HTTPS with Traefik 3.0, Let's Encrypt and Alibaba Cloud DNS (Docker deployment)
Prerequisites
- Register a Let's Encrypt account e-mail and bind it to your domain: https://easy.zhetao.com/
- Buy a domain and a server (complete ICP filing), and add DNS records for both the wildcard (*.domain) and the apex domain
- Install Docker and docker-compose
docker-compose.yml

The router labels below must reference the entrypoint names defined under `command` (`web` and `websecure`) and the certificate resolver defined there (`letsencrypt`); a router that names an undefined entrypoint or resolver is skipped by Traefik with only a log warning. The `traefik.docker.network=proxy` label likewise needs a network actually called `proxy`, so it is declared at the bottom with an explicit `name`.

version: '3.8'
services:
  traefik:
    restart: unless-stopped
    # Pin to the Traefik 3.0 line instead of the floating "latest" tag
    image: traefik:v3.0
    environment:
      # Alibaba Cloud RAM sub-account credentials used for the DNS-01 challenge
      - ALICLOUD_ACCESS_KEY=${ALICLOUD_ACCESS_KEY}
      - ALICLOUD_SECRET_KEY=${ALICLOUD_SECRET_KEY}
    command:
      # api.insecure serves the dashboard without authentication on container port 8080
      # (published as 9080 below); remove it once the basicauth router works
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=alidns
      - --certificatesresolvers.letsencrypt.acme.email=${EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
      - "9080:8080"
    volumes:
      # ./letsencrypt/acme.json holds the account key and private keys; Traefik
      # refuses to use it unless its mode is 600
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy
    labels:
      - traefik.enable=true
      # Plain-HTTP router: its only job is the redirect to HTTPS
      - traefik.http.routers.traefik.entrypoints=web
      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD_HASH}
      # HTTPS router for the dashboard, protected by basic auth
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAIN}`)
      - traefik.http.routers.traefik-secure.middlewares=auth
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=${CERT_RESOLVER}
      # Request one wildcard certificate covering the apex and all subdomains
      - traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAIN}
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAIN}
  whoami:
    restart: unless-stopped
    image: traefik/whoami
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=${CERT_RESOLVER}
      - traefik.docker.network=proxy

networks:
  proxy:
    name: proxy
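The mismatch between static entrypoint/resolver names and the names used in router labels is the most common reason a setup like this serves Traefik's default self-signed certificate instead of the Let's Encrypt one. The following script is an added example, not part of the original post: it substitutes `${VAR}` values from a `.env`-style mapping, collects the entrypoints and resolvers defined in `command`, and reports every router label that references a name that does not exist or a variable that was never supplied. The compose snippet and env mapping inside it are constructed for the demo (they deliberately contain the `http`/`https` mistake); only the `${VAR}` form of substitution is handled.

```python
import re

# Constructed sample (not the post's full compose file): the static config defines
# entrypoints "web"/"websecure" and a resolver "letsencrypt", while two router
# labels still say "http"/"https", one resolver name is misspelled, and EMAIL is
# not supplied in the env.
SAMPLE_COMPOSE = """
services:
  traefik:
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=${EMAIL}
    labels:
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.tls.certresolver=${CERT_RESOLVER}
  whoami:
    labels:
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrpyt
"""
SAMPLE_ENV = {"CERT_RESOLVER": "letsencrypt"}  # EMAIL deliberately missing

ENTRYPOINT_RE = re.compile(r"--entrypoints\.([\w-]+)\.address=", re.I)
RESOLVER_RE = re.compile(r"--certificatesresolvers\.([\w-]+)\.", re.I)
ROUTER_EP_RE = re.compile(r"traefik\.http\.routers\.([\w-]+)\.entrypoints=([\w,-]+)", re.I)
ROUTER_CR_RE = re.compile(r"traefik\.http\.routers\.([\w-]+)\.tls\.certresolver=([\w-]+)", re.I)
VAR_RE = re.compile(r"\$\{(\w+)\}")


def substitute_env(text, env):
    """Replace ${VAR} with env[VAR]; unknown variables are left in place so they
    can be reported (only the braced form is handled, unlike Compose itself)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def defined_entrypoints(text):
    return set(ENTRYPOINT_RE.findall(text))


def defined_resolvers(text):
    return set(RESOLVER_RE.findall(text))


def find_mismatches(compose_text, env):
    """Return human-readable problems; an empty list means every router label
    points at an entrypoint and resolver that the static configuration defines."""
    text = substitute_env(compose_text, env)
    entrypoints = defined_entrypoints(text)
    resolvers = defined_resolvers(text)
    problems = []
    for router, ep_list in ROUTER_EP_RE.findall(text):
        for ep in ep_list.split(","):
            if ep not in entrypoints:
                problems.append(f"router {router}: entrypoint '{ep}' is not defined "
                                f"(defined: {sorted(entrypoints)})")
    for router, resolver in ROUTER_CR_RE.findall(text):
        if resolver not in resolvers:
            problems.append(f"router {router}: certresolver '{resolver}' is not defined "
                            f"(defined: {sorted(resolvers)})")
    for var in VAR_RE.findall(text):
        problems.append(f"unresolved variable ${{{var}}}: add it to .env")
    return problems


if __name__ == "__main__":
    for line in find_mismatches(SAMPLE_COMPOSE, SAMPLE_ENV):
        print(line)
```

Run it against the real `docker-compose.yml` by reading the file into `compose_text` and loading `.env` into a dict; any line it prints corresponds to a router Traefik will drop at startup.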
Install htpasswd

htpasswd prints the `user:hash` line that goes into TRAEFIK_PASSWORD_HASH (Traefik's basicauth also accepts bcrypt hashes, produced with the additional -B flag):

yum install httpd-tools
htpasswd -nb admin password
Configure .env

Keep this file out of version control and readable only by the deploying user (chmod 600): it holds the DNS API key, which can change every record the RAM policy permits.

# vim .env
DOMAIN=****
EMAIL=a@xx.com
# must match the resolver name defined in docker-compose.yml (letsencrypt)
CERT_RESOLVER=****
TRAEFIK_USER=admin
## generated with: htpasswd -nb admin password
## single-quote the value so Docker Compose does not interpolate the $ signs inside the hash
TRAEFIK_PASSWORD_HASH=****
ALICLOUD_ACCESS_KEY=******
ALICLOUD_SECRET_KEY=****
Alibaba Cloud: create a RAM sub-account for DNS

Copy its ACCESS_KEY and SECRET_KEY into .env. Grant the sub-account two policies:
- AliyunDNSReadOnlyAccess
- a custom policy that allows write access only on the one domain being certified:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "alidns:*",
      "Resource": "acs:alidns:*:*:domain/xx.com"
    },
    {
      "Effect": "Allow",
      "Action": [
        "alidns:DescribeDomains",
        "alidns:DescribeDomainNs",
        "alidns:DescribeDomainGroups",
        "alidns:DescribeSiteMonitorIspInfos",
        "alidns:DescribeSiteMonitorIspCityInfos"
      ],
      "Resource": "acs:alidns:*:*:*"
    }
  ]
}
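The value of this policy is that the API key living in `.env` can only write records under the one zone being certified. The script below is an added example (not from the post or from Alibaba Cloud) that evaluates a RAM-style policy the way a reviewer would: it checks that the actions a DNS-01 solver needs are allowed on the certified domain, and flags any Allow statement that would also let the key modify records in a zone that is not ours. The policy JSON is the post's, with its `xx.com` placeholder; the second, over-broad policy, the resource ARN shape with a placeholder account id, and the list of required actions are assumptions made for the demo and should be checked against the DNS provider documentation of the Traefik version in use.

```python
import json
from fnmatch import fnmatchcase

# The custom policy from the post (placeholder domain xx.com kept as written).
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "alidns:*", "Resource": "acs:alidns:*:*:domain/xx.com"},
    {"Effect": "Allow",
     "Action": ["alidns:DescribeDomains", "alidns:DescribeDomainNs",
                "alidns:DescribeDomainGroups", "alidns:DescribeSiteMonitorIspInfos",
                "alidns:DescribeSiteMonitorIspCityInfos"],
     "Resource": "acs:alidns:*:*:*"}
  ]
}
"""

# Constructed counter-example: the same write grant, but on every zone in the account.
BROAD_POLICY_JSON = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "alidns:*", "Resource": "*"}
]}
"""

# Assumption: the alidns calls a DNS-01 solver needs (find the zone, create the
# _acme-challenge TXT record, read it back, delete it). Verify against the
# provider documentation for the Traefik release you deploy.
REQUIRED_ACTIONS = [
    "alidns:DescribeDomains",
    "alidns:DescribeDomainRecords",
    "alidns:AddDomainRecord",
    "alidns:DeleteDomainRecord",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """A statement applies when one Action pattern and one Resource pattern match."""
    return (any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"])))


def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: an explicit Deny always wins over an Allow."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    return "Allow" in effects and "Deny" not in effects


def domain_resource(domain, account_id="123456"):
    # Constructed ARN for a hosted zone; region and account id are placeholders.
    return f"acs:alidns:cn-hangzhou:{account_id}:domain/{domain}"


def missing_actions(policy, domain):
    """Required actions the policy does not allow on the certified domain."""
    resource = domain_resource(domain)
    return [a for a in REQUIRED_ACTIONS if not is_allowed(policy, a, resource)]


def broad_statements(policy):
    """Indices of Allow statements that let the key delete records in a zone we
    do not own, probed with a domain that is deliberately not ours."""
    probe = domain_resource("not-our-zone.invalid")
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and _matches(s, "alidns:DeleteDomainRecord", probe)]


def review(policy_json, domain):
    policy = json.loads(policy_json)
    return {"missing": missing_actions(policy, domain),
            "broad": broad_statements(policy)}


if __name__ == "__main__":
    print("post's policy:", review(POLICY_JSON, "xx.com"))
    print("broad policy: ", review(BROAD_POLICY_JSON, "xx.com"))
```

For the post's policy the review comes back with nothing missing and nothing broad; for the counter-example statement 0 is flagged, which is exactly the difference between a key that can only touch `xx.com` and one that can rewrite every zone in the account if the `.env` file leaks.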
Access succeeded.