https://doc.traefik.io/traefik/middlewares/
一、目标:
1、traefik与docker集成,docker通过使用label通知traefik进行配置
2、集成https-redirect、basic-auth、digestauth等中间件
3、通过traefik http\tcp代理容器外部的端口,例如22端口
4、
二、创建docker网络
# Shared bridge network that traefik and every proxied container join;
# each compose file below declares it as "external: true" rather than creating it.
docker network create traefik
三、部署traefik
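mkdir -p /data/traefik
cd /data/traefik
# Quoted heredoc: nothing inside is expanded by the shell, so the "$$" in the
# basic-auth hashes reaches compose untouched (compose turns "$$" into "$").
cat > docker-compose.yaml << 'EOF'
version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik:v2.6.3
    restart: always
    environment:
      - TZ=Asia/Shanghai
    ports:
      - "80:80"
      - "443:443"
      - "8082:8082"
      - "8022:8022"  # TCP entrypoint used to proxy an IP:port outside the container network
    networks:
      - traefik
    command:
      - "--global.sendanonymoususage=false"
      - "--global.checknewversion=false"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.tcp_8082.address=:8082"  # TCP-layer entrypoint
      - "--entrypoints.tcp_8022.address=:8022"  # TCP-layer entrypoint, proxies an external host:port
      - "--api=true"
      # api.insecure serves the API and dashboard unauthenticated on the internal
      # "traefik" entrypoint (:8080). That port is not published above, so it is
      # reachable only from containers on the traefik network; the healthcheck's
      # /ping request below relies on this entrypoint.
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--api.debug=false"
      - "--ping=true"
      - "--log.level=warn"
      - "--log.format=common"
      - "--accesslog=false"  # access log disabled; the field settings below only apply once it is enabled
      - "--accesslog.filepath=/log/access.log"
      - "--accesslog.format=json"
      - "--accesslog.fields.defaultmode=keep"
      - "--accesslog.fields.names.ClientUsername=drop"
      - "--accesslog.fields.headers.defaultmode=keep"
      - "--accesslog.fields.headers.names.User-Agent=redact"
      - "--accesslog.fields.headers.names.Authorization=drop"  # never write credentials to the log
      - "--accesslog.fields.headers.names.Content-Type=keep"
      - "--providers.docker=true"
      - "--providers.docker.watch=true"
      - "--providers.docker.exposedbydefault=false"  # only containers labelled traefik.enable=true are routed
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.swarmMode=false"
      - "--providers.docker.useBindPortIP=false"
      - "--providers.docker.network=traefik"
      - "--providers.file=true"
      - "--providers.file.watch=true"
      - "--providers.file.directory=/etc/traefik/config"
      - "--providers.file.debugloggeneratedtemplate=true"
    volumes:
      # standard Linux hosts only
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      # ":ro" only makes the socket node read-only; API calls over it still work,
      # so this grants the traefik container full control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/:/etc/traefik/config/:ro
      - ./ssl/:/ssl/:ro
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # BasicAuth middleware named basic-auth; defined here but not referenced by any router
      - "traefik.http.middlewares.basic-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
      # DigestAuth middleware named digest-auth; each entry is user:realm:hash
      - "traefik.http.middlewares.digest-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
      - "traefik.http.middlewares.digest-auth.digestauth.realm=traefik"
      - "traefik.http.middlewares.digest-auth.digestauth.headerField=X-WebAuth-User"
      - "traefik.http.middlewares.digest-auth.digestauth.removeheader=true"
      # http -> https redirect middleware named https-redirect
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      # http entrypoint: force a redirect to https
      - "traefik.http.routers.traefik-dash-default.entrypoints=http"
      - "traefik.http.routers.traefik-dash-default.rule=Host(`dashboard.lady.cn`)"
      - "traefik.http.routers.traefik-dash-default.service=dashboard@internal"
      - "traefik.http.routers.traefik-dash-default.middlewares=https-redirect"  # references the redirect middleware by name
      # https entrypoint: dashboard at the site root. It gets the same digest-auth
      # as the /api and /dashboard router so no dashboard path is reachable unauthenticated.
      - "traefik.http.routers.traefik-dash-web.entrypoints=https"
      - "traefik.http.routers.traefik-dash-web.rule=Host(`dashboard.lady.cn`) && PathPrefix(`/`)"
      - "traefik.http.routers.traefik-dash-web.tls=true"
      - "traefik.http.routers.traefik-dash-web.service=dashboard@internal"
      - "traefik.http.routers.traefik-dash-web.middlewares=digest-auth"
      # https entrypoint: API and dashboard under /api and /dashboard
      - "traefik.http.routers.traefik-dash-api.entrypoints=https"
      - "traefik.http.routers.traefik-dash-api.rule=Host(`dashboard.lady.cn`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-dash-api.tls=true"
      - "traefik.http.routers.traefik-dash-api.service=api@internal"
      # reference the digest-auth middleware
      - "traefik.http.routers.traefik-dash-api.middlewares=digest-auth"
      # TCP-layer router on the tcp_8022 entrypoint (the external-port proxy).
      # The name must match an entrypoint defined in "command" above.
      - "traefik.tcp.routers.tcprouter1.entrypoints=tcp_8022"
      - "traefik.tcp.routers.tcprouter1.rule=HostSNI(`*`)"  # no TLS/SNI matching: any client reaching :8022 is forwarded
      - "traefik.tcp.routers.tcprouter1.service=tcpservice01@file"  # service defined in the file provider config
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
      interval: 3s
      retries: 12
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
networks:
  traefik:
    external: true
EOF
docker-compose up -d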
应用部署
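mkdir -p /data/nexus3/data
# the nexus process runs as uid/gid 200 and needs to own its data directory
chown 200:200 /data/nexus3/data
cd /data/nexus3
cat > docker-compose.yaml << 'EOF'
version: '3'
services:
  nexus3:
    container_name: "nexus3"
    image: 'sonatype/nexus3:3.30.1'
    # image: klo2k/nexus3:3.35.0-02  # arm64 build of the same service
    restart: unless-stopped
    hostname: 'nexus3'
    environment:
      INSTALL4J_ADD_VM_PARAMS: '-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m'
      NEXUS_CONTEXT: 'nexus-public'
    # Not published on the host: the only way in is through traefik.
    # ports:
    #   - '32010:8081'
    networks:
      - traefik
    volumes:
      - ./data:/nexus-data
      - /etc/localtime:/etc/localtime:ro  # read-only, as in the traefik compose file
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # http-layer routers on the http and https entrypoints; http is forced to https.
      # No loadbalancer.server.port label is set, so traefik uses the container's
      # exposed port (presumably 8081, see the commented-out mapping above).
      - "traefik.http.routers.nexus3.middlewares=https-redirect"
      - "traefik.http.routers.nexus3.entrypoints=http"
      - "traefik.http.routers.nexus3.rule=Host(`nexus.lady.cn`)"
      - "traefik.http.routers.nexus3-ssl.entrypoints=https"
      - "traefik.http.routers.nexus3-ssl.tls=true"
      - "traefik.http.routers.nexus3-ssl.rule=Host(`nexus.lady.cn`)"
      # tcp-layer router on the tcp_8082 entrypoint. HostSNI(`*`) without tls means
      # plain TCP from any client on :8082 is forwarded to nexus, bypassing the
      # http routers and the https redirect above.
      - "traefik.tcp.routers.tcprouter0.entrypoints=tcp_8082"
      - "traefik.tcp.routers.tcprouter0.rule=HostSNI(`*`)"
networks:
  traefik:
    external: true
EOF
docker-compose up -d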
nexus3可通过http代理和tcp代理进行访问
http代理:
tcp代理:(如果tcp代理要通过域名访问,那么一定要配置tls证书)
— 分界线 —
配置traefik.yaml文件
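# config/ holds the file-provider dynamic config (mounted at /etc/traefik/config),
# ssl/ holds the certificates (mounted at /ssl); brace expansion needs a comma.
mkdir -p /data/traefik/{config,ssl}
cd /data/traefik/config/
# "<<" starts the heredoc; a single "<" would try to read a file named EOF.
cat > traefik.yaml << 'EOF'
# TLS certificate served on the https entrypoint (paths are inside the container)
tls:
  certificates:
    - certFile: /ssl/server.pem
      keyFile: /ssl/server-key.pem
      # NOTE(review): the source read "stores: default: default" with its
      # indentation lost; a list of store names is the documented form - confirm.
      stores:
        - default
  options:
    default:
      # connections whose SNI matches no certificate are not rejected
      sniStrict: false
# NOTE(review): disables certificate verification towards backends. In Traefik v2
# this is a static option (--serversTransport.insecureSkipVerify) or a dynamic
# http.serversTransports.<name> entry; confirm this top-level key is honoured here.
serversTransport:
  insecureSkipVerify: true
# TCP service referenced by tcprouter1 as tcpservice01@file
tcp:
  services:
    tcpservice01:
      loadBalancer:
        servers:
          - address: "192.168.11.101:22"  # host outside Docker, IP:port
EOF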
生成自签证书
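# Work in the directory that docker-compose mounts at /ssl, so the generated
# server.pem / server-key.pem land where traefik.yaml expects them.
mkdir -p /data/traefik/ssl && cd /data/traefik/ssl
# Download the cfssl binaries.
# NOTE(review): plain-HTTP download placed straight into PATH; check the files
# against a checksum or signature from the cfssl project before installing.
for name in cfssl cfssljson cfssl-certinfo; do
  wget "http://pkg.cfssl.org/R1.2/${name}_linux-amd64"
done
chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
# One-shot certificate generation. Note: adjust the "hosts" list in server-csr.json
# to the domains/IPs you actually serve.
# 87600h = 10 years. The profile name is arbitrary; it is selected with -profile below.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# CA request; the CN is only a label here.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "GuangZhou",
      "ST": "GuangZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Produces ca.pem and ca-key.pem. Only server.pem/server-key.pem are mounted into
# traefik, so ca-key.pem (the signing key) does not need to stay on this host.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
# Server request. "hosts" becomes the SAN list and must cover every Host() rule
# served on the https entrypoint (dashboard.lady.cn, nexus.lady.cn).
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "lady.cn",
    "*.lady.cn"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "GuangZhou",
      "ST": "GuangZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# Produces the two files referenced by traefik.yaml: server.pem and server-key.pem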
digest_auth 验证
# digest_auth password generation (htdigest comes with httpd-tools)
yum install -y httpd-tools
# -c creates (and overwrites) the file "password"; the realm argument must equal
# the digestauth.realm set in the traefik compose labels ("traefik").
#> htdigest -c password traefik xbzeng
Adding password for xbzeng in realm traefik.
New password:
Re-type new password:
# Each line is user:realm:hash, the format the digestauth.users label expects.
cat password
xbzeng:traefik:7a3d9d8a364fcd5d3e93dccfff98c3b7
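version: '3'
services:
  gwit:
    container_name: "gwit"
    image: 'gwit:20220531'
    restart: unless-stopped
    hostname: 'gwit'
    environment:
      JAVA_OPTS: '-Xmx1024m -Xss128m'
    # No host ports: reachable only through traefik on the shared network.
    networks:
      - traefik
    volumes:
      - /etc/localtime:/etc/localtime:ro  # read-only, as in the traefik compose file
      # Application config mounted from the host; presumably holds datasource
      # credentials (druid), so keep host file permissions tight.
      - /data/solution/gwit/etc/application-druid.yml:/gwit/application-druid.yml
      - /data/solution/gwit/etc/application.yml:/gwit/application.yml
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # http entrypoint only: unlike nexus3 there is no https router and no
      # https-redirect, so this service is served in plain text.
      - "traefik.http.routers.gwit.entrypoints=http"
      #- "traefik.http.routers.gwit.rule=Host(`gwit.lady.cn`)"
      - "traefik.http.routers.gwit.rule=Host(`192.168.11.102`) && PathPrefix(`/gwit/`)"
      # explicit service port, since the image's exposed port is not relied on
      - "traefik.http.services.gwit.loadbalancer.server.port=8088"
networks:
  traefik:
    external: true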