Traefik

Traefik is a MIT licensed open source proxy. It can do a lot of things but what we are interested in is the ability to act as a reverse proxy. That means it can take an incoming HTTP request, kick it over to HTTPS with a valid SSL cert and pipe that traffic internally to your BAS server. The BAS server needs only to serve standard HTTP.

reverse-proxy-02-1

Requirements;

  1. You must own a domain name that points to this web servers IP. The part that points to your site can be an A record. A regular domain name can run under $20 a year and you can use the same name for many sites by using an A record for each site, for example; yourcustomer.yourcompanydomain.com
  2. In general you want it to be a static public IP, I haven’t tested it with dynamic and DDNS but that sounds like a point of failure.
  3. Ports 80 and 443 TCP must be open to this proxy for Let’s Encrypt challenges.
  4. You need a computer to run Traefik, there are releases for most operating systems. I focused on windows here but the config files posted should work for everyone with minimal changes. This can be the same computer your BAS runs on in most cases.

First; Test Traefik with self signed certificates

Get Traefik; https://github.com/containous/traefik/releases

Start by configuring your firewall to port forward 80 and 443 TCP external to the IP of where your Traefik server will be running.

If the application you are trying to upgrade to HTTPS is on the same computer you want to run Traefik on it needs to move to another port. TCP 8080 is very common for this. It should be serving standard HTTP, not HTTPS.

On windows I suggest folder; C:\Program Files\Traefik. Create that directory and place traefik.exe there.

In the same folder create text file traefik.toml with these contents;

defaultEntryPoints = ["http","https"]
     [entryPoints.web]
         address = ":80"
     [entryPoints.web-secure]
          address = ":443"
     [providers.file]
          filename = "./rules.toml"
     [log]
          level = "INFO"
          filePath = "C:\\Program Files\\Traefik\\traefik.log"

In the same folder create text file rules.toml with these initial contents. Replace demo.example.com with your DNS name that points to this sites external IP address. That last line that has the URL needs to point to where your BAS web service is.

[http.routers]
     [http.routers.router0]
          entryPoints = ["web"]
          service = "bas-service"
          rule = "Host(`demo.example.com`)"
               middlewares = ["redirect"]
     [http.routers.router1]
          entryPoints = ["web-secure"]
          service = "bas-service"
          rule = "Host(`bas-server`)"
               [http.routers.router1.tls]
[http.middlewares]
     [http.middlewares.redirect.redirectScheme]
     scheme = "https"
[http.services]
     [http.services.bas-service.loadBalancer]
          [[http.services.bas-service.loadBalancer.servers]]
               url = "http://127.0.0.1:8080/"

In a Administrator level DOS prompt run traefik.exe. You should get useful debug info in the DOS box and the newly created traefik.log file. At this stage you should be able to hit your external IP address. You will get a self signed SSL certificate you need to accept. After that you should get your BAS server web page. Proceed only after this is working as expected.

Second; Add Let’s Encrypt test using staging servers;

Add this to the end of your traefik.toml file. Replace the email with a VALID email. This email is pretty important, if anything fails this person gets the notification email that something is wrong.

[certificatesResolvers.letsencrypt.acme]
     email = "your-email@your-domain.org"
     caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
     storage = "acme.json"
     [certificatesResolvers.letsencrypt.acme.httpChallenge]
     # used during the challenge
     entryPoint = "web"

Add this to your rules.toml file, after line [http.routers.router1.tls]

certResolver = "letsencrypt"

In a Administrator level DOS prompt restart traefik.exe. You should get useful debug info in the DOS box and traefik.log file. Wait a little bit, sometimes the Let’s Encrypt challenge process takes a couple minutes. You should see log entries indicating it happened. After that at this stage you should be able to hit your external IP address. You will get a SSL certificate you need to accept. The SSL certificate should be signed by something similar to Fake LE Root X1. After that you should get your BAS server web page. Proceed only after this is working as expected.

Third; get Traefik running with genuine Let’s Encrypt SSL certificates

In you traefik.toml file remark out the line specifying the staging caServer by putting a pound sign in front of it;

[certificatesResolvers.letsencrypt.acme]
     email = "your-email@your-domain.org"
     #caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
     storage = "acme.json"
     [certificatesResolvers.letsencrypt.acme.httpChallenge]
     # used during the challenge
     entryPoint = "web"

In an Administrator level DOS prompt restart traefik.exe. You should get useful debug info in the DOS box and traefik.log file. Wait a little bit, sometimes the Let’s Encrypt challenge process takes a couple minutes. You should see log entries indicating it happened. After that at this stage you should be able to hit your external IP address and pass straight through to your BAS server via HTTPS. You should not have to accept a SSL certificate, the browser should accept the certificate and site as genuine.

Finally; Preparing to run Traefik long term

Under windows there are two ways you can go from here to make the traefik executable run all the time;

  1. Turn the executable file into a system service using NSSM. The NSSM service wrapper carries a public domain license and is very common and reliable. Get NSSM from nssm.cc Once you set it up it will be listed with the rest of your system services.
  2. Use windows task scheduler. You’ll need trigger “at startup” and run whether user is logged in or not. Action is start a program.

Both methods have a variety of checks and restart methods you should look into to keep traefik running if it stops for some reason.