My use case, I’ve been testing boringproxy to expose k3d services by pointing at traefik’s ingress IP. Currently, I have it working by running the client in a pod alongside traefik in a k3d cluster. I’m trying to get the solution fully automated and have successfully used ansible to talk with boringproxy’s API to set up tunnels. I have 2 main questions that maybe someone can help me with.
In regards to TLS certs I know there are 3 options for termination, currently it only works if I choose passthrough and I get my self-signed traefik cert as I haven’t set up letsencrypt with traefik. I could go the route of setting up traefik’s cert or is there a better option to somehow use the cert boringproxy sets up?
Currently I have to setup separate tunnels for each url/service even though I’m still pointing at the one IP traefik has. Is there a way to utilize a wildcard domain through boringproxy? (I tested this and it lets me create the tunnel but it doesn’t work)
Example Tunnel:
*.cluster1.mydomain.com → 172.20.0.3 (traefik)
Example Services: argocd.cluster1.mydomain.com webapp.cluster1.mydomain.com
Can you provide any additional clues as to why Server and Client TLS termination aren’t working? Maybe some Traefic logs. Some users have reported similar issues with nginx and I suspect there may be some important header or something missing.
Unfortunately wildcards aren’t currently implemented. It’s a bit tricky because the only way to request wildcard certs with Let’s Encrypt currently is using the ACME dns-01 challenge. The only other way I know to handle this would be to request new certs for specific subdomains when the first request is made. Problem is that opens you up to DoS attacks, because someone can just request infinite random subdomains and fill up the boringproxy server storage or more likely trigger Let’s Encrypt limits. Maybe I could implement it with a fix limit on the number of subdomains that can be dynamically created per wildcard? How many would you need for your use case?
I will try to grab some logs to figure out why Client and Server TLS termination isn’t working with traefik.
So from my understanding traefik does use the ACME dns-01 challenge to handle it’s wild card certs. My main issue with going this route of setting Boringproxy to passthrough and letting traefik setup the certs is it requires an edit key setup with cloudflare. Maybe there’s a different provider out there that can do it with a read-only token but I haven’t had time to research.
Would you be able to set up wildcard domains on Boringproxy with the requirement that TLS is set to passthrough? Then you wouldn’t need to do the ACME dns-01 challenge?
Wildcard support is a feature that’s been requested before. It may be possible to implement without too much difficulty, but I’ll need to attempt it to be sure.