企业级——容器反向代理利器之traefik
myzbx 2025-09-29 08:32 48 浏览
traefik
Traefk 是一个云原生的新型的 HTTP 反向代理、负载均衡软件,能轻易的部署微服务。它支持多种后端 (Docker, Swarm, Mesos/Marathon, Consul, Etcd, Zookeeper, BoltDB, Rest API, file...) , 可以对配置进行自动化、动态的管理。
证书
证书生成,采用acme.sh自动生成,推荐neilpang/acme.sh镜像,支持aliyun dns api直接操作dns的创建和修改。
version: "3"
services:
acme.sh:
image: neilpang/acme.sh
container_name: acme.sh
restart: always
network_mode: host
environment:
- TZ=Asia/Shanghai
- Ali_Key='替换aliyun的 key'
- Ali_Secret='替换aliyun的 secret'
- ACCOUNT_THUMBPRINT='acme.sh 日志中 可以看到 账号信息'
volumes:
- ./ssl:/acme.sh
- ./html:/webroot
command: daemon生成泛域名证书
acme.sh --issue --dns dns_ali --force --log -d clibing.com -d \*.clibing.com结果
ssl
├── account.conf
├── acme.sh.log
├── ca
│ ├── acme-v02.api.letsencrypt.org
│ │ └── directory
│ │ ├── account.json
│ │ ├── account.key
│ │ └── ca.conf
│ └── acme.zerossl.com
│ └── v2
│ └── DV90
│ ├── account.json
│ ├── account.key
│ └── ca.conf
├── clibing.com
│ ├── ca.cer
│ ├── clibing.com.cer
│ ├── clibing.com.conf
│ ├── clibing.com.csr
│ ├── clibing.com.csr.conf
│ ├── clibing.com.key
│ └── fullchain.cer
├── dhparams.pem
├── http.header
└── linuxcrypt.cn
├── ca.cer
├── fullchain.cer
├── linuxcrypt.cn.cer
├── linuxcrypt.cn.conf
├── linuxcrypt.cn.csr
├── linuxcrypt.cn.csr.conf
└── linuxcrypt.cn.key快速部署traefix
tls.toml 配置文件
[tls]
[tls.options.default]
minVersion = "VersionTLS12"
sniStrict = true
cipherSuites = [
# TLS 1.3
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
# TLS 1.2
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
]
[tls.stores.default.defaultCertificate]
certFile = "/certs/clibing.com/fullchain.cer"
keyFile = "/certs/clibing.com/clibing.com.key"
[[tls.certificates]]
certFile = "/certs/clibing.com/fullchain.cer"
keyFile = "/certs/clibing.com/clibing.com.key"
[[tls.certificates]]
certFile = "/certs/linuxcrypt.cn/fullchain.cer"
keyFile = "/certs/linuxcrypt.cn/linuxcrypt.cn.key"docker-compose.yaml
name: traefik
services:
traefik:
image: traefik:v3.1.1
restart: always
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
# 避免 Traefik 进行数据上报
extra_hosts:
# https://github.com/traefik/traefik/blob/master/pkg/version/version.go#L64
- "update.traefik.io:127.0.0.1"
# https://github.com/containous/traefik/blob/master/pkg/collector/collector.go#L20
- "collect.traefik.io:127.0.0.1"
- "stats.g.doubleclick.net:127.0.0.1"
command:
- "--global.sendanonymoususage=false" # 避免 Traefik 进行数据上报
- "--global.checknewversion=false" # 避免 Traefik 进行数据上报
- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true" # dashboard 默认8080
- "--api.debug=false"
- "--ping=true"
- "--log.level=INFO"
- "--log.format=common"
- "--accesslog=false"
- "--providers.docker=true"
- "--providers.docker.watch=true"
- "--providers.docker.exposedbydefault=false" # 为了避免Traefik智能的自动解析和将所有在Traefik网络的服务都尝试进行公开服务,我们可以在命令中添加下面的命令,让 Traefik 只对我们在 labels 中声明了要进行服务注册的应用提供服务
- "--providers.docker.endpoint=unix:///var/run/docker.sock" #
- "--providers.docker.useBindPortIP=false"
- "--providers.docker.network=traefik" # 使用指定虚拟网络
- "--providers.file=true"
- "--providers.file.watch=true"
- "--providers.file.directory=/etc/traefik/config" # 配置目录 当启用tls,默认会读取该目录下的tls.toml
- "--providers.file.debugloggeneratedtemplate=true"
networks:
- traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.middlewares.gzip.compress=true"
# 将服务协议从 HTTP 自动切换为 HTTPS 的 Traefik 中间件规则
- "traefik.http.middlewares.redir-https.redirectscheme.scheme=https"
- "traefik.http.middlewares.redir-https.redirectscheme.permanent=false"
# HTTP 网页服务的路由上添加这个中间件规则
- "traefik.http.routers.traefik-dashboard.middlewares=redir-https@docker"
- "traefik.http.routers.traefik-dashboard-secure.middlewares=gzip@docker"
- "traefik.http.routers.traefik-dashboard-api-secure.middlewares=gzip@docker"
- "traefik.http.routers.traefik-dashboard.entrypoints=http"
- "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.console.clibing.com`)"
- "traefik.http.routers.traefik-dashboard.service=noop@internal"
- "traefik.http.routers.traefik-dashboard-secure.entrypoints=https"
- "traefik.http.routers.traefik-dashboard-secure.tls=true"
- "traefik.http.routers.traefik-dashboard-secure.rule=Host(`traefik.console.clibing.com`)"
- "traefik.http.routers.traefik-dashboard-secure.service=dashboard@internal"
- "traefik.http.routers.traefik-dashboard-api-secure.entrypoints=https"
- "traefik.http.routers.traefik-dashboard-api-secure.tls=true"
- "traefik.http.routers.traefik-dashboard-api-secure.rule=Host(`traefik.console.clibing.com`) && PathPrefix(`/api`)"
- "traefik.http.routers.traefik-dashboard-api-secure.service=api@internal"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/:/etc/traefik/config/:ro
- ./certs/:/certs/:ro
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
interval: 3s
retries: 10
logging:
driver: "json-file"
options:
max-size: "10m"
networks:
traefik:
external: true访问8080查看 traefik dashboard管理界面
gitea增加labels
以下贴出关键部分
name: gitea
services:
gitea:
labels:
# https://soulteary.com/2020/02/04/gitea-git-server-with-docker-and-traefik-v2.html
- "traefik.enable=true"
- "traefik.http.routers.giteaweb.middlewares=https-redirect@file"
- "traefik.http.routers.giteaweb.entrypoints=http"
- "traefik.http.routers.giteaweb.rule=Host(`git.clibing.com`)"
- "traefik.http.routers.giteassl.middlewares=content-compress@file"
- "traefik.http.routers.giteassl.entrypoints=https"
- "traefik.http.routers.giteassl.tls=true"
- "traefik.http.routers.giteassl.rule=Host(`git.clibing.com`)"
- "traefik.http.services.giteabackend.loadbalancer.server.scheme=http"
- "traefik.http.services.giteabackend.loadbalancer.server.port=3000"
- "traefik.tcp.routers.giteassh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.giteassh.tls=true"
- "traefik.tcp.routers.giteassh.entrypoints=git"
- "traefik.tcp.routers.giteassh.service=gitea"
networks:
- traefik
networks:
traefik:
external: true配置jenkins lables
以下贴出关键部分
name: jenkins
services:
jenkins:
labels:
- "traefik.enable=true"
- "traefik.http.routers.jenkins.rule=Host(`build.clibing.com`)"
- "traefik.http.routers.jenkins.tls=true"
networks:
- traefik
networks:
traefik:
external: true配置nexus lables
name: nexus
services:
nexus:
labels:
- "traefik.enable=true"
- "traefik.http.routers.nexus.rule=Host(`nexus.clibing.com`)"
- "traefik.http.routers.nexus.tls=true"
networks:
- traefik
networks:
traefik:
external: true测试
追加本地dns记录
sudo vi /etc/hosts
192.168.1.101 git.clibing.com
192.168.1.101 build.clibing.com
192.168.1.101 nexus.clibing.com
jenkins:
curl -iv https://build.clibing.com/login
* Trying 192.168.1.101:443...
* Connected to build.clibing.com (192.168.1.101) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=clibing.com
* start date: Jun 17 00:00:00 2024 GMT
* expire date: Sep 15 23:59:59 2024 GMT
* subjectAltName: host "build.clibing.com" matched cert's "*.clibing.com"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faae3012200)
> GET /login HTTP/2
> Host: build.clibing.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
HTTP/2 200
< cache-control: no-cache,no-store,must-revalidate
cache-control: no-cache,no-store,must-revalidate
< content-type: text/html;charset=utf-8
content-type: text/html;charset=utf-8
< date: Sun, 04 Aug 2024 16:20:59 GMT
date: Sun, 04 Aug 2024 16:20:59 GMT
< expires: Thu, 01 Jan 1970 00:00:00 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
< server: Jetty(10.0.20)
server: Jetty(10.0.20)
< set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
set-cookie: JSESSIONID.d80c0716=node01v5orf3w4gj2f1g2xkyq3lfswf4.node0; Path=/; Secure; HttpOnly
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-frame-options: sameorigin
x-frame-options: sameorigin
< x-hudson: 1.395
x-hudson: 1.395
< x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
x-instance-identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPFmhRk8FB4H+Cj+JQ1Ibxemt9RatJlZsigI6mjWzZG7HEinJGJpBHrtdU+yNevwD+J8kF6PihabWP4xhK4nAebg6sFZvLCbD8AgJ/P7H1/+PBjRuKlhvpHsJPJ8SVLbDD/8wXB2yBhAIvEJoEzOKEFinIQ3X4zt/qPv8w+JgM47MWGaol06Bux7HnT5e4DF7ZrEfsI1JHj6JYepc8ElPC5nZbLM4tpXV63hA+2ir74cbuJf8Aj8zm+lgLM3VaOodtVRxcsxnE0zPjOsIjdJ0EFuPMxaOXah9lHcASrDnG8IvsJJPEIwzxm51Gkah6Q0GnC3dQ9la2yxpo+s1oZnPQIDAQAB
< x-jenkins: 2.452.3
x-jenkins: 2.452.3
< x-jenkins-session: a6707f59
x-jenkins-session: a6707f59
<
<!DOCTYPE html><html lang="en-US"><head resURL="/static/a6707f59" data-rooturl="" data-resurl="/static/a6707f59" data-imagesurl="/static/a6707f59/images"><title>Sign in [Jenkins]</title><meta name="ROBOTS" content="NOFOLLOW"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="icon" href="/static/a6707f59/favicon.svg" type="image/svg+xml"><link sizes="any" rel="alternate icon" href="/static/a6707f59/favicon.ico"><link rel="stylesheet" href="/static/a6707f59/jsbundles/simple-page.css" type="text/css"><script id="theme-manager-theme" type="application/json">{ "id": "none", "respect_system_appearance": false }</script><script src='/adjuncts/a6707f59/io/jenkins/plugins/thememanager/header/main.js' type='text/javascript'></script>
<link type="text/css" rel="stylesheet" href="http://localhost:8080/theme-dark/theme.css"/>
<script id="theme-manager-properties" type="application/json">{}</script>
* Connection #0 to host build.clibing.com left intact
</head><body class="app-sign-in-register"><section class="app-sign-in-register__branding"><div class="app-sign-in-register__branding__starburst"></div><img src="/static/a6707f59/images/svgs/logo.svg" alt="logo"></section><main id="main-panel" class="app-sign-in-register__content"><div class="app-sign-in-register__content-inner"><h1>Sign in to Jenkins</h1><script id="theme-manager-theme" type="application/json">{ "id": "none" }</script><form method="post" name="login" action="j_spring_security_check"><div><label class="app-sign-in-register__form-label" for="j_username">Username</label><input autocorrect="off" autocomplete="off" name="j_username" id="j_username" type="text" autofocus="autofocus" class="jenkins-input " autocapitalize="off"></div><div><label class="app-sign-in-register__form-label" for="j_password">Password</label><input name="j_password" id="j_password" type="password" class="jenkins-input "></div><div class="jenkins-checkbox"><input type="checkbox" id="remember_me" name="remember_me"><label for="remember_me">Keep me signed in</label></div><input name="from" type="hidden"><button type="submit" name="Submit" class="jenkins-button jenkins-button--primary">Sign in</button></form><div class="footer"></div></div></main></body></html>%参考
- 官网文档:https://doc.traefik.io/traefik/https/tls/
- https://maimai.cn/article/detail?fid=1795202127&efid=-fHLwxX3blYvcJlBQuvd8A
- https://cloud.tencent.com/developer/article/2323382
相关推荐
- 如何设计一个优秀的电子商务产品详情页
-
加入人人都是产品经理【起点学院】产品经理实战训练营,BAT产品总监手把手带你学产品电子商务网站的产品详情页面无疑是设计师和开发人员关注的最重要的网页之一。产品详情页面是客户作出“加入购物车”决定的页面...
- 怎么在JS中使用Ajax进行异步请求?
-
大家好,今天我来分享一项JavaScript的实战技巧,即如何在JS中使用Ajax进行异步请求,让你的网页速度瞬间提升。Ajax是一种在不刷新整个网页的情况下与服务器进行数据交互的技术,可以实现异步加...
- 中小企业如何组建,管理团队_中小企业应当如何开展组织结构设计变革
-
前言写了太多关于产品的东西觉得应该换换口味.从码农到架构师,从前端到平面再到UI、UE,最后走向了产品这条不归路,其实以前一直再给你们讲.产品经理跟项目经理区别没有特别大,两个岗位之间有很...
- 前端监控 SDK 开发分享_前端监控系统 开源
-
一、前言随着前端的发展和被重视,慢慢的行业内对于前端监控系统的重视程度也在增加。这里不对为什么需要监控再做解释。那我们先直接说说需求。对于中小型公司来说,可以直接使用三方的监控,比如自己搭建一套免费的...
- Ajax 会被 fetch 取代吗?Axios 怎么办?
-
大家好,很高兴又见面了,我是"高级前端进阶",由我带着大家一起关注前端前沿、深入前端底层技术,大家一起进步,也欢迎大家关注、点赞、收藏、转发!今天给大家带来的主题是ajax、fetch...
- 前端面试题《AJAX》_前端面试ajax考点汇总
-
1.什么是ajax?ajax作用是什么?AJAX=异步JavaScript和XML。AJAX是一种用于创建快速动态网页的技术。通过在后台与服务器进行少量数据交换,AJAX可以使网页实...
- Ajax 详细介绍_ajax
-
1、ajax是什么?asynchronousjavascriptandxml:异步的javascript和xml。ajax是用来改善用户体验的一种技术,其本质是利用浏览器内置的一个特殊的...
- 6款可替代dreamweaver的工具_替代powerdesigner的工具
-
dreamweaver对一个web前端工作者来说,再熟悉不过了,像我07年接触web前端开发就是用的dreamweaver,一直用到现在,身边的朋友有跟我推荐过各种更好用的可替代dreamweaver...
- 我敢保证,全网没有再比这更详细的Java知识点总结了,送你啊
-
接下来你看到的将是全网最详细的Java知识点总结,全文分为三大部分:Java基础、Java框架、Java+云数据小编将为大家仔细讲解每大部分里面的详细知识点,别眨眼,从小白到大佬、零基础到精通,你绝...
- 福斯《死侍》发布新剧照 "小贱贱"韦德被改造前造型曝光
-
时光网讯福斯出品的科幻片《死侍》今天发布新剧照,其中一张是较为罕见的死侍在被改造之前的剧照,其余两张剧照都是死侍在执行任务中的状态。据外媒推测,片方此时发布剧照,预计是为了给不久之后影片发布首款正式预...
- 2021年超详细的java学习路线总结—纯干货分享
-
本文整理了java开发的学习路线和相关的学习资源,非常适合零基础入门java的同学,希望大家在学习的时候,能够节省时间。纯干货,良心推荐!第一阶段:Java基础重点知识点:数据类型、核心语法、面向对象...
- 不用海淘,真黑五来到你身边:亚马逊15件热卖爆款推荐!
-
Fujifilm富士instaxMini8小黄人拍立得相机(黄色/蓝色)扫二维码进入购物页面黑五是入手一个轻巧可爱的拍立得相机的好时机,此款是mini8的小黄人特别版,除了颜色涂装成小黄人...
- 2025 年 Python 爬虫四大前沿技术:从异步到 AI
-
作为互联网大厂的后端Python爬虫开发,你是否也曾遇到过这些痛点:面对海量目标URL,单线程爬虫爬取一周还没完成任务;动态渲染的SPA页面,requests库返回的全是空白代码;好不容易...
- 最贱超级英雄《死侍》来了!_死侍超燃
-
死侍Deadpool(2016)导演:蒂姆·米勒编剧:略特·里斯/保罗·沃尼克主演:瑞恩·雷诺兹/莫蕾娜·巴卡林/吉娜·卡拉诺/艾德·斯克林/T·J·米勒类型:动作/...
- 停止javascript的ajax请求,取消axios请求,取消reactfetch请求
-
一、Ajax原生里可以通过XMLHttpRequest对象上的abort方法来中断ajax。注意abort方法不能阻止向服务器发送请求,只能停止当前ajax请求。停止javascript的ajax请求...
- 一周热门
- 最近发表
- 标签列表
-
- HTML 简介 (30)
- HTML 响应式设计 (31)
- HTML URL 编码 (32)
- HTML Web 服务器 (31)
- HTML 表单属性 (32)
- HTML 音频 (31)
- HTML5 支持 (33)
- HTML API (36)
- HTML 总结 (32)
- HTML 全局属性 (32)
- HTML 事件 (31)
- HTML 画布 (32)
- HTTP 方法 (30)
- 键盘快捷键 (30)
- CSS 语法 (35)
- CSS 轮廓宽度 (31)
- CSS 谷歌字体 (33)
- CSS 链接 (31)
- CSS 定位 (31)
- CSS 图片库 (32)
- CSS 图像精灵 (31)
- SVG 文本 (32)
- 时钟启动 (33)
- HTML 游戏 (34)
- JS Loop For (32)