Traefik is an open source reverse proxy that simplifies handling microservices and/or just your applications.
A reverse proxy forwards requests from an external network to any server or service on the internal network (for example a web server, a database or file storage) and lets you:
- hide the structure of the internal network and the details of the services inside it;
- load-balance between instances of the same service or between servers performing the same task;
- provide an encrypted connection (HTTPS) between the client and any service; in that case the TLS session is established between the client and the proxy, and an unencrypted HTTP connection is used between the proxy and the service on the internal network; if the service itself supports HTTPS, the connection inside the internal network can be encrypted as well;
- control access to services (client authentication) and act as a firewall.
This article describes using Traefik in Docker as a reverse proxy for other Docker containers as well as for services that do not run in containers.
Introduction
Traefik positions itself as an "Edge Router". It comes in two editions: the open source Traefik and the commercial Traefik EE, which adds, among other things, HA (High Availability). This article deals with Traefik.
Traefik takes its dynamic configuration from providers; the supported ones are:
- Docker
- Kubernetes
- Consul Catalog
- Marathon
- Rancher
- File
The File provider deserves a separate mention: it reads routes from configuration files, which is how services running outside Docker are attached later in this article.
Traefik configuration, including the files for the File provider, can be written in TOML or YAML; YAML is used throughout. Traefik itself runs in Docker, so the Docker provider is used and the containers are managed with docker-compose.
* The commands below assume Linux.
Traefik
docker and docker-compose must be installed.
Create a directory for Traefik and change into it:
mkdir ~/traefik
cd ~/traefik
Create docker-compose.yml describing the Traefik container. Its contents:
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
Ports 80 and 443 are published for HTTP and HTTPS. The Docker socket is mounted so that Traefik can discover containers; it is mounted read-only, but keep in mind that :ro only restricts the mount itself, not the API calls made over the socket, so Traefik effectively has access to the Docker daemon. Traefik reads its configuration from traefik.yml in the data directory.
The networks section is omitted, so the default Docker network is used; the containers that Traefik proxies must share a network with it.
Now the contents of data/traefik.yml. First, the entry points:
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
Two entry points are declared: http on port 80 and https on port 443. The names are arbitrary (a and b would work just as well); they are only referenced from the rest of the configuration.
Next, the Docker provider:
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
Traefik connects to the Docker socket to discover containers. exposedByDefault: false means Traefik ignores every container that does not opt in explicitly (with the label traefik.enable=true).
Redirect all HTTP requests to HTTPS:
http:
  routers:
    http-catchall:
      rule: HostRegexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false
Besides HTTP, Traefik can route TCP and UDP; here the http section is used.
Traefik 2 introduced routers (they match requests and pass them on to services) and middlewares (they modify requests or responses on the way). The settings used here:
- http-catchall: the name of the router, arbitrary but unique within the http section;
- rule: the matching rule; HostRegexp matches the Host header against a regular expression, .+ matches any non-empty host, and Traefik requires the expression to be named, {name:reg_exp}, hence host;
- entrypoints: the entry points the router listens on, here http;
- middlewares: the middlewares applied to matched requests, in order.
- redirect-to-https: the name of the middleware, arbitrary but unique within the http section;
- redirectScheme: the middleware type, a redirect to another scheme;
- scheme: https: the target scheme;
- permanent: false: a temporary redirect (HTTP 302) rather than a permanent one (HTTP 308).
Routers and middlewares are dynamic configuration, while traefik.yml is the static configuration file; after starting, confirm in the dashboard or the logs that the http-catchall router was actually loaded, and if it was not, move this block into a file read by the File provider (see the File section below).
The resulting traefik.yml so far:
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

http:
  routers:
    http-catchall:
      rule: HostRegexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
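To make the effect of the redirect concrete, here is a small Python model of what http-catchall and redirect-to-https do to a request arriving on the http entry point. It is an added example, not Traefik's code: the Request class and the function names are my own, and it reproduces only the observable behaviour (any non-empty Host matches, the Location header is rebuilt from the Host header with the original port dropped, and permanent selects 302 versus 308).

```python
"""Model of the http-catchall router and redirect-to-https middleware from traefik.yml.

Added example, not Traefik's code. It reproduces the observable behaviour of the
two objects so the effect of `permanent` can be seen without a running proxy:
every non-empty Host matches, the Location is rebuilt from the Host header with
the original port dropped, and `permanent` selects 302 versus 308.
The Request class and function names are mine.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# HostRegexp(`{host:.+}`): Traefik requires a named group; `.+` accepts any non-empty host.
HOST_CATCHALL = re.compile(r"^(?P<host>.+)$")


@dataclass(frozen=True)
class Request:
    """The parts of a request on the `http` entry point that the redirect depends on."""
    host: str        # Host header as sent by the client, possibly with an explicit ":80"
    path: str = "/"  # path plus query string


def redirect_scheme(req: Request, scheme: str = "https", permanent: bool = False) -> Tuple[int, str]:
    """redirectScheme middleware: returns (status code, Location header).

    permanent: false -> 302 Found, permanent: true -> 308 Permanent Redirect.
    The original port is dropped so the target is https://host/ and not https://host:80/.
    """
    host = req.host.rsplit(":", 1)[0] if re.search(r":\d+$", req.host) else req.host
    return (308 if permanent else 302), f"{scheme}://{host}{req.path}"


def http_catchall(req: Request, permanent: bool = False) -> Optional[Tuple[int, str]]:
    """Router: apply the HostRegexp rule, then the middleware chain; None when nothing matched."""
    if not HOST_CATCHALL.match(req.host):
        return None  # no router matched: Traefik would answer 404
    return redirect_scheme(req, permanent=permanent)


if __name__ == "__main__":
    # Constructed sample requests
    for req in (Request("test.example.com", "/app?x=1"), Request("traefik.example.com:80")):
        print(req.host, "->", http_catchall(req))
```

Switching permanent to true in the model changes only the status code; browsers cache a 308, so keep permanent: false while the setup is still being tested, as the article does.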
Start the container:
sudo docker-compose up -d
If it starts and the logs (sudo docker-compose logs -f) show no errors, the basic setup is working.
Let's Encrypt
HTTPS needs a TLS certificate; we obtain one from Let's Encrypt.
Add a certificate resolver to the Traefik configuration (traefik.yml):
certificatesResolvers:
  letsEncrypt:
    acme:
      email: postmaster@example.com
      storage: acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
Here:
- letsEncrypt: the name of the resolver, arbitrary;
- acme: the resolver uses the ACME protocol (Let's Encrypt is an ACME CA);
- storage: the file where the account key and the certificates, including their private keys, are stored;
- httpChallenge: the ACME challenge type, here HTTP-01 on the http entry point, so port 80 must be reachable from the Internet;
- caServer: "https://acme-staging-v02.api.letsencrypt.org/directory": the Let's Encrypt staging API; it has relaxed rate limits and is meant for testing, but its certificates are not trusted by browsers, so remove or comment out this line for production.
Add the storage file to the volumes in docker-compose.yml (first create an empty data/acme.json with permissions 600; if the file does not exist, Docker creates a directory at that path instead):
volumes:
  - /etc/localtime:/etc/localtime:ro
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - ./data/traefik.yml:/traefik.yml:ro
  - ./data/acme.json:/acme.json
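Because acme.json holds the ACME account key and the private keys of every certificate Traefik obtains, it is worth creating it correctly and checking it before the container starts. The following Python script is an added example, not part of the article or of Traefik; the function names are mine, and the temporary directory in demo() stands in for ./data.

```python
"""Create and check the acme.json file that the letsEncrypt resolver writes to.

Added example, not part of the article or of Traefik. Traefik keeps the ACME
account key and the issued certificates with their private keys in `storage:
acme.json`, so the file must exist before the container starts (a missing host
path becomes a directory mount) and Traefik requires mode 600 on it.
Function names are mine.
"""
import json
import os
import stat
import tempfile
from typing import List


def prepare_acme_storage(path: str) -> None:
    """Create an empty acme.json with mode 600; an existing file keeps its content."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)  # mode applies on creation only
    os.close(fd)
    os.chmod(path, 0o600)  # also tighten a pre-existing file, independent of umask


def check_acme_storage(path: str) -> List[str]:
    """Return findings about the storage file; an empty list means Traefik will accept it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: Docker would create a directory at this path instead of a file"]
    if stat.S_ISDIR(st.st_mode):
        return ["is a directory: the bind mount was started before the file existed"]
    findings: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:o} is too open, Traefik requires 600")
    if st.st_size:
        with open(path, encoding="utf-8") as fh:
            try:
                data = json.load(fh)
            except json.JSONDecodeError:
                return findings + ["content is not valid JSON"]
        # Traefik keys the file by resolver name; the article's resolver is letsEncrypt.
        if "letsEncrypt" not in data:
            findings.append("no 'letsEncrypt' entry yet: no certificate has been issued")
    return findings


def demo() -> List[List[str]]:
    """Run three scenarios in a temporary directory standing in for ./data (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "acme.json")
        missing = check_acme_storage(path)
        prepare_acme_storage(path)
        ready = check_acme_storage(path)
        os.chmod(path, 0o644)  # what a plain `touch` under the default umask produces
        loose = check_acme_storage(path)
    return [missing, ready, loose]


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

Run check_acme_storage against ./data/acme.json after the first start as well: once a certificate has been issued the file is JSON keyed by the resolver name, and its permissions must still be 600.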
Docker
To test HTTPS, let's publish the Traefik dashboard. Traefik itself runs in a Docker container, so it can be configured through the Docker provider.
The Docker provider takes the configuration from container labels. Add the following labels to the traefik service in docker-compose.yml:
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=https"
  - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
  - "traefik.http.routers.traefik.tls=true"
  - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
  - "traefik.http.routers.traefik.service=api@internal"
  - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
Each label:
- traefik.enable=true: tells Traefik to proxy this container (required because exposedByDefault is false);
- traefik.http.routers.traefik.entrypoints=https: the router traefik listens on the https entry point;
- traefik.http.routers.traefik.rule=Host(`traefik.example.com`): the router matches requests whose Host is traefik.example.com;
- traefik.http.routers.traefik.tls=true: enables TLS on the router;
- traefik.http.routers.traefik.tls.certresolver=letsEncrypt: the certificate resolver used to obtain the certificate;
- traefik.http.routers.traefik.service=api@internal: the router forwards to the built-in api@internal service, which serves the dashboard and the API; normally the service is generated for the container automatically, here it is overridden;
- traefik.http.services.traefik-traefik.loadbalancer.server.port=888: a placeholder port for the service Traefik generates for the container; it is never used because the router points at api@internal, but without a port Traefik cannot build the service and logs an error.
Also enable the dashboard in traefik.yml:
api:
  dashboard: true
Restart the containers (required because docker-compose.yml changed):
sudo docker-compose down && sudo docker-compose up -d
Open traefik.example.com (the name must resolve to the host running Traefik); the dashboard opens over HTTPS.
Right now anyone who can reach the host can open the dashboard. Protect it with BasicAuth, which Traefik provides as a middleware.
Generate a login/password pair (here admin/password):
$ htpasswd -nb admin password
admin:$apr1$vDSqkf.v$GTJOtsd9CBiAFFnHTI2Ds1
Add two labels to docker-compose.yml:
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
Note that every $ in the hash is doubled to $$, because docker-compose treats a single $ as variable substitution.
- traefik.http.middlewares.traefik-auth.basicauth.users=...: declares a basicauth middleware named traefik-auth; users is the list of allowed user:hash pairs;
- traefik.http.routers.traefik.middlewares=traefik-auth: attaches that middleware to the traefik router.
docker-compose.yml now looks like this:
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
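The labels above are a flat encoding of the same routers, services and middlewares that the File provider accepts as YAML. The Python below, an added example and not code from the article or from Traefik, parses such labels into that nested form, shows the $ to $$ escaping from the previous step, and then checks the properties a reviewer looks for on a router that exposes api@internal: enabled explicitly, https entry point only, TLS on, and an authentication middleware attached. LABELS is a copy of the list from docker-compose.yml above (with $$ already resolved to $, as compose hands it to Docker); the function names are mine.

```python
"""Parse `traefik.http.*` container labels into the dynamic configuration they
express and check how the dashboard (api@internal) is exposed.

Added example, not code from the article or from Traefik. LABELS is a copy of
the labels from docker-compose.yml above, with `$$` already resolved to `$`
(which is how compose hands them to Docker). Function names are mine.
"""
from typing import Any, Dict, List

LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik.entrypoints=https",
    "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)",
    "traefik.http.routers.traefik.tls=true",
    "traefik.http.routers.traefik.tls.certresolver=letsEncrypt",
    "traefik.http.routers.traefik.service=api@internal",
    "traefik.http.services.traefik-traefik.loadbalancer.server.port=888",
    "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$apr1$vDSqkf.v$GTJOtsd9CBiAFFnHTI2Ds1",
    "traefik.http.routers.traefik.middlewares=traefik-auth",
]


def compose_escape(htpasswd_line: str) -> str:
    """Escape a `user:hash` line for docker-compose.yml, where a single `$` starts a variable."""
    return htpasswd_line.replace("$", "$$")


def labels_to_config(labels: List[str]) -> Dict[str, Any]:
    """Turn dotted `key=value` labels into the nested structure Traefik builds from them.

    Label keys are case-insensitive in Traefik, so they are lowercased here; values are kept.
    `tls=true` followed by `tls.certresolver=...` becomes one dict, as Traefik treats it.
    """
    config: Dict[str, Any] = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.lower().split(".")
        node = config
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = node[part] = {}  # a scalar such as `tls=true` is superseded by its options
            node = child
        if not isinstance(node.get(parts[-1]), dict):
            node[parts[-1]] = value  # never overwrite options with a later scalar
    return config


def dashboard_findings(config: Dict[str, Any], router: str = "traefik") -> List[str]:
    """Review checks for a router that forwards to api@internal (dashboard and API)."""
    findings: List[str] = []
    traefik = config.get("traefik", {})
    if traefik.get("enable") != "true":
        findings.append("traefik.enable is not true: with exposedByDefault: false the container is ignored")
    http = traefik.get("http", {})
    rt = http.get("routers", {}).get(router, {})
    if rt.get("service") != "api@internal":
        return findings + [f"router {router!r} does not forward to api@internal"]
    entrypoints = {e.strip() for e in rt.get("entrypoints", "").split(",") if e.strip()}
    if entrypoints != {"https"}:
        findings.append(f"dashboard router listens on {sorted(entrypoints) or 'all entry points'}, not only https")
    tls = rt.get("tls")
    if tls != "true" and not isinstance(tls, dict):
        findings.append("TLS is not enabled on the dashboard router")
    attached = [m.strip() for m in rt.get("middlewares", "").split(",") if m.strip()]
    auth_types = ("basicauth", "digestauth", "forwardauth")
    defined = http.get("middlewares", {})
    if not any(t in defined.get(m, {}) for m in attached for t in auth_types):
        findings.append("api@internal is exposed without an authentication middleware")
    return findings


if __name__ == "__main__":
    cfg = labels_to_config(LABELS)
    print(cfg["traefik"]["http"]["routers"]["traefik"])
    print(dashboard_findings(cfg) or "dashboard exposure looks fine")
    print(compose_escape("admin:$apr1$vDSqkf.v$GTJOtsd9CBiAFFnHTI2Ds1"))
```

Dropping the last two labels (the state of the compose file before BasicAuth was added) makes dashboard_findings report the unauthenticated api@internal exposure, which is exactly the window between the two restarts in the procedure above.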
Other containers are connected the same way, through labels in their docker-compose file (or passed to docker when the container is started):
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.test.entrypoints=https"
  - "traefik.http.routers.test.rule=Host(`test.example.com`)"
  - "traefik.http.routers.test.tls=true"
  - "traefik.http.routers.test.tls.certresolver=letsEncrypt"
  - "traefik.http.services.test-service.loadbalancer.server.port=80"
Here traefik.http.services.test-service.loadbalancer.server.port=80 tells Traefik that the service test-service listens on container port 80; since the container declares exactly one service, the router test is bound to it automatically. The port does not need to be published to the host, because Traefik reaches the container over the Docker network.
File
Now suppose a service running outside Docker (say, on IP 192.168.1.222, port 8080) needs to be published over HTTPS. The File provider is used for that.
Add another volume to docker-compose.yml:
volumes:
  - /etc/localtime:/etc/localtime:ro
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - ./data/traefik.yml:/traefik.yml:ro
  - ./data/custom/:/custom/:ro
  - ./data/acme.json:/acme.json
The data/custom/ directory will hold the dynamic configuration files (create it; the name is arbitrary, it only has to match the mount).
Enable the file provider in traefik.yml:
providers:
  ...
  file:
    directory: /custom
    watch: true
Restart via docker-compose. With watch: true Traefik watches the directory and applies changed files on its own, so later edits there need no restart (only changes to traefik.yml and docker-compose.yml do).
Describe the service for Traefik in data/custom/host.yml:
http:
  routers:
    host:
      entryPoints:
        - https
      service: service-host
      rule: Host(`host.example.com`)
      tls:
        certResolver: letsEncrypt
  services:
    service-host:
      loadBalancer:
        servers:
          - url: http://192.168.1.222:8080/
        passHostHeader: true
The structure mirrors the labels: the router host is bound to the service with service: service-host, and the tls section enables TLS with the letsEncrypt resolver.
A service may list several servers, and Traefik will balance requests between them:
service_name:
  loadBalancer:
    servers:
      - ...
      - ...
    passHostHeader: true
passHostHeader: true forwards the client's Host header to the backend unchanged, which many applications rely on when generating links.
The resulting configuration files:
docker-compose.yml:
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/custom/:/custom/:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
data/traefik.yml:
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

http:
  routers:
    http-catchall:
      rule: HostRegexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /custom
    watch: true

certificatesResolvers:
  letsEncrypt:
    acme:
      email: postmaster@example.com
      storage: acme.json
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http
data/custom/host.yml:
http:
  routers:
    host:
      entryPoints:
        - https
      service: service-host
      rule: Host(`host.example.com`)
      tls:
        certResolver: letsEncrypt
  services:
    service-host:
      loadBalancer:
        servers:
          - url: http://192.168.1.222:8080/
        passHostHeader: true
At this point Traefik proxies HTTP to Docker containers through the Docker provider and to other services through the File provider, obtains certificates from Let's Encrypt and redirects HTTP to HTTPS.
TCP and UDP routing is configured in the same way and is described in the Traefik documentation.
Traefik can also export information about its operation in several formats; let's see how this is done with Prometheus.
Add a new entry point to data/traefik.yml:
entryPoints:
  ...
  metrics:
    address: ":8082"
Publish this port in docker-compose.yml:
ports:
  - 80:80
  - 443:443
  - 8082:8082
And enable collecting Prometheus metrics from this entry point in data/traefik.yml:
metrics:
  prometheus:
    entryPoint: metrics
All that remains is to point Prometheus at traefik_ip:8082. The metrics entry point has no authentication and the ports mapping above publishes it on every interface, so restrict access to it to the monitoring host, for example with a firewall rule or by binding the port to an internal address.
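What Prometheus scrapes from that port is plain text in the exposition format. As an added example (not the article's or Traefik's code), the Python below parses a constructed excerpt shaped like Traefik v2's traefik_entrypoint_requests_total and traefik_service_requests_total counters (the numbers are made up) and derives the per-status-code totals, the error ratio of an entry point and the number of 401 responses, which is what rejected BasicAuth attempts against the dashboard show up as. Function names are mine.

```python
"""Parse the Prometheus text exposition that Traefik serves on the `metrics`
entry point and derive a few numbers worth watching.

Added example, not part of the article or of Traefik. SAMPLE is a constructed
excerpt in the shape of Traefik v2's traefik_entrypoint_requests_total and
traefik_service_requests_total counters; the values are made up. Function
names are mine.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
# HELP traefik_entrypoint_requests_total How many HTTP requests processed on an entrypoint, partitioned by status code, protocol, and method.
# TYPE traefik_entrypoint_requests_total counter
traefik_entrypoint_requests_total{code="200",entrypoint="https",method="GET",protocol="http"} 1532
traefik_entrypoint_requests_total{code="302",entrypoint="http",method="GET",protocol="http"} 410
traefik_entrypoint_requests_total{code="401",entrypoint="https",method="GET",protocol="http"} 87
traefik_entrypoint_requests_total{code="404",entrypoint="https",method="GET",protocol="http"} 3
# TYPE traefik_service_requests_total counter
traefik_service_requests_total{code="200",method="GET",protocol="http",service="test-service@docker"} 1500
traefik_service_requests_total{code="404",method="GET",protocol="http",service="test-service@docker"} 3
"""

Sample = Tuple[str, Dict[str, str], float]  # (metric name, labels, value)

_LINE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)")
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> List[Sample]:
    """Parse sample lines; `# HELP`/`# TYPE` comments and blank lines are skipped."""
    samples: List[Sample] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"unparseable metric line: {line!r}")
        name, raw_labels, value = match.groups()
        labels = {k: v.replace('\\"', '"') for k, v in _LABEL.findall(raw_labels or "")}
        samples.append((name, labels, float(value)))
    return samples


def sum_by(samples: List[Sample], metric: str, label: str) -> Dict[str, float]:
    """Total of one counter per value of one label, e.g. requests per status code."""
    totals: Dict[str, float] = defaultdict(float)
    for name, labels, value in samples:
        if name == metric and label in labels:
            totals[labels[label]] += value
    return dict(totals)


def error_ratio(samples: List[Sample], entrypoint: str) -> float:
    """Share of 4xx and 5xx responses on one entry point; 0.0 if it saw no requests."""
    total = errors = 0.0
    for name, labels, value in samples:
        if name == "traefik_entrypoint_requests_total" and labels.get("entrypoint") == entrypoint:
            total += value
            if labels.get("code", "")[:1] in ("4", "5"):
                errors += value
    return errors / total if total else 0.0


def auth_failures(samples: List[Sample]) -> Dict[str, float]:
    """401 responses per entry point; on `https` these are mostly rejected BasicAuth logins."""
    rejected = [s for s in samples if s[1].get("code") == "401"]
    return sum_by(rejected, "traefik_entrypoint_requests_total", "entrypoint")


if __name__ == "__main__":
    parsed = parse_exposition(SAMPLE)
    print(sum_by(parsed, "traefik_entrypoint_requests_total", "code"))
    print(f"https error ratio: {error_ratio(parsed, 'https'):.3f}")
    print("401 per entry point:", auth_failures(parsed))
```

The same computation is what an alert rule on rate(traefik_entrypoint_requests_total{code="401"}[5m]) does inside Prometheus; the script is useful when looking at a single scrape by hand, for example with curl against traefik_ip:8082/metrics.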
Here are the resulting configuration files:
docker-compose.yml:
version: '3'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
      - 8082:8082
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/custom/:/custom/:ro
      - ./data/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
data/traefik.yml:
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  metrics:
    address: ":8082"

metrics:
  prometheus:
    entryPoint: metrics

http:
  routers:
    http-catchall:
      rule: HostRegexp(`{host:.+}`)
      entrypoints:
        - http
      middlewares:
        - redirect-to-https
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: false

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /custom
    watch: true

certificatesResolvers:
  letsEncrypt:
    acme:
      email: postmaster@example.com
      storage: acme.json
      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: http