[Traefik/OCI] Exposing Internal Non-Containerized Services with Traefik on OCI: A Step-by-Step Guide


Traefik is a popular reverse proxy that can be used to expose internal containerized services to the public in a simple and intuitive way. However, if you want to expose internal services that are installed and configured directly on the host system instead of containerized, you may encounter some difficulties, particularly when using Oracle Cloud Infrastructure (OCI). This technical post will provide a step-by-step guide on how to expose internal non-containerized services to the public using Traefik on OCI.

1. Ensure the Internal Service is Accessible from Localhost

To begin, it is essential to have a service running on the internal host and ensure that it is accessible from the localhost. For example, if you have a service running on port 8300, you can access it from the localhost using the following command:

curl http://localhost:8300

However, the Traefik container has its own network namespace, so inside it localhost and 127.0.0.1 refer to the container itself, not to the host. To use Traefik as a reverse proxy, the service therefore has to be reachable on the host's private IP address as well. For instance, if the private IP address of the host is 192.168.1.25, the following command must also succeed (if it fails with "connection refused", the service is bound to 127.0.0.1 only and needs to listen on 0.0.0.0 or on the private IP):

curl http://192.168.1.25:8300
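The following script is an added example, not code from the original post: it turns the check above into something you can run before touching Traefik. It parses the listening sockets reported by ss and reports whether the service is bound to an address a container on the Docker bridge can reach, or only to loopback (the case that later shows up as "Bad Gateway"). The port 8300, the private IP 192.168.1.25 and the ss output samples are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: check whether the internal
# service listens on an address the Traefik container can reach.
# A service bound only to 127.0.0.1 answers "curl http://localhost:8300"
# on the host, but the Traefik container (own network namespace, talking to
# the host over the Docker bridge) gets "connection refused" and reports
# "Bad Gateway". The port, the private IP and the ss samples are assumptions.
#
# Live usage on the host:  sh check_bind.sh 8300 192.168.1.25
# With no arguments the script runs against the constructed samples below.

set -eu

# Reads `ss -Hltn` output on stdin; prints the local address of every
# listener on port $1, one per line (the port suffix stripped).
listeners_for_port() {
  awk -v port="$1" '
    {
      addr = $4                      # column 4 is Local Address:Port
      n = split(addr, parts, ":")    # the port is the text after the last colon
      if (parts[n] == port) {
        sub(":" port "$", "", addr)
        print addr
      }
    }'
}

# reachable_from_bridge PORT PRIVATE_IP SS_OUTPUT
# Succeeds when some listener on PORT is bound to a wildcard address or to
# PRIVATE_IP; fails when the only listeners are loopback (or none exist).
reachable_from_bridge() {
  printf '%s\n' "$3" | listeners_for_port "$1" \
    | grep -qxF -e '*' -e '0.0.0.0' -e '[::]' -e "$2"
}

# Constructed samples of `ss -Hltn` output (not captured from a real host).
SAMPLE_LOOPBACK_ONLY='LISTEN 0 128 127.0.0.1:8300 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_ALL_IFACES='LISTEN 0 128 0.0.0.0:8300 0.0.0.0:*
LISTEN 0 128 [::]:8300 [::]:*'
SAMPLE_PRIVATE_IP='LISTEN 0 128 192.168.1.25:8300 0.0.0.0:*'

# report LABEL PORT PRIVATE_IP SS_OUTPUT
report() {
  if reachable_from_bridge "$2" "$3" "$4"; then
    echo "$1: port $2 is reachable from the Docker bridge"
  else
    echo "$1: port $2 is bound to loopback only; rebind the service to 0.0.0.0 or $3 (Traefik would return Bad Gateway)"
  fi
}

if [ $# -ge 1 ]; then
  # Live check against this host's listening sockets.
  report "live" "$1" "${2:-192.168.1.25}" "$(ss -Hltn)"
else
  report "loopback-only sample" 8300 192.168.1.25 "$SAMPLE_LOOPBACK_ONLY"
  report "all-interfaces sample" 8300 192.168.1.25 "$SAMPLE_ALL_IFACES"
  report "private-ip sample" 8300 192.168.1.25 "$SAMPLE_PRIVATE_IP"
fi
```

Run it with the port and the host's private IP as arguments to check the live host; with no arguments it only exercises the constructed samples.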

2. Configure Domain Name and DNS Record

Go to your domain name provider and add a DNS record that points to the public IP address of the host (the instance's public IP shown in the OCI console, not the private 192.168.x.x address). For example, if the public IP address of the host is 185.73.91.225 and you own the domain name example.com, add an A record pointing *.example.com to 185.73.91.225. A wildcard record sends every subdomain to this host; if you only want to expose one service, a record for just myservice.example.com is the tighter choice.

3. Create Traefik Container and Configuration File

Now, let’s add a compose file to create the Traefik container. Alternatively, you can use docker run to create the container if you prefer. In this example the compose file only exposes port 80 to the public, and the service is accessed over plain HTTP, so anything it serves, including login credentials, crosses the internet unencrypted; treat this as a starting point and add a TLS entry point before putting anything sensitive behind it.

 1version: "3"
 2
 3services:
 4  reverse-proxy:
 5    image: traefik:v2.5
 6    container_name: traefik
 7    restart: always
 8    command:
 9      - "--providers.docker=true"
10      - "--providers.file=true"
11      - "--providers.file.filename=/etc/traefik/config.yaml"
12      - "--providers.file.watch=true"
13      - "--entryPoints.web.address=:80"
14      - "--log.level=DEBUG" # optional
15    volumes:
16      - "/var/run/docker.sock:/var/run/docker.sock"
17      - "/home/ubuntu/traefik/config.yaml:/etc/traefik/config.yaml"
18    ports:
19      - "80:80"

Some explanations for the above compose file:

  • Line 11: specify a configuration file for Traefik to route the request to the internal service; the file is mounted on Line 17.
  • Line 14: --log.level=DEBUG is not necessary for production but can be useful for troubleshooting.
  • Line 16: the Docker socket is mounted for the Docker provider enabled on Line 9. Whoever controls that socket controls the Docker daemon, which is root-equivalent on the host, so if you only route through the file provider you can drop both Line 9 and Line 16.

Next, create the configuration file /home/ubuntu/traefik/config.yaml:

 1http:
 2  routers:
 3    my-router:
 4      rule: "Host(`myservice.example.com`)"
 5      service: "myservice"
 6  services:
 7    myservice:
 8      loadBalancer:
 9        servers:
10        - url: "http://192.168.1.25:8300"
11        passHostHeader: false
  • Line 4: This is where you specify the domain name used to access the service.
  • Line 10: This is where you specify the private IP address of the host and the port number of the service. If you use localhost or 127.0.0.1 here, Traefik tries to connect to itself inside the container, the connection is refused, and the browser shows "Bad Gateway". Use the private IP address of the host instead.
  • Line 11: passHostHeader: false makes Traefik send the backend's own address (192.168.1.25:8300) as the Host header instead of the public hostname. This avoids the error "The host header sent by the client is not allowed" from backends that check the Host header against an allow-list. The trade-off is that a backend which builds absolute URLs or redirects from the Host header will now produce links to 192.168.1.25:8300; in that case, keep the default passHostHeader: true and add myservice.example.com to the backend's allowed-hosts setting instead.

With these steps completed, open a browser, type in the domain name, and you should see the service. 🎉🎉🎉

4. Troubleshooting for OCI Environment

If you are using OCI, requests may still return Bad Gateway after docker compose up. 😒
The reason is that OCI's Ubuntu images ship with a host firewall: the rules in /etc/iptables/rules.v4 end the INPUT chain with a REJECT rule, so connections from the Traefik container's bridge network to port 8300 on the host are rejected. (This is separate from the subnet's security list or network security group in the OCI console, which must also allow ingress on port 80 for the public to reach Traefik at all.) To resolve this, add the following line to /etc/iptables/rules.v4. It must go above the "-A INPUT -j REJECT" line, not at the end of the file: a rule placed after the REJECT is never evaluated. As written it accepts connections to port 8300 from any source; to limit it to the Traefik container, add -s with the Docker network's subnet (find it with docker network inspect).

-A INPUT -p tcp -m state --state NEW -m tcp --dport 8300 -j ACCEPT

Then save the changes and enable the new rule by running this command:

sudo iptables-restore < /etc/iptables/rules.v4

Verify if the rule is successfully added by running this command:

sudo iptables -L INPUT

You should see a rule resembling the following, listed above the REJECT rule:

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8300

Now, run docker compose up again, and you should be able to see the service from the public. 🎉🎉🎉
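The following script is an added example, not code from the original post: it edits a rules.v4 file the way the step above describes, inserting the ACCEPT rule directly above the catch-all INPUT REJECT so it is actually evaluated, doing nothing if the rule is already present, and refusing to touch a file that has no INPUT REJECT line. It also narrows the rule to a source subnet so the port is not opened to every host in the VCN. The subnet 172.16.0.0/12 (Docker's default address pool), the port, the file path and the sample rules file are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: place the ACCEPT rule for the
# service port in /etc/iptables/rules.v4 *before* the catch-all
# "-A INPUT -j REJECT" line that OCI's Ubuntu images ship with. A rule
# appended after that line is never evaluated, so the Bad Gateway persists.
# The rule is also limited to Docker's default address pool so the port is
# not opened to every host in the VCN. The subnet, the port, the file path
# and the sample rules file are assumptions.
#
# Live usage (as root, then reload):
#   sh insert_rule.sh /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
# With no arguments it runs against a temporary copy of the sample below.

set -eu

# Assumption: Docker's default address pool. Check the real subnet with
# `docker network inspect <network>` and adjust if it differs.
BRIDGE_SUBNET="${BRIDGE_SUBNET:-172.16.0.0/12}"
SERVICE_PORT="${SERVICE_PORT:-8300}"
RULE="-A INPUT -s $BRIDGE_SUBNET -p tcp -m state --state NEW -m tcp --dport $SERVICE_PORT -j ACCEPT"

# insert_before_reject FILE RULE
# Inserts RULE immediately before the first "-A INPUT ... -j REJECT" line.
# Idempotent: does nothing if RULE is already present. Returns 2 and leaves
# FILE untouched if the file has no INPUT REJECT line (then the rule can
# simply be added before COMMIT by hand).
insert_before_reject() {
  file="$1"; rule="$2"
  if grep -qxF -- "$rule" "$file"; then
    return 0
  fi
  tmp="$file.tmp"
  if awk -v rule="$rule" '
      !done && /^-A INPUT / && / -j REJECT/ { print rule; done = 1 }
      { print }
      END { if (!done) exit 2 }
    ' "$file" > "$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"
    return 2
  fi
}

# line_of FILE TEXT: 1-based line number of the first line equal to TEXT.
line_of() {
  grep -nxF -- "$2" "$1" | head -n 1 | cut -d : -f 1
}

# Constructed, abridged rules.v4 in the layout OCI's Ubuntu images use
# (not copied from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
REJECT_LINE='-A INPUT -j REJECT --reject-with icmp-host-prohibited'

if [ $# -ge 1 ]; then
  insert_before_reject "$1" "$RULE"
else
  demo="$(mktemp)"
  printf '%s\n' "$SAMPLE_RULES" > "$demo"
  insert_before_reject "$demo" "$RULE"
  echo "rule inserted at line $(line_of "$demo" "$RULE"), REJECT now at line $(line_of "$demo" "$REJECT_LINE")"
  rm -f "$demo"
fi
```

After running it against the real file, reload with iptables-restore as in the step above and confirm with iptables -L INPUT that the new ACCEPT is listed above the REJECT.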

If the Docker container itself fails to start with an iptables error, you may find the solution here: Error: iptables failed: iptables --wait -t filter -A DOCKER


If this post helped you to solve a problem or provided you with new insights, please upvote it and share your experience in the comments below. Your comments can help others who may be facing similar challenges. Thank you!