I was previously using Traefik 1.7.17. I saw that v2 was out and tried the Go binary for converting the files from 1.7.17 to v2, but it failed on some of the configuration. I have googled everywhere for similar questions and gone through the documentation, but nothing I try to put together works with v2. I was starting to understand how Traefik v2 works with routers, middlewares and services, but I only got more confused reading other forums and posts.
Previously, in v1.7.17, I had the dashboard on a subdomain with a redirect to https using ACME Let's Encrypt, which was used everywhere. Below are my files, which will hopefully get Caddy to reverse-proxy the NUXT server that I had working on 1.7.17.
I am trying to get the Traefik dashboard on port 8080 with https on my specified domain, have Traefik handle the caddynuxt server, and have the caddynuxt server listen transparently for the actual nuxt client (I had this working in 1.7.17). I thought dynamic routing from Traefik in v2 would take care of this, but I am not sure.
I would appreciate the correct way of doing this and any pointers. I am also using DigitalOcean, if that helps. I am using Docker (not in Swarm at the moment; I would like to use Kubernetes).
The acme.json file is empty because I am using staging, as you can see below, but I have an ACME account that I used for production ... for after I am able to get v2 running.
Traefik docker-compose file:
version: '3.5'
services:
  traefik:
    image: traefik:v2.0.2
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    # expose:
    #   - 8080
    networks:
      - unicausalpublic
      - unicausalnetwork
      - unicausalapi
      - unicausaldevelopment
      - stageunicausaldevelopment
    environment:
      - DO_AUTH_TOKEN=NOPE
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      #- ./acme.json:/etc/traefik/acme.json
      - "./letsencrypt:/letsencrypt"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=unicausalpublic"
      - "traefik.http.routers.api.rule=Host(`monitor.unicausal.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      # - "traefik.http.routers.api.service=api@internal"
      # - "traefik.http.routers.api.middlewares=dashadmin"
      # - "traefik.http.routers.api.tls"
      # - "traefik.http.middlewares.dashadmin.basicauth.users=yeaboii:ignore."
networks:
  unicausalpublic:
    external: true
  unicausalnetwork:
    external: true
  unicausalapi:
    external: true
  unicausaldevelopment:
    external: true
  # stage network may be moved to dedicated staging environment
  stageunicausaldevelopment:
    external: true
My Traefik v2 toml:
# Typically, a router replaces a frontend, and a service assumes
# the role of a backend, with each router referring to a service.
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[log]
  level = "DEBUG" # DEBUG, INFO, WARN, ERROR, FATAL, PANIC

# static configuration
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
  [entryPoints.traefik]
    address = ":8080"

[providers]
  providersThrottleDuration = "5s"
  [providers.docker]
    watch = true
    endpoint = "unix:///var/run/docker.sock"
    exposedbydefault = false
    # swarmModeRefreshSeconds = "15s"
  # [providers.file]
  #   filename = "/etc/traefik/traefik.toml"

[api]
  insecure = false
  dashboard = true
  debug = false

# ref: https://docs.traefik.io/v2.0/migration/v1-to-v2/
# Routers
[http.routers]
  # below is dashboard router only
  [http.routers.api]
    rule = "Host(`monitor.unicausal.com`)"
    # rule = "Host(`traefik.docker.localhost`)"
    entrypoints = ["websecure"]
    service = "api@internal"
    middlewares = ["dashadmin"]
    [http.routers.api.tls]
      certResolver = "letsencrypt"
      [[http.routers.api.tls.domains]]
        main = "unicausal.com"
        sans = ["*.unicausal.com"]

[http.middlewares]
  # Redirect to https
  [http.middlewares.redirectwebsecure.redirectScheme]
    scheme = "websecure"
  [http.middlewares.dashadmin.basicauth]
    users = [
      "yeaboii:IGNORE",
    ]

# you name your certResolvers.[name].type
[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "yeaboii@gmail.com"
      #caServer = "https://acme-v02.api.letsencrypt.org/acme/acct/yeaboii"
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage = "/letsencrypt/acme.json"
      # [certificatesResolvers.letsencrypt.acme.dnsChallenge]
      #   provider = "digitalocean"
      #   delayBeforeCheck = 0
      [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"
Below is my Traefik debug log:
Starting v202_traefik_1 ... done
Attaching to v202_traefik_1
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Traefik version 2.0.2 built on 2019-10-09T19:26:05Z"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":5000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"letsencrypt\":{\"acme\":{\"email\":\"yeaboiii@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Stats collection is enabled."
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="More details on: https://docs.traefik.io/v2.0/contributing/data-collection/"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: permissions 644 for /letsencrypt/acme.json are too open, please use 600"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="No default certificate, generating one"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Provider connection established with docker 18.09.1 (API 1.39)" providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Filtering disabled container" container=devnuxt-unicausal-client-c20aa52d24acdd5e94357785abb36e6d760d79eb7ba7d64ba9879b46125ade73 providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"websecure\"],\"service\":\"traefik-v202\",\"rule\":\"Host(`monitor.unicausal.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"devcaddynuxt\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"file.redirectwebsecure\"],\"service\":\"devcaddynuxt-unicausal-client\",\"rule\":\"Host(`stage.unicausal.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"websecure\":{\"entryPoints\":[\"websecure\"],\"service\":\"devcaddynuxt-unicausal-client\",\"rule\":\"Host(`stage.unicausal.com`)\",\"tls\":{}}},\"services\":{\"devcaddynuxt-unicausal-client\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:80\"}],\"passHostHeader\":true}},\"traefik-v202\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.3:80" entryPointName=websecure routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client serverName=0
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware devcaddynuxt-unicausal-client" routerName=websecure@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.2:80" serverName=0 entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware traefik-v202" entryPointName=websecure routerName=api@docker middlewareName=tracing middlewareType=TracingForwarder
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining serviceName=devcaddynuxt-unicausal-client entryPointName=web routerName=devcaddynuxt@docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" routerName=devcaddynuxt@docker serviceName=devcaddynuxt-unicausal-client entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.3:80" routerName=devcaddynuxt@docker serviceName=devcaddynuxt-unicausal-client serverName=0 entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware devcaddynuxt-unicausal-client" entryPointName=web routerName=devcaddynuxt@docker middlewareName=tracing middlewareType=TracingForwarder
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="middleware \"file.redirectwebsecure@docker\" does not exist" entryPointName=web routerName=devcaddynuxt@docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="No default certificate, generating one"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="the router devcaddynuxt uses a non-existent resolver: letsencrypt"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="the router api uses a non-existent resolver: letsencrypt"
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56299: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56300: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="Serving default certificate for request: \"stage.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="Serving default certificate for request: \"stage.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56321: read tcp 172.23.0.2:443->108.246.102.12:56321: read: connection reset by peer"
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56322: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56542: read tcp 172.23.0.2:443->108.246.102.12:56542: read: connection reset by peer"
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56543: read tcp 172.23.0.2:443->108.246.102.12:56543: read: connection reset by peer"
Now this is the other docker container. This is for the client / client side:
I wasn't sure about the labels in this one. Where can they be defined, in the docker file or in the traefik toml file? Also, how do I handle the http to https redirects here?
Docker compose file:
version: '3.5'
services:
  # For Nuxt server
  devcaddynuxt:
    build:
      context: .
      dockerfile: ./configdocker/staging/devCaddyNuxt-Dockerfile
    environment:
      - "ACME_AGREE=true"
    restart: always
    networks:
      - unicausalapi
      - unicausalpublic
      - unicausalnetwork
      - unicausaldevelopment
      - stageunicausaldevelopment
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=unicausalpublic"
      - "traefik.http.routers.devcaddynuxt.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.devcaddynuxt.entrypoints=web"
      - "traefik.http.routers.devcaddynuxt.middlewares=file.redirectwebsecure"
      - "traefik.http.routers.websecure.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.websecure.entrypoints=websecure"
      - "traefik.http.routers.websecure.tls=true"
      - "traefik.http.routers.devcaddynuxt.tls.certresolver=letsencrypt"
      # - "traefik.http.services.devcaddynuxt.loadbalancer.server.port=443"
  devnuxt:
    build: ./unicausal-client-nuxt/
    restart: always
    networks:
      - unicausalpublic
      - unicausaldevelopment
      - stageunicausaldevelopment
    ports:
      - "8004:80"
    command:
      "npm run start"
networks:
  unicausalpublic:
    external: true
  unicausalnetwork:
    external: true
  unicausalapi:
    external: true
  unicausaldevelopment:
    external: true
  stageunicausaldevelopment:
    external: true
Caddyfile config (the Dockerfile pretty much just pulls the image):
:80 {
    proxy / devnuxt:8004 {
        transparent
    }
    log stdout
    errors stdout
}
Also, I am aware of
level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: permissions 644 for /letsencrypt/acme.json are too open, please use 600"
I have tried correctly changing the permissions to 600 many times, but I still get the TLS handshake error regardless.
Thanks for your time; if I am missing more information, let me know. I really want to learn this, but I feel the documentation lacks clear examples of what I want, and I am a beginner at devops.
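The following is an added example, not the poster's files, showing one way to get the setup described above working on Traefik v2.0. It addresses what the posted log actually reports: the ACME provider was never registered because acme.json was mode 644, so every router that names the `letsencrypt` resolver logs "non-existent resolver" and the default self-signed certificate is served (hence the "unknown certificate" handshake errors); the `[http.routers]` and `[http.middlewares]` sections in traefik.toml are dynamic configuration, which v2 does not read from the static file unless a file provider points at a separate file, so `file.redirectwebsecure` resolved to `file.redirectwebsecure@docker` and did not exist (the provider goes after `@`, not before a dot); the dashboard router on the traefik container was routed to the container's own port 80 instead of `api@internal`; `redirectScheme.scheme` has to be `https`, not the entrypoint name; and the cert resolver was attached to the plain-HTTP router while the TLS router had none. Everything is expressed as command-line flags and labels in a single compose file, so no traefik.toml is needed. Assumptions: the hostnames and e-mail from the post, the external `unicausalpublic` network, and a `./letsencrypt` directory that either contains no acme.json yet (Traefik creates it with mode 600) or one created with `install -m 600 /dev/null ./letsencrypt/acme.json`. The basic-auth hash is a placeholder; generate a real one with `htpasswd -nB admin` and double every `$` because compose interpolates single ones.

```yaml
# Added example (not the poster's configuration): Traefik v2.0 dashboard,
# ACME http-01 and HTTP->HTTPS redirect done entirely with flags and labels.
version: '3.5'

services:
  traefik:
    image: traefik:v2.0.2
    restart: always
    command:
      - "--log.level=INFO"
      - "--api.dashboard=true"
      - "--api.insecure=false"                    # never expose the API on :8080
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=unicausalpublic"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=yeaboii@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # Staging CA while testing (untrusted certs); remove this flag for production.
      - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      - "80:80"
      - "443:443"
      # 8080 is deliberately not published: the dashboard is only reachable
      # through the "api" router below, on 443, behind basic auth.
    networks:
      - unicausalpublic
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt                # acme.json must be mode 600
    labels:
      - "traefik.enable=true"
      # Dashboard router: target the internal API service, not a container port.
      - "traefik.http.routers.api.rule=Host(`monitor.unicausal.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.middlewares=dashadmin"
      # Placeholder htpasswd hash (assumption); '$' is doubled for compose.
      - "traefik.http.middlewares.dashadmin.basicauth.users=admin:$$apr1$$REPLACEME$$REPLACEWITHREALHASH"
      # One HTTP->HTTPS redirect middleware, defined here and reused by every app.
      - "traefik.http.middlewares.redirectwebsecure.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirectwebsecure.redirectscheme.permanent=true"

  devcaddynuxt:
    build:
      context: .
      dockerfile: ./configdocker/staging/devCaddyNuxt-Dockerfile
    restart: always
    networks:
      - unicausalpublic
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=unicausalpublic"
      # Plain-HTTP router: its only job is to redirect to the TLS router.
      # The ACME http-01 challenge is answered by Traefik before routing,
      # so the redirect does not break certificate issuance.
      - "traefik.http.routers.devcaddynuxt-web.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.devcaddynuxt-web.entrypoints=web"
      - "traefik.http.routers.devcaddynuxt-web.middlewares=redirectwebsecure@docker"
      # TLS router: the cert resolver belongs on the router that terminates TLS.
      - "traefik.http.routers.devcaddynuxt-secure.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.devcaddynuxt-secure.entrypoints=websecure"
      - "traefik.http.routers.devcaddynuxt-secure.tls.certresolver=letsencrypt"
      # Caddy listens on :80 inside the container; one service, both routers use it.
      - "traefik.http.services.devcaddynuxt.loadbalancer.server.port=80"

networks:
  unicausalpublic:
    external: true
```

After `docker-compose up -d`, `curl -sI http://stage.unicausal.com` should return a 301 with a `Location: https://...` header, and the log should no longer contain "non-existent resolver" or "Serving default certificate" lines for that host; if the permissions error reappears, the file under `./letsencrypt` was recreated with the wrong mode, so fix it on the host and restart the container. Note also that `devnuxt` publishes `8004:80`, so inside the compose network the Nuxt container listens on 80; a Caddy upstream of `devnuxt:8004` only works if something inside that container listens on 8004, which is not what the posted compose file suggests (this is an inference from the posted files, not something the log confirms).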