Traefik2 Basic Configuration
The basic configuration files needed to run Traefik 2 with docker-compose; only the email address and host name need to be changed.
The original article is already very well organized: the Traefik configuration and the application configuration are kept separate, so it is simple to pick up. See the original article for details.
1. Create Files
# create the directory layout and the (empty) configuration files
mkdir -p traefik2 && cd traefik2
mkdir -p data/configurations
touch docker-compose.yml
touch data/traefik.yml
touch data/acme.json
touch data/configurations/dynamic.yml
chmod 600 data/acme.json
mkdir: create a directory
touch: create an empty file
chmod: change file permissions (acme.json stores the ACME account key and certificate private keys, hence mode 600)
2. Docker-compose
# edit the file: nano docker-compose.yml
File path: ~/docker-compose.yml
version: '3.7'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
Notes on the Traefik2 docker-compose configuration:

"traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
Note that traefik.yourdomain is wrapped in backticks (the ` character on the key to the upper-left of Tab, shared with ~), not in single quotes.
Change traefik.yourdomain to your own domain, e.g. 'traefik.xxx.com'; the domain's A record must be set up in advance.

"traefik.http.routers.traefik-secure.middlewares=user-auth@file"
The middleware user-auth@file referenced here is defined in dynamic.yml; it uses basicAuth.
Variant without container labels (the dashboard router is declared in dynamic.yml instead; see section 4):

version: '3.7'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
volumes:
  data:
networks:
  proxy:
    external: true
3. Static Configuration
File path: ~/data/traefik.yml
api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: web
email: admin@yourdomain
Change the email to a working address; it appears in two places, under buypass and under letsencrypt, and both need changing.
certResolver: letsencrypt
Selects which certificate provider is used; either buypass or letsencrypt works.
4. Dynamic Configuration
File path: ~/data/configurations/dynamic.yml
# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    # UserName : admin
    # Password : qwer1234
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Full version with routers and services (the dashboard router here replaces the compose labels of the first docker-compose.yml):

# Dynamic configuration
http:
  routers:
    # Router 1: traefik dashboard
    dashboard:
      entryPoints:
        - "websecure"
      middlewares:
        - "user-auth"
      service: api@internal
      rule: "Host(`dash.yourdomain.com`)"
    # Router 2: typecho-1
    typecho:
      entryPoints:
        - "websecure"
      middlewares:
        - "nonwww-www"
      rule: "Host(`www.yourdomain.com`) || Host(`yourdomain.com`)"
      service: typecho-service
    # Router 3: ... ...
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    # UserName : admin
    # Password : qwer1234
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
    # nonwww-www
    nonwww-www:
      redirectregex:
        regex: "^https://yourdomain.com/(.*)"
        replacement: "https://www.yourdomain.com/${1}"
    # websocket
    openSocket:
      headers:
        customRequestHeaders:
          X-Custom-Request-Header: " https" # Removes
  services:
    # service 1: typecho-1-service
    typecho-service:
      loadBalancer:
        servers:
          - url: "http://172.18.0.3"
    # service 2: ... ...
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
To add a new site, just add the corresponding router and service to this dynamic.yml.
How to find the container URL of the backing service was covered in an earlier post; the key point is to find the correct URL and fill it in.

What needs to be changed here is the login credential for the Web UI:
users:
  - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
This is the form used in the file, where a single $ is enough. When the same entry is used in docker-compose.yml it must be written with $$, i.e. the form in labels is:
"traefik.http.middlewares.test-auth.basicauth.users=admin:$$apr1$$tm53ra6x$$FntXd6jcvxYM/YH0P2hcc1"
The format is username:password, where the password is the MD5 (apr1) hash generated by htpasswd for Basic Auth:
Method 1:
# install Apache htpasswd
sudo apt-get install apache2-utils
# generate the username:password entry
htpasswd -nb admin qwer1234
admin:$apr1$tyg7xqjc$OjnLArW4el/npX3pKWu6B0

Method 2:
# generate it with a Docker image
docker run --rm -it --entrypoint /usr/local/apache2/bin/htpasswd httpd:alpine -nb test test

Method 3:
Use an online generator:
https://www.askapache.com/online-tools/htpasswd-generator/
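As an added example (not from the original article), the following Python reimplements the apr1 (MD5-based) scheme that htpasswd -nb produces, so an entry for dynamic.yml can be generated and verified locally instead of pasting the password into a third-party web generator, and applies the $ to $$ escaping needed for docker-compose labels. The function names are my own; the algorithm follows Apache's apr_md5_encode.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # htpasswd alphabet

def _to64(value: int, count: int) -> str:  # apr's to64: `count` 6-bit groups, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<digest>" exactly as `htpasswd -m` / `htpasswd -nb` does."""
    pw, sp = password.encode(), salt[:8].encode()  # htpasswd uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):              # mix in len(pw) bytes of the inner digest
        ctx.update(final[:min(16, pl)])
    i = len(pw)
    while i:                                       # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                          # 1000 stretching rounds, apr's exact schedule
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    digest = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$apr1${sp.decode()}${digest}{_to64(final[11], 2)}"

def htpasswd_entry(user: str, password: str) -> str:
    """Build the `user:$apr1$...` line for dynamic.yml with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def verify(password: str, entry: str) -> bool:
    """Check a password against a `user:$apr1$salt$digest` entry (constant-time comparison)."""
    hashed = entry.split(":", 1)[1]
    return hmac.compare_digest(apr1_hash(password, hashed.split("$")[2]), hashed)

def compose_label(entry: str) -> str:
    """Escape an entry for a docker-compose label: every `$` must be written as `$$`."""
    return entry.replace("$", "$$")
```

htpasswd_entry("admin", "qwer1234") gives the line for the users list in dynamic.yml; pass it through compose_label() before putting it in a docker-compose label.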
5. Run Traefik
The configuration declares an external proxy network, so create it before running docker-compose:
docker network create --driver bridge --subnet=172.18.0.0/24 proxy
Then run
docker-compose up -d
to start Traefik.