In my earlier article comparing Traefik 1.7 with Traefik 2.x I complained loudly about how clunky Traefik 2 was: for every service we had to declare both the http and https entrypoints, explicitly enable tls and name a certresolver, and then use a middleware to redirect http to https. While looking into acme-dns for wildcard certificates these past few days I happened to notice that the Traefik 2.2 release of March 26 fixes most of what I was complaining about. My first try left me very pleasantly surprised, so I am writing this post to record it.
Recommended reading
- Official documentation
- The related Containeroo article 👍
Configuration examples
Static Configuration
Since the static configuration is the focus this time, let me start with that file.
These are the entryPoints as defined before:

```yaml
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
```
This is how entryPoints are written after the upgrade. You can see that http is redirected to https by default, that the secureHeaders middleware is applied by default, and that letsencrypt is named as the certificate resolver for TLS, all at the entrypoint level. Two points are worth checking: the @file suffix tells Traefik to look the middleware up in the file provider's dynamic configuration, and the name must exist there, because a router whose chain references an unknown middleware is put into an error state and not served; and the redirection target is the entrypoint name (to: https), for which Traefik defaults the scheme to https.

```yaml
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
```
Other things can be defined here as well. For instance, if you want a single certificate covering several names or a wildcard name, you can declare the domains right here on the https entrypoint (tls.domains, with a main name and its sans) instead of on each router. A wildcard name additionally requires the resolver to use the DNS challenge, since Let's Encrypt only issues wildcards through DNS-01.
The full configuration is as follows:

```yaml
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: http
  buypass:
    acme:
      email: admin@yourdomain
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: http
```
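The wildcard case mentioned above, as an added example that is not configuration from the original post: the same static file, with the https entrypoint requesting one certificate for the whole zone and the letsencrypt resolver switched from the HTTP challenge to the DNS-01 challenge through acme-dns, which is what Let's Encrypt requires for wildcard names. yourdomain, admin@yourdomain, the acme-dns server URL and the account file path are placeholders; the two environment variable names are the ones the lego acme-dns provider reads.

```yaml
# Added example, not configuration from the original post.
# Placeholders: yourdomain, admin@yourdomain, the acme-dns URL and the account file path.
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
  https:
    address: ":443"
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: letsencrypt
        # Request one certificate here instead of one per router: the apex plus
        # every first-level subdomain. Hosts matched by the wildcard are served
        # from it, so routers on this entrypoint need no tls.domains of their own.
        domains:
          - main: "yourdomain"
            sans:
              - "*.yourdomain"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain
      storage: acme.json
      keyType: EC384
      # Wildcard names are only issued via DNS-01, so the HTTP challenge used
      # earlier is replaced by the DNS challenge. "acme-dns" is the name of the
      # lego provider Traefik uses; it takes its settings from the environment:
      #   ACME_DNS_API_BASE=https://auth.yourdomain      (placeholder acme-dns server)
      #   ACME_DNS_STORAGE_PATH=/acme-dns-accounts.json  (placeholder path)
      # Pass those to the container with env_file. The storage file holds the
      # acme-dns update credentials, so protect it like acme.json.
      dnsChallenge:
        provider: acme-dns
```

Because the challenge now goes through DNS, port 80 no longer has to be reachable from the CA for issuance; it is kept only for the redirect to https.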
docker compose
Let's compare this with the Traefik labels section of the earlier BitWarden article:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=http"
  - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain`)"
  - "traefik.http.routers.traefik.middlewares=https-redirect@file"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
  - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
  - "traefik.http.routers.traefik-secure.tls=true"
  - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
  - "traefik.http.routers.traefik-secure.service=api@internal"
```
With the new Traefik version the labels we have to add drop sharply, to 6. There is no longer any need to define two entryPoints per service, to redirect with a middleware, or to enable tls on each router. Note that user-auth@file stays on the dashboard router: the entrypoint defaults cover TLS and the redirect, not authentication.
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.docker.network=proxy"
  - "traefik.http.routers.traefik-secure.entrypoints=https"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
  - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
  - "traefik.http.routers.traefik-secure.service=api@internal"
```
The full configuration is as follows. Two things to check before the first start: Traefik refuses to load acme.json unless the file already exists with mode 600, and since entrypoint-level redirection only exists from 2.2 on, pin the image tag to a 2.2 release rather than relying on latest. Also bear in mind that mounting the Docker socket hands the container control of the Docker daemon; the :ro flag only makes the socket file itself read-only and does not restrict what can be sent over it, so Traefik should be the only workload with that mount.

```yaml
version: '3.3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
```
dynamic configuration
Nothing needs to change here. That said, since the redirect no longer needs a middleware, the https-redirect middleware can be deleted. The two middlewares that are still referenced by name, secureHeaders (from the static configuration) and user-auth (from the dashboard labels), must of course remain defined in this file, with exactly those names.
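As an added example, and not the dynamic configuration file from the original post (which is only referred to by name on this page), this is what dynamic.yml can look like once https-redirect is gone, with the two middlewares the static configuration and the dashboard labels refer to. The header values are an assumed baseline rather than values taken from the post, and the basicAuth entry is a placeholder.

```yaml
# Added example of dynamic.yml, not the file from the original post. Header values
# are an assumed baseline; the basicAuth entry is a placeholder.
http:
  middlewares:
    # Attached to every router on the https entrypoint by the static configuration
    # (secureHeaders@file), so no router has to list it.
    secureHeaders:
      headers:
        # HSTS for one year including subdomains, and eligible for preload lists.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        # Send HSTS even if Traefik does not see the request as HTTPS itself;
        # harmless here because the middleware only runs on the https entrypoint.
        forceSTSHeader: true
        frameDeny: true
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "strict-origin-when-cross-origin"

    # Still attached per router (the dashboard labels use user-auth@file): the
    # entrypoint defaults cover TLS and the redirect, not authentication.
    user-auth:
      basicAuth:
        # One htpasswd-style line per user; generate with `htpasswd -nB admin`.
        # In this file `$` needs no escaping; the `$$` doubling applies only to
        # docker-compose labels.
        users:
          - "admin:REPLACE_WITH_HTPASSWD_HASH"
```

A router whose middleware chain references a name that does not exist is put into an error state and not served; because the static file attaches secureHeaders@file to every router on https, a mismatch between the name here and the name there takes the whole entrypoint's routers down until it is fixed.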
Traefik really is a superb tool. Its configuration allows so much freedom, and so many ways of doing the same thing, that many people find it hard going when they first learn it, so I am glad to see the project correcting course towards simpler configuration. This small change sweeps away the clunky impression Traefik 2 left earlier and answers the user community's call for simpler configuration. I look forward to seeing what other interesting changes it brings.
Thank you for reading; I hope this article was helpful.