Is there a way to let some Traefik services manage their own TLS certificates?

Time: 2020-01-29 16:35:04

Tags: ssl traefik

I am trying to configure traefik for this kind of setup:

1) server.example.com -> traefik -> httpChallengeToLetsEncrypt

2) client -> traefik (TLS passthrough) -> server.example.com (Let's Encrypt)

N.B.: traefik receives its requests at the example.com level

What happens

1) only works when traefik does not manage Let's Encrypt certificates itself (otherwise it does not forward any request whose path prefix starts with ".well-known/acme-challenge" :-\ )

2) does not work with a tcp router configured as follows:

tcp:
  routers:
    example:
      entryPoints:
        - web-secure
      rule: "HostSNI(`server.example.com`)"
      service: example
      tls:
        passthrough: true

  services:
    example:
      loadBalancer:
        servers:
          # TCP services take `address` (host:port), not `url`
          - address: "192.168.0.1:443"

How would you let one or more services manage their own Let's Encrypt certificates? And is it possible to do this while traefik also manages Let's Encrypt certificates, or is the problem mentioned in point 1 reproducible?

Best regards,

jmc

1 answer:

Answer 0: (score: 1)

Use a tcp router with tls.passthrough=true instead of http

Below is a fully working example where apache is responsible for its own certificates.

traefik never touches them

version: "3"

services:
    traefik:
        image: traefik
        command:
            - --api.insecure=true
            - --providers.docker=true
            # the labels below reference entrypoints named "http" and "https";
            # they have to be declared in the static configuration
            - --entrypoints.http.address=:80
            - --entrypoints.https.address=:443
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
        labels:
            - traefik.http.routers.api.rule=Host(`traefik.docker.local`)
            - traefik.http.routers.api.service=api@internal

    whoami:
        image: containous/whoami
        labels:
            - traefik.http.routers.whoami.rule=Host(`whoami.docker.local`)
            - traefik.http.routers.whoami.service=whoami@docker
            - traefik.http.services.whoami.loadbalancer.server.port=80

    apache:
        build: php-apache
        depends_on: [traefik]
        env_file: ./php-apache/env
        volumes:
            - "./php-apache/cert/haproxy/:/etc/ssl/haproxy/"
            - "./php-apache/cert/private/:/etc/ssl/private/"
            - "./php-apache/cert/trusted/:/usr/local/share/ca-certificates/"
            - "./php-apache/conf/:/etc/apache2/conf-enabled/"
            - "./php-apache/log/:/var/log/apache2/"
            - "./php-apache/sites/available/:/etc/apache2/sites-available/"
            - "./php-apache/sites/enabled/:/etc/apache2/sites-enabled/"
            - "./php-apache/www/:/var/www/"
        labels:
            # port 80: plain HTTP router, so the ACME http-01 challenge reaches apache
            - "traefik.http.routers.apache.entrypoints=http"
            - "traefik.http.routers.apache.priority=1"
            - "traefik.http.routers.apache.rule=HostRegexp(`{catchall:.*}`)"
            - "traefik.http.routers.apache.service=apache@docker"
            - "traefik.http.services.apache.loadbalancer.server.port=80"

            # port 443: TCP router with passthrough, TLS is terminated by apache
            - "traefik.tcp.routers.apache.entrypoints=https"
            - "traefik.tcp.routers.apache.rule=HostSNI(`*`)"
            - "traefik.tcp.routers.apache.service=apache@docker"
            - "traefik.tcp.routers.apache.tls.passthrough=true"
            - "traefik.tcp.services.apache.loadbalancer.server.port=443"
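The answer's `HostSNI(`*`)` router and the question's `HostSNI(`server.example.com`)` router both rely on the same mechanism: with `tls.passthrough=true` Traefik never decrypts the connection, it only reads the server name (SNI) from the client's TLS ClientHello, picks a router, and forwards the raw bytes, so the backend keeps full control of its certificate. The following Python script is an added example, not code from the question, the answer or the Traefik project. It builds a ClientHello offline with the standard `ssl` module (a constructed sample), extracts the SNI the way a passthrough router has to, and routes it against a hypothetical router table modelled on the two rules above; the ordering of that table stands in for Traefik's rule priorities, which is a simplification.

```python
"""Added example: a minimal model of what a Traefik TCP router with
tls.passthrough=true does with the first bytes of a connection.
Constructed ClientHello samples, hypothetical router table."""
import ssl
import struct


def make_client_hello(server_name=None):
    """Produce the bytes a TLS client sends first (constructed sample).

    With server_name=None no SNI extension is sent, which is what a client
    connecting by IP address does.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # the handshake is never completed
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # ClientHello written, waiting for server
    return outgoing.read()


def extract_sni(data):
    """Return the server_name from a raw TLS ClientHello, or None.

    None covers plain-text traffic (not a TLS record), a ClientHello without
    the SNI extension, and truncated or malformed input.
    """
    try:
        if data[0] != 0x16:                          # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                            # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                 # client_version + random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                           # 0 = server_name
                continue
            lpos = 2                                 # skip ServerNameList length
            while lpos + 3 <= len(ext):
                ntype = ext[lpos]
                nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == 0 and len(name) == nlen:  # host_name entry
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Hypothetical router table, most specific rule first (Traefik orders rules
# by priority; here the list order stands in for that).
ROUTERS = [
    ("server.example.com", "example@file"),   # the question's HostSNI rule
    ("*", "apache@docker"),                   # the answer's HostSNI(`*`) catch-all
]


def select_router(client_hello, routers=ROUTERS):
    """Pick the service a passthrough TCP router would forward the bytes to.

    HostSNI(`*`) matches every connection, including ones with no SNI or no
    TLS at all; a named host only matches an exact (case-insensitive) SNI.
    """
    sni = extract_sni(client_hello)
    for host, service in routers:
        if host == "*" or (sni is not None and sni.lower() == host.lower()):
            return service
    return None


if __name__ == "__main__":
    for hello in (make_client_hello("server.example.com"),
                  make_client_hello(), b"GET / HTTP/1.1\r\n\r\n"):
        print(extract_sni(hello), "->", select_router(hello))
```

Two things the model makes visible: a named `HostSNI` rule never sees clients that omit SNI (or speak plain HTTP on the TLS port), so a deployment like the question's needs either a `HostSNI(`*`)` catch-all or an explicit decision to drop such connections; and because the bytes are forwarded untouched, the certificate a client receives is the backend's, which you can confirm on a live setup with `openssl s_client -connect <traefik-host>:443 -servername server.example.com` and comparing the presented certificate with the one the backend serves directly.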