Why doesn't Traefik 2.0 detect the default static certificate I specified, and generate its own instead?

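In my initial attempt to migrate a docker-swarm-based Traefik installation from 1.7 to 2.0, I found that the default, statically specified SSL configuration in the traefik.toml configuration file was ignored, and with debugging enabled, my docker logs showed many messages like this: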

time="2019-11-06T20:26:30Z" level=debug msg="No default certificate,generating one"
moon5422 answered: Why doesn't Traefik 2.0 detect the default static certificate I specified, and generate its own instead?

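It turns out that in Traefik 2.0, SSL configuration is always treated as dynamic configuration (read carefully here), so a dynamic file provider must be defined (see here), and this dynamic configuration must also live in a separate file from the main Traefik configuration file.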

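If you try to simplify this and declare the main traefik configuration file as the dynamic file provider, you will probably see this unhelpful message in the logs: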

time="2019-11-06T20:26:30Z" level=error msg="Cannot start the provider *file.Provider: template: :179:35: executing \"\" at <.Name>: can't evaluate field Name in type bool"

With a correct configuration, the message will instead look like this:

time="2019-11-06T20:45:20Z" level=debug msg="Configuration received from provider file: {\"http\":{},\"tcp\":{},\"tls\":{\"stores\":{\"default\":{\"defaultCertificate\":{\"certFile\":\"/etc/certs/server.crt\",\"keyFile\":\"/etc/certs/server.key\"}}}}}" providerName=file

Several posts on the containous community forum (e.g. here) and on Reddit (e.g. here) certainly helped in solving this problem, but hopefully this summary helps too.

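The following docker-compose.yml (hand-edited to remove some abstractions such as placement constraints, networks, our own authentication, etc.) at this point works to run Traefik as a scaled docker service on docker swarm, with the dashboard enabled and behind https. In this case the Traefik labels are on the Traefik service itself, and set up a router and "backend" service for the dashboard running on 8080.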

version: '3.3'
secrets:
  rsa_private_key:
    file: key.pem
  rsa_cert:
    file: crt.pem
configs:
  toml_conf:
    file: traefik.toml
  dynamic_toml_conf:
    file: dynamic_conf.toml
services:
  svc:
    # The official v2.0 Traefik docker image
    image: traefik:v2.0.2
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # Primary inbound HTTPS traffic.
      - "443:443"
      # HTTP traffic open for the purposes of permanent redirect to HTTPS.
      - "80:80"
    deploy:
      replicas: 3
      restart_policy:
        condition: on-failure
        max_attempts: 3
        delay: 30s
        window: 60s
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.api-sec.entrypoints=websecure"
        - "traefik.http.routers.api-sec.tls=true"
        - "traefik.http.routers.api-sec.tls.options=default"
        - "traefik.http.routers.api-sec.rule=Host(`myhost`)"
        - "traefik.http.routers.api-sec.service=api@internal"
        # Now the backend service...
        - "traefik.http.services.api.loadbalancer.server.port=8080"
    secrets:
      - source: rsa_private_key
        target: /etc/certs/server.key
      - source: rsa_cert
        target: /etc/certs/server.crt
    configs:
      - source: toml_conf
        target: /etc/traefik/traefik.toml
      - source: dynamic_toml_conf
        target: /etc/dynamic_conf.toml
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
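
The answer refers to traefik.toml and dynamic_conf.toml without showing them. The sketch below is an added example, not the answerer's own files, of how the two could be split so that the file provider yields the "Configuration received from provider file" message quoted above. The certificate and config paths and the websecure entry point name come from the compose file; the `web` entry point name, the debug log level and the docker provider settings are assumptions.

```toml
# ---------------------------------------------------------------
# /etc/traefik/traefik.toml  (static configuration, read at startup)
# ---------------------------------------------------------------
[log]
  level = "DEBUG"            # assumption: matches the debug output quoted above

[entryPoints]
  [entryPoints.web]          # assumption: name chosen for the port 80 listener
    address = ":80"
  [entryPoints.websecure]    # name used by the router labels in the compose file
    address = ":443"

[api]
  dashboard = true           # served through the api@internal service

[providers.docker]
  swarmMode = true           # assumption: service labels live under deploy.labels
  exposedByDefault = false   # assumption: only services with traefik.enable=true

# The file provider must point at a file OTHER than this one.
# Pointing it at traefik.toml itself is the setup that produced the
# "Cannot start the provider *file.Provider" error quoted above.
[providers.file]
  filename = "/etc/dynamic_conf.toml"

# ---------------------------------------------------------------
# /etc/dynamic_conf.toml  (dynamic configuration, loaded by the file provider)
# ---------------------------------------------------------------
# In Traefik 2.0 all TLS settings, including the default certificate,
# belong here. Left in traefik.toml they are ignored and Traefik logs
# "No default certificate, generating one".
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/etc/certs/server.crt"   # target of the rsa_cert secret
      keyFile  = "/etc/certs/server.key"   # target of the rsa_private_key secret
```

A quick check after deploying is to confirm that the debug log no longer contains "No default certificate" and that the certificate presented on port 443 is the one mounted from the rsa_cert secret rather than a Traefik-generated one.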