Traefik, Reverse Proxies and LXC Containers (Day 4)


After running Proxmox for about 2 months, I realized I hadn’t tried out LXC containers yet. What better way to start than setting up a reverse proxy?

What’s a Reverse Proxy?

Think of a reverse proxy like a bartender - you ask for a drink, and they handle getting it from the right place. More technically, it’s a server that sits between clients and your web services, forwarding requests.

Getting Started with LXC

LXC containers are a lightweight alternative to VMs: they share the host's kernel, but still give you a full Linux userspace, including systemd and other traditional VM behaviors.

Setting one up in Proxmox

First, grab an Ubuntu template:

pveam download local ubuntu-22.04-standard_22.04-1_amd64.tar.zst

Then create a container with 2GB RAM and 8GB disk:

pct create 1001 local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst \
  --hostname <your-container-name> \
  --cores 2 \
  --memory 2048 \
  --rootfs local-lvm:8 \
  --net0 name=eth0,bridge=vmbr0,ip=dhcp \
  --unprivileged 1 \
  --ssh-public-keys /root/.ssh/id_rsa.pub

Setting Up Traefik

While Traefik is popular in Docker and Kubernetes environments, it works great as a standalone binary too (you do lose the nice service auto-discovery features, though).

Here’s how I set it up:

  1. Create the config structure (including the config directory that the file provider watches):
mkdir -p ~/traefik/config
  2. Basic Traefik config (traefik.yaml):
log:
  level: "DEBUG"
api:
  insecure: true # Temporarily enable dashboard for debugging; it is served without authentication on :8080, so set this back to false afterwards
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    directory: ./config # inside the traefik directory
    watch: true
  3. Set up service routing (~/traefik/config/services.yaml):
http:
  routers:
    opnsense:
      rule: "Host(`<your-domain>`)"
      entryPoints:
        - "websecure"
      service: opnsense
      tls: {}
    # HTTP to HTTPS redirect
    opnsense-redirect:
      rule: "Host(`<your-domain>`)"
      entryPoints:
        - "web"
      middlewares:
        - https-redirect
      service: opnsense
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
  services:
    opnsense:
      loadBalancer:
        servers:
          - url: "https://<opnsense-ip>"
        serversTransport: insecure-skip-verify
  serversTransports:
    insecure-skip-verify:
      insecureSkipVerify: true

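If you’re dealing with self-signed certificates and see errors like "tls: failed to verify certificate: x509: cannot validate certificate for...", setting insecureSkipVerify to true in the serversTransport should fix that. It does so by turning off verification of the backend certificate entirely, so Traefik will accept any certificate presented at that address.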
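An alternative that keeps verification on, as an added example that is not part of the original post: trust the OPNsense certificate explicitly and check it against a name it actually contains. The transport name opnsense-verified, the <opnsense-cert-hostname> and <path-to> placeholders, and the exported PEM file are assumptions; rootCAs and serverName are standard serversTransport options.

```yaml
# ~/traefik/config/services.yaml
# Only the backend part changes; routers and middlewares stay as above.
http:
  services:
    opnsense:
      loadBalancer:
        servers:
          - url: "https://<opnsense-ip>"
        # Point the service at the verifying transport instead of
        # insecure-skip-verify.
        serversTransport: opnsense-verified

  serversTransports:
    # Before (weak): any certificate presented by the backend is accepted.
    # insecure-skip-verify:
    #   insecureSkipVerify: true

    # After: the backend must present a certificate that chains to the
    # PEM file below and is valid for serverName.
    opnsense-verified:
      # The URL above uses an IP address, which a self-signed certificate
      # usually does not list. serverName tells Traefik which name to
      # verify (and send as SNI) instead. It must be a DNS name present
      # in the certificate's subjectAltName. (Placeholder, assumption.)
      serverName: "<opnsense-cert-hostname>"
      # PEM file holding the self-signed certificate (or the CA that
      # issued it), exported from OPNsense and copied to the Traefik
      # container. (Placeholder path, assumption.)
      rootCAs:
        - "<path-to>/opnsense-ca.pem"
```

If the certificate has no subjectAltName entry at all, verification will still fail; in that case reissue the certificate on OPNsense with the hostname as a SAN.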

Launch Traefik:

traefik --configfile=traefik.yaml

This can then be converted into a systemd service for automatic startup.

PS: I changed the numbering of the days on the posts to go at the end of the title, felt like adding the day number at the beginning got cluttered.