3

我已经设法将 Traefik 设置为与我的 docker swarm 一起工作,并且对于 HTTP 请求它工作得很好。但是,我不知道如何为我的一些容器设置 SSL。我将使用letsencrypt 生成证书。

traefik.toml(部分)

defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[acme]
email = "acme@example.com"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"

码头工人-compose.yml

version: '3'
services:
  web:
    ...
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.frontend.rule=Host:example.com,www.example.com"
        - "traefik.docker.network=public"
        - "traefik.frontend.entryPoints=http"
        - "traefik.backend=service_web"

在此配置中,我的应用程序永远不会到达 SSL,因为我的容器没有设置 SSL entryPoint。如果我将“traefik.frontend.entryPoints”更改为“https”,则会调用 Letsencrypt(LE 由于暂存而出错,但此时这对我来说并不重要)。

我最大的问题是,我仍然不知道如何将 traefik TOML 配置转换为 docker-compose 标签。例如,Traefik 文档解释了入口点,但我有一堆服务在不同的域下。有些有 SSL,有些没有 SSL;因此,我希望能够仅使用 docker-compose 设置 http 和 https 入口点、http 到 https 重定向等。

另外,一旦我能够在 docker-compose 中设置入口点,我是否需要将[entryPoints]块保留在 traefik.toml 中?

4

1 回答 1

0

啊喂!

要求:本地持久卷插件: https ://github.com/CWSpear/local-persist (否则必须更改卷驱动程序)必须预先创建 Traefik 网络:“docker network create proxy -d overlay "

(1) 启动 Traefik:

version: "3"

services:
  traefik:
    image: traefik
    #command: --consul --consul.endpoint=consul:8500
    #command: storeconfig --consul --consul.endpoint=consul:8500
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      #- 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - traefikdata:/etc/traefik/
    deploy:
      #replicas: 3
      replicas: 1
      placement:
        constraints: [node.role == manager]
      update_config:
        parallelism: 1
        delay: 45s
        monitor: 15s
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 60s

volumes:
  traefikdata:
    driver: local-persist
    driver_opts:
      mountpoint: /data/docker/proxy

networks:
  proxy:
    external: true

重要提示:当使用 ACME 并且您想扩展 Traefik(如此处 3)时,您必须使用 Consul 或 ETCD 作为 Config 的“存储”。如果您只使用一个 Traefik 实例,则不要使用 Consule 或 ETCD。使用普通证书 ETCD 和领事永远不需要。

(2) 挂载traefik.toml

logLevel = "WARN"
debug = false
defaultEntryPoints = ["http", "https"]

[entryPoints]
 [entryPoints.http]
 address = ":80"
 compress = false
   [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

#Letsencrypt
[acme]
email = "admin@berndklaus.at"
storage = "traefik/acme/account"
entryPoint = "https"
onHostRule = true
onDemand = true

#[[acme.domains]]
# main = "yourdomain.at"
# sans = ["sub1.yourdomain.at", "www.yourdomain.at"]
#[[acme.domains]]
# main = "anotherdomain.at"


#[web]
#address = ":8080"

[docker]
domain = "docker.localhost"
watch = true
swarmmode = true

未注释的部分不是强制性的

(3) 启动任何服务

version: '3'

services:
  nginx:
    image: nginx
    deploy:
      labels:
        - "traefik.port=80"
        - "traefik.docker.network=proxy"
        - "traefik.frontend.rule=Host:sub1.yourdomain.at"
        - "traefik.backend=nginx"
        - "traefik.frontend.entryPoints=http,https"
      replicas: 1
    networks:
      proxy:
        aliases:
          - nginx
    volumes:
      - html:/usr/share/nginx/html
    environment:
      - NGINX_HOST=sub.yourdomain.at
      - NGINX_PORT=80
    #command: /bin/bash -c "envsubst < /etc/nginx/conf.d/mysite.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"

networks:
  proxy:
    external: true
  default:
    driver: overlay

volumes:
  html:
    driver: local-persist
    driver_opts:
      mountpoint: /data/docker/html

更多示例:https ://github.com/Berndinox/compose-v3-collection

于 2017-10-11T10:44:31.577 回答