企业级——容器反向代理利器之traefik
zhezhongyun 2025-05-08 08:06 24 浏览
traefik
Traefk 是一个云原生的新型的 HTTP 反向代理、负载均衡软件,能轻易的部署微服务。它支持多种后端 (Docker, Swarm, Mesos/Marathon, Consul, Etcd, Zookeeper, BoltDB, Rest API, file...) , 可以对配置进行自动化、动态的管理。
证书
证书生成,采用acme.sh自动生成,推荐neilpang/acme.sh镜像,支持aliyun dns api直接操作dns的创建和修改。
version: "3"
services:
acme.sh:
image: neilpang/acme.sh
container_name: acme.sh
restart: always
network_mode: host
environment:
- TZ=Asia/Shanghai
- Ali_Key='替换aliyun的 key'
- Ali_Secret='替换aliyun的 secret'
- ACCOUNT_THUMBPRINT='acme.sh 日志中 可以看到 账号信息'
volumes:
- ./ssl:/acme.sh
- ./html:/webroot
command: daemon生成泛域名证书
acme.sh --issue --dns dns_ali --force --log -d clibing.com -d \*.clibing.com结果
ssl
├── account.conf
├── acme.sh.log
├── ca
│ ├── acme-v02.api.letsencrypt.org
│ │ └── directory
│ │ ├── account.json
│ │ ├── account.key
│ │ └── ca.conf
│ └── acme.zerossl.com
│ └── v2
│ └── DV90
│ ├── account.json
│ ├── account.key
│ └── ca.conf
├── clibing.com
│ ├── ca.cer
│ ├── clibing.com.cer
│ ├── clibing.com.conf
│ ├── clibing.com.csr
│ ├── clibing.com.csr.conf
│ ├── clibing.com.key
│ └── fullchain.cer
├── dhparams.pem
├── http.header
└── linuxcrypt.cn
├── ca.cer
├── fullchain.cer
├── linuxcrypt.cn.cer
├── linuxcrypt.cn.conf
├── linuxcrypt.cn.csr
├── linuxcrypt.cn.csr.conf
└── linuxcrypt.cn.key快速部署traefix
tls.toml 配置文件
[tls]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
# TLS 1.3
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
# TLS 1.2
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
[tls.stores.default.defaultCertificate]
certFile = "/certs/clibing.com/fullchain.cer"
keyFile = "/certs/clibing.com/clibing.com.key"
[[tls.certificates]]
certFile = "/certs/clibing.com/fullchain.cer"
keyFile = "/certs/clibing.com/clibing.com.key"
[[tls.certificates]]
certFile = "/certs/linuxcrypt.cn/fullchain.cer"
keyFile = "/certs/linuxcrypt.cn/linuxcrypt.cn.key"docker-compose.yaml
name: traefik
services:
traefik:
image: traefik:v3.1.1
restart: always
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
# 避免 Traefik 进行数据上报
extra_hosts:
# https://github.com/traefik/traefik/blob/master/pkg/version/version.go#L64
- "update.traefik.io:127.0.0.1"
# https://github.com/containous/traefik/blob/master/pkg/collector/collector.go#L20
- "collect.traefik.io:127.0.0.1"
- "stats.g.doubleclick.net:127.0.0.1"
command:
- "--global.sendanonymoususage=false" # 避免 Traefik 进行数据上报
- "--global.checknewversion=false" # 避免 Traefik 进行数据上报
- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true" # dashboard 默认8080
- "--api.debug=false"
- "--ping=true"
- "--log.level=INFO"
- "--log.format=common"
- "--accesslog=false"
- "--providers.docker=true"
- "--providers.docker.watch=true"
- "--providers.docker.exposedbydefault=false" # 为了避免Traefik智能的自动解析和将所有在Traefik网络的服务都尝试进行公开服务,我们可以在命令中添加下面的命令,让 Traefik 只对我们在 labels 中声明了要进行服务注册的应用提供服务
- "--providers.docker.endpoint=unix:///var/run/docker.sock" #
- "--providers.docker.useBindPortIP=false"
- "--providers.docker.network=traefik" # 使用指定虚拟网络
- "--providers.file=true"
- "--providers.file.watch=true"
- "--providers.file.directory=/etc/traefik/config" # 配置目录 当启用tls,默认会读取该目录下的tls.toml
- "--providers.file.debugloggeneratedtemplate=true"
networks:
- traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.middlewares.gzip.compress=true"
# 将服务协议从 HTTP 自动切换为 HTTPS 的 Traefik 中间件规则
- "traefik.http.middlewares.redir-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redir-https.redirectscheme.permanent=false"
# HTTP 网页服务的路由上添加这个中间件规则
- "traefik.http.routers.traefik-dashboard.middlewares=redir-https@docker"
- "traefik.http.routers.traefik-dashboard-secure.middlewares=gzip@docker"
- "traefik.http.routers.traefik-dashboard-api-secure.middlewares=gzip@docker"
- "traefik.http.routers.traefik-dashboard.entrypoints=http"
- "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.console.clibing.com`)"
- "traefik.http.routers.traefik-dashboard.service=noop@internal"
- "traefik.http.routers.traefik-dashboard-secure.entrypoints=https"
- "traefik.http.routers.traefik-dashboard-secure.tls=true"
- "traefik.http.routers.traefik-dashboard-secure.rule=Host(`traefik.console.clibing.com`)"
- "traefik.http.routers.traefik-dashboard-secure.service=dashboard@internal"
- "traefik.http.routers.traefik-dashboard-api-secure.entrypoints=https"
- "traefik.http.routers.traefik-dashboard-api-secure.tls=true"
- "traefik.http.routers.traefik-dashboard-api-secure.rule=Host(`traefik.console.clibing.com`) && PathPrefix(`/api`)"
- "traefik.http.routers.traefik-dashboard-api-secure.service=api@internal"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/:/etc/traefik/config/:ro
- ./certs/:/certs/:ro
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
interval: 3s
retries: 10
logging:
driver: "json-file"
options:
max-size: "10m"
networks:
traefik:
external: true访问8080查看 traefik dashboard管理界面
gitea增加labels
以下贴出关键部分
name: gitea
services:
gitea:
labels:
# https://soulteary.com/2020/02/04/gitea-git-server-with-docker-and-traefik-v2.html
- "traefik.enable=true"
- "traefik.http.routers.giteaweb.middlewares=https-redirect@file"
- "traefik.http.routers.giteaweb.entrypoints=http"
- "traefik.http.routers.giteaweb.rule=Host(`git.clibing.com`)"
- "traefik.http.routers.giteassl.middlewares=content-compress@file"
- "traefik.http.routers.giteassl.entrypoints=https"
- "traefik.http.routers.giteassl.tls=true"
- "traefik.http.routers.giteassl.rule=Host(`git.clibing.com`)"
- "traefik.http.services.giteabackend.loadbalancer.server.scheme=http"
- "traefik.http.services.giteabackend.loadbalancer.server.port=3000"
- "traefik.tcp.routers.giteassh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.giteassh.tls=true"
- "traefik.tcp.routers.giteassh.entrypoints=git"
- "traefik.tcp.routers.giteassh.service=gitea"
networks:
- traefik
networks:
traefik:
external: true配置jenkins lables
以下贴出关键部分
name: jenkins
services:
jenkins:
labels:
- "traefik.enable=true"
- "traefik.http.routers.jenkins.rule=Host(`build.clibing.com`)"
- "traefik.http.routers.jenkins.tls=true"
networks:
- traefik
networks:
traefik:
external: true配置nexus lables
name: nexus
services:
nexus:
labels:
- "traefik.enable=true"
- "traefik.http.routers.nexus.rule=Host(`nexus.clibing.com`)"
- "traefik.http.routers.nexus.tls=true"
networks:
- traefik
networks:
traefik:
external: true测试
追加本地dns记录
sudo vi /etc/hosts
192.168.1.101 git.clibing.com
192.168.1.101 build.clibing.com
192.168.1.101 nexus.clibing.com
jenkins:
curl -iv https://build.clibing.com/login
* Trying 192.168.1.101:443...
* Connected to build.clibing.com (192.168.1.101) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=clibing.com
* start date: Jun 17 00:00:00 2024 GMT
* expire date: Sep 15 23:59:59 2024 GMT
* subjectAltName: host "build.clibing.com" matched cert's "*.clibing.com"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faae3012200)
> GET /login HTTP/2
> Host: build.clibing.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
HTTP/2 200
< cache-control: no-cache,no-store,must-revalidate
cache-control: no-cache,no-store,must-revalidate
< content-type: text/html;charset=utf-8
content-type: text/html;charset=utf-8
< date: Sun, 04 Aug 2024 16:20:59 GMT
date: Sun, 04 Aug 2024 16:20:59 GMT
< expires: Thu, 01 Jan 1970 00:00:00 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
< server: Jetty(10.0.20)
server: Jetty(10.0.20)
< set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-frame-options: sameorigin
x-frame-options: sameorigin
< x-hudson: 1.395
x-hudson: 1.395
< x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
< x-jenkins: 2.452.3
x-jenkins: 2.452.3
< x-jenkins-session: a6707f59
x-jenkins-session: a6707f59
<
<!DOCTYPE html><html lang="en-US"><head resURL="/static/a6707f59" data-rooturl="" data-resurl="/static/a6707f59" data-imagesurl="/static/a6707f59/images"><title>Sign in [Jenkins]</title><meta name="ROBOTS" content="NOFOLLOW"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="icon" href="/static/a6707f59/favicon.svg" type="image/svg+xml"><link sizes="any" rel="alternate icon" href="/static/a6707f59/favicon.ico"><link rel="stylesheet" href="/static/a6707f59/jsbundles/simple-page.css" type="text/css"><script id="theme-manager-theme" type="application/json">{ "id": "none", "respect_system_appearance": false }</script><script src='/adjuncts/a6707f59/io/jenkins/plugins/thememanager/header/main.js' type='text/javascript'></script>
<link type="text/css" rel="stylesheet" href="http://localhost:8080/theme-dark/theme.css"/>
<script id="theme-manager-properties" type="application/json">{}</script>
* Connection #0 to host build.clibing.com left intact
</head><body class="app-sign-in-register"><section class="app-sign-in-register__branding"><div class="app-sign-in-register__branding__starburst"></div><img src="/static/a6707f59/images/svgs/logo.svg" alt="logo"></section><main id="main-panel" class="app-sign-in-register__content"><div class="app-sign-in-register__content-inner"><h1>Sign in to Jenkins</h1><script id="theme-manager-theme" type="application/json">{ "id": "none" }</script><form method="post" name="login" action="j_spring_security_check"><div><label class="app-sign-in-register__form-label" for="j_username">Username</label><input autocorrect="off" autocomplete="off" name="j_username" id="j_username" type="text" autofocus="autofocus" class="jenkins-input " autocapitalize="off"></div><div><label class="app-sign-in-register__form-label" for="j_password">Password</label><input name="j_password" id="j_password" type="password" class="jenkins-input "></div><div class="jenkins-checkbox"><input type="checkbox" id="remember_me" name="remember_me"><label for="remember_me">Keep me signed in</label></div><input name="from" type="hidden"><button type="submit" name="Submit" class="jenkins-button jenkins-button--primary">Sign in</button></form><div class="footer"></div></div></main></body></html>%参考
- 官网文档:https://doc.traefik.io/traefik/https/tls/
- https://maimai.cn/article/detail?fid=1795202127&efid=-fHLwxX3blYvcJlBQuvd8A
- https://cloud.tencent.com/developer/article/2323382
相关推荐
- 怎样设置EditText内部文字被锁定不可删除和修改
-
在做项目的时候,我曾经遇到过这样的要求,就是跟百度贴吧客户端上的一样,在回复帖子的时候,在EditText中显示回复人的名字,而且这个名字不可以修改和删除,说白了就是不可操作,只能在后面输入内容。在E...
- iOS的布局体系-流式布局MyFlowLayout
-
iOS布局体系的概览在我的CSDN博客中的几篇文章分别介绍MyLayout布局体系中的视图从一个方向依次排列的线性布局(MyLinearLayout)、视图层叠且停靠于父布局视图某个位置的框架布局(M...
- 浏览器滚动条hover时变粗、改变颜色
-
今天应UED的要求对项目的滚动条进行美化,原生的滚动条虽然很实用,但确实不美观。用了一些css美化后::-webkit-scrollbar{height:9px;width:9...
- QML控件类型:ComboBox、Control(qml buttongroup)
-
Control一、描述Control是所有控件通用功能的抽象基类型。它从窗口系统接收输入事件,并在屏幕上绘制自身。二、控件布局控件的implicitWidth和implicitHeight通...
- 学习CSS布局:简单表格布局代码示例
-
性能优化-学习CSS布局:简单表格布局代码示例CSS是现代Web设计和开发的必备技能之一。而表格布局是Web页面中常用的布局之一,用于展示数据和信息。在这篇文章中,我们将介绍如何使用CSS创建一个简单...
- UE5之UMG基础第1篇:统一网格面板(ue5 新功能)
-
目标:记录和学习UE5的UMG方法制作UI,使用UniformGridPanel制作效果如下:步骤1.增加前言:UniformGridPanel统一网格面板,就是所有子元素大小和间隔等统一,这种效果...
- JS的 DOM 尺寸与位置属性(js设置dom属性)
-
#头条深一度-深度阅读计划#在JavaScript开发中,操作DOM元素的尺寸和位置是常见的任务,尤其是在实现动画、布局调整或响应式设计时。本文将全面解析JavaScript中与DOM...
- SpriteJS:图形库造轮子的那些事儿
-
从2017年到2020年,我花了大约4年的时间,从零到一,实现了一个可切换WebGL和Canvas2D渲染的,跨平台支持浏览器、SSR、小程序,基于DOM结构和支持响应式的,高...
- 理解CSS中的百分比单位:相对尺寸的核心规则
-
在CSS中,百分比(`%`)是一种灵活且强大的相对单位,但其具体行为常让开发者感到困惑。本文将深入解析百分比单位的计算规则,帮助你彻底掌握其背后的逻辑。一、百分比的核心:参考系(包含块)百分比的值始...
- 36个工作中常用的JavaScript函数片段「值得收藏」
-
作者:Eno_Yao转发链接:https://segmentfault.com/a/1190000022623676前言如果文章和笔记能带您一丝帮助或者启发,请不要吝啬你的赞和收藏,你的肯定是我前进的...
- 如何使用css完成视差滚动效果?(css 视距)
-
视差滚动(ParallaxScrolling)是指多层背景以不同的速度移动,形成立体的运动效果,带来非常出色的视觉体验我们可以把网页解刨成:背景层、内容层、悬浮层使用css形式实现视觉差滚动效果的方...
- vant-List 列表(vant select)
-
引入importVuefrom'vue';import{List}from'vant';Vue.use(List);基础用法List组件通过lo...
- Vue3问题:如何使用WangEditor富文本?能自定义才是真的会用!
-
笔者|大澈大家好,我是大澈!今天的问题,来自于上周末问题留言的朋友嘻嘻哈哈。欢迎大家在周末的问题留言推文中,积极进行问题留言,把这周工作日遇到的问题,分享给大家瞧瞧,或者直接进问答群,一起交流唠...
- 微信小程序开发极简入门(二):样式,页面,数据
-
前文:微信小程序开发极简入门(一)样式wxss:/**放在页面的wxss**/.scrollarea{flex:1;overflow-y:hidden;}.idx_view{...
- AI+Code驱动的M站首页重构实践:从技术债务到智能化开发
-
本文分享了阿里巴巴找品M站首页重构项目中AI+Code提效的实践经验。面对M站技术栈陈旧、开发效率低下的挑战,我们通过楼层动态化架构重构和AI智能脚手架,实现了70%首页场景的标准化覆盖+30%的...
- 一周热门
- 最近发表
- 标签列表
-
- HTML 教程 (33)
- HTML 简介 (35)
- HTML 实例/测验 (32)
- HTML 测验 (32)
- JavaScript 和 HTML DOM 参考手册 (32)
- HTML 拓展阅读 (30)
- HTML文本框样式 (31)
- HTML滚动条样式 (34)
- HTML5 浏览器支持 (33)
- HTML5 新元素 (33)
- HTML5 WebSocket (30)
- HTML5 代码规范 (32)
- HTML5 标签 (717)
- HTML5 标签 (已废弃) (75)
- HTML5电子书 (32)
- HTML5开发工具 (34)
- HTML5小游戏源码 (34)
- HTML5模板下载 (30)
- HTTP 状态消息 (33)
- HTTP 方法:GET 对比 POST (33)
- 键盘快捷键 (35)
- 标签 (226)
- HTML button formtarget 属性 (30)
- CSS 水平对齐 (Horizontal Align) (30)
- opacity 属性 (32)