Project mikrotik proxy manager

Hi, I like to experiment with containers in mikrotik

I needed a simple way to manage the reverse proxy server, already tried to check:

  • nginx
  • nginx proxy manager
  • caddy
  • traefik

I liked traefik the most, a more convenient dynamic configuration, and decided to try to expand its capabilities so as not to write configs and add hosts via winbox

To do this, I used resources from: IP → Web proxy → Access

It is there that all the necessary fields are in the table, and it is not particularly used in everyday life.

Adding hosts in the winbox interface automatically creates a dynamic configuration for traefik

Github project: https://github.com/akmalovaa/mikrotik-proxy-manager

At the current time, it works very simply, parsing only:

  • HOST
  • DST-IP
  • DST-PORT

It seemed to me an interesting solution, I wanted to share it.
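The flow described in this post (web proxy access rows in, Traefik dynamic configuration out), as an added example that is not the project's own code. The row keys `host`, `dst-ip`, `dst-port`, the function names, the `websecure` entry point and the `http://` backend scheme are assumptions; each field is validated before it is placed in the `Host(...)` rule or the backend URL, because the values are typed in by hand.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize_host(value):
    """Return a lower-cased hostname or raise ValueError."""
    host = str(value).strip().lower().rstrip(".")
    labels = host.split(".")
    if not 0 < len(host) <= 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"invalid host {host!r}")
    return host

def build_dynamic_config(rows, entrypoint="websecure"):
    """Build a Traefik file-provider config dict; return (config, rejected)."""
    routers, services, rejected = {}, {}, []
    for row in rows:
        try:
            host = normalize_host(row.get("host", ""))
            ip = ipaddress.ip_address(str(row.get("dst-ip", "")).strip())
            port = int(str(row.get("dst-port", "")))
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid port {port}")
            name = host.replace(".", "-")
            if name in routers:
                raise ValueError(f"duplicate router name {name!r}")
        except ValueError as exc:
            rejected.append((row, str(exc)))
            continue
        target = f"[{ip}]" if ip.version == 6 else str(ip)
        routers[name] = {"rule": f"Host(`{host}`)", "service": name,
                         "entryPoints": [entrypoint]}
        services[name] = {"loadBalancer": {
            "servers": [{"url": f"http://{target}:{port}"}]}}
    return {"http": {"routers": routers, "services": services}}, rejected

# Constructed sample rows (assumed key names); the last two must be rejected.
SAMPLE = [
    {"host": "grafana.example.com", "dst-ip": "192.168.88.10", "dst-port": "3000"},
    {"host": "wiki.example.com`)", "dst-ip": "192.168.88.11", "dst-port": "80"},
    {"host": "nas.example.com", "dst-ip": "192.168.88.12", "dst-port": "70000"},
]

if __name__ == "__main__":
    import json
    config, rejected = build_dynamic_config(SAMPLE)
    print(json.dumps(config, indent=2))
    for row, reason in rejected:
        print("rejected:", row, reason)
```

The returned dict follows the `http.routers` / `http.services` layout of Traefik's file provider and still has to be serialised to YAML or TOML in the watched directory.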

I tried them all but NginxProxyManager.

I too like Traefik. The “dynamic” vs “static” config is a bit tricky & most of Traefik’s automatic discovery isn’t helpful for /container (since it does not support OCI labels). But its admin dashboard really can visualize things well. And, once understood, Traefik’s config scheme works well with RouterOS. It’s actually the only RouterOS container I’ve played with that’s in semi-production use (to enable CORS to REST API).

So for the “static configuration”, I use /container/env to provide traefik its “startup” stuff. See https://doc.traefik.io/traefik/reference/static-configuration/env/

Since /container/env works with scripting, scripting can just set/get the /container/env to change things (vs manually editing files) - which importantly is the DNS name and listen port used, so being able to customize those to match /ip/firewall stuff from within Winbox is handy since Traefik’s ports need to match RouterOS firewall mappings.

For example,

/container envs
add key=TRAEFIK_LOG_LEVEL name=traefik-proxy value=DEBUG
add key=TRAEFIK_PROVIDERS_FILE_DIRECTORY name=traefik-proxy value=/etc/traefik
add key=TRAEFIK_PROVIDERS_FILE_WATCH name=traefik-proxy value=true
add key=TRAEFIK_API_INSECURE name=traefik-proxy value=true
add key=TRAEFIK_ENTRYPOINTS_WEB_ADDRESS name=traefik-proxy value=:80
add key=TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS name=traefik-proxy value=:443
add key=TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL name=traefik-proxy value=null@example.com
add key=TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE name=traefik-proxy value=acme.json
add key=TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT name=traefik-proxy value=web
add key=PROXY_TO_URL name=traefik-proxy value=http://localhost:80/
add key=TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME name=traefik-proxy value=true
add key=TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO name=traefik-proxy value=websecure
add key=TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY name=traefik-proxy value=true
add key=TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS name=traefik-proxy value=true
add key=TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER name=traefik-proxy value=letsencrypt
add key=TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_DOMAINS_1_MAIN name=traefik-proxy value="$[/ip/cloud/get dns-name]"
add key=TRAEFIK_LOG_NOCOLOR name=traefik-proxy value=false

And how I enable CORS in Traefik might provide further examples: Container "Traefik" (on RB5009) - #10 by own3r1138
(in that example, it uses one file with both “static” and “dynamic” traefik configuration - but I’ve since split it to use /container/env above for the “static” part)

@Amm0 thank you for providing configuration.

Now I am running traefik and cloudflared on my arm Mikrotik router.
With cloudflare tunnel I don't even need to open any port on my router.

Acknowledgment: https://gero.dev/blog/cloudflared-traefik-docker

That’s a great approach - traefik is really solid but its config, while flexible, is exacting. And Cloudflare both “hides” your [public] IP and does way more DoS/security things than possible on RouterOS. I would have probably written an article on using Traefik on RouterOS – but the firewall config is hard to generalize - so Cloudflare makes sense in a lot of cases.

The traefik admin dashboard (8080 by default) is kinda handy too, not a lot of data, but does show the flows pretty well - which is way more than you get with vanilla nginx.