出于安全原因,我想从 npm 迁移到 traefik。我找到了一个很好的在线博客来进行 traefik 的初始设置。它有效,但不是真的。看在上帝的份上,我不明白为什么。
这是我的
docker-compose.yml
:
services:
traefik:
image: traefik:v2.10
container_name: traefik
restart: always
networks:
- proxy
ports:
- 80:80
- 8080:8080
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/configs:/configs:ro
- ./data/acme.json:/acme.json:rw
- ./data/logs:/logs:rw
environment:
- CF_DNS_API_TOKEN=${CFAPI}
read_only: true
security_opt:
- no-new-privileges=true
labels:
- traefik.enable=true
- traefik.http.routers.traefik-https.entrypoints=websecure
- traefik.http.routers.traefik-https.rule=Host(`traefik.example.com`)
- traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIKADMIN}
- traefik.http.routers.traefik-https.middlewares=traefik-auth
- traefik.http.routers.traefik-https.service=api@internal
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
- traefik.http.routers.traefik-https.tls.domains[0].main=example.com
- traefik.http.routers.traefik-https.tls.domains[0].sans=*.example.com
whoami:
image: containous/whoami:latest
container_name: whoami
hostname: whoami
restart: unless-stopped
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.whoami-https.entrypoints=websecure
- traefik.http.routers.whoami-https.rule=Host(`whoami.example.com`)
#- traefik.http.routers.whoami-https.service=whoami
- traefik.http.services.whoami-https.loadbalancer.server.port=80
- traefik.http.routers.whoami-https.tls=true
- traefik.http.routers.whoami-https.tls.certresolver=letsencrypt
networks:
proxy:
external: {}
静态配置文件 (
traefik.yml
) 如下所示:
api:
dashboard: true
insecure: true
debug: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls: {}
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
network: proxy
file:
directory: "/configs"
watch: true
certificatesResolvers:
http:
acme:
email: [email protected]
storage: acme.json
httpChallenge:
entryPoint: web
letsencrypt:
acme:
email: [email protected]
storage: acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
#serversTransport:
# insecureSkipVerify: false
accessLog:
filePath: "/logs/access.log"
fields:
headers:
names:
User-Agent: keep
log:
filePath: "/logs/traefik.log"
level: INFO
现在,当我启动堆栈并运行时,我永远无法访问以下内容:
但是我只能通过 http://serverip:8080 不安全地访问 traefik 仪表板,因为我已经设置了
insecure=true
。有没有办法安全地到达仪表板?!我究竟做错了什么?我在日志文件或仪表板中没有看到任何错误。
现在谈谈服务本身,当我删除该行
- traefik.http.routers.whoami-https.entrypoints=websecure
时,我可以访问这两个服务:
我只想通过 websecure 访问 traefik 仪表板和我的服务。但这似乎不起作用。我对 traefik 正在做什么以及我做错了什么感到非常困惑?
非常感谢任何帮助!谢谢!
我不知道这是否是“最佳”解决方案,但是经过一些建议,我创建了一个中间件来将我的 http 重定向到 https。这解决了我的问题。如果有人有兴趣的话。