Traefik v2.0 新人指南

老年组折腾 Treafik 真的是脑花都烧完了。
好久没写学习笔记了,都以为自己可能没脑子写了呢。[Sigh]

本文为学习记录,仅供参考。

Key:基于 Docker Compose,用 Traefik 实现本地自定义域名端口转发。

上图:


Traefik

先贴文件结构

.
├── config
│   ├── default.toml
│   ├── your.domain.toml
│   └── tsl.toml
├── ssl
│   ├── your.domain.conf
│   ├── your.domain.crt
│   └── your.domain.key
├── traefik.toml
└── traefik.yml

Docker Compose 配置文件:

version: '3.7'

services:

  traefik:
    container_name: traefik
    image: traefik:v2.1.3
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - traefik
    command: traefik --configFile /etc/traefik.toml
    labels:
      - "traefik.enable=false"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./ssl/:/data/ssl/:ro
      - ./traefik.toml:/etc/traefik.toml:ro
      - ./config/:/etc/traefik/config/:ro
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:4398/ping || exit 1"]

# 先创建外部网卡
# docker network create traefik
networks:
  traefik:
    external: true

Traefik核心配置文件:

traefik.toml

# traefik.toml

[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[log]
  level = "WARN"
  format = "common"

[api]
  dashboard = true
  insecure = true

[ping]

[accessLog]

[providers]
  [providers.docker]
    watch = true
    exposedByDefault = false
    endpoint = "unix:///var/run/docker.sock"
    swarmMode = false
    useBindPortIP = false
    network = "traefik"
  [providers.file]
    watch = true
    directory = "/etc/traefik/config"
    debugLogGeneratedTemplate = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

config 文件

default.toml (名字随便取)

  • 公共中间件实现 http 自动跳转 https
# default.toml

[http.middlewares.https-redirect.redirectScheme]
  scheme = "https"
[http.middlewares.content-compress.compress]

# tricks
# https://github.com/containous/traefik/issues/4863#issuecomment-491093096
[http.services]
  [http.services.noop.LoadBalancer]
     [[http.services.noop.LoadBalancer.servers]]
        url = "" # or url = "localhost"

[http.routers]
  [http.routers.https-redirect]
    entryPoints = ["http"]
    rule = "HostRegexp(`{any:.*}`)"
    middlewares = ["https-redirect"]
    service = "noop"

tls.toml (名字随便取)

  • SSL证书管理
# tls.toml 

[tls]
  [tls.options]
    [tls.options.default]
      minVersion = "VersionTLS12"
      maxVersion = "VersionTLS12"
    [tls.options.test-tls13]
      minVersion = "VersionTLS13"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      ]

  [[tls.certificates]]
    certFile = "/data/ssl/kx.me.crt"
    keyFile = "/data/ssl/kx.me.key"

your.domain.toml (名字随便取)

  • 自定义规则配置

!!!注意:要转发端口的地址尽量用IP地址(如果是本地,尽量用局域网地址)

# your.domain.toml

[http.middlewares.dash-compress.compress]
[http.middlewares.dash-auth.basicAuth]
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]

[http.routers.dashboard-redirect-https]
  rule = "Host(`your.domain`,`md.your.domain`)"
  entryPoints = ["http"]
  service = "noop"
  middlewares = ["https-redirect"]
  priority = 100

[http.routers.dashboard]
  rule = "Host(`your.domain`)"
  entrypoints = ["https"]
  service = "dashboard@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.dashboard.tls]

[http.routers.api]
  rule = "Host(`your.domain`) && PathPrefix(`/api`)"
  entrypoints = ["https"]
  service = "api@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.api.tls]

[http.routers.ping]
  rule = "Host(`your.domain`) && PathPrefix(`/ping`)"
  entrypoints = ["https"]
  service = "ping@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.ping.tls]

[http.routers.md]
  rule = "Host(`md.your.domain`)"
  entrypoints = ["https"]
  service = "md"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.md.tls]

[http.services.md]
  [[http.services.md.LoadBalancer.servers]]
    url = "http://ip.ip.ip.ip:port" # 要转发端口的地址尽量用IP地址(如果是本地,尽量用局域网地址)

参考:

推荐阅读更多精彩内容