Multiple Traefik Instances on Different Domains/Hosts and One External IP

In this post, I will show you how to run multiple Traefik instances with different domains, on different Docker hosts, and with only one external public IP address.

If you have been following my website, I am a big proponent of Traefik. I have been using Traefik since 2019, and the process is well documented in my Traefik reverse proxy guide.

Starting from a humble smart home setup, my Docker-Traefik ecosystem has evolved over the years. You may follow my setup on GitHub.

About a year back, I started running two instances of Traefik: one on my Synology NAS and one on my home server.

Initially, I only had one domain pointing to my home lab. Eventually, I added another domain: one for Synology Docker Apps and the other for my home server. So how do I run two Traefik instances living on different hosts, with different domain names, but have only one external IP provided by my ISP?

This was the big question. In this Traefik multi-instance guide, I will explain how I run two instances of Traefik on different hosts but with a single external WAN IP.

Traefik Multiple Instances

Traefik has been a perfect companion for my Docker media server. In fact, the majority of my readers pick Traefik over other reverse proxy options.

Unlike Nginx Proxy Manager, Traefik allows for advanced setups such as the one discussed in this guide.

The Problem with Multiple Domains and Multiple Traefik Instances

So, what exactly is the problem with running multiple instances of Traefik on different hosts but having only one external IP?

Here is a schematic to explain the concept.

[Figure: Traefik multiple hosts on a single gateway router]

The limitation comes from port forwarding. Traefik needs ports 80 and 443 opened to the internet. Typically, an internet gateway/router can forward a given port to only one host.

So, in my case, I have to pick either my home server or Synology. I picked my home server, which was OK as long as I had only one domain name.

Making Traefik Work with One Domain on Multiple Hosts

This was my old setup and it was pretty straightforward.

I only needed Traefik on the main server that was associated with the single domain I was using. The router port forwarded 80 and 443 to my home server.

The Docker stack on Synology did not need a reverse proxy such as Traefik. I could use Traefik file providers to put any web app in my network behind Traefik and a fully qualified domain name with proper SSL certs.

For example, as explained in my Traefik guide, I could put Pi-hole running on a Raspberry Pi behind Traefik using the following file provider rule:

http:
  routers:
    pihole-rpi-rtr:
      rule: "Host(`pihole.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
      entryPoints:
        - https
      middlewares:
        - chain-basic-auth
        - pihole-rpi-add-admin
      service: pihole-rpi-svc
      tls:
        certResolver: dns-cloudflare
  middlewares:
    pihole-rpi-add-admin:
      addPrefix:
        prefix: "/admin"
  services:
    pihole-rpi-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.1.126"  # or whatever your external host's IP:port is

I could do the same for any app, including AdGuard Home, Home Assistant, or even Synology DSM.

When I put my Synology NAS on a different domain name than my home server, I needed a way for the Traefik instance on my Synology to be reachable on ports 80 and 443, so that SSL certs could be obtained and the apps made available via Traefik on Synology.

Solution to Multiple Traefik, Multiple Domains, Multiple Hosts, and Single External IP

The answer is TCP routers.

[Figure: Traefik TCP router passthrough]

With a Traefik TCP router, I can pass through all requests that come for the second domain (example2.com) to my Synology NAS. Traefik on my home server (example1.com) will continue to serve as the main one (gatekeeper), and the internet gateway (router) is set to port forward ports 80 and 443 to my home server.

Now, when I am outside my network, both appX.example1.com and appY.example2.com resolve and work properly to reach the right application on the right host.

How to Enable Traefik TCP Router?

So now the question is how do we enable passthrough using TCP routers. It is easy.

All we need to do is leverage the Traefik file provider and create a YML file in the rules folder with the TCP router definition. I am calling it app-second-domain.yml and it has the following contents in it:

This guide has been updated to the new Traefik v3 syntax. To understand more about what has changed from Traefik v2, check my Traefik v3 guide.

tcp:
  routers:
    synology-traefik-rtr:
      entryPoints:
        - "https"
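      # Traefik v3 matchers take plain Go regular expressions, not the v2 {name:pattern} placeholders.
      # HostSNI matches the apex exactly; the anchored regex matches lowercase-letter subdomains only.
      rule: "HostSNI(`example2.com`) || HostSNIRegexp(`^[a-z]+[.]example2[.]com$`)"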
      service: synology-traefik-svc
      tls:
        passthrough: true
  services:
    synology-traefik-svc:
      loadBalancer:
        servers:
          - address: "192.168.1.254:443"

Basically, what the above TCP router does is, if there are requests that are addressed to example2.com or its subdomains, then the request is passed through to the second Traefik instance that is listening at 192.168.1.254:443 on my Synology NAS.

Concluding Remarks on Running Multiple Traefik Containers

Having multiple Traefik instances with different domains on the same network is probably not going to be that common, at least in a typical homelab environment. I could even get by with just one domain.

For some testing purposes I had to put my Synology on a separate domain. Now, even if I am messing with one Traefik instance (secondary instance) for testing purposes, I (and others in my home) will still have access to key services on the main Traefik instance.

But there is one caveat. If the primary Traefik instance is down, then TCP passthrough obviously won't work. Therefore, the second Traefik instance will be down as well. So, the primary Traefik instance you pick must be the one that will be messed with the least.

Otherwise, I hope this guide gets you going with running multiple Traefik instances, as you want them.


Anand

Anand is a self-learned computer enthusiast, hopeless tinkerer (if it ain't broke, fix it), a part-time blogger, and a Scientist during the day. He has been blogging since 2010 on Linux, Ubuntu, Home/Media/File Servers, Smart Home Automation, and related HOW-TOs.
