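In my initial attempt to migrate a docker-swarm-based Traefik installation from 1.7 to 2.0, I found that the static SSL configuration specified by default in the traefik.toml configuration file was ignored, and with debugging enabled my docker logs showed many messages like this: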
time="2019-11-06T20:26:30Z" level=debug msg="No default certificate, generating one"
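Answer 0: (score: 3)
It turns out that in Traefik 2.0 the SSL configuration is always treated as dynamic configuration (read carefully here), so a dynamic file provider must be defined (see here), and this dynamic configuration must also live in a file separate from the main Traefik configuration file.
If you try to simplify this and declare the main traefik configuration file as the dynamic file provider, you will probably see this unhelpful message in the logs: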
time="2019-11-06T20:26:30Z" level=error msg="Cannot start the provider *file.Provider: template: :179:35: executing \"\" at <.Name>: can't evaluate field Name in type bool"
With a correct configuration, the message will instead look like this:
time="2019-11-06T20:45:20Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"tls\":{\"stores\":{\"default\":{\"defaultCertificate\":{\"certFile\":\"/etc/certs/server.crt\",\"keyFile\":\"/etc/certs/server.key\"}}}}}" providerName=file
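Several posts on containous' community forum (e.g. here) and on Reddit (e.g. here) certainly helped in solving this, but hopefully this summary helps too.
The following docker-compose.yml (hand-edited to remove some abstractions such as placement constraints, networks, our own authentication, etc.) works at this point to run Traefik as a scaled docker service on docker swarm, with the dashboard enabled and behind https. In this case the Traefik labels are on the Traefik service itself and set up a router and a "backend" service for the dashboard running on 8080.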
```yaml
version: '3.3'

secrets:
  rsa_private_key:
    file: key.pem
  rsa_cert:
    file: crt.pem

configs:
  toml_conf:
    file: traefik.toml
  dynamic_toml_conf:
    file: dynamic_conf.toml

services:
  svc:
    # The official v2.0 Traefik docker image
    image: traefik:v2.0.2
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # Primary inbound HTTPS traffic.
      - "443:443"
      # HTTP traffic open for the purposes of permanent redirect to HTTPS.
      - "80:80"
    deploy:
      replicas: 3
      restart_policy:
        condition: on-failure
        max_attempts: 3
        delay: 30s
        window: 60s
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.api-sec.entrypoints=websecure"
        - "traefik.http.routers.api-sec.tls=true"
        - "traefik.http.routers.api-sec.tls.options=default"
        - "traefik.http.routers.api-sec.rule=Host(`myhost`)"
        - "traefik.http.routers.api-sec.service=api@internal"
        # Now the backend service...
        - "traefik.http.services.api.loadbalancer.server.port=8080"
    secrets:
      - source: rsa_private_key
        target: /etc/certs/server.key
      - source: rsa_cert
        target: /etc/certs/server.crt
    configs:
      - source: toml_conf
        target: /etc/traefik/traefik.toml
      - source: dynamic_toml_conf
        target: /etc/dynamic_conf.toml
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
```
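
The compose file mounts traefik.toml and dynamic_conf.toml, but the answer does not show either file. The sketch below is an added example, not the answerer's own files: it shows how the static/dynamic split described above could look, using the mount targets from the compose file and the certificate paths from the "Configuration received" log line. The `web` entry point name, `exposedByDefault`, the log level and the TLS minimum version are assumptions.

```toml
# ---- File 1: /etc/traefik/traefik.toml (static configuration) ----
# Read once at startup. In Traefik 2.0 certificates placed here are ignored,
# which leads to the "No default certificate, generating one" message.

[entryPoints]
  [entryPoints.web]          # name assumed; port 80 is published in the compose file
    address = ":80"
  [entryPoints.websecure]    # name taken from the api-sec router label
    address = ":443"

[api]
  dashboard = true           # exposes api@internal, routed by the labels over TLS

[providers.docker]
  swarmMode = true
  exposedByDefault = false   # assumption: only services with traefik.enable=true

[providers.file]
  # Must point at a separate file. Pointing it at traefik.toml itself
  # produces the "Cannot start the provider *file.Provider" error.
  filename = "/etc/dynamic_conf.toml"

[log]
  level = "DEBUG"            # assumption: needed to see the provider message

# ---- File 2: /etc/dynamic_conf.toml (dynamic configuration) ----
# Loaded by the file provider; all TLS settings live here.

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/etc/certs/server.crt"   # swarm secret rsa_cert
      keyFile  = "/etc/certs/server.key"   # swarm secret rsa_private_key

[tls.options]
  [tls.options.default]      # referenced by the tls.options=default label
    minVersion = "VersionTLS12"   # assumption: hardening choice, not from the post
```

Once both files are mounted, the debug log should show the "Configuration received from provider file" line with the `defaultCertificate` paths instead of the generated-certificate message.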