Traefik - accessing an external https domain from the internal network

Time: 2019-05-30 11:25:58

Tags: docker traefik

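I have my own duckdns domain. I set up traefik on docker to route https requests to other docker containers as backends. I can reach https://hass.mydomain.duckdns.org from any external network, but I cannot reach the same domain over https from the internal network (I get connection refused). It is reachable via 192.168.1.xxx:8123. It is also worth mentioning that http://hass.mydomain.duckdns.org resolves to my router's admin page.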

traefik.toml:

logLevel = "DEBUG"
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

[ping]

# Force HTTPS
[entryPoints]
  [entryPoints.http]
    address = ":80"

    [entryPoints.http.redirect]
      entryPoint = "https"
      #permanent = true

  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

  [entryPoints.traefik]
    address = ":8080"
    [entryPoints.traefik.auth]
      [entryPoints.traefik.auth.basic]
        usersFile = "/shared/.htpasswd"  

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
  email = "myemail@example.com" #any email id will work
  storage="/etc/traefik/acme/acme.json"
  entryPoint = "https"
  acmeLogging = true
  #onDemand = false #create certificate when container is created
  [acme.dnsChallenge]
    provider = "duckdns"
    delayBeforeCheck = 300
    [[acme.domains]]
      main = "mydomain.duckdns.org"
    [[acme.domains]]
      main = "*.mydomain.duckdns.org"

# Connection to docker host system (docker.sock)
[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "mydomain.duckdns.org"
  watch = true
  # This will hide all docker containers that don't have explicitly
  # set label to "enable"
  exposedbydefault = false

docker-compose.yaml:

---
version: "3"
services:

  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - DUCKDNS_TOKEN
      - TZ
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared
    healthcheck:
      test: ["CMD", "/traefik", "healthcheck"]
      interval: 30s
      timeout: 3s
      retries: 30

  hass:
    hostname: hass
    container_name: hass
    restart: unless-stopped
    image: homeassistant/raspberrypi3-homeassistant
    ports:
      - "8123:8123"
    devices:
      - /dev/ttyUSB0:/dev/ttyUSB0
      - /dev/ttyUSB1:/dev/ttyUSB1
      - /dev/ttyACM0:/dev/ttyACM0
    volumes:
      - ${USERDIR}/docker/homeassistant:/config
      - ${USERDIR}/docker/shared:/shared
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    network_mode: host
    privileged: true
    environment:
      - PUID
      - PGID
      - TZ
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:hass.${DOMAINNAME}"
      - "traefik.port=8123"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://127.0.0.1:8123"]
      interval: 30s
      timeout: 10s
      retries: 6

0 answers:

No answers