Day 30 of #100DaysOfHomelab was spent migrating services from the HAProxy instance I currently have on my pfSense router to an instance of Traefik running on a Raspberry Pi 4. This is in preparation for cutting my network over to the Unifi Dream Machine Pro I purchased recently, which doesn't have a reverse proxy built into its software.
This was an interesting challenge because I have multiple other reverse proxies that I had to configure Traefik to talk to. I want the RPI Traefik instance to do SSL termination and certificate renewal via Let's Encrypt so that I only have that in one place on the network. Thankfully Traefik makes this easy.
The setup looks like this:
Internet -> Firewall -> Port Forward (80 + 443) -> RPI Traefik (SSL Termination) -> Docker Host Traefik -> Container
This isn't actually a huge problem in the end, so long as you properly configure the trusted forwarded headers on each proxy along the way so that the original Host header (and client IP) is passed through the chain.
I also used the whitelist middleware to prevent anything coming from the outside internet from accessing internal resources like my hypervisors, NAS, etc. Again, Traefik makes this easy with the following yaml config:
```yaml
middlewares:
  local-ips:
    ipWhiteList:
      sourceRange:
        - 10.0.0.0/8 # I'll further restrict this later after the new network config is in place
```
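To show how the two-hop chain above and the whitelist fit together, here is an added example configuration (my own illustration, not lifted from the original setup) for Traefik v2 using the file provider. It assumes the RPI edge Traefik sits at 10.0.0.10, the Docker host Traefik at 10.0.0.20, a certificate resolver named `le`, and the hostname `nas.example.com`; all of those are placeholders.

```yaml
# File 1: edge (RPI) Traefik, static config (traefik.yml), assumed layout
entryPoints:
  web:
    address: ":80"        # only needed for the ACME HTTP challenge
  websecure:
    address: ":443"       # SSL termination happens here, once, for the whole LAN
providers:
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  le:
    acme:
      email: admin@example.com          # placeholder
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
---
# File 2: edge (RPI) Traefik, dynamic config (dynamic.yml)
http:
  middlewares:
    local-ips:
      ipWhiteList:
        sourceRange:
          - 10.0.0.0/8    # edge sees the real client IP, so RFC1918 check is meaningful here
  routers:
    nas:
      rule: "Host(`nas.example.com`)"   # placeholder hostname
      entryPoints: [websecure]
      middlewares: [local-ips]          # internal-only: Internet clients get 403
      service: inner-traefik
      tls:
        certResolver: le
  services:
    inner-traefik:
      loadBalancer:
        passHostHeader: true            # inner Traefik routes on the original Host
        servers:
          - url: "http://10.0.0.20:80"  # plain HTTP on the LAN; TLS ended at the edge
---
# File 3: inner (Docker host) Traefik, static config
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.10/32    # only the edge RPI may set X-Forwarded-*; others are stripped
```

If the `local-ips` middleware were instead applied on the inner instance, it would see the RPI's own 10.x address as the client and let everything through, so it would need `ipStrategy.depth: 1` to evaluate the forwarded client IP rather than the immediate peer.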
Now that all the services are cut over and are working the same as they did under pfSense, I can do the router cutover sometime tomorrow.