildcard certificate for my internal services?

Also, having a four-port NIC on my pfsense box and several external IP addresses, I'm also thinking about having one external IP address that I use for the public stuff and one that handles my "normal" traffic, so that the IP I use for all personal traffic isn't as easily known as pinging one of my external hostnames and then DoS'ing me when I play a game :).

  • How would I simplest set this up?
  • Is using a virtual interface on my server (running Ubuntu) or using another dedicated ethernet port (it has two) the best way?
  • How would I setup traefik to handle traffic on multiple interfaces?
inquam

1 Answer


Can I set up the Docker containers so that some are only accessible inside the network and some outside?

Don't add the domains to your DNS. For your intranet containers use a domain such as myservice.myintranet.local, which won't be resolvable from the outside.

If you want extra security, you can create another entrypoint with an IP whitelist. Or you can use labels (read the last 2 rows of that table) if you prefer.

Can I setup traefik to handle routing of the traffic to the correct containers and also handle that some are "external" and some are internal only?

Traefik serves your container based on the Host header, so you only have to set up IP filtering (and not creating public DNS records) to protect intranet containers/domains from the outside while still allowing traffic to your public containers/domains.

Can I setup traefik's Let's Encrypt integration to handle encryption of all "external" addresses and keep my own CA's self-signed wildcard certificate for my internal services?

I never tested this, but you could create another entrypoint and use that in your configuration of acme. Ex:

[entryPoints]
  ...
  # Two entrypoints cannot both bind ":443"; if the existing
  # [entryPoints.https] stays on ":443", give this one its own
  # address (e.g. a second IP, "<public-ip>:443") or port.
  [entryPoints.httpsle]
  address = ":443"
    [entryPoints.httpsle.tls]

[acme]
...
entryPoint = "httpsle"

And use that entrypoint with labels for your public sub-domains, to be signed automatically with Let's Encrypt.

How would I simplest set this up? Is using a virtual interface on my server (running Ubuntu) or using another dedicated ethernet port (it has two) the best way?

I think the better approach would be to assign your server 2 IPs in your LAN, one for each ethernet port.

How would I setup traefik to handle traffic on multiple interfaces?

You don't have to setup anything. If you give your server 2 IPs (one for public hosting and one for personal traffic/intranet), it will receive requests on both of them. Traefik will then route the requests to the correct container, based on the Host header.

le0m
  • `For your intranet containers use a domain such as myservice.myintranet.local, which won't be resolvable from the outside.`. Since I'm using a Windows Domain at home .local is not advisable. The advisable domain is actually to use your public domain with something like **intranet.** or **internal.**. `I think the better approach would be to assign your server 2 IPs in your LAN, one for each ethernet port.` Is it best to use a different subnet? – inquam Jun 25 '19 at 08:25
  • I don't have much experience with Windows Domains, but using **internal.mydomain.com** should work the same; don't publish a DNS record and use IP whitelisting as stated above. For the 2 IPs you can do as you prefer, it really depends on your network setup and your preference. If you want to use a different subnet and your router supports this, go for it. – le0m Jun 25 '19 at 08:42
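The pieces the answer describes (a whitelisted internal entrypoint, a separate public entrypoint that ACME signs, and one IP per role so both can sit on port 443) put together in one traefik.toml. This is an added example, not the asker's or answerer's configuration and not Traefik's own documentation; it uses Traefik 1.7 syntax (`whiteList`, `acme.httpChallenge`), which differs slightly from the 1.5.4 image in the question, and the IPs 10.0.0.10 / 10.0.0.11, the RFC 1918 ranges and the e-mail address are placeholders you would replace with your own.

```toml
# traefik.toml (Traefik 1.7 syntax) - added example, not from the original post.
# Assumes the server has two LAN addresses: 10.0.0.10 (internal role) and
# 10.0.0.11 (public role, the one your pfsense box forwards 80/443 to).

# Internal services land on "https" unless a container's labels say otherwise;
# public services must opt in with traefik.frontend.entryPoints=httpspublic.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  # Plain HTTP on both addresses: serves the ACME HTTP-01 challenge
  # and redirects everything else to HTTPS.
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  # Internal role: bound only to the LAN-side address, own CA wildcard cert,
  # and a source-IP whitelist so a leaked DNS name alone is not enough.
  [entryPoints.https]
  address = "10.0.0.10:443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/certs/wildcard.internal.my.domain.com.crt"
      keyFile = "/certs/wildcard.internal.my.domain.com.key"
    [entryPoints.https.whiteList]
    sourceRange = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

  # Public role: second address, no static certificate; ACME fills it in.
  [entryPoints.httpspublic]
  address = "10.0.0.11:443"
    [entryPoints.httpspublic.tls]

# Let's Encrypt only ever issues for hosts routed to the public entrypoint,
# so internal.my.domain.com names are never sent to a public CA.
[acme]
email = "admin@my.domain.com"      # placeholder
storage = "/acme.json"
entryPoint = "httpspublic"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

# Docker provider: nothing is exposed unless a container carries
# traefik.enable=true, which keeps unrelated containers off both entrypoints.
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false
network = "web"
```

With this file, an internal container carries the labels `traefik.enable=true`, `traefik.port=<container port>` and `traefik.frontend.rule=Host:foo.internal.my.domain.com` and nothing else, so it inherits the whitelisted `https` entrypoint; a public container adds `traefik.frontend.entryPoints=httpspublic` and a `Host:foo.my.domain.com` rule, and Traefik requests its certificate on first use. The split only holds if pfsense forwards ports 80 and 443 from the public WAN address to 10.0.0.11 alone, so the internal entrypoint is never reachable from outside even before the whitelist is consulted; the whitelist is the second layer for the case where that forwarding rule is later changed by mistake. The Docker socket mount the question already uses gives the Traefik container full control of the Docker host, which is why `exposedByDefault = false` and a pinned image tag are worth keeping.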