
Traefik - Bare Metal, Reverse Proxy for Apache2

Traefik Reverse Proxy Apache

In this tutorial I use a bare metal installation of Traefik and configure it as a reverse proxy for an Apache2 webserver. As Linux distribution I use openSUSE Leap 15.5.

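I used this setup to secure Apache2 on a very old server that is not publicly accessible, where it was not possible to update the system and the TLS version it offered was no longer supported by browsers. Traefik uses the Go libraries for TLS, so it worked well as a workaround. Traefik terminates TLS and forwards requests to Apache2 over plain HTTP on the same host, so Apache2 itself should not be reachable from the network.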


Prerequisites
#

Certificates
#

I use Let’s Encrypt wildcard certificates that I have copied to the server.

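# Change certificate permissions
# Directory: root only, keeping the search (x) bit so the files inside can be
# opened. A recursive 0400 would strip that bit from the directory itself.
sudo chown -R root:root /etc/traefik/certificates
sudo chmod 0700 /etc/traefik/certificates
# Files: read-only for root. privkey1.pem is the private key and must never be
# readable by other users.
sudo find /etc/traefik/certificates -type f -exec chmod 0400 {} +
# Check permissions (long listing; sudo because the directory is root-only)
sudo ls -l /etc/traefik/certificates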

# Shell output:
-r-------- 1 root root 1773 Aug 25 17:10 cert1.pem
-r-------- 1 root root 3749 Aug 25 17:10 chain1.pem
-r-------- 1 root root 5522 Aug 25 17:10 fullchain1.pem
-r-------- 1 root root 1704 Aug 25 17:10 privkey1.pem

Apache2
#

# Install Apache2
sudo zypper install apache2

# Open apache listen.conf
sudo vi /etc/apache2/listen.conf
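# Change Apache2 to listen on port 81, bound to the loopback interface only.
# Traefik forwards to http://localhost:81 from the same host; a bare "Listen 81"
# would also expose the unencrypted backend on every network interface and let
# clients bypass the TLS proxy.
Listen 127.0.0.1:81

# Keep Apache's own HTTPS listener disabled: TLS is terminated by Traefik.
#<IfDefine SSL>
#       <IfDefine !NOSSL>
#       <IfModule mod_ssl.c>
#
#               Listen 443
#
#       </IfModule>
#       </IfDefine>
#</IfDefine>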
# Restart Apache2
sudo systemctl restart apache2

Hosts File
#

# Hosts file
C:\Windows\System32\drivers\etc\hosts

# Add entry to hosts file
192.168.30.224 traefik-proxy.jklug.work

Install Traefik
#

Find the latest release:
https://github.com/traefik/traefik/releases

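# Download the release archive and the checksum file published with it
wget https://github.com/traefik/traefik/releases/download/v2.10.4/traefik_v2.10.4_linux_amd64.tar.gz
wget https://github.com/traefik/traefik/releases/download/v2.10.4/traefik_v2.10.4_checksums.txt

# Verify the archive before unpacking; do not continue if this reports a mismatch.
# This catches a corrupted or altered download, not a compromised release page.
sha256sum --check --ignore-missing traefik_v2.10.4_checksums.txt

# Unpack archive
tar -xvf traefik_v2.10.4_linux_amd64.tar.gz

# Install traefik into the bin directory, owned by root and executable.
# A plain "mv" keeps the unpacking user's ownership, which would leave a binary
# that later runs as root writable by an unprivileged account.
sudo install -o root -g root -m 0755 traefik /usr/local/bin/traefik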

Traefik Configuration
#

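# Create directory for configuration files
# -p: do not fail if /etc/traefik already exists (the certificates were copied
# to /etc/traefik/certificates earlier)
sudo mkdir -p /etc/traefik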

traefik.yaml
#

# Main configuration
sudo vi /etc/traefik/traefik.yaml
# General settings
# Static configuration, passed to Traefik with --configFile.
log:
  level: INFO

global:
  # No update check and no usage statistics are sent from this host
  checkNewVersion: false
  sendAnonymousUsage: false

api:  # Keep disabled in production
  # insecure: true would serve the API without authentication; leave it false
  insecure: false
  dashboard: false


# Ports
entryPoints:
  # Plain HTTP; in reverse-proxy.yml this entry point is only used to redirect
  # to HTTPS
  web:
    address: ":80"

  # HTTPS; TLS is terminated here with the certificates from reverse-proxy.yml
  websecure:
    address: ":443"


# Reverse proxy
# Routers, middlewares, services and certificates are read from this file
providers:
  file:
    filename: "/etc/traefik/reverse-proxy.yml"

reverse-proxy.yml
#

# Reverse proxy configuration
sudo vi /etc/traefik/reverse-proxy.yml
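http: # Routing
  routers:
    apache-router: # HTTP routing
      rule: "Host(`traefik-proxy.jklug.work`)"
      service: apache-service
      entryPoints:
        - web
      middlewares: # Redirect http to https
        - http-to-https
    apache-router-secure: # HTTPS routing
      rule: "Host(`traefik-proxy.jklug.work`)"
      service: apache-service
      entryPoints:
        - websecure
      tls: true


  # Redirect http to https
  middlewares:
    http-to-https:
      redirectScheme:
        scheme: https
        permanent: true


  # Define Apache2 service
  # The hop from Traefik to Apache2 is unencrypted HTTP, so it must stay on the
  # loopback interface of this host.
  services:
    apache-service:
      loadBalancer:
        servers:
          - url: "http://localhost:81"


tls:
  # Pin the minimum protocol version explicitly instead of relying on the
  # default of the Go version Traefik was built with. The "default" options
  # apply to every router that does not name its own TLS options.
  options:
    default:
      minVersion: VersionTLS12

  # Define path to Let's Encrypt certificates
  # keyFile is the private key: keep it readable by root only.
  certificates:
    - certFile: /etc/traefik/certificates/fullchain1.pem
      keyFile: /etc/traefik/certificates/privkey1.pem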

Traefik Startup
#

init.d Version
#

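# Create the init script (as root; /etc/init.d is not writable by normal users)
sudo touch /etc/init.d/traefik

# Make the init script executable, writable by root only
sudo chown root:root /etc/init.d/traefik
sudo chmod 0755 /etc/init.d/traefik

# Edit the init script
sudo vi /etc/init.d/traefik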
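#!/bin/sh
#
# /etc/init.d/traefik - init script for Traefik (openSUSE rc.status style)
#
# Usage: /etc/init.d/traefik {start|stop|status|try-restart|restart|force-reload|reload|probe}
#
# Traefik is started with the privileges of the caller (root at boot), so the
# binary, this script and the configuration file should be writable by root only.

TRAEFIK_BIN="/usr/local/bin/traefik"
TRAEFIK_CONFIG="/etc/traefik/traefik.yaml"

# Fail early with the LSB exit codes instead of a confusing startproc error:
#   5 = program is not installed, 6 = program is not configured.
# "stop" still exits 0 so that shutting down a removed service is not an error.
if [ ! -x "$TRAEFIK_BIN" ]; then
    echo "$TRAEFIK_BIN not installed"
    if [ "$1" = "stop" ]; then exit 0; else exit 5; fi
fi
if [ ! -r "$TRAEFIK_CONFIG" ]; then
    echo "$TRAEFIK_CONFIG not readable"
    if [ "$1" = "stop" ]; then exit 0; else exit 6; fi
fi

# Provides rc_reset, rc_status, rc_failed and rc_exit
. /etc/rc.status

rc_reset

case "$1" in
    start)
        printf '%s' "Starting Traefik: "
        startproc "$TRAEFIK_BIN" --configFile "$TRAEFIK_CONFIG"
        rc_status -v
        ;;
    stop)
        printf '%s' "Stopping Traefik: "
        killproc -TERM "$TRAEFIK_BIN"
        rc_status -v
        ;;
    try-restart)
        # Restart only if the service is currently running
        "$0" status >/dev/null && "$0" restart
        rc_status
        ;;
    restart)
        "$0" stop
        "$0" start
        rc_status
        ;;
    force-reload)
        # This script has no reload signal for Traefik, so fall back to a
        # restart of a running service, as LSB asks for force-reload.
        printf '%s' "Reload service Traefik"
        "$0" try-restart
        rc_status
        ;;
    reload)
        # Not implemented: report LSB status 3 ("unimplemented feature")
        # instead of claiming success without doing anything.
        rc_failed 3
        rc_status -v
        ;;
    status)
        printf '%s' "Checking for Traefik: "
        checkproc "$TRAEFIK_BIN"
        rc_status -v
        ;;
    probe)
        # Intentionally empty: nothing is probed for this service
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac

rc_exit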

Start Traefik
#

# Start traefik
/etc/init.d/traefik start

# Stop traefik
/etc/init.d/traefik stop

# Restart traefik
/etc/init.d/traefik restart

systemd Version
#

# Create / edit configuration file
sudo vi /etc/systemd/system/traefik.service
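[Unit]
Description=Traefik
Documentation=https://docs.traefik.io
After=network.target

[Service]
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yaml
Restart=always
StandardOutput=journal
StandardError=journal
SyslogIdentifier=traefik

# The service runs as root because it binds ports 80/443 and reads the
# root-only certificate files. The directives below limit what a compromised
# proxy process could reach; Traefik only needs to read /etc/traefik.
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# NOTE(review): a dedicated unprivileged User= with
# AmbientCapabilities=CAP_NET_BIND_SERVICE would be stricter, but requires the
# certificate files to be readable by that user.

[Install]
WantedBy=multi-user.target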

Start Traefik
#

# Reload the systemd daemon to pick up the new service file
sudo systemctl daemon-reload

# Start traefik
sudo systemctl start traefik

# Stop traefik
sudo systemctl stop traefik

# Enable startup at boot
sudo systemctl enable traefik

# Check status
sudo systemctl status traefik