Traefik, Reverse Proxies and LXC Containers (Day 4)

2025-01-13

After running Proxmox for about 2 months, I realized I hadn’t tried out LXC containers yet. What better way to start than setting up a reverse proxy?

What’s a Reverse Proxy?

Think of a reverse proxy like a bartender - you ask for a drink, and they handle getting it from the right place. More technically, it’s a server that sits between clients and your web services, forwarding requests.

Getting Started with LXC

LXC containers are lightweight VMs that still give you a full Linux userspace, including systemd and other traditional VM behaviors.

Setting one up in Proxmox

First, grab an Ubuntu template:

pveam download local ubuntu-22.04-standard_22.04-1_amd64.tar.zst

Then create a container with 2GB RAM and 8GB disk:

pct create 1001 local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst \
  --hostname <your-container-name> \
  --cores 2 \
  --memory 2048 \
  --rootfs local-lvm:8 \
  --net0 name=eth0,bridge=vmbr0,ip=dhcp \
  --unprivileged 1 \
  --ssh-public-keys /root/.ssh/id_rsa.pub

Setting Up Traefik

While Traefik is popular in Docker and Kubernetes environments, it works great as a standalone binary too (you do lose the nice service auto-discovery features though).

Here’s how I set it up:

  1. Create the config structure:
mkdir -p ~/traefik/config
  2. Basic Traefik config (traefik.yaml):
log:
  level: "DEBUG"
api:
  insecure: true # Temporarily enable dashboard for debugging
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    directory: ./config # the config directory created inside the traefik directory
    watch: true
  3. Set up service routing (~/traefik/config/services.yaml):
http:
  routers:
    opnsense:
      rule: "Host(`<your-domain>`)"
      entryPoints:
        - "websecure"
      service: opnsense
      tls: {}
    # HTTP to HTTPS redirect
    opnsense-redirect:
      rule: "Host(`<your-domain>`)"
      entryPoints:
        - "web"
      middlewares:
        - https-redirect
      service: opnsense
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
  services:
    opnsense:
      loadBalancer:
        servers:
          - url: "https://<opnsense-ip>"
        serversTransport: insecure-skip-verify
  serversTransports:
    insecure-skip-verify:
      insecureSkipVerify: true

If you’re dealing with self-signed certificates and see errors like "tls: failed to verify certificate: x509: cannot validate certificate for...", setting insecureSkipVerify to true in the serversTransport makes Traefik skip verification of the backend certificate, which should fix that.
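An alternative that keeps verification on, as an added example that is not part of the original setup: trust the exported OPNsense certificate through rootCAs. The transport name opnsense-pinned, the certificate path and the serverName placeholder are assumptions, and the certificate is assumed to carry a SAN matching serverName.

```yaml
# Added example for ~/traefik/config/services.yaml (not from the original post).
# Routers and middlewares stay exactly as shown above; only the service's
# transport changes.
http:
  services:
    opnsense:
      loadBalancer:
        servers:
          - url: "https://<opnsense-ip>"
        serversTransport: opnsense-pinned   # assumed name

  serversTransports:
    # Weak (the setting used above): any certificate is accepted, so whatever
    # answers on <opnsense-ip> is treated as the real backend.
    # insecure-skip-verify:
    #   insecureSkipVerify: true

    # Stricter: only a certificate that chains to the exported OPNsense
    # certificate (or the CA that issued it) is accepted.
    opnsense-pinned:
      rootCAs:
        - /etc/traefik/certs/opnsense.pem    # assumed path to the exported PEM
      # Name checked against the certificate instead of the IP in the URL.
      # Placeholder: it must match a SAN in the OPNsense certificate.
      serverName: "<name-in-opnsense-cert>"
```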

Launch Traefik:

traefik --configfile=traefik.yaml

This can then be converted into a systemd service for automatic startup.

PS: I changed the numbering of the days on the posts to go at the end of the title, since adding the day number at the beginning felt cluttered.


