I don’t know if this helps anyone, but I got Traefik to work on an RB1100 (which is actually ARM32) using this image: https://hub.docker.com/_/traefik
Was able to get it setup to act a CORS proxy for RouterOS (& similar to anNGNIX I’ve have, just Traefik seems “more modern”, and flexible)
While Traefik comes up easily… the UI is only for status, not configuration… so to make it do anything… it needs some “static configuration” (in their Traefik’s terms) loaded.
That can be provided in traefix.yaml file in /container/mount, or the “cmd”, or via env vars. But do anything useful it be dozen of env vars or “un-viewable-ly long line” as the cmd= in the /container config. The env var approach be useful if you want to control it’s configuration inside RouterOS, without PC or needing a mount at all (see https://doc.traefik.io/traefik/reference/static-configuration/env/). You could also create a new image with traefik as base, just with traefik.yaml included in new image. I explain the “mount approach” below.
To create the container for the config (adjust as needed):
:global rootdisk "raid1-part1"
/interface/veth/add name=veth-traefik address=172.18.18.18/24 gateway=172.18.18.1
/ip/address/add interface=veth-traefik address=172.18.18.1/24
/container add interface=veth-traefik logging=yes mounts=TRAEFIK_ETC root-dir="$rootdisk/traefik-etc"
/container add root-dir="$rootdisk/traefik-root" remote-image=library/traefik:v2.10 logging=yes interface=veth-traefik mounts=TRAEFIK_ETC
/container start
Now to use it, it needs a configuration. Your config vary depending on needs, but my example wants to forward everything it gets to the Mikrotik’s web servers, adding ACME Let’s Encrypt & CORS headers to read & redirecting to HTTP to HTTPS.
This part is more up to reader, since firewall rules vary a lot. But the follow config forwards all incoming 80/443 requests to Traefik’s web server which then proxies to Mikrotik’s webfig, REST, etc.
/ip firewall nat add comment="LAN port 80 to traefik web proxy" action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=LAN to-addresses=172.18.18.18 to-ports=8080
/ip firewall nat add comment="all (except traefik) port 80 to traefik web proxy" action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=172.18.18.18 from-address=!172.18.18.0/24 to-ports=443
/ip firewall nat add comment="all (except traefik) port 443 to traefik web proxy" action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=172.18.18.18 from-address=!172.18.18.0/24 to-ports=80
Since NAT rules are picked up first it’s easy to direct the web traffic to Traefik. You may need add or remove /ip/firewall/filter things too as needed/desired — above just an example…
Finally, you need to load a configuration after editing from your desktop/laptop. You might be able to use my traefik.yaml below as a base. The critical part is it needs to be named “traefik.yaml” (and be valid config) and copied to the TRAEFIK_ETC mount directory. You can enable ROSE/SMB to mount or use FTP/SCP/etc to copy it, but it some valid config named “traefik.yaml” need to end up the mount that goes to /etc/traefik.
Here was my working config that proxy to RouterOS 80/443 using the container’s gateway address (with /ip/services/http listening on 80/443 too):
log:
level: debug
providers:
file:
directory: /etc/traefik
watch: true
api:
insecure: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
lets-encrypt:
acme:
email: REPLACE_WITH_VALID_EMAIL=me@example.com
storage: acme.json
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
serversTransport:
insecureSkipVerify: true
http:
routers:
bigdude-redirect-http:
rule: "Host(`REPLACE_ME_WITH_IP_CLOUD_NAME_OR_YOUR_OWN=snXXXXXXX.mynetname.net`)"
service: routeros-web
entryPoints:
- web
middlewares:
- redirect-https
bigdude-https:
rule: "Host(`REPLACE_ME_WITH_SAME_AS_ABOVE`)"
service: routeros-web
entryPoints:
- websecure
middlewares:
- cors-routeros
tls:
certResolver: "lets-encrypt"
services:
routeros-web:
loadBalancer:
passHostHeader: false
servers:
- url: "http://172.18.18.1"
middlewares:
redirect-https:
redirectScheme:
scheme: https
permanent: true
cors-routeros:
headers:
accessControlAllowCredentials: true
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
- POST
- PATCH
- DELETE
accessControlAllowHeaders: "*"
accessControlAllowOriginList:
- https://localhost:3000
- https://REPLACE_ME_WITH_SAME_AS_ABOVE=snXXXXXX.mynetname.net
accessControlMaxAge: 100
addVaryHeader: true
Please note the REPLACE things. The Traefik docs have more examples — above uses the “File (YAML)” configuration — as it’s refer to in their docs here: https://doc.traefik.io/traefik/getting-started/concepts/
Also, the LE certs only get checked/created at startup, so need to stop/start it after loading a config. All other change to the mounted traefik.yaml will happen live base on “file provider”'s watch being true.
Anyway, I liked Traefik configuration more than NGINX. I cannot vouch for its performance/stability/etc — mainly an experiment right now. HAProxy still seem like a better choice for anything real, but this seem better suited to a Mikrotik-sized container.