Each subdomain with its webserver on a node ?

rXp

Feb 2, 2019
Hello,

I am looking at how I can redirect each of my LXC to a subdomain .domain.com so their webservers can all run on port 80. I have only one public IP address.
For now all of them have a different local IP and their hostname set, but I cannot reach them.
So what I would like is something like this (but with other services):
cloud.domain.com -> cloud server
game.domain.com -> game console
blog.domain.com -> blog website

Since I am new to Proxmox I am not sure how to manage that. Is there a way for Proxmox to redirect a packet from the hostname given?

Best regards,

rXp
 
> Is there a way for proxmox to redirect a packet from the hostname given?

Proxmox is an IaaS, so it only provides infrastructure. If you want to have different webservers providing service, you need a PaaS setup with an ingress router, e.g. traefik, that runs on your public IP and redirects all incoming requests to their desired destination. In PVE itself, there is no support for this, so you need to set it up yourself.

In general, every reverse proxy (nginx, apache, lighttpd) will work, but traefik is the upcoming star of all reverse proxies due to its cloud-readiness, vast support for cloud platforms, integrated Let's Encrypt and much more:

[Image: traefik-architecture.svg]
 
Wow, thanks, yeah, that seems like what I am looking for. So this is the only service I would install on the node itself and not in an LXC, I'm guessing.
 
You can install wherever you want, I'd go with an LX(c) container, which is totally fine.

Can you elaborate on what your current internet connection is on your system? I suppose you have one public IP and that is bound to your PVE host, is that right? You then only need to port-forward ports 80 and 443 to your traefik router container and it can take care of the rest.

Code:
iptables -t nat -A PREROUTING -d <public-ip> -p tcp --dport 80    -j DNAT --to <lxc-with-traefik>:80
iptables -t nat -A PREROUTING -d <public-ip> -p tcp --dport 443   -j DNAT --to <lxc-with-traefik>:443
 
Yeah, I got one static public IP. My router forwards 80,443 to my Proxmox server.
I'm trying to configure traefik to not work with docker and redirect it all, but for now I get error 404.
 
Traefik can be a bit tricky, so here is a simple configuration for proxying PVE:

Code:
[backends]
  [backends.proxmox]
    [backends.proxmox.servers.server1]
       url = "https://192.168.253.1:8006"


[frontends]
  [frontends.proxmox]
      entryPoints = ["https","http"]
      backend = "proxmox"
      passHostHeader = true
      [frontends.proxmox.routes.frontend]
          rule = "Host:proxmox.test.de"
 
Yeah that's what I went for. Traefik seemed pretty easy on first sight but my config just redirects to a 404 page. I don't know if I need a special config on the webserver side of things.
This is my config:
Code:
debug = true

logLevel = "DEBUG"

[api]

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/pve/local/pveproxy-ssl.pem"
      keyFile = "/etc/pve/local/pveproxy-ssl.key"
         
[file]

[frontends]
  [frontends.frontendCloud]
  backend = "backendCloud"
    [frontends.frontendCloud.routes.test_1]
    rule = "Host:cloud.mydomain.com"
  [frontends.frontendGame]
  backend = "backendGame"
    [frontends.frontendGame.routes.test_1]
    rule = "Host:game.mydomain.com"
  [frontends.frontendConsole]
  backend = "backendConsole"
  passHostHeader = true
    [frontends.frontendConsole.routes.test_1]
    rule = "Host:console.mydomain.com"

[backends]
  [backends.backendCloud]
    [backends.backendCloud.servers.server1]
    url = "https://192.168.1.206:443/nextcloud"
    weight = 1
  [backends.backendConsole]
    [backends.backendConsole.servers.server1]
    url = "https://192.168.1.200:8006"
    weight = 1
  [backends.backendGame]
    [backends.backendGame.servers.server1]
    url = "https://192.168.1.207:443"
    weight = 1

[ping]
 
> I don't know if I need a special config on the webserver side of things.

No, just HTTP (or HTTPS) and then you're good to go. Does it output any information concerning your configuration? Do the routes show up on the web interface? I think you should swap the api and entry points in order.
 
Thanks, swapping the API part of the document changes things a bit.
Before, the route would be set up and traefik would listen but wouldn't react much to any request.
Now I can get a clear error which is something:
DEBU[2019-02-05T18:25:54+01:00] Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel.
DEBU[2019-02-05T18:25:54+01:00] '500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.1.206 because it doesn't contain any IP SANs
DEBU[2019-02-05T18:25:54+01:00] vulcand/oxy/forward/http: Round trip: https://192.168.1.206:443/nextcloud, code: 500, Length: 21, duration: 4.558365ms tls:version: 303, tls:resume:false, tls:csuite:c02f, tls:server:cloud.mydomain.com
My certificates are valid on the traefik server and the cloud one.
Should I copy my already working certificate from the traefik server to my cloud?
My traefik LXC has certificates for the domain and all the subdomains separately (not *). The cloud server has only the cloud subdomain one.

[EDIT] Never mind! I set the option for traefik to not look at the backend certificates. Yes, this is a risk, but since all servers are physically on the same machines, if someone manages a man-in-the-middle attack it means I got way bigger problems.
 