Traefik est un serveur proxy inverse open source qui permet une utilisation facile avec des microservices et / ou simplement des conteneurs avec vos applications.
Un proxy inverse (proxy inverse, proxy inverse) sert à relayer les demandes du réseau externe à tous les serveurs / services du réseau interne (par exemple, un serveur Web, une base de données ou un stockage de fichiers) et vous permet de:
- assurer la dissimulation de la structure du réseau interne et des détails des services qui s'y trouvent;
- équilibrer la charge (équilibrage de charge) entre des instances du même service ou des serveurs avec les mêmes tâches;
- fournir une connexion cryptée (HTTPS) entre le client et n'importe quel service, dans ce cas une session SSL est créée entre le client et le proxy, et une connexion HTTP non cryptée est établie entre le proxy et le service sur le réseau interne, si le service prend en charge HTTPS, vous pouvez alors organiser une connexion cryptée sur le réseau interne;
- organiser le contrôle d'accès aux services (authentification client), ainsi que mettre en place un pare-feu (pare-feu).
Cet article décrira l'utilisation de Traefik dans Docker comme proxy inverse pour d'autres conteneurs Docker ainsi que pour des services non conteneurisés.
introduction
Traefik “Edge Router”, . , , : -, Traefik ; -, Traefik EE — , HA (Hight Availability, ), (), , . , Traefik.
Traefik (“ ”) , .
:
- Docker
- Kubernetes
- Consul Catalog
- Marathon
- Rancher
- File
.
, , — “File”, ( ), - , , -. .
Traefik, “File” TOML YAML, YAML , - , . Traefik Docker. docker-compose, .
* Linux.
Traefik
docker docker-compose, .
traefik, ,
mkdir ~/traefik
cd ~/traefik () Traefik docker-compose.yml . :
version: '3'
services:
traefik:
image: traefik:v2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro 80 443 HTTP HTTPS . Docker . Traefik traefik.yml data .
networks Docker-, Traefik .
.
( , ):
entryPoints:
http:
address: ":80"
https:
address: ":443" http https ( , a b) .
— Docker, :
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: falseTraefik , . — Traefik ( ).
HTTP HTTPS ( ):
http:
routers:
http-catchall:
rule: HostRegexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: falseTraefik HTTP , TCP UDP, http.
Traefik 2 routers () middlewares( ), .
:
http-catchall— , ,httpTraefik;rule:— , ,HostRegexp,Host.+( ), Traefik — (host),{name:reg_exp};entrypoints— , ,http;middlewares— , ( ).
redirect-to-https— , ,httpTraefik;redirectScheme— , ;scheme: https— HTTPS ;permanent: false— .
entryPoints:
http:
address: ":80"
https:
address: ":443"
http:
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: false
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false.
sudo docker-compose up -d , (sudo docker-compose logs -f) , .
Let's Encrypt
HTTPS - SSL , , Let's Encrypt.
(traefik.yml) :
certificatesResolvers:
letsEncrypt:
acme:
email: postmaster@example.com
storage: acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: http:
letsEncrypt— ;acme— ( - );storage— , ;httpChallenge— acme-, — ;caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"— Let's Encrypt , API ( , ).
volumes docker-compose.yml, ( data/acme.json):
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.jsonDocker
HTTPS , , Traefik, Traefik Docker, .
Docker Traefik (labels) . docker-compose.yml:
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888" :
traefik.enable=true — Traefik , ;
traefik.http.routers.traefik.entrypoints=https — https;
traefik.http.routers.traefik.rule=Host(traefik.example.com) — traefik.example.com;
traefik.http.routers.traefik.tls=true — TLS;
traefik.http.routers.traefik.tls.certresolver=letsEncrypt — ;
traefik.http.routers.traefik.service=api@internal — , — api@internal, , , ;
traefik.http.services.traefik-traefik.loadbalancer.server.port=888 — , , .
, traefik.yml:
api:
dashboard: true ( docker-compose.yml):
sudo docker-compose down && sudo docker-compose up -d traefik.example.com ( , Traefik) .
, , , BasicAuth, Traefik middleware.
(admin/password)^
$ htpasswd -nb admin password
admin:$apr1$vDSqkf.v$GTJOtsd9CBiAFFnHTI2Ds1 docker-compose.yml :
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
- "traefik.http.routers.traefik.middlewares=traefik-auth", $ $$.
traefik.http.middlewares.traefik-auth.basicauth.users=... — middleware basicauth users;
traefik.http.routers.traefik.middlewares=traefik-auth — traefik - middleware.
version: '3'
services:
traefik:
image: traefik:v2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
- "traefik.http.routers.traefik.middlewares=traefik-auth".
, docker-compose ( docker):
labels:
- "traefik.enable=true"
- "traefik.http.routers.test.entrypoints=https"
- "traefik.http.routers.test.rule=Host(`test.example.com`)"
- "traefik.http.routers.test.tls=true"
- "traefik.http.routers.test.tls.certresolver=letsEncrypt"
- "traefik.http.services.test-service.loadbalancer.server.port=80" traefik.http.services.test-service.loadbalancer.server.port=80 — test-service 80, test, Traefik , .
File
, - ( IP 192.168.1.222 8080) , HTTPS. .
docker-compose.yml volume:
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/custom/:/custom/:ro
- ./data/acme.json:/acme.json data/custom/ ( , ).
traefik.yml file :
providers:
...
file:
directory: /custom
watch: true docker-compose.yml, watch: true Traefik ( “ ”, , ).
Traefik (data/custom/host.yml):
http:
routers:
host:
entryPoints:
- https
service: service-host
rule: Host(`host.example.com`)
tls:
certResolver: letsEncrypt
services:
service-host:
loadBalancer:
servers:
- url: http://192.168.1.222:8080/
passHostHeader: true , service: service-host — , TLS.
:
_:
loadBalancer:
servers:
-
- ... passHostHeader: true , .
:
version: '3'
services:
traefik:
image: traefik:v2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/custom/:/custom/:ro
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
- "traefik.http.routers.traefik.middlewares=traefik-auth"api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
http:
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: false
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
directory: /custom
watch: true
certificatesResolvers:
letsEncrypt:
acme:
email: postmaster@example.com
storage: acme.json
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: httphttp:
routers:
host:
entryPoints:
- https
service: service-host
rule: Host(`host.example.com`)
tls:
certResolver: letsEncrypt
services:
service-host:
loadBalancer:
servers:
- url: http://192.168.1.222:8080/
passHostHeader: true Traefik HTTP Docker File. SSL Let's Encrypt, HTTPS, .
TCP UDP ( , — TCP), , Traefik .
.
Traefik vous permet de collecter des informations sur votre travail dans différents formats, voyons comment cela se fait lors de l'utilisation de Prometheus.
Ajoutons un nouveau point d'entrée
data/traefik.yml::
entryPoints:
...
metrics:
address: ":8082"docker-compose.yml:
ports:
- 80:80
- 443:443
- 8082:8082Et ajoutez la possibilité de collecter des métriques pour Prometheus à partir de ce port data/traefik.yml:
metrics:
prometheus:
entryPoint: metricsIl ne reste plus qu'à configurer Prometheus pour collecter des métriques à partir de traefik_ip:8082.
Voici le contenu des fichiers avec les configurations résultantes:
version: '3'
services:
traefik:
image: traefik:v2.2
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
- 8082:8082
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data/custom/:/custom/:ro
- ./data/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.traefik.tls=true"
- "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$vDSqkf.v$$GTJOtsd9CBiAFFnHTI2Ds1"
- "traefik.http.routers.traefik.middlewares=traefik-auth"api:
dashboard: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
metrics:
address: ":8082"
metrics:
prometheus:
entryPoint: metrics
http:
routers:
http-catchall:
rule: hostregexp(`{host:.+}`)
entrypoints:
- http
middlewares:
- redirect-to-https
middlewares:
redirect-to-https:
redirectScheme:
scheme: https
permanent: false
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
directory: /custom
watch: true
certificatesResolvers:
letsEncrypt:
acme:
email: postmaster@example.com
storage: acme.json
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: http