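How to enable frontend HTTPS for Traefik in an Azure Service Fabric container

Time: 2019-03-06 03:44:36

Tags: azure-service-fabric traefik

My backend services run in Docker containers hosted in Azure Service Fabric. The services are stateful, so we use Traefik to convert stateful requests into stateless requests. To do this, Traefik forwards requests from the frontend to our backend. This works fine over HTTP. Now we have to enable HTTPS on the frontend.

I have configured HTTPS for Azure Service Fabric. When I log in to a cluster node, I can reach the backend service through its private IP. But I cannot reach my service from the configured domain. The Traefik log shows "backend not found". I am using a self-signed certificate. Here is my configuration: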

[traefikLog]
  filePath = "log/traefik.log"
  format = "json"
  logLevel = "DEBUG"
# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Traefik logs file
# If not defined, logs to stdout
#
# Optional
#
#traefikLogsFile = "log/traefik.log"

# Log level
#
# Optional
# Default: "ERROR"

#logLevel = "DEBUG"

# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
[entryPoints.http]
address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]

[acme]
email = "abc@abc.com"
storage = "acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
[[acme.domains]]
  main = "domain1.azure.com"
[[acme.domains]]
  main = "domain2.azure.com"
[entryPoints.traefik]
address = ":8080"

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]

# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath = "log/log.txt"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

################################################################
# API definition
################################################################

[api]
  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  entryPoint = "traefik"

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard = true

  # Enable debug mode.
  # This will install HTTP handlers to expose Go expvars under /debug/vars and
  # pprof profiling data under /debug/pprof.
  # Additionally, the log level will be set to DEBUG.
  #
  # Optional
  # Default: false
  #
  debug = true

################################################################
# Service Fabric provider
################################################################

# Enable Service Fabric configuration backend
[servicefabric]
filename = "custom_config_template.tmpl" 
debugLogGeneratedTemplate = true

# Service Fabric Management Endpoint
clustermanagementurl = "https://localhost:19080"
# Note: use "https://localhost:19080" if you're using a secure cluster

# Service Fabric Management Endpoint API Version
apiversion = "3.0"

refreshSeconds = 10

# Enable TLS connection.
#
# Optional
#
[serviceFabric.tls]
  cert = "certs/servicefabric.crt"
  key = "certs/servicefabric.key"
  insecureskipverify = true

# Enable REST Provider.
[rest]
  # Name of the related entry point
  #
  # Optional
  # Default: "traefik"
  #
  entryPoint = "traefik"


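Here are some questions I don't understand:

  1. In the dashboard, why is the frontend still HTTP rather than HTTPS? Note the HTTP entry point

  2. Why can't I reach my service from the domain https://domain1.azure.com?

  3. Do I also have to enable HTTPS for the backend service? Right now I have done so, but I think it may be unnecessary, because HTTPS or HTTP on the backend service only matters when Traefik calls the backend. But we only need HTTPS enabled when calling the Traefik frontend. Am I right?

  4. In any case, since I have also enabled HTTPS for the backend service, do I have to bind the backend service to the same certificate that is configured in [entryPoints.https.tls]?

1 Answer:

Answer 0: (score: 1)

The problem was caused by my deployment. After updating the configuration, I had only redeployed the Traefik service.

  1. I had to redeploy both Traefik and the backend service.
  2. Same reason as question 1.
  3. Backend HTTPS is not needed.
  4. No.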
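After redeploying both services, the two symptoms from the question (a frontend still bound only to the HTTP entry point, and "backend not found") can be checked against the configuration Traefik actually loaded. The following is an added example, not part of the original question or answer: it audits a response shaped like the Traefik 1.x `/api/providers` output, and the service names, the IP address and the sample data are constructed assumptions.

```python
import json

# Constructed sample shaped like a Traefik 1.x GET /api/providers response
# (assumption: the API entry point listens on :8080 as in the config above).
SAMPLE = json.loads("""
{
  "servicefabric": {
    "backends": {
      "fabric:/App/Backend": {
        "servers": {"node0": {"url": "http://10.0.0.4:8081", "weight": 1}}
      }
    },
    "frontends": {
      "fe-ok":     {"entryPoints": ["http", "https"], "backend": "fabric:/App/Backend"},
      "fe-stale":  {"entryPoints": ["http"], "backend": "fabric:/App/Backend"},
      "fe-orphan": {"entryPoints": ["http", "https"], "backend": "fabric:/App/Gone"}
    }
  }
}
""")


def audit_providers(providers, required_entrypoint="https"):
    """Return (provider, frontend, problem) tuples for each misconfigured frontend."""
    findings = []
    for provider, conf in sorted(providers.items()):
        backends = conf.get("backends") or {}
        for name, fe in sorted((conf.get("frontends") or {}).items()):
            # Frontend generated before the HTTPS entry point was deployed.
            if required_entrypoint not in (fe.get("entryPoints") or []):
                findings.append((provider, name, "missing entry point " + required_entrypoint))
            # Frontend pointing at a backend the provider did not generate.
            backend = backends.get(fe.get("backend"))
            if backend is None:
                findings.append((provider, name, "backend not found: %s" % fe.get("backend")))
            elif not backend.get("servers"):
                findings.append((provider, name, "backend has no servers"))
    return findings


if __name__ == "__main__":
    # Live use (assumption): load the JSON from http://localhost:8080/api/providers instead.
    for finding in audit_providers(SAMPLE):
        print(*finding, sep=" | ")
```

An empty result means every frontend is bound to the HTTPS entry point and resolves to a backend with at least one server.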