Я пытаюсь понять, почему я получаю ошибку 404. Я сократил его до сетей, создаваемых докерами, но все еще не в состоянии разобраться в Traefik.
Этот docker compose возвращает ошибку 404.
version: '3'
networks:
# keycloak_network:
# driver: bridge
web:
external: true
internal-network:
internal: true
volumes:
keycloak_data:
driver: local
services:
keycloak_postgres:
image: postgres
volumes:
- keycloak_data:/var/lib/postgresql/data
environment:
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
restart: always
networks:
# keycloak_network:
web:
keycloak:
image: jboss/keycloak
#build: ./server
environment:
DB_VENDOR: ${DB_VENDOR}
DB_ADDR: ${DB_ADDR}
POSTGRES_DB: ${POSTGRES_DB}
DB_USER: ${DB_USER}
DB_SCHEMA: ${DB_SCHEMA}
DB_PASSWORD: ${DB_PASSWORD}
KEYCLOAK_USER: ${KEYCLOAK_USER}
KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
#PROXY_ADDRESS_FORWARDING: "true"
# Uncomment the line below if you want to specify JDBC parameters. The parameter below is just an example, and it shouldn't be used in production without knowledge. It is highly recommended that you read the PostgreSQL JDBC driver documentation in order to use it.
#JDBC_PARAMS: "ssl=true"
depends_on:
- keycloak_postgres
volumes:
- ./themes:/opt/jboss/keycloak/themes/custom_theme
- ./disable_ssl.sh:/opt/jboss/keycloak/disable_ssl.sh
- ./themes/base/account/account.ftl:/opt/jboss/keycloak/themes/base/account/account.ftl
#- ./nginx/ssl:/etc/x509/https
restart: always
networks:
#keycloak_network:
web:
# aliases:
# - "api.adwin.usa.northeast.dn"
ports:
- "8444:8080"
logging:
driver: "json-file"
options:
max-size: "200k"
max-file: "10"
labels:
- traefik.port=8080
- traefik.frontend.rule=Path:/keycloak
- traefik.docker.network=web
#- traefik.frontend.rule=Host:api.adwin.usa.northeast.dn
#- traefik.frontend.rule=Path:/keycloak
omgwtfssl:
image: paulczar/omgwtfssl
volumes:
- "./certs:/certs"
environment:
- SSL_SUBJECT=*
keycloak_graphql:
image: hasura/graphql-engine:v1.0.0-alpha40
# ports:
# - "9091:8080"
depends_on:
- "keycloak_postgres"
- "keycloak_auth"
restart: always
environment:
HASURA_GRAPHQL_DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DB_ADDR}:5432/${POSTGRES_DB}
HASURA_GRAPHQL_ENABLE_TELEMETRY: "false" # https://docs.hasura.io/1.0/graphql/manual/guides/telemetry.html
HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_GRAPHQL_ADMIN_SECRET}
HASURA_GRAPHQL_AUTH_HOOK: ${HASURA_GRAPHQL_AUTH_HOOK}
networks:
#keycloak_network:
web:
labels:
- traefik.port=8080
- traefik.frontend.rule=Path:/keycloak-graphql
- traefik.docker.network=web
#- traefik.frontend.rule=Host:api.adwin.usa.northeast.dn
keycloak_auth:
image: httpsomkar/keycloak-hasura-connector:latest
environment:
KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID}
KEYCLOAK_SERVER_URL: ${KEYCLOAK_SERVER_URL}
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_SECRET: ${KEYCLOAK_SECRET}
AUTH_MODE: ${AUTH_MODE} # SINGLE USER, ORGANIZATION
networks:
#keycloak_network:
web:
Этот docker-compose проксирует образ контейнера whoami для localhost / whoami, и он работает, как я и ожидал. Здесь я раскрываю контейнер whoami для публичной сети. Однако смысл Traefik (поправьте меня, если я ошибаюсь) заключается в ограничении дыр в безопасности. Я бы хотел выставить только 80 / 443.
Я пытаюсь заставить keycloak работать с Traefik, но получаю ошибку 404. Я могу получить тайм-аут шлюза, переключившись на внутреннюю сеть, и могу проверить, работает ли keytainak cointainer, нажав localhost: 8443 (с указанием портов).
Что мне не хватает? Я пробовал субдомены keycloak.adwin.usa.northeast.dn и adwin.usa.northeast.dn / keycloak. Мне повезло больше с / keycloak, чем с поддоменами. Возможно ли это без структуры DNS?
version: '3'
networks:
web:
external: true
internal-network:
internal: true
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --api --docker --docker.watch --logLevel=DEBUG
# depends_on:
# - omgwtfssl
networks:
- web
ports:
- "80:80"
- "443:443"
- "5000:8080"
volumes:
- ./traefik.toml:/traefik.toml
- ./certs/:/certs/
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
#labels:
#- traefik.port=8080
#- traefik.frontend.rule=Path:/monitor
#- traefik.protocol=http
# - traefik.docker.network=web
# We only need to run this one time to generate our ./cert directory.
# omgwtfssl:
# image: paulczar/omgwtfssl
# volumes:
# - "./certs:/certs"
# environment:
# - SSL_SUBJECT=api.adwin.usa.northeast.dn
whoami:
image: containous/whoami # A container that exposes an API to show its IP address
labels:
- traefik.port=80
#- traefik.protocol=http
- traefik.frontend.rule=Path:/whoami
#- traefik.frontend.rule=Host:whoami.adwin.usa.northeast.dn
- traefik.docker.network=web
networks:
- web
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/certs/cert.pem"
keyFile = "/certs/key.pem"
[docker]
domain = "adwin.usa.northeast.dn"
watch = true
#usebindportip = true