Is the Traefik app the *recommended* option for app ingress, or the *only* option?

Darren David (Explorer; joined Feb 27, 2014; 54 messages)
I'm new to TrueNAS Scale after many years running TrueNAS Core happily behind pfSense and NGINX (via NGINX Proxy Manager), where all of my jails had unique IPs. Now on TrueNAS Scale, I'm looking to set up a split horizon DNS with pfSense, where:
  • internal-only TrueNAS Scale VMs and container-based apps are available at https://<appname>.internal.lan instead of http://<truenas_ip>:<port>
  • externally-available apps are available at <appname.mydomain.tld>.
Reverse proxying via NGINX (LetsEncrypt for public stuff, self-signed certs internally) works fine for VMs that have their own IP and for the TrueNAS server itself (truenas.internal.lan). However, containers running on Scale all end up using the self-signed cert for the server (truenas.internal.lan) instead of the unique cert for the service (<servicename>.internal.lan) which is assigned in NGINX, so I get a cert error when accessing https://<servicename>.internal.lan.

Official TrueNAS guides and countless posts all refer to Traefik as the recommended way to handle ingress for apps, and I'll run it if I must, but I'm hoping to not complicate my setup if I don't need to. Will Traefik solve my issues here? Specifically, will running Traefik on TrueNAS Scale (behind NGINX) to handle ingress only for Scale apps solve my cert issues? Is that the secret magic (maegik?) Traefik provides: properly handling Kubernetes routing? FWIW, I've tried HAproxy on my pfSense machine and hit the same issues I'm hitting with NGINX.

I should mention that I don't want to use Traefik to replace NGINX Proxy Manager unless I can host it outside of the TrueNAS Scale machine, because for <reasons> the TrueNAS Scale machine will not always be running 24/7, and I have other hosts on the LAN that require reverse proxy.
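The per-hostname reverse-proxy layout the post describes, as an added example (not part of the original post, and not TrueNAS or NGINX Proxy Manager's own configuration). The IP addresses, hostnames, certificate paths and app ports are assumed placeholders: 192.0.2.10 is the NGINX host that split-horizon DNS must point *.internal.lan at, 192.0.2.20 is the TrueNAS Scale host, and 30001/30002 stand in for whatever NodePorts the apps expose.

```nginx
# Added example, not from the original post. Assumed values:
#   192.0.2.10  = this NGINX proxy (what *.internal.lan must resolve to internally)
#   192.0.2.20  = TrueNAS Scale host
#   30001/30002 = illustrative app ports on Scale
# Each server block terminates TLS with its own certificate and proxies to the
# app's plain-HTTP port on Scale, so the browser only ever sees the proxy's cert.

# Internal-only app: self-signed (or internal-CA) cert unique to this name.
server {
    listen 443 ssl;
    server_name photos.internal.lan;

    ssl_certificate     /etc/ssl/internal/photos.internal.lan.crt;
    ssl_certificate_key /etc/ssl/internal/photos.internal.lan.key;

    location / {
        proxy_pass http://192.0.2.20:30001;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket support, which many self-hosted apps need behind a proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Externally reachable app: Let's Encrypt cert, same proxy pattern.
server {
    listen 443 ssl;
    server_name app.mydomain.tld;

    ssl_certificate     /etc/letsencrypt/live/app.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.mydomain.tld/privkey.pem;

    location / {
        proxy_pass http://192.0.2.20:30002;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Default server: a TLS client whose SNI name matches no server_name above
# would otherwise be answered with the FIRST server block's certificate,
# which is a common source of "wrong cert for this hostname" errors.
# ssl_reject_handshake (nginx 1.19.4+) closes the handshake instead.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Two checks worth running from a LAN client before blaming the proxy. First, confirm that the name actually resolves to the proxy and not straight to TrueNAS (for example `dig +short photos.internal.lan` should return 192.0.2.10 here); if split-horizon DNS hands back the TrueNAS IP, the browser connects to the TrueNAS web UI on 443, which presents the truenas.internal.lan certificate no matter what NGINX is configured to serve. Second, check which certificate is returned for each SNI name: `openssl s_client -connect 192.0.2.10:443 -servername photos.internal.lan </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` should show the per-service name; if it shows the server's certificate, the server_name in that block does not match the name the client is sending, and the default-server fallthrough above is what you are seeing.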