企业级——容器反向代理利器之traefik

zhezhongyun 2025-05-08 08:06 30 浏览

traefik

Traefk 是一个云原生的新型的 HTTP 反向代理、负载均衡软件，能轻易的部署微服务。它支持多种后端 (Docker, Swarm, Mesos/Marathon, Consul, Etcd, Zookeeper, BoltDB, Rest API, file...) , 可以对配置进行自动化、动态的管理。

证书

证书生成，采用acme.sh自动生成，推荐neilpang/acme.sh镜像，支持aliyun dns api直接操作dns的创建和修改。

version: "3"
services:
  acme.sh:
    image: neilpang/acme.sh
    container_name: acme.sh
    restart: always
    network_mode: host
    environment:
      - TZ=Asia/Shanghai
      - Ali_Key='替换aliyun的 key'
      - Ali_Secret='替换aliyun的 secret'
      - ACCOUNT_THUMBPRINT='acme.sh 日志中 可以看到 账号信息'

    volumes:
      - ./ssl:/acme.sh
      - ./html:/webroot
    command: daemon

生成泛域名证书

acme.sh --issue --dns dns_ali --force --log -d clibing.com -d \*.clibing.com

结果

ssl
├── account.conf
├── acme.sh.log
├── ca
│   ├── acme-v02.api.letsencrypt.org
│   │   └── directory
│   │       ├── account.json
│   │       ├── account.key
│   │       └── ca.conf
│   └── acme.zerossl.com
│       └── v2
│           └── DV90
│               ├── account.json
│               ├── account.key
│               └── ca.conf
├── clibing.com
│   ├── ca.cer
│   ├── clibing.com.cer
│   ├── clibing.com.conf
│   ├── clibing.com.csr
│   ├── clibing.com.csr.conf
│   ├── clibing.com.key
│   └── fullchain.cer
├── dhparams.pem
├── http.header
└── linuxcrypt.cn
    ├── ca.cer
    ├── fullchain.cer
    ├── linuxcrypt.cn.cer
    ├── linuxcrypt.cn.conf
    ├── linuxcrypt.cn.csr
    ├── linuxcrypt.cn.csr.conf
    └── linuxcrypt.cn.key

快速部署traefix

tls.toml 配置文件

[tls]
  [tls.options.default]
  minVersion = "VersionTLS12"
  sniStrict = true
  cipherSuites = [
    # TLS 1.3
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    # TLS 1.2
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  ]

  [tls.stores.default.defaultCertificate]
  certFile = "/certs/clibing.com/fullchain.cer"
  keyFile = "/certs/clibing.com/clibing.com.key"

  [[tls.certificates]]
  certFile = "/certs/clibing.com/fullchain.cer"
  keyFile = "/certs/clibing.com/clibing.com.key"

  [[tls.certificates]]
  certFile = "/certs/linuxcrypt.cn/fullchain.cer"
  keyFile = "/certs/linuxcrypt.cn/linuxcrypt.cn.key"

docker-compose.yaml

name: traefik

services:
  traefik:
    image: traefik:v3.1.1
    restart: always
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host

    # 避免 Traefik 进行数据上报
    extra_hosts:
      # https://github.com/traefik/traefik/blob/master/pkg/version/version.go#L64
      - "update.traefik.io:127.0.0.1"
      # https://github.com/containous/traefik/blob/master/pkg/collector/collector.go#L20
      - "collect.traefik.io:127.0.0.1"
      - "stats.g.doubleclick.net:127.0.0.1"

    command:
      - "--global.sendanonymoususage=false" # 避免 Traefik 进行数据上报
      - "--global.checknewversion=false"    # 避免 Traefik 进行数据上报

      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--api=true"
      - "--api.insecure=true"

      - "--api.dashboard=true"              # dashboard 默认8080

      - "--api.debug=false"
      - "--ping=true"
      - "--log.level=INFO"
      - "--log.format=common"
      - "--accesslog=false"
      - "--providers.docker=true"
      - "--providers.docker.watch=true"
      - "--providers.docker.exposedbydefault=false"               # 为了避免Traefik智能的自动解析和将所有在Traefik网络的服务都尝试进行公开服务，我们可以在命令中添加下面的命令，让 Traefik 只对我们在 labels 中声明了要进行服务注册的应用提供服务
      - "--providers.docker.endpoint=unix:///var/run/docker.sock" #
      - "--providers.docker.useBindPortIP=false"
      - "--providers.docker.network=traefik"                      # 使用指定虚拟网络

      - "--providers.file=true"
      - "--providers.file.watch=true"
      - "--providers.file.directory=/etc/traefik/config"          # 配置目录 当启用tls，默认会读取该目录下的tls.toml
      - "--providers.file.debugloggeneratedtemplate=true"
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"

      - "traefik.http.middlewares.gzip.compress=true"

      # 将服务协议从 HTTP 自动切换为 HTTPS 的 Traefik 中间件规则
      - "traefik.http.middlewares.redir-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redir-https.redirectscheme.permanent=false"

      # HTTP 网页服务的路由上添加这个中间件规则
      - "traefik.http.routers.traefik-dashboard.middlewares=redir-https@docker"

      - "traefik.http.routers.traefik-dashboard-secure.middlewares=gzip@docker"
      - "traefik.http.routers.traefik-dashboard-api-secure.middlewares=gzip@docker"

      - "traefik.http.routers.traefik-dashboard.entrypoints=http"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.console.clibing.com`)"
      - "traefik.http.routers.traefik-dashboard.service=noop@internal"

      - "traefik.http.routers.traefik-dashboard-secure.entrypoints=https"
      - "traefik.http.routers.traefik-dashboard-secure.tls=true"
      - "traefik.http.routers.traefik-dashboard-secure.rule=Host(`traefik.console.clibing.com`)"
      - "traefik.http.routers.traefik-dashboard-secure.service=dashboard@internal"

      - "traefik.http.routers.traefik-dashboard-api-secure.entrypoints=https"
      - "traefik.http.routers.traefik-dashboard-api-secure.tls=true"
      - "traefik.http.routers.traefik-dashboard-api-secure.rule=Host(`traefik.console.clibing.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.traefik-dashboard-api-secure.service=api@internal"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/:/etc/traefik/config/:ro
      - ./certs/:/certs/:ro

    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
      interval: 3s
      retries: 10

    logging:
      driver: "json-file"
      options:
        max-size: "10m"

networks:
  traefik:
    external: true

访问8080查看 traefik dashboard管理界面

gitea增加labels

以下贴出关键部分

name: gitea

services:
  gitea:
    labels:
      # https://soulteary.com/2020/02/04/gitea-git-server-with-docker-and-traefik-v2.html
      - "traefik.enable=true"
      - "traefik.http.routers.giteaweb.middlewares=https-redirect@file"
      - "traefik.http.routers.giteaweb.entrypoints=http"
      - "traefik.http.routers.giteaweb.rule=Host(`git.clibing.com`)"

      - "traefik.http.routers.giteassl.middlewares=content-compress@file"
      - "traefik.http.routers.giteassl.entrypoints=https"
      - "traefik.http.routers.giteassl.tls=true"
      - "traefik.http.routers.giteassl.rule=Host(`git.clibing.com`)"

      - "traefik.http.services.giteabackend.loadbalancer.server.scheme=http"
      - "traefik.http.services.giteabackend.loadbalancer.server.port=3000"

      - "traefik.tcp.routers.giteassh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.giteassh.tls=true"
      - "traefik.tcp.routers.giteassh.entrypoints=git"
      - "traefik.tcp.routers.giteassh.service=gitea"
    networks:
      - traefik

networks:
  traefik:
    external: true

配置jenkins lables

以下贴出关键部分

name: jenkins

services:
  jenkins:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jenkins.rule=Host(`build.clibing.com`)"
      - "traefik.http.routers.jenkins.tls=true"
    networks:
      - traefik

networks:
  traefik:
    external: true

配置nexus lables

name: nexus

services:
  nexus:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nexus.rule=Host(`nexus.clibing.com`)"
      - "traefik.http.routers.nexus.tls=true"
    networks:
      - traefik

networks:
  traefik:
    external: true

测试

追加本地dns记录

sudo vi /etc/hosts

192.168.1.101   git.clibing.com
192.168.1.101   build.clibing.com
192.168.1.101   nexus.clibing.com

jenkins:

 curl -iv https://build.clibing.com/login
*   Trying 192.168.1.101:443...
* Connected to build.clibing.com (192.168.1.101) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=clibing.com
*  start date: Jun 17 00:00:00 2024 GMT
*  expire date: Sep 15 23:59:59 2024 GMT
*  subjectAltName: host "build.clibing.com" matched cert's "*.clibing.com"
*  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faae3012200)
> GET /login HTTP/2
> Host: build.clibing.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
HTTP/2 200
< cache-control: no-cache,no-store,must-revalidate
cache-control: no-cache,no-store,must-revalidate
< content-type: text/html;charset=utf-8
content-type: text/html;charset=utf-8
< date: Sun, 04 Aug 2024 16:20:59 GMT
date: Sun, 04 Aug 2024 16:20:59 GMT
< expires: Thu, 01 Jan 1970 00:00:00 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
< server: Jetty(10.0.20)
server: Jetty(10.0.20)
< set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-frame-options: sameorigin
x-frame-options: sameorigin
< x-hudson: 1.395
x-hudson: 1.395
< x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
< x-jenkins: 2.452.3
x-jenkins: 2.452.3
< x-jenkins-session: a6707f59
x-jenkins-session: a6707f59

<





    <!DOCTYPE html><html lang="en-US"><head resURL="/static/a6707f59" data-rooturl="" data-resurl="/static/a6707f59" data-imagesurl="/static/a6707f59/images"><title>Sign in [Jenkins]</title><meta name="ROBOTS" content="NOFOLLOW"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="icon" href="/static/a6707f59/favicon.svg" type="image/svg+xml"><link sizes="any" rel="alternate icon" href="/static/a6707f59/favicon.ico"><link rel="stylesheet" href="/static/a6707f59/jsbundles/simple-page.css" type="text/css"><script id="theme-manager-theme" type="application/json">{ "id": "none", "respect_system_appearance":  false }</script><script src='/adjuncts/a6707f59/io/jenkins/plugins/thememanager/header/main.js' type='text/javascript'></script>
  <link type="text/css" rel="stylesheet" href="http://localhost:8080/theme-dark/theme.css"/>
<script id="theme-manager-properties" type="application/json">{}</script>
* Connection #0 to host build.clibing.com left intact
</head><body class="app-sign-in-register"><section class="app-sign-in-register__branding"><div class="app-sign-in-register__branding__starburst"></div><img src="/static/a6707f59/images/svgs/logo.svg" alt="logo"></section><main id="main-panel" class="app-sign-in-register__content"><div class="app-sign-in-register__content-inner"><h1>Sign in to Jenkins</h1><script id="theme-manager-theme" type="application/json">{ "id": "none" }</script><form method="post" name="login" action="j_spring_security_check"><div><label class="app-sign-in-register__form-label" for="j_username">Username</label><input autocorrect="off" autocomplete="off" name="j_username" id="j_username" type="text" autofocus="autofocus" class="jenkins-input " autocapitalize="off"></div><div><label class="app-sign-in-register__form-label" for="j_password">Password</label><input name="j_password" id="j_password" type="password" class="jenkins-input "></div><div class="jenkins-checkbox"><input type="checkbox" id="remember_me" name="remember_me"><label for="remember_me">Keep me signed in</label></div><input name="from" type="hidden"><button type="submit" name="Submit" class="jenkins-button jenkins-button--primary">Sign in</button></form><div class="footer"></div></div></main></body></html>%

参考

官网文档：https://doc.traefik.io/traefik/https/tls/
https://maimai.cn/article/detail?fid=1795202127&efid=-fHLwxX3blYvcJlBQuvd8A
https://cloud.tencent.com/developer/article/2323382

HTML button autofocus 属性

上一篇：Flutter——输入部件（flutter输入框）
下一篇：如何根据权限进行按钮级别控制「Vue小知识」

企业级——容器反向代理利器之traefik

traefik

证书

快速部署traefix

gitea增加labels

配置jenkins lables

配置nexus lables

测试

参考

相关推荐

b端详情页:各种信息聚集地，设计师要如何规划这一亩三分地呢

漏洞系列一一看我一招征服漏洞 SSRF

Web前端需要学什么?Web前端开发需要学习哪些?

接口测试遇到500报错?别慌，你的头部可能有点问题

前端Flex布局可视化布局工具介绍，vue和html5快速设计利器

「资讯」为强迫用户使用Edge浏览器，微软又出新招数

HTML 简介（html简介及优缺点）

HBuilderX，uni-app创建HTML5项目，同时支持浏览器和移动端

现在页面实时聊天都使用Websocket技术实现吗?

关于HTML5被简称做H5，你怎么看?（html5缩写）