Multiple domains to same public IPv4 managed by traefik

I have a traefik setup behind my public IPv4 that redirects to a number of services. This works perfectly fine for one domain, whether I redirect to a service on the same host or to another service within my LAN. The DNS setup has one proxied A record with the name domain1_com pointing to my public IPv4 and then a number of subdomains as CNAME records pointing to domain1_com.

The problem arises when I add a second domain to my traefik stack. This domain2_com also has a proxied A record pointing to my public IPv4 and currently un-proxied CNAME records for the subdomains pointing to domain2_com. SSL certs are valid and automatically generated by traefik, even the CNAMEs are added automatically and work fine. I want to also enable the proxy on the CNAME records, but as soon as I do this, I get redirected to domain1_com instead of my specific subdomain. As soon as I enable the proxy on the CNAME records, nothing ends up in my traefik logs (probably due to caching of the original domain1_com?).

Pardon my weird formatting, much of the stuff in this text was considered a link… This is my traefik docker-compose service definition:

  traefik:
    <<: *common-keys-core  # this just adds a restart policy and security_opt no-new-privileges:true
    image: traefik:v2.11
    container_name: traefik
    command:
      - --log.level=DEBUG
      - --global.sendAnonymousUsage=false
      - --api.dashboard=true
      - --api=true
      - --api.insecure=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=websrv
      # Disables certificate verification towards backends; only acceptable for self-signed LAN services
      - --serversTransport.insecureSkipVerify=true
      # Two entrypoints: "web" on :80 (used by the http-catchall router below) and "websecure" on :443.
      # Giving both addresses to "websecure" keeps only the last one, so nothing would listen on :80.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # attempts to route pihole dns
      # - --entrypoints.dns.address=:53/tcp
      # - --entrypoints.dns-udp.address=:53/udp
      # TLS options and trusted proxy IPs must be attached to an entrypoint that exists ("websecure"),
      # otherwise Cloudflare's X-Forwarded-* headers are not trusted on the HTTPS listener
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.dns-cloudflare.acme.dnschallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      - --certificatesresolvers.dns-cloudflare.acme.email=$ACME_EMAIL
      - --certificatesresolvers.dns-cloudflare.acme.storage=/letsencrypt/acme.json
    ports:
      - "1423:80"
      - "8443:443"
      - "8080:8080" # only serves anything when api.insecure=true; can be dropped otherwise
      # attempts to route pihole dns
      # - 53:53/udp
      # - 53:53/tcp
    dns:
      - $CLOUDFLAREDNS
      - $PRIMARYDNS
      - $SECONDARYDNS
    volumes:
      - $DATADIR/letsencrypt:/letsencrypt
      - $DATADIR/traefik_rules:/rules
      - $DATADIR/traefik_certs:/certs:ro
      - $LOGDIR:/logs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=$TZ
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      # Global API key; a zone-scoped token via CF_DNS_API_TOKEN limits the damage if this file leaks
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      - DOMAINNAME_CLOUD_SERVER # Passing the domain name to the traefik container to be able to use the variable in rules.
    networks:
      websrv:
        ipv4_address: 10.10.10.254
      isolated:
        ipv4_address: 10.20.30.254
      proxies:
        ipv4_address: 99.99.99.254
    depends_on:
      - cf-ddns
      # - cloudflare-ddns
      - cf-companion
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAIN1_COM`)"
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Services - API
      - "traefik.http.services.traefik-rtr.loadbalancer.server.port=8080"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file,middlewares-rate-limit@file,middlewares-https-redirectscheme@file,middlewares-secure-headers@file,middlewares-compress@file"
      # A second "catchall" block reusing the router name http-catchall (entrypoints=websecure,
      # rule=hostregexp(`{host:.+}`), middlewares=middlewares-https-redirectscheme@file) was removed here:
      # Docker labels are a map, so the later values override the HTTP-to-HTTPS redirect above and move
      # the catch-all with its HTTPS redirect onto the HTTPS entrypoint itself.
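As an added example (not part of the original post and not Traefik project code), the following Python script runs a few sanity checks that catch the kinds of mistakes a long list of Traefik v2 flags and Docker labels invites: an entrypoint whose address is set twice (the last value wins, so the earlier listener silently vanishes), an entrypoint name that is referenced by options or router labels but never given an address, and a router label key set twice (Docker labels are a map, so the later value overrides the earlier one). The function name `check_traefik_config` and the flag and label lists are constructed for this example and contain one instance of each mistake; entrypoint names are compared case-insensitively here, which is this script's choice rather than a documented Traefik guarantee.

```python
"""Sanity checks over Traefik v2 static-config flags and Docker labels (added example)."""
import re
from collections import defaultdict

# Constructed input: one duplicate address, one undefined entrypoint ("https"),
# one router ("http-catchall") whose labels are set twice.
COMMAND_FLAGS = [
    "--entrypoints.websecure.address=:80",
    "--entrypoints.websecure.address=:443",
    "--entrypoints.https.http.tls.options=tls-opts@file",
    "--entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS",
    "--providers.docker=true",
]
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.http-catchall.entrypoints=web",
    "traefik.http.routers.http-catchall.rule=HostRegexp(`{any:.+}`)",
    "traefik.http.routers.http-catchall.middlewares=redirect-to-https",
    "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAIN1_COM`)",
    "traefik.http.routers.traefik-rtr.entrypoints=websecure",
    "traefik.http.routers.http-catchall.entrypoints=websecure",
    "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)",
]

# --entrypoints.<name>.<option...>=<value>
_EP_FLAG = re.compile(r"^--entrypoints\.([^.]+)\.(.+?)=(.*)$", re.IGNORECASE)
# traefik.http.routers.<router>.entrypoints=<ep1,ep2,...>
_ROUTER_EP = re.compile(r"^traefik\.http\.routers\.([^.]+)\.entrypoints=(.*)$")


def check_traefik_config(flags, labels):
    """Return a dict of findings; every entry is empty for a clean configuration."""
    addresses = defaultdict(list)     # entrypoint name -> addresses assigned to it
    referenced = defaultdict(set)     # entrypoint name -> places that reference it
    label_values = defaultdict(list)  # label key -> every value assigned to it

    for flag in flags:
        m = _EP_FLAG.match(flag)
        if not m:
            continue
        name, option, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if option == "address":
            addresses[name].append(value)
        else:
            referenced[name].add(flag)

    for label in labels:
        key, _, value = label.partition("=")
        label_values[key].append(value)
        m = _ROUTER_EP.match(label)
        if m:
            for ep in m.group(2).split(","):
                referenced[ep.strip().lower()].add(f"router {m.group(1)}")

    return {
        "duplicate_addresses": {n: a for n, a in addresses.items() if len(a) > 1},
        "undefined_entrypoints": {n: sorted(w) for n, w in referenced.items()
                                  if n not in addresses},
        "duplicate_labels": {k: v for k, v in label_values.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for kind, items in check_traefik_config(COMMAND_FLAGS, LABELS).items():
        print(kind)
        for key, value in items.items():
            print(f"  {key}: {value}")
```

Feed it the real `command:` and `labels:` lists (one string per item) before restarting the stack; an entrypoint reported as undefined means the TLS options or trusted-IP list attached to it never take effect on the listener you think they do.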

Hello,

Sorry you are having issues with your CNAME records not going to the appropriate subdomain.

So your CNAME subdomain records are all currently pointed at the root zone for the traffic, correct? So test.example.com is CNAMEd to example.com, correct? At this point your setup should recognize the request being issued over to the origin. However, you state that when the CNAME records are proxied they do not hit your origin at all? So you are not seeing any requests to the main zone example.com when the subdomain records are proxied? If you can proxy one of the subdomains and screenshot the developer tools network tab, we can see where the requests are going. Please make sure to redact any origin IP info that may be exposed, if it is. Since it is proxied it should not be exposed in the network tools output.

That will help us see where the request is going to further assist.

This is guidance on how to collect from the network tab. You do not need to export it; I just want to see if any redirects are occurring.
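As an added example (not part of the reply above), this Python script does the "look for redirects" step on a HAR export of the network tab instead of by eye: it walks the entries, keeps the 3xx responses, and flags any hop whose Location points at a different hostname, which is exactly the symptom in this thread (a request for test.example2.com ending on example.com). The HAR document embedded below is constructed for illustration and trimmed to the fields the script reads; the function name `redirect_chain` is this example's own.

```python
"""Extract the redirect chain from a HAR capture and flag cross-host hops (added example)."""
import json
from urllib.parse import urlsplit

# Constructed HAR: a proxied subdomain request answered with a 301 to the apex
# of a different zone, followed by the final 200 on that apex.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://test.example2.com/"},
         "response": {"status": 301, "redirectURL": "https://example.com/",
                      "headers": [{"name": "Location", "value": "https://example.com/"},
                                  {"name": "Server", "value": "cloudflare"}]}},
        {"request": {"url": "https://example.com/"},
         "response": {"status": 200, "redirectURL": "",
                      "headers": [{"name": "Server", "value": "cloudflare"}]}},
    ]}
})


def _header(headers, name):
    """Case-insensitive lookup of a header value in a HAR header list."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def redirect_chain(har_text):
    """Return one dict per 3xx entry: source url, status, target and whether the host changed."""
    entries = json.loads(har_text)["log"]["entries"]
    hops = []
    for e in entries:
        resp = e.get("response", {})
        status = resp.get("status", 0)
        if not 300 <= status < 400:
            continue
        # HAR stores the resolved target in redirectURL; fall back to the raw Location header.
        target = resp.get("redirectURL") or _header(resp.get("headers", []), "Location")
        src_host = urlsplit(e["request"]["url"]).hostname
        dst_host = urlsplit(target).hostname if target else None  # None for relative Locations
        hops.append({
            "url": e["request"]["url"],
            "status": status,
            "target": target,
            "host_changed": dst_host is not None and dst_host != src_host,
        })
    return hops


if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE_HAR):
        flag = "  <-- hostname changes" if hop["host_changed"] else ""
        print(f'{hop["status"]} {hop["url"]} -> {hop["target"]}{flag}')
```

Run it once against a capture taken through the proxied hostname and once against a capture taken with the browser or curl pointed straight at the origin; if the cross-host hop only appears in the first, the redirect is being issued in front of Traefik rather than by it.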

Hi eportillo,

thank you for your response!

CNAME subdomain records point to the root zone for the traffic: yes.

test.example.com:

  • an A record “example.com” pointing to my public IPv4 (proxied)
  • a CNAME record “test” pointing to example.com (proxied)

test.example2.com (not working):

  • an A record “example2.com” pointing to my public IPv4 (proxied)
  • a CNAME record “test” pointing to example2.com (proxied)

Both CNAMEs are resolved in traefik to point to reverse proxies pointing further to an nginx server running in docker with the default configuration. When I visit test_example2.com I get redirected to example.com. My public IPv4 does not seem to be exposed in the har logs.

As I cannot upload the .har files, I attached a screenshot of the not working domain instead.

PS: the max 4 links, max 1 image, no har file restrictions make this really difficult.

Best,
Matthias
