Traefik external Services

This article is a guide on how to connect external services (running on other hosts) to Traefik hosted on Docker. The external service can be a Raspberry Pi running Pi-hole, a Synology NAS with DSM, or another Docker host.


If you're a fellow self-hoster like me, you've probably had multiple iterations of your homelab, ranging from rag-tag hardware to investing further into professional or consumer-grade hardware. You follow guides online and set up stuff like Traefik (v2) as a reverse proxy and Portainer, and maybe even that spare Raspberry Pi you had lying around gets used to run an instance of Pi-hole.

This guide is directed at people like you who set up Traefik, not knowing what brick wall worth of documentation would hit you when you were trying to figure out how you can connect further network devices and hosts up to your funky little reverse proxy.

I'll cut it short: you'll of course want to have a running Traefik instance. In my case I am using the .toml file format for my dynamic file configuration.

Ideally you'd also create a traefik-provider.toml and mount it as a volume in your docker-compose.yml.

Here's an example file:

# traefik-provider.toml
[http]
  [http.services]
    [http.services.<service name>.loadBalancer]
      passHostHeader = true
      [[http.services.<service name>.loadBalancer.servers]]
        url = "http://<ip>:<port>"

  [http.routers]
    [http.routers.<router name>]
      entryPoints = ["<your https entrypoint>"]
      rule = "Host(`sub.example.eu`)"
      service = "<service name>"
      [http.routers.<router name>.tls]
        certResolver = "<certificate resolver name>"

# Everything below you can leave unchanged.

[tls.options]
  [tls.options.default]
    sniStrict = true
    minVersion = "VersionTLS12"
    curvePreferences = [
      "secp521r1",
      "secp384r1"
    ]
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    ]
  [tls.options.mintls13]
    minVersion = "VersionTLS13"

The things you need to replace are the <service name>, the <ip>:<port> combo, the <router name>, <your https entrypoint>, the host rule (adapt it to your hostname), and your <certificate resolver name>. After that you can restart Traefik and check the dashboard to see whether the file was accepted as a provider.

If that's the case, then all you need to do now is make sure that the application / service on the other host is listening on the specified port. Then you should hopefully be able to access your NAS or pi-hole or other docker host without issue.
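A pre-restart check for the filled-in file, as an added example that is not part of the original article: it catches a router pointing at a service name that does not exist, a router without a tls table, a plaintext backend URL that is not a private IP, and CBC cipher suites such as the two at the end of the cipherSuites list above. The names `lint` and `SAMPLE` and the sample values (`pihole`, `websecure`, `letsencrypt`, the addresses) are assumptions; on Python 3.11+ you would parse your own file with `tomllib.load()` and pass the result to `lint()`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the parsed form (as returned by tomllib.load) of a
# filled-in traefik-provider.toml. All names and addresses are made up.
SAMPLE = {
    "http": {
        "services": {"pihole": {"loadBalancer": {
            "passHostHeader": True,
            "servers": [{"url": "http://192.168.1.53:80"}]}}},
        "routers": {
            "pihole": {"entryPoints": ["websecure"], "service": "pihole",
                       "rule": "Host(`pihole.example.eu`)",
                       "tls": {"certResolver": "letsencrypt"}},
            # Mistakes on purpose: undefined service name, no tls table.
            "nas": {"entryPoints": ["websecure"], "service": "synology",
                    "rule": "Host(`nas.example.eu`)"}}},
    "tls": {"options": {"default": {"minVersion": "VersionTLS12", "cipherSuites": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]}}},
}

def lint(cfg):
    """Return a list of findings for a parsed dynamic configuration."""
    findings = []
    http = cfg.get("http", {})
    services = http.get("services", {})
    for name, router in http.get("routers", {}).items():
        if router.get("service") not in services:
            findings.append(f"router {name}: service {router.get('service')!r} is not defined")
        if "tls" not in router:
            findings.append(f"router {name}: no tls table on this router")
    for name, svc in services.items():
        for server in svc.get("loadBalancer", {}).get("servers", []):
            url = urlsplit(server.get("url", ""))
            try:
                private = ipaddress.ip_address(url.hostname or "").is_private
            except ValueError:  # a hostname, not an IP literal
                private = False
            if url.scheme == "http" and not private:
                findings.append(f"service {name}: plaintext http to {url.netloc}, not a private IP literal")
    for name, opts in cfg.get("tls", {}).get("options", {}).items():
        for suite in opts.get("cipherSuites", []):
            if "_CBC_" in suite:  # Go's crypto/tls lists the CBC-SHA256 suites as insecure
                findings.append(f"tls option {name}: CBC suite {suite}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```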