Traefik v2:404,同时将HTTP流量全局路由到HTTPS

时间:2019-11-01 22:46:59

标签: docker docker-compose docker-swarm traefik

我有一个问题,我可以路由HTTPS流量,但是无法将HTTP流量全局重定向到HTTPS。就我而言,我只需要HTTPS流量,因此我想重定向所有传入的流量。

当我尝试通过HTTP提供URL时,当前出现404错误。 我已经在Treafik中启用了DEBUG日志,但是在日志中看不到任何问题或不正常的内容。

此外,我在Stackoverflow上看到了一个非常相似的主题,但是我们发现,他的错误与我的错误有所不同:How to redirect http to https with Traefik 2.0 and Docker Compose labels?

以下设置基于此处的博客条目:https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d

我的设置

我在集群中这样配置Traefik:

global:
  checkNewVersion: false
  sendAnonymousUsage: false
api:
  dashboard: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
providers:
  providersThrottleDuration: 2s
docker:
  watch: true
  endpoint: unix:///var/run/docker.sock
  swarmMode: true
  swarmModeRefreshSeconds: 15s
  exposedByDefault: false
  network: webgateway
log:
  level: DEBUG
accessLog: {}
certificatesResolvers:
  default:
    acme:
    email: {email}
    storage: /etc/traefik/acme/acme.json
    httpChallenge:
      entryPoint: web

并使用以下docker-compose文件启动Traefik 

version: '3'

services:
proxy:
    image: traefik:latest
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /data/docker_data/traefik/traefik-2.yml:/etc/traefik/traefik.yml
    - /data/docker_data/traefik/acme-2.json:/etc/traefik/acme/acme.json
    labels:
    # redirect
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
    - "traefik.http.routers.redirs.entrypoints=web"
    - "traefik.http.routers.redirs.middlewares=redirect-to-https"

我的服务配置有以下标签:

traefik.http.routers.myapp.rule=Host(`myapp.ch`)
traefik.http.routers.myapp.service=myapp
traefik.http.routers.myapp.entrypoints=websecure
# I don't think that the following one is required here...
# traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
traefik.http.routers.myapp.tls.certresolver=default
traefik.http.services.myapp.loadbalancer.server.port=3000
traefik.http.routers.myapp.tls=true
traefik.enable=true

有什么想法为什么不起作用?

2 个答案:

答案 0 :(得分:2)

这是为那些试图在Traefik 2上尝试从全局HTTP到HTTPS重定向的用户提供的。某些人可能在http端点上得到404。经过数小时的时间在不同的论坛上花费。这对我有用。这也适用于希望使用预签名的ssl证书的人。

由于我们大多数人都使用traefik博客中提供的配置,并且许多人不包含traefik容器的命令部分(出于安全目的而在此声明)

"--providers.docker.exposedbydefault=false"

如果我们不提供,则会阻止全局https重定向器工作

"traefik.enable=true"

这是完整文件

version: "3.8"
services:
  traefik:
    image: "traefik:v2.2.1"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.watch=true"
      - "--providers.file.directory=/conf/"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - somenetwork
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./certs:/certs
      - ./conf:/conf
    labels:
      # this is needed as we did the --providers.docker.exposedbydefault=false
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    networks:
      - somenetwork
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.tls=true"
      - "traefik.http.routers.whoami-secure.rule=Host(`test.traefik.localhost`)"

我还在conf目录中添加了certificates.toml。如果您在本地主机上工作,则可以使用mkcert openssl等添加它。对于生产,您需要从证书提供者那里获取。并且您需要将证书添加到certs文件夹中。

[[tls.certificates]] #first certificate
   certFile = "/certs/_wildcard.traefik.localhost.pem"
   keyFile = "/certs/_wildcard.traefik.localhost-key.pem"

当然可以使用let加密。关于这个主题的博客很多。

希望这可以节省您的时间。 :)

答案 1 :(得分:1)

您不需要配置Traefik服务本身。在Traefik上,您仅需要具有:443(websecure)和:80(web)的入口点

由于Traefik仅充当入口点,并且不会执行重定向,因此目标服务上的中间件将执行此操作。

现在将目标服务配置如下:

version: '2'
services:
  mywebserver:
    image: 'httpd:alpine'
    container_name: mywebserver
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.mywebserver-redirect-websecure.redirectscheme.scheme=https
      - traefik.http.routers.mywebserver-web.middlewares=mywebserver-redirect-websecure
      - traefik.http.routers.mywebserver-web.rule=Host(`sub.domain.com`)
      - traefik.http.routers.mywebserver-web.entrypoints=web
      - traefik.http.routers.mywebserver-websecure.rule=Host(`sub.domain.com`)
      - traefik.http.routers.mywebserver-websecure.tls.certresolver=mytlschallenge
      - traefik.http.routers.mywebserver-websecure.tls=true
      - traefik.http.routers.mywebserver-websecure.entrypoints=websecure
      # if you have multiple ports exposed on the service, specify port in the websecure service
      - traefik.http.services.mywebserver-websecure.loadbalancer.server.port=9000

所以基本上流程是这样的:

请求:http://sub.domain.com:80-> traefik(服务)-> mywebserver-web(路由器,http规则)-> mywebserver-redirect-websecure(中间件,重定向到https)-> mywebserver-websecure (路由器,https规则)-> mywebserver(服务)

相关问题
最新问题