AWS ECS Fargate:如何使用Traefik配置SSL

时间:2019-10-01 12:56:11

标签: amazon-web-services load-balancing amazon-ecs traefik aws-fargate

我正在使用AWS Fargate,并且已经从AWS AELB切换到Traefik v1.7,并且加载时间加快了一点,这是明智的选择。我在我的VPC的EC2上的Docker容器中安装了Traefik。

但是,您知道,使用AWS LB管理SSL证书很容易。 Traefik也很容易,但是我在设置它时遇到了问题。

仪表盘显示出来,我的配置正确,所有转发内容都还不错,当我进入子域时,我的站点就在那里。新的部署正确显示,等等。一切都很好。但是SSL永远行不通。我尝试了“加密”和我的自定义通配符域。我已经尝试过httpChallenge和dnsChallenge,但是仍然无法正常工作。让我们加密生成证书,但不将其附加到配置了子域的ECS部署中。我在网上找到的文件很少,他们不是在谈论这个问题。官方文件也没有那么详细。我的问题特别是与ECS有关。我也不知道,我的traefik.toml或AWS ECS任务定义docker标签中可能还会丢失某些东西。

这是我当前的traefik.toml文件,显示带有我自己的通配符证书的配置。就像我说过的那样,我们也可以使用Traefik Docs中完全一样的方式编写“让我们加密”版本。但现在将其用作参考:

# Entrypoints configuration

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/traefik/MYCERT.pem"
      keyFile = "/etc/traefik/MYPRIVATEKEY.pem"

# ECS Provider

[ecs]
#cluster = "default"
clusters = ["MYCLUSTERNAME"]
watch = true
domain = "MYDOMAIN.com"
autoDiscoverClusters = false
refreshSeconds = 15
exposedByDefault = true

region = "eu-central-1"
accessKeyID = "MYACCESSKEY"
secretAccessKey = "MYSECRETKEY"

我的Docker标签在ECS任务定义上的附属容器中

traefik.frontend.rule=Host:MYSUBDOMAIN.MYDOMAIN.com
traefik.enable=true
traefik.backend=MY-PROJECT-BE-DUMMY-TEXT
traefik.port=80
traefik.frontend.entryPoints=http,https

这是我在EC2中运行Traefik容器的方式:

docker run -d \
--name traefik-lb \
--restart unless-stopped \
-v $PWD/traefik.toml:/etc/traefik/traefik.toml \
-v $PWD/MYCERT.pem:/etc/traefik/MYCERT.pem \
-v $PWD/MYPRIVATEKEY.pem:/etc/traefik/MYPRIVATEKEY.pem \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 \
-p 80:80 \
traefik

部分日志:

time="2019-10-01T08:31:00Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
time="2019-10-01T08:31:00Z" level=debug msg="Adding certificate for domain(s) *.MYDOMAIN.com,MYDOMAIN.com"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000c4c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server https &{Address::443 TLS:0xc0001ad440 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000ccc0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :80"
time="2019-10-01T08:31:00Z" level=debug msg="Adding certificate for domain(s) *.MYDOMAIN.com,MYDOMAIN.com"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000cce0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :443"
time="2019-10-01T08:31:00Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :8080"

什么可能导致此问题?我只需要Traefik来映射已确认的通配符域并将其分配给我的部署,因此当我输入subdomain.domain.com时,我会在最上面看到domain.com SSL。

谢谢。

0 个答案:

没有答案
相关问题
最新问题