我这里有一套可以正常工作的配置:用 dnsmasq 做 DNS,运行一个 Docker 化的服务(whoami)和一个裸机服务(`ruby -run -e httpd . -p 3000`)。到 https 的重定向工作正常,名称解析也工作正常。
另请注意,我在 10.xxx 网络上使用一个辅助 IP 来解析 scuar.home 的 DNS。我的本地局域网通过 dnsmasq 解析 192.169.xx 的流量——这些也都工作正常。此外,我使用的是自签名证书。
我的问题是(经过数小时的搜索和反复试验):在这个配置中,如何为裸机服务添加 basic auth?
这是我的工作配置文件:
[edit1:添加 dnsmasq.config 以防您想知道事情是如何解决的]
[edit2:我在路由器配置(traefik-dyn.yml)中添加了一个中间件部分,它确实给了我一个登录对话框(配置已在下面更新)。但是密码不起作用——所以……任何帮助将不胜感激]
docker-compose.yml
# docker-compose.yml
# Traefik v2 as the edge proxy, plus a "whoami" demo container routed through it.
version: "3.3"

services:
  traefik:
    image: "traefik:v2.0"
    # network_mode: host  # would let Traefik talk to the host machine; not needed because dnsmasq is running
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Socket used by the Docker provider.
      # NOTE(review): ":ro" only makes the socket file's mount read-only; it
      # does not limit what can be requested through the Docker API, so
      # access to this socket should be treated as control of the daemon.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Static configuration and the file-provider (dynamic) configuration.
      - "${PWD}/traefik.yml:/etc/traefik/traefik.yml"
      - "${PWD}/traefik-dyn.yml:/etc/traefik/traefik-dyn.yml"
      # TLS certificates/keys and the access log.
      # NOTE(review): the config files and the certs directory (which holds
      # the private key) are mounted read-write; Traefik only needs to read
      # them, so a ":ro" suffix would be the tighter choice.
      - "${PWD}/certs:/etc/traefik/certs"
      - "${PWD}/logs/access.log:/access.log"
    labels:
      - "traefik.enable=true"
      # Dashboard/API over HTTPS (also serves dashboard.scuar.lan/api/rawdata).
      - "traefik.http.routers.traefik_https.rule=Host(`dashboard.scuar.lan`)"
      - "traefik.http.routers.traefik_https.service=api@internal"
      - "traefik.http.routers.traefik_https.entrypoints=websecure"
      - "traefik.http.routers.traefik_https.tls=true"
      # Plain-HTTP router for the dashboard host; it only redirects to HTTPS.
      - "traefik.http.routers.http_traefik.rule=Host(`dashboard.scuar.lan`)"
      - "traefik.http.routers.http_traefik.entrypoints=web"
      - "traefik.http.routers.http_traefik.middlewares=https_redirect"
      # Basic auth in front of the dashboard.
      # generate with: echo $(htpasswd -nb admin password) | sed -e s/\\$/\\$\\$/g
      # The sed step doubles every "$" because Compose would otherwise treat
      # "$" as variable interpolation; that doubling belongs to this file only.
      # NOTE(review): "-b" puts the password on the command line (shell
      # history, process list), and this hash is the MD5-based apr1 format;
      # "htpasswd -B" produces bcrypt instead. The hash is also readable by
      # anyone who can inspect the container's labels.
      - "traefik.http.routers.traefik_https.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$KPaYkFZF$$1O/da7HYF0eqrWTb.Ig2H0"
      # Global HTTP -> HTTPS redirect: the catch-all rule matches any host
      # (wildcard), so every request on "web" is sent to https.
      - "traefik.http.routers.http_catchall.rule=hostregexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=web"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  whoami:
    image: containous/whoami:v1.3.0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.https_whoami.rule=Host(`whoami.scuar.lan`)"
      - "traefik.http.routers.https_whoami.entrypoints=websecure"
      - "traefik.http.routers.https_whoami.tls=true"
      # Reuses the basic-auth middleware declared in the traefik service's
      # labels, so whoami shares the dashboard's credentials.
      - "traefik.http.routers.https_whoami.middlewares=traefik-auth"
      # No plain-HTTP router is needed here: http_catchall already redirects
      # everything on "web" to https/websecure.
      # - "traefik.http.routers.whoami_http.rule=Host(`whoami.scuar.lan`)"
      # - "traefik.http.routers.whoami_http.entrypoints=web"
      # - "traefik.http.routers.whoami_http.middlewares=https_redirect"
traefik.yml
# traefik.yml
# Static Traefik v2 configuration.
global:
  sendAnonymousUsage: false

log:
  # Accepted levels: DEBUG, INFO, WARN, ERROR, FATAL, PANIC.
  # NOTE(review): DEBUG is handy while troubleshooting but very verbose;
  # consider INFO or higher once the setup works.
  level: "DEBUG"
  format: "common"

api:
  # With insecure: false the API/dashboard is not served without a router;
  # it is reached through the router that points at api@internal.
  insecure: false
  dashboard: true

# accessLog: {}  # {} works as an empty placeholder
accessLog:
  filepath: "/access.log"

# Health-check endpoint.
ping: {}

# HTTP and HTTPS entrypoints.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  # Dynamic configuration read from container labels.
  docker:
    endpoint: "unix:///var/run/docker.sock"
    network: "docker.devnet"
    # Containers are ignored unless they carry traefik.enable=true.
    exposedByDefault: false
    # domain: "scuar.lan"
    # watch: true
  # Dynamic configuration read from a file (used for the bare-metal service).
  file:
    filename: "/etc/traefik/traefik-dyn.yml"
    watch: true

# Placeholder example: ACME (Let's Encrypt) with the HTTP challenge.
# Requires an internet connection.
# NOTE(review): "entryPoint: insecure" does not match either entrypoint
# defined above (web / websecure); it would have to name one of them.
# certificatesResolvers:
#   le:
#     acme:
#       email: someemail@example.com
#       storage: /acme.json
#       httpChallenge:
#         # used during the challenge
#         entryPoint: insecure
traefik-dyn.yml
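# traefik-dyn.yml
# Dynamic configuration for the file provider: routes the bare-metal app
# (myapp) through Traefik over HTTPS with basic auth.
http:
  routers:
    # http-to-myapp:
    #   # This is not necessary: we are already redirecting
    #   entryPoints:
    #     - web
    #   rule: "Host(`myapp.scuar.lan`)"
    #   service: "myapp"
    #     - "redirect"
    https-to-myapp:
      rule: "Host(`myapp.scuar.lan`)"
      service: "myapp"
      entryPoints:
        - websecure
      middlewares:
        - "traefik_auth_myapp"
      tls: {}

  middlewares:
    traefik_auth_myapp:
      basicAuth:
        users:
          # The hash is written exactly as htpasswd prints it, with single
          # "$" separators. Doubling to "$$" is only an escape for
          # docker-compose labels; in this file "$$" is taken literally, the
          # stored value is then not a valid hash, and every login fails.
          # NOTE(review): this is an MD5-based apr1 hash kept in a config
          # file; "htpasswd -B" gives bcrypt, and basicAuth's usersFile
          # option keeps the credentials out of this file.
          - "admin:$apr1$Nzb5.wP6$ZOnWvJtWujuLLRcYynUSl0"

  # middlewares:
  #   redirect:
  #     # This is not necessary: we are already redirecting
  #     redirectScheme:
  #       scheme: "websecure"  # works as new entrypoint
  #       ## scheme: "https"   # does not work

  services:
    myapp:
      loadBalancer:
        servers:
          # Traefik talks to the bare-metal app over plain HTTP.
          # NOTE(review): basic auth is enforced only on the Traefik router,
          # so port 3000 should not be reachable by clients directly
          # (bind or firewall it) - confirm how the app is bound.
          - url: "http://myapp.scuar.home:3000"
        passHostHeader: true

tls:
  certificates:
    # Certificate and private key, read from the certs directory mounted
    # into the container.
    - certFile: "/etc/traefik/certs/scuar.lan+1.pem"
      keyFile: "/etc/traefik/certs/scuar.lan+1-key.pem"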
dnsmasq.conf
# dnsmasq.conf: local DNS for the scuar.home, docker.devnet and scuar.lan names.
# NOTE(review): the value is empty as given; presumably a placeholder -
# confirm which interface was meant.
no-dhcp-interface=
bind-dynamic # could use bind-interfaces instead
# localhost
listen-address=127.0.0.1
# scuar.home: listen on the secondary 10.x address; scuar.home and its
# subdomains resolve to 10.127.127.1
listen-address=10.127.127.1
address=/scuar.home/10.127.127.1
domain=scuar.home,10.127.127.0/24
# local machine docker.devnet
domain=docker.devnet,172.17.0.0/24
# scuar.lan
# allow external listeners (local network)
# allow/deny firewall as needed
# sudo ufw <allow|deny> 53; sudo ufw reload
# NOTE(review): a bare "ufw allow 53" accepts queries from any source; to
# limit the resolver to this LAN:
#   sudo ufw allow from 192.168.1.0/24 to any port 53
# change IP based on current dhcp connection
listen-address=192.168.1.8
address=/scuar.lan/192.168.1.8
domain=scuar.lan,192.168.1.0/24
## to add this server to another dnsmasq permanently:
## add this to dnsmasq.conf
# server=/server.lan/192.168.1.8
## otherwise, temporarily, add this to the resolv.conf
#nameserver 192.168.1.8
# standard upstream DNS servers for the system level
# btw NetworkManager has its own DNS settings
## cloudflare
server=1.1.1.1
## google
server=8.8.8.8