Traefik2 Basic Configuration

The base configuration files needed to run Traefik2 with Docker-compose; only the email and host name need to be changed.

The original article is already very well organised: the traefik configuration and the app configuration are separated, so it is simple to get started. For details, see the original article.

1. Create Files

// Create the directories

mkdir -p traefik2 && cd traefik2
mkdir -p data/configurations
touch docker-compose.yml
touch data/traefik.yml
touch data/acme.json
touch data/configurations/dynamic.yml
chmod 600 data/acme.json
Creating the files and setting permissions:

mkdir creates a directory

touch creates a file

chmod changes permissions

2. Docker-compose

// Edit the file: nano docker-compose.yml

File path: ~/docker-compose.yml

Old configuration, with labels, now deprecated:
version: '3.7'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
"traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"

Note: the quotes around traefik.yourdomain are backticks (the key at the top-left of the keyboard, above TAB), not single quotes.

Change traefik.yourdomain to your own domain, e.g. 'traefik.xxx.com'; the domain's A record must be set up in advance.

"traefik.http.routers.traefik-secure.middlewares=user-auth@file"

The middleware user-auth@file referenced here is defined in dynamic.yml; it uses basicAuth.

Updated format: labels removed, everything is now controlled from the dynamic.yml file:
version: '3.7'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy

volumes:
  data:

networks:
  proxy:
    external: true

3. Static Configuration

File path: ~/data/traefik.yml

api:
  dashboard: true
  debug: true
  
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: :443
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
              
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
        
  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory 
      keyType: EC256
      httpChallenge:
        entryPoint: web
email: admin@yourdomain: change the email to a valid address.

It must be changed in both places, buypass and letsencrypt.

certResolver: letsencrypt selects the provider to use; either buypass or letsencrypt works.

4. Dynamic Configuration

File path: ~/data/configurations/dynamic.yml

Old configuration (used together with the labels), now deprecated:
# Dynamic configuration
http:
  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
                
    # UserName : admin
    # Password : qwer1234          
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
          
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12
Updated format: routers and services added so everything is controlled dynamically:
# Dynamic configuration
http:
  routers:
    # Router1: traefik dashboard
    dashboard:
      entryPoints:
        - "websecure"
      middlewares: 
        - "user-auth"
      service: api@internal
      rule: "Host(`dash.yourdomain.com`)"

    # Router2: typecho-1
    typecho:
      entryPoints:
        - "websecure"
      middlewares: 
        - "nonwww-www"
      rule: "Host(`www.yourdomain.com`) || Host(`yourdomain.com`)"
      service: typecho-service

    # Router3 ... ...

  middlewares:
    secureHeaders:
      headers:
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
                
    # UserName : admin
    # Password : qwer1234          
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"     

    # nonwww-www
    nonwww-www:
      redirectregex:
        regex: "^https://yourdomain.com/(.*)"
        replacement: "https://www.yourdomain.com/${1}"

    # websocket
    openSocket:
      headers:
        customRequestHeaders:
          X-Custom-Request-Header: " https" # Removes
 
  services:
    # service1:  typecho-1-service
    typecho-service:
      loadBalancer:
        servers:
        - url: "http://172.18.0.3"

    # service2:  ... ... 
        
tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      minVersion: VersionTLS12

To add a new website, just add the corresponding router and service to this dynamic.yml file.

How to find the container URL of the corresponding service was covered earlier (you can jump there to read it); the key is to find the right URL and fill it in correctly.
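An added example, not part of the original article: a small linter over the dynamic configuration above (as a dict, the shape yaml.safe_load returns), which flags the mistakes that matter when routers are added by hand: a router pointing at a service or middleware that does not exist, a router bound to the plaintext web entrypoint, and the api@internal dashboard exposed without an authentication middleware. The DYNAMIC dict is a constructed copy of the page's dynamic.yml; lint_dynamic and lint_file are names chosen for this example.

```python
from typing import Dict, List

# Constructed: the dynamic.yml above, as yaml.safe_load() would return it.
DYNAMIC = {"http": {
    "routers": {
        "dashboard": {"entryPoints": ["websecure"], "middlewares": ["user-auth"],
                      "service": "api@internal", "rule": "Host(`dash.yourdomain.com`)"},
        "typecho": {"entryPoints": ["websecure"], "middlewares": ["nonwww-www"],
                    "rule": "Host(`www.yourdomain.com`) || Host(`yourdomain.com`)",
                    "service": "typecho-service"},
    },
    "middlewares": {
        "user-auth": {"basicAuth": {"users": ["admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"]}},
        "nonwww-www": {"redirectregex": {"regex": "^https://yourdomain.com/(.*)",
                                         "replacement": "https://www.yourdomain.com/${1}"}},
    },
    "services": {"typecho-service": {"loadBalancer": {"servers": [{"url": "http://172.18.0.3"}]}}},
}}

# middleware types that actually authenticate the request
AUTH_KINDS = ("basicAuth", "digestAuth", "forwardAuth")


def lint_dynamic(cfg: Dict) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    http = cfg.get("http") or {}
    routers = http.get("routers") or {}
    mws = http.get("middlewares") or {}
    services = http.get("services") or {}
    auth_mws = {n for n, m in mws.items() if any(k in m for k in AUTH_KINDS)}
    problems = []
    for name, r in routers.items():
        svc = r.get("service")
        # file-provider references may carry an explicit "@file" suffix
        used = [m.split("@")[0] for m in (r.get("middlewares") or [])]
        if not svc:
            problems.append(f"router {name}: no service")
        elif not svc.endswith("@internal") and svc.split("@")[0] not in services:
            problems.append(f"router {name}: unknown service {svc}")
        for m in used:
            if m not in mws:
                problems.append(f"router {name}: unknown middleware {m}")
        if svc == "api@internal" and not auth_mws & set(used):
            problems.append(f"router {name}: api@internal exposed without an auth middleware")
        if "web" in (r.get("entryPoints") or []):
            problems.append(f"router {name}: bound to the plaintext entrypoint web")
        if not r.get("rule"):
            problems.append(f"router {name}: no rule")
    return problems


def lint_file(path: str) -> List[str]:
    """Same checks on a real dynamic.yml (needs PyYAML, assumed installed)."""
    import yaml
    with open(path, encoding="utf-8") as f:
        return lint_dynamic(yaml.safe_load(f))
```

Run lint_file("data/configurations/dynamic.yml") after each edit; a non-empty list means Traefik would either drop the router or, worse, serve it unprotected.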


What needs to be changed here is the login credentials for the Web UI:

users: - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"

This is the form used when referenced from the file: a single $ is enough. If it is used in docker-compose.yml, $$ must be used instead.

That is, in labels it takes the following form:

"traefik.http.middlewares.test-auth.basicauth.users=admin:$$apr1$$tm53ra6x$$FntXd6jcvxYM/YH0P2hcc1"

The format is username:password; Basic Auth uses the md5 password hash generated by htpasswd:

  • Method 1:

    # Install apache htpasswd
    sudo apt-get install apache2-utils
    # Generate the username and password entry
    htpasswd -nb admin qwer1234
    admin:$apr1$tyg7xqjc$OjnLArW4el/npX3pKWu6B0
  • Method 2:

    # Generate with a docker image
    docker run --rm -it --entrypoint /usr/local/apache2/bin/htpasswd httpd:alpine -nb test test
  • Method 3:

    Use an online generator:

    https://www.askapache.com/online-tools/htpasswd-generator/
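As an added example (not from the original article), the following Python reproduces the APR1 md5 scheme that htpasswd uses by default, verifies a password against an existing entry, and produces the $$-escaped form needed in docker-compose labels. The helper names apr1_hash, apr1_verify and compose_label are chosen for this example; the salt is generated locally, so no password ever has to be pasted into a web form.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_hash(password: str, salt: str = "") -> str:
    """APR1 (Apache md5crypt) hash, the scheme behind `htpasswd -nb`."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):            # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                     # historic bit-walk over len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                        # fixed 1000-round stretching
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""                                     # md5crypt byte permutation + its base64 variant
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    v = final[11]
    for _ in range(2):
        out, v = out + ITOA64[v & 0x3F], v >> 6
    return f"$apr1${sl.decode()}${out}"


def apr1_verify(password: str, entry: str) -> bool:
    """Check a password against a `$apr1$<salt>$<hash>` string from dynamic.yml."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), entry)


def compose_label(user: str, entry: str, middleware: str = "test-auth") -> str:
    """docker-compose interpolates `$`, so each `$` must be doubled inside labels."""
    escaped = entry.replace("$", "$$")
    return f"traefik.http.middlewares.{middleware}.basicauth.users={user}:{escaped}"
```

apr1_verify("qwer1234", "$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1") checks whether the hash shipped in dynamic.yml really corresponds to the documented password before it is deployed.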

5. Run traefik

The configuration declares an external network named proxy, so create the proxy network before running docker-compose:

// Create the proxy network
docker network create --driver bridge --subnet=172.18.0.0/24 proxy

Then run docker-compose up -d to start traefik.
