比nginx还要快的traefik使用
Published in -
24-05-21 15:12
# 什么是traefik
使用Go开发的现代HTTP反向代理和负载均衡器
轻量、快速、自动重启、证书申请简单、适合各种微服务,k3s默认集成的反向代理
# 安装
# 环境
docker
# 结构如下
traefik
├── README.md
├── data
│ ├── acme-dns
│ ├── acme.json
│ ├── configurations
│ │ ├── dynamic.yml
│ │ └── whoami.yml
│ ├── log
│ │ └── log-file.log
│ └── traefik.yml
└── docker-compose.yml
# docker-compose.yml
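services:
  traefik:
    image: traefik:v2.11.2
    container_name: traefik
    restart: always
    security_opt:
      # Stops processes in the container from gaining extra privileges
      # (for example through setuid binaries).
      - "no-new-privileges:true"
    ports:
      # Quoted so no YAML parser can read a port pair as a number.
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE: ":ro" only protects the socket file, not the Docker API behind
      # it. Anything that can talk to this socket can control the host's
      # Docker daemon, so treat this container as host-privileged. A
      # filtering socket proxy that exposes only read endpoints reduces the
      # blast radius if Traefik is ever compromised.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      # Holds the ACME account key and every issued private key. Create it
      # as a regular file with mode 600 before the first start; if it is
      # missing, Docker creates a directory at this path instead.
      - ./data/acme.json:/acme.json
      - ./data/acme-dns:/acme-dns
      # Folder with the dynamic configuration YAML files.
      - ./data/configurations/:/configurations/
      - ./data/log/:/log/
    networks:
      - proxy
    environment:
      # Credentials for the Alibaba Cloud DNS-01 challenge. They are read
      # from the shell environment or an untracked .env file next to this
      # compose file, so the secrets never live in this file. Use an access
      # key restricted to DNS record management.
      - "ALICLOUD_ACCESS_KEY=${ALICLOUD_ACCESS_KEY:?set ALICLOUD_ACCESS_KEY in .env}"
      - "ALICLOUD_SECRET_KEY=${ALICLOUD_SECRET_KEY:?set ALICLOUD_SECRET_KEY in .env}"
      # Placeholder from the article: replace with your region id.
      - ALICLOUD_REGION_ID=xxx
      # Credentials for the Cloudflare DNS-01 challenge. Only needed when
      # the Cloudflare resolver in traefik.yml is enabled; empty otherwise.
      # A zone-scoped API token (CLOUDFLARE_DNS_API_TOKEN) is a
      # lower-privilege alternative to the global API key.
      - "CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL:-}"
      - "CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY:-}"
    extra_hosts:
      - "host.docker.internal:host-gateway"

  # Optional: extracts the certificates from acme.json into PEM files so
  # they can be uploaded to other platforms.
  certdumper:
    # NOTE: ":latest" is a moving tag. Pin a specific release tag or image
    # digest so an upstream change cannot silently alter a container that
    # reads your private keys.
    image: humenius/traefik-certs-dumper:latest
    container_name: certdumper
    restart: always
    volumes:
      - ./data:/traefik:ro
      # The output directory receives private keys in PEM form. Restrict
      # its ownership and permissions on the host.
      - /data/ssl:/output:rw
    networks:
      - proxy

networks:
  # Created outside this compose file and shared with the proxied services.
  proxy:
    external: true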
# traefik.yml
traefik的配置文件
# Static configuration, mounted into the container as /traefik.yml.
api:
  # Enables the dashboard. api.insecure is not set, so the dashboard is
  # reachable only through a router that targets api@internal.
  dashboard: true

log:
  format: json
  filePath: '/log/log-file.log'

# Entry point definitions
entryPoints:
  web:
    address: ':80'
    # HTTP -> HTTPS redirection is left disabled, as in the article.
    # NOTE(review): when enabling it, `to` must name an entry point from
    # this file (websecure) or a port such as ":443"; no entry point called
    # "https" is defined here. While it stays disabled, any router without
    # an explicit entryPoints list is also served over plain HTTP.
    # http:
    #   redirections:
    #     entryPoint:
    #       to: https
  websecure:
    address: ':443'
    http:
      middlewares:
        - httpsHeaders@file
      tls:
        certResolver: le-dns
        domains:
          # Request a wildcard certificate up front; hosts under this
          # domain are then served over TLS without further setup.
          - main: 'xxx.cn'
            sans:
              - '*.xxx.cn'

pilot:
  dashboard: false

certificatesResolvers:
  # DNS-01 validation through Alibaba Cloud DNS
  le-dns:
    acme:
      email: xxx@qq.com
      # Resolves to /acme.json in the container. The file holds the ACME
      # account key and certificate private keys; keep it at mode 600.
      storage: acme.json
      dnsChallenge:
        provider: alidns
        delayBeforeCheck: 0
  # DNS-01 validation through Cloudflare (disabled)
  # cf-dns:
  #   acme:
  #     email: xxx@qq.com
  #     storage: acme.json
  #     dnsChallenge:
  #       provider: cloudflare
  #       delayBeforeCheck: 0

providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    # Containers are not published unless they opt in explicitly.
    exposedByDefault: false
  file:
    # Every file in this directory is loaded and reloaded on change, so
    # write access to it is equivalent to control over routing.
    directory: /configurations/
    watch: true
启动traefik服务
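# Run from the directory that contains docker-compose.yml.

# The compose file declares the "proxy" network as external, so it must
# exist before the stack starts; create it only when it is missing.
docker network inspect proxy >/dev/null 2>&1 || docker network create proxy

# acme.json stores the ACME account key and certificate private keys.
# Traefik refuses to use it unless it is a regular file with mode 600, and
# Docker would create a directory at a missing bind-mount path.
touch data/acme.json
chmod 600 data/acme.json

# Start the services in the background.
docker compose up -d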
# 配置 /configurations/dynamic.yml
配置一些常用的中间件
# 中间件
http:
  middlewares:
    # Custom response header
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: 'interest-cohort=()'

    # HTTPS middleware (attached to the websecure entry point in traefik.yml)
    httpsHeaders:
      headers:
        # sslRedirect allowed only HTTPS requests when true (deprecated)
        # sslRedirect: true
        # Send the Strict-Transport-Security header.
        forceSTSHeader: true
        # HSTS parameters. includeSubdomains plus preload for one year
        # commits every subdomain to HTTPS in browsers; confirm that all
        # subdomains serve valid TLS before keeping these values.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

    # Middleware that requires a username and password.
    # The entry below is the article's demo credential (user "test",
    # password "test") and is publicly known. Replace it with your own
    # user and a hash generated locally, e.g. `htpasswd -nB <user>`
    # (bcrypt), before the dashboard is reachable from any network.
    user-auth:
      basicAuth:
        users:
          - 'test:$apr1$lH3nyBaa$/wCu0V3.1kYdpZPHRbiyv/'
# traefik面板代理/configurations/default.yml
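http:
  # Routers
  routers:
    # Publishes the Traefik dashboard (internal service api@internal)
    # behind the user-auth basic-auth middleware.
    router-traefik:
      rule: 'Host(`traefik.xxx.cn`)'
      # Bind the dashboard to the TLS entry point only. Without an
      # entryPoints list the router is attached to every entry point,
      # including plain-HTTP "web", and the basic-auth credentials would
      # be sent unencrypted on port 80.
      entryPoints:
        - websecure
      middlewares:
        - user-auth@file
      service: api@internal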
# 启动一个whoami的docker服务
services:
  whoami:
    # No tag is given, so the image resolves to "latest"; pin a release
    # tag or digest for reproducible deployments.
    image: traefik/whoami
    # container_name is the name under which other containers on the same
    # Docker network can reach this service.
    container_name: whoami
    # No ports are published: the service is reachable only through the
    # shared proxy network.
    networks:
      - proxy

networks:
  proxy:
    external: true
# 配置 /configurations/whoami.yml
配置whoami的反向代理
http:
  # Routers
  routers:
    # No entryPoints list: this router is attached to every entry point,
    # so the demo service answers on port 80 as well as 443.
    router-whoami:
      service: service-whoami
      rule: 'Host(`whoami.xxx.cn`)'

  # Services
  services:
    service-whoami:
      loadBalancer:
        servers:
          # "whoami" is the container_name from the service's
          # docker-compose.yml; the port is the one the service listens on
          # inside the container.
          - url: 'http://whoami:80'
访问:whoami.xxx.cn即可
如果无法访问,可以查看**/data/log/log-file.log**文件中的日志排查