traefik 未重定向到 https

traefik 未重定向到 https

我正在尝试使用 docker、letsencrypt 和 traefik 设置家庭自动化服务器。还使用 duckdns 作为 ddns。我在同一台机器上还有一些其他容器,例如 sickrage 等。

我已打开路由器上的端口 80 和 443 并将其转发到我的 ubuntu 18.04 服务器。当我尝试通过 http 连接到 sickrage.myserver.duckdns.org 时,出现以下错误:

**Your connection is not private**
Attackers might be trying to steal your information from sabnzbd.myserver.duckdns.org 
NET::ERR_CERT_AUTHORITY_INVALID

这是我的 traefik.toml 文件:

    logLevel = "WARN" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
defaultEntryPoints = ["http", "https"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations 
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
     entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]


[file]
  watch = true
  filename = "${USERDIR}/docker/traefik/rules.toml"

# Let's encrypt configura
[acme]
caServer = "https://acme-v02.api.letsencrypt.org/directory"
email = "[email protected]"     #any email id will work
storage="${USERDIR}/docker/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true 
onDemand = false #create certificate when container is created
onHostRule = true
  # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
  # uncomment 2 lines for subdirs
#[acme.httpChallenge]
[acme.dnsChallenge]
provider = "duckdns"
entryPoint = "https"
  # uncomment follwoing for suubsomains
#[[acme.domains]]
  #main = "myserver.duckdns.org"
#[[acme.domains]]
  #main = "*.myserver.duckdns.org"
#[acme.dnsChallenge]
  #provider = "duckdns"
  #delayBeforeCheck = 0

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.duckdns.org"
watch = true
# This will hide all docker containers that don't have explicitly  
# set label to "enable"
exposedbydefault = false

我的docker-compose文件的部分内容如下:

    ---
version: "3.6"
services:
  #############################################   Frontends               ############################
  #############################################   Traefik - Reverse proxy  ###########################
  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME} 
    command: --api --docker --docker.domain=${DOMAINNAME} --docker.watch --loglevel=DEBUG
    #command: --api --docker --docker.domain=docker.localhost --docker.watch --loglevel=DEBUG
    networks:
      - default
      - traefik_proxy
    depends_on:
      - duckdns
    environment:
      - TOKEN=${DUCKDNS_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      - "8008:8080"
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.port=8080"
      - "traefik.protocol=http"
        #- "traefik.frontend.auth.basic=patrick:$$2y$$05$$a8dtYfcMqH.kUFq3zZPGqe9kq7Tyok7.3/mKdMa1NaCuSwAZ0InOq"
        #- "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"  
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.entryPoints=https"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=dellubuntu.duckdns.org"
      - "traefik.frontend.headers.STSIncludeSubdomains=false"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
        #- "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik/acme/acme.json:/acme.json
      - ${USERDIR}/docker/traefik/traefik.toml:/traefik.toml
      - ${USERDIR}/docker/letsencrypt/config/etc/letsencrypt:/le-ssl
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared
  #Letsencrypt                                                    ------------------------ Letsencrypt
  letsencrypt:
    image:  linuxserver/letsencrypt
    container_name: le
    #ports:
      #- "447:443"
    networks:
      - default
      - traefik_proxy
    volumes:
      - ${USERDIR}/docker/letsencrypt/config:/config
    restart: always
    depends_on:
      - portainer
      - heimdall
      - organizr2
      - lazylibrarian
      - plex
      - tautulli
      - headphones
        #- lidarr
      - couchpotato
        #- radarr
      - sickrage
        #- sonarr
        #- airsonic
      - glances
      - ghost
      - transmission-vpn
      - sabnzbd
      - huginn
      - netdata
        #- nextcloud
        #- hydra2
        #- nzbget
        #- jackett
        ##- duplicati
        ##- bazarr
        ##- homeassistant
        ##- filebrowser
        ##- ombi
        ##- elkarbackup
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - URL=${DOMAINNAME}
      - EMAIL=${EMAIL}
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=${DUCKDNS_TOKEN}
      - ONLY_SUBDOMAINS=false
      - DHLEVEL=4096

我尝试遵循的示例不包括 letsencrypt 容器。我应该删除它吗?如果是这样,letsencrypt 将如何跟踪已停止和已启动的容器?还有其他方法可以运行它吗?

答案1

Traefik 包含 letsencrypt 集成,因此不需要单独的 letsencrypt 容器。

Traefik 还默认终止 TLS 连接,通过 docker 内部网络以 HTTP 形式将请求传递给您的应用程序。您的连接在互联网上仍然是安全的,但您连接的应用程序不会知道这一点。您可以通过在服务traefik.protocol=https上指定来重新加密连接,但您的应用程序需要维护自己的 TLS 证书,Traefik 需要将其配置为信任这些证书,因为这些证书不会来自 LetsEncrypt。

相关内容