Wrestling with Traefik as one of the old-timers has really fried what was left of my brain.
It has been ages since I wrote a learning note; I was starting to think I no longer had the brains to write one. [Sigh]
This post is a learning record, for reference only.
Key point: with Docker Compose, use Traefik to forward local custom domain names to ports.
Architecture diagram (image not reproduced): Traefik
First, the file layout:
.
├── config
│   ├── default.toml
│   ├── your.domain.toml
│   └── tls.toml
├── ssl
│   ├── your.domain.conf
│   ├── your.domain.crt
│   └── your.domain.key
├── traefik.toml
└── traefik.yml
Docker Compose configuration file (traefik.yml in the tree above):
version: '3.7'
services:
  traefik:
    container_name: traefik
    image: traefik:v2.1.3
    restart: always
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik
    command: traefik --configFile /etc/traefik.toml
    labels:
      - "traefik.enable=false"
    volumes:
      # :ro only protects the socket file itself; any process that can talk to the
      # Docker API controls the host, so treat this container as root-equivalent and
      # keep the image pinned to a version you have looked at.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./ssl/:/data/ssl/:ro
      - ./traefik.toml:/etc/traefik.toml:ro
      - ./config/:/etc/traefik/config/:ro
    healthcheck:
      # /ping is served on Traefik's internal "traefik" entryPoint, which listens on
      # :8080 unless you define [entryPoints.traefik] yourself; the port here must match.
      test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
# Create the external network first:
# docker network create traefik
networks:
  traefik:
    external: true
Traefik core configuration file:
traefik.toml
# traefik.toml
[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[log]
  level = "WARN"
  format = "common"

[api]
  dashboard = true
  # insecure = true also serves the dashboard and API with no authentication on the
  # internal "traefik" entryPoint (:8080). The Compose file does not publish that port,
  # so only containers on the traefik network can reach it. Because your.domain.toml
  # exposes dashboard@internal and api@internal through https behind basicAuth, this
  # can be false: the internal services stay routable, and [ping] alone still creates
  # the :8080 entryPoint the healthcheck uses.
  insecure = true

[ping]

[accessLog]

[providers]
  [providers.docker]
    watch = true
    exposedByDefault = false
    endpoint = "unix:///var/run/docker.sock"
    swarmMode = false
    useBindPortIP = false
    network = "traefik"
  [providers.file]
    watch = true
    directory = "/etc/traefik/config"
    debugLogGeneratedTemplate = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
config files
default.toml (any name works; the file provider loads every file in the directory)
- shared middleware that redirects http to https automatically
# default.toml
[http.middlewares.https-redirect.redirectScheme]
  scheme = "https"
  # permanent = true  # answer 301 instead of 302 once the redirect is known to be right
[http.middlewares.content-compress.compress]  # not referenced by any router in this setup

# trick: every router must name a service, so an empty placeholder backs the
# redirect router; the middleware answers before anything would be proxied
# https://github.com/containous/traefik/issues/4863#issuecomment-491093096
[http.services]
  [http.services.noop.LoadBalancer]
    [[http.services.noop.LoadBalancer.servers]]
      url = "" # or url = "localhost"

[http.routers]
  [http.routers.https-redirect]
    entryPoints = ["http"]
    rule = "HostRegexp(`{any:.*}`)"  # matches every host arriving on :80
    middlewares = ["https-redirect"]
    service = "noop"
tls.toml (any name works)
- TLS certificate management
# tls.toml
[tls]
  [tls.options]
    # applied to every router that enables tls without naming an option
    [tls.options.default]
      minVersion = "VersionTLS12"
      # maxVersion pins the handshake to TLS 1.2 and turns away TLS 1.3-only clients;
      # drop this line unless you have a concrete reason to exclude TLS 1.3
      maxVersion = "VersionTLS12"
    # only used by routers that set options = "test-tls13" under
    # [http.routers.<name>.tls]; none of the routers in this setup do
    [tls.options.test-tls13]
      minVersion = "VersionTLS13"
      # cipherSuites only govern TLS 1.2: Go's crypto/tls, which Traefik is built on,
      # does not allow TLS 1.3 suites to be configured, so with minVersion = TLS 1.3
      # this list has no effect
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      ]
  # paths are inside the container: the Compose file mounts ./ssl/ at /data/ssl/
  [[tls.certificates]]
    certFile = "/data/ssl/your.domain.crt"
    keyFile = "/data/ssl/your.domain.key"
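To see what the two [tls.options] blocks above actually do, here is an added Go example (not code from this post or from Traefik) that builds a self-signed certificate with the SAN list the ssl/ files need and then replays each option in a loopback handshake with Go's crypto/tls, the library Traefik uses for TLS. The hostnames your.domain and md.your.domain are the page's placeholders; the names SelfSignedCert, ClientFor, Handshake, Findings and Probe, the 127.0.0.1 listener and the two suites chosen for the cipherSuites list are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert issues a self-signed certificate whose SAN lists every host (the shape ssl/your.domain.crt needs);
// write der as a CERTIFICATE PEM block and x509.MarshalECPrivateKey(key) as EC PRIVATE KEY to get the ssl/ files.
func SelfSignedCert(hosts []string, validFor time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     hosts, // clients match the name against SANs, never the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ClientFor mimics a browser that has imported cert as a trusted root and connects to serverName.
func ClientFor(cert tls.Certificate, serverName string, minVersion uint16) *tls.Config {
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: minVersion}
}

// Handshake runs one loopback handshake and returns the negotiated version and cipher suite.
func Handshake(server, client *tls.Config) (version, suite uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, 0, err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // any failure surfaces on the client side below
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		st := conn.ConnectionState()
		version, suite = st.Version, st.CipherSuite
		conn.Close()
	}
	ln.Close() // also unblocks Accept if the client never connected
	<-done
	return version, suite, err
}

type Findings struct {
	TLS12OnlyRejectsTLS13Client, TLS13SuiteFromConfigList, SANMismatchRejected bool
	TLS13Version, TLS13Suite                                                   uint16
}

// Probe replays the page's two tls.options against clients with different requirements.
func Probe() (f Findings, err error) {
	cert, err := SelfSignedCert([]string{"your.domain", "md.your.domain"}, 365*24*time.Hour)
	if err != nil {
		return f, err
	}
	// [tls.options.default]: minVersion = maxVersion = TLS 1.2, so a TLS 1.3-only client is turned away.
	pinned12 := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	_, _, err = Handshake(pinned12, ClientFor(cert, "your.domain", tls.VersionTLS13))
	f.TLS12OnlyRejectsTLS13Client = err != nil
	// [tls.options.test-tls13]: minVersion = TLS 1.3 plus TLS 1.2 suite names; Go ignores CipherSuites for 1.3.
	listed := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	only13 := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, CipherSuites: listed}
	if f.TLS13Version, f.TLS13Suite, err = Handshake(only13, ClientFor(cert, "md.your.domain", tls.VersionTLS12)); err != nil {
		return f, err
	}
	f.TLS13SuiteFromConfigList = f.TLS13Suite == listed[0] || f.TLS13Suite == listed[1]
	// A name absent from the SAN list must fail even though the root itself is trusted.
	_, _, err = Handshake(only13, ClientFor(cert, "other.your.domain", tls.VersionTLS12))
	f.SANMismatchRejected = err != nil
	return f, nil
}

func main() {
	fmt.Println(Probe()) // the struct fields show each option's real effect; the error is nil on success
}
```

Running it shows that the pinned-1.2 option rejects a TLS 1.3-only client, that test-tls13 negotiates one of the TLS_AES_* / TLS_CHACHA20 suites whatever the cipherSuites list says, and that other.your.domain fails verification because it is not in the SAN list. For the real ssl/your.domain.crt and .key, openssl req -x509 with a subjectAltName entry in your.domain.conf is the usual route; this code is the check, not a replacement for it.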
your.domain.toml (any name works)
- custom routing rules
Note: address the upstream you forward to by IP (for something running on the host, use its LAN address). Inside the Traefik container, localhost and 127.0.0.1 are the container itself, not the host, so a host service named that way is unreachable.
# your.domain.toml
[http.middlewares.dash-compress.compress]

[http.middlewares.dash-auth.basicAuth]
  # These two entries are the sample users from the Traefik basicAuth documentation,
  # so their passwords are public. Replace them with your own, e.g. from
  # htpasswd -nbB <user> '<password>' (bcrypt); Traefik accepts MD5 (apr1), SHA1 and bcrypt.
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]

# https-redirect and noop are defined in default.toml; the file provider merges all files.
[http.routers.dashboard-redirect-https]
  rule = "Host(`your.domain`,`md.your.domain`)"
  entryPoints = ["http"]
  service = "noop"
  middlewares = ["https-redirect"]
  priority = 100

[http.routers.dashboard]
  rule = "Host(`your.domain`)"
  entryPoints = ["https"]
  service = "dashboard@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.dashboard.tls]  # no options named, so [tls.options.default] applies

[http.routers.api]
  rule = "Host(`your.domain`) && PathPrefix(`/api`)"
  entryPoints = ["https"]
  service = "api@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.api.tls]

[http.routers.ping]
  rule = "Host(`your.domain`) && PathPrefix(`/ping`)"
  entryPoints = ["https"]
  service = "ping@internal"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.ping.tls]

[http.routers.md]
  rule = "Host(`md.your.domain`)"
  entryPoints = ["https"]
  service = "md"
  middlewares = ["dash-auth", "dash-compress"]
  [http.routers.md.tls]

[http.services.md]
  [[http.services.md.LoadBalancer.servers]]
    url = "http://ip.ip.ip.ip:port" # IP of the upstream (LAN address for a local target), see the note above
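The users entries above are md5crypt ($apr1$) hashes. The following added Go example (not from this post or from Traefik) implements that format from the algorithm Apache's htpasswd uses, so you can mint entries offline and, more usefully, check whether a users list still contains a sample credential copied from documentation. The names Apr1, NewEntry and CheckEntry are this example's own; the sample entry in main is the page's first user, which this code confirms is the hash of the password test.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Alphabet of crypt(3): six-bit value i is written as itoa64[i].
const itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// to64 encodes the low 6*n bits of v, least significant group first.
func to64(v uint32, n int) string {
	var b strings.Builder
	for ; n > 0; n-- {
		b.WriteByte(itoa64[v&0x3f])
		v >>= 6
	}
	return b.String()
}

// Apr1 returns the Apache md5crypt digest "$apr1$salt$hash" of password for an
// up-to-8-character salt: what htpasswd -m writes and Traefik's basicAuth verifies.
func Apr1(password, salt string) string {
	pw, sl := []byte(password), []byte(salt)
	ctx := md5.New()
	ctx.Write(pw)
	ctx.Write([]byte("$apr1$"))
	ctx.Write(sl)
	// len(pw) bytes of MD5(pw || salt || pw), taken 16 at a time.
	alt := md5.Sum(append(append(append([]byte{}, pw...), sl...), pw...))
	for pl := len(pw); pl > 0; pl -= 16 {
		n := pl
		if n > 16 {
			n = 16
		}
		ctx.Write(alt[:n])
	}
	// One byte per bit of len(pw): NUL for a set bit, else the first password byte.
	for i := len(pw); i != 0; i >>= 1 {
		if i&1 != 0 {
			ctx.Write([]byte{0})
		} else {
			ctx.Write(pw[:1])
		}
	}
	final := ctx.Sum(nil)
	// 1000 stretching rounds whose inputs depend on the round number.
	for i := 0; i < 1000; i++ {
		c := md5.New()
		first, last := final, pw
		if i&1 != 0 {
			first, last = pw, final
		}
		c.Write(first)
		if i%3 != 0 {
			c.Write(sl)
		}
		if i%7 != 0 {
			c.Write(pw)
		}
		c.Write(last)
		final = c.Sum(nil)
	}
	// 22 output characters, digest bytes interleaved in md5crypt's fixed order.
	b := func(i int) uint32 { return uint32(final[i]) }
	return "$apr1$" + salt + "$" +
		to64(b(0)<<16|b(6)<<8|b(12), 4) + to64(b(1)<<16|b(7)<<8|b(13), 4) +
		to64(b(2)<<16|b(8)<<8|b(14), 4) + to64(b(3)<<16|b(9)<<8|b(15), 4) +
		to64(b(4)<<16|b(10)<<8|b(5), 4) + to64(b(11), 2)
}

// NewEntry returns a "user:$apr1$salt$hash" line for the users list with a fresh random salt.
func NewEntry(user, password string) (string, error) {
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	salt := make([]byte, 8)
	for i, c := range raw {
		salt[i] = itoa64[c&0x3f]
	}
	return user + ":" + Apr1(password, string(salt)), nil
}

// CheckEntry reports whether password matches a "user:$apr1$salt$hash" entry.
func CheckEntry(entry, password string) bool {
	i := strings.IndexByte(entry, ':')
	parts := strings.Split(entry[i+1:], "$") // "", "apr1", salt, digest
	if i < 0 || len(parts) != 4 || parts[1] != "apr1" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(entry[i+1:]), []byte(Apr1(password, parts[2]))) == 1
}

func main() {
	// Constructed input: the first user from the page's dash-auth block (prints true).
	fmt.Println(CheckEntry("test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test"))
	fmt.Println(NewEntry("alice", "correct horse battery staple"))
}
```

Run CheckEntry over every line of your users list with the documentation passwords before going live. If a hash ends up in a docker-compose label rather than in a TOML file, each $ has to be written as $$ so Compose does not treat it as a variable reference.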