Question

我对此很陌生，但是在阅读了一些好的指南后，我遇到了以下问题...

我在Ubuntu上设置了一个家庭服务器，并在docker上运行了针对不同应用程序的容器； plex，Minecraft，portainer和traefik。我已经成功地设置了带有反向代理，https，ssl路由和traefik的Lets加密和duckdns.org。

从昨天开始，我已经为我的家庭自动化设备安装了带有hass.io的RaspberryPi。要让hass.io连接到我的Alexa帐户，我需要将其设为https，并且因为我已经使用traefik来认证我与服务器的连接...我想我也可以为此使用它。 >

但是我无法使其正常工作。

如何设置traefik，使其也可以处理服务器上docker以外的服务器？

从我的docker-compose.yaml

 #Portainer - WebUI for Containers
  portainer:
    image: portainer/portainer
    hostname: portainer
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
#    ports:
#      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/docker/portainer/data:/data
      - ${USERDIR}/docker/shared:/shared
    environment:
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=portainer"
      - "traefik.frontend.rule=Host:portainer.${DOMAINNAME}"
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /portainer"
      - "traefik.port=9000"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"

# Traefik reverse proxy
  traefik:
    hostname: traefik
    image: traefik:v1.7.18
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared

#traefik networks block, to set up reverse proxy
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

和我的traefik.toml

#debug = true

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend an$
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
email = "john.doe@notreal.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "notmine.duckdns.org"
[[acme.domains]]
   main = "*.notmine.duckdns.org"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "notmine.duckdns.org"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

上面是工作代码，我只是想不出如何进行调整，而这并没有破坏一切……

Answer 1

这很棘手，就像我说的那样，菜鸟，但是有可能解决该问题，方法是在rules.toml中添加另一个域，然后创建一个指向另一个服务器后端的前端。我使用此指南来解决此问题：docs.traefik.io/v1.5/configuration/backends/file

所以我必须将“非docker服务器”添加到traefik.toml中，作为需要证书的新域

# Domain for my server on the Raspberry
[[acme.domains]]
   main = "eklandaresidenset.duckdns.org"

我还必须使用密钥来编辑acme.json文件...当您重新启动trefik时，它必须自行完成，但是我从未实现过，所以我自己对其进行了编辑，并复制了我已经拥有的密钥在文件中。：-）

然后，我设置了已经在traefik.toml中引用但未创建的rules.toml，所以我做了并添加了以下内容：

# Putting non-docker apps behind traefik proxy.
[backends]
  [backends.backend-anotherserver]
    [backends.backend-anotherserver.servers.anotherserver]
        url = "http://xxx.xxx.xxx.xxx:yyy" #the other servers local IP and port
        weight = 1

[frontends]
  [frontends.frontend-anotherserver]
    backend = "backend-anotherserver"
     passHostHeader = true
     passTLSCert = true
    [frontends.frontend-anotherserver.routes.domain]
        rule = "Host:anotherserver.duckdns.org"  #created another server dns-subdirectory at duckdns.org pointing to the same IP as before... just to get another header!
     [frontends.frontend-anotherserver.headers]
       SSLRedirect = true
       SSLHost = "anotherserver.duckdns.org"
       STSSeconds = 315360000
       STSIncludeSubdomains = true
       STSPreload = true
       forceSTSHeader = true
       frameDeny = true
       browserXSSFilter = true

问题解决了！

使用traefik将ssl路由到不同docker上的不同服务器

1 个答案: