Mailu: Any documentation for us using traefik as proxy

Created on 9 Aug 2018 · 14Comments · Source: Mailu/Mailu

we have lots of apps, all behind traefik proxy.. we use traefik because of sockets, we really like Mailu but we don't find any guide getting Mailu work as other containers behind traefik.

Any one brave enough to point us please help..
Thank you so much.

typquestion

Source

pepya2

Most helpful comment

Just a notice for the future: Træfik will support TCP with version 2.0.
https://github.com/containous/traefik/pull/4587

timoschwarzer on 17 May 2019

🎉3

All 14 comments

Does Traefik support L4 routing? Cause web traffic is normally L7 and for email, databases, anything TCP, but not HTTP related uses L4 routing. Nginx-ingress-controller uses the TCP services to do that, but I'm unsure how to configure L4 under Traefik

christhomas on 26 Aug 2018

The only issue with traefik is indeed it only supports HTTP. You could use traefik to proxify your domain name to the front container and remove ports 80 and 443 from the configuration.

kaiyou on 16 Sep 2018

Looks like it's on their radar from the beginning (issue 10!) but hasn't received much work.

containous/traefik#10

benyanke on 17 Sep 2018

While not for reverse-proxying anything but HTTP, I started working on documentation, with more to come:
https://github.com/Mailu/Mailu/pull/724

Please let me know what you think about including traefik support in the way described in the PR.

Thanks a bunch for this great project ^_^
-Dario

Nebukadneza on 5 Dec 2018

still confused as to weather we can implement traefik in front of mailu or not... i feel im wasting a vm just for mail when i can deploy other web applications inside docker containers also but mail_front siezes control

ghost on 6 Dec 2018

Documentation is merged in #724. Closing...

muhlemmer on 31 Dec 2018

Just a notice for the future: Træfik will support TCP with version 2.0.
https://github.com/containous/traefik/pull/4587

timoschwarzer on 17 May 2019

🎉3

Traefik now supports TCP routing. I'm currently trying to get mailu 1.7 and traefik 2.0.2 to play nice. Perhaps we could reopen this issue and I'll post my findings.

NX211 on 15 Oct 2019

@NX211 if you post your working results I'd be glad do rewrite the Traefik documentation for Mailu. :)

timoschwarzer on 15 Oct 2019

With #1158, mailu does not have any special requirements for the http(s) ingress. Just one ingress route, everything special is handled by the internal nginx.
For the other services, you _can_ use traefik as tcp ingress although it does not give any benefits. You could use it for SSL termination for the SSL-only ports but not for the plain/TLS ports since TLS must be handled at protocol level. So you will still have to pass the certs to nginx and bind these ports directly (e.g. via hostPort).

micw on 15 Oct 2019

... and bind these ports directly (e.g. via hostPort).

Not really. You can set Treafik to treat nginx as a back-end. They only need to be member of the same internal (Docker) network.

This is the mode how I'm running the demo server:

.env:
TLS_FLAVOR=mail

docker-compose.yml:

````
front:
image: ${DOCKER_ORG:-mailu}/nginx:${MAILU_VERSION:-master}
restart: always
env_file: .env
logging:
driver: $LOG_DRIVER
ports:

- "$BIND_ADDRESS4:80:80"

- "$BIND_ADDRESS4:443:443"

  - "$BIND_ADDRESS4:110:110"
  - "$BIND_ADDRESS4:143:143"
  - "$BIND_ADDRESS4:993:993"
  - "$BIND_ADDRESS4:995:995"
  - "$BIND_ADDRESS4:25:25"
  - "$BIND_ADDRESS4:465:465"
  - "$BIND_ADDRESS4:587:587"

- "$BIND_ADDRESS6:80:80"

- "$BIND_ADDRESS6:443:443"

  - "$BIND_ADDRESS6:110:110"
  - "$BIND_ADDRESS6:143:143"
  - "$BIND_ADDRESS6:993:993"
  - "$BIND_ADDRESS6:995:995"
  - "$BIND_ADDRESS6:25:25"
  - "$BIND_ADDRESS6:465:465"
  - "$BIND_ADDRESS6:587:587"
volumes:
  - "$ROOT/certs:/certs"
  - "$ROOT/overrides/nginx:/overrides"
labels:
  - "traefik.enable=true"
  - "traefik.port=80"
  - "traefik.frontend.rule=Host:test.mailu.io"
  - "traefik.docker.network=web"
networks:
  - web
  - default

````
As it comes to the Demo server, Traefik is almost zero-conf. There are some redirect settings for the docs tho. People can review the https://github.com/Mailu/infra if they need more info.

Edit: note that the docker-compose.yml file is based on the Mailu legacy version and manually modified to restrain resources of the Demo server. It is not meant for direct copying/usage.

muhlemmer on 15 Oct 2019

... and bind these ports directly (e.g. via hostPort).

Not really.

Indeed yes ;-)to expose the ports but the rest is

What you describe here is exactly what I wrote. You can use traefik for http/s with no special setup but you have no benefits for other protocols, so you can make them available directly.

In you example, you're just using an external net instead of hostport binding.

micw on 15 Oct 2019

Hi all,

I'm also using traefik (pre2.0) as proxy and using TLS_FLAVOR=mail along with the certdump docker image in my docker-compose.

My issue is nginx does indeed pickup the certificate but not the smtp service: checking with openssl returns different certificates when connecting to webmail.$DOMAINNAME and connecting to $HOSTNAMES (only one hostname here).
The certificate shown connecting to webmail.$DOMAINNAME is the correct one from /certs
The certificate shown connecting to $HOSTNAMES is an old and expired one from when I was using a different TLS_FLAVOR(=letsencrypt-mail)...

How is the smtp service supposed to pickup the certificate pairs from the /certs folder ?

Thanks