我正在尝试使用 docker、letsencrypt 和 traefik 设置家庭自动化服务器。还使用 duckdns 作为 ddns。我在同一台机器上还有一些其他容器,例如 sickrage 等。
我已打开路由器上的端口 80 和 443 并将其转发到我的 ubuntu 18.04 服务器。当我尝试通过 http 连接到 sickrage.myserver.duckdns.org 时,出现以下错误:
**Your connection is not private**
Attackers might be trying to steal your information from sabnzbd.myserver.duckdns.org
NET::ERR_CERT_AUTHORITY_INVALID
这是我的 traefik.toml 文件:
logLevel = "WARN" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
defaultEntryPoints = ["http", "https"]
# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
entryPoint = "traefik"
dashboard = true
address = ":8080"
# Force HTTPS
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[file]
watch = true
filename = "${USERDIR}/docker/traefik/rules.toml"
# Let's encrypt configura
[acme]
caServer = "https://acme-v02.api.letsencrypt.org/directory"
email = "[email protected]" #any email id will work
storage="${USERDIR}/docker/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
onHostRule = true
# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
# uncomment 2 lines for subdirs
#[acme.httpChallenge]
[acme.dnsChallenge]
provider = "duckdns"
entryPoint = "https"
# uncomment follwoing for suubsomains
#[[acme.domains]]
#main = "myserver.duckdns.org"
#[[acme.domains]]
#main = "*.myserver.duckdns.org"
#[acme.dnsChallenge]
#provider = "duckdns"
#delayBeforeCheck = 0
# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "myserver.duckdns.org"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
我的docker-compose文件的部分内容如下:
---
version: "3.6"
services:
############################################# Frontends ############################
############################################# Traefik - Reverse proxy ###########################
traefik:
hostname: traefik
image: traefik:latest
container_name: traefik
restart: always
domainname: ${DOMAINNAME}
command: --api --docker --docker.domain=${DOMAINNAME} --docker.watch --loglevel=DEBUG
#command: --api --docker --docker.domain=docker.localhost --docker.watch --loglevel=DEBUG
networks:
- default
- traefik_proxy
depends_on:
- duckdns
environment:
- TOKEN=${DUCKDNS_TOKEN}
ports:
- "80:80"
- "443:443"
- "8008:8080"
labels:
- "traefik.enable=true"
- "traefik.backend=traefik"
- "traefik.port=8080"
- "traefik.protocol=http"
#- "traefik.frontend.auth.basic=patrick:$$2y$$05$$a8dtYfcMqH.kUFq3zZPGqe9kq7Tyok7.3/mKdMa1NaCuSwAZ0InOq"
#- "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
- "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.entryPoints=https"
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=dellubuntu.duckdns.org"
- "traefik.frontend.headers.STSIncludeSubdomains=false"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
#- "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${USERDIR}/docker/traefik/acme/acme.json:/acme.json
- ${USERDIR}/docker/traefik/traefik.toml:/traefik.toml
- ${USERDIR}/docker/letsencrypt/config/etc/letsencrypt:/le-ssl
- ${USERDIR}/docker/traefik:/etc/traefik
- ${USERDIR}/docker/shared:/shared
#Letsencrypt ------------------------ Letsencrypt
letsencrypt:
image: linuxserver/letsencrypt
container_name: le
#ports:
#- "447:443"
networks:
- default
- traefik_proxy
volumes:
- ${USERDIR}/docker/letsencrypt/config:/config
restart: always
depends_on:
- portainer
- heimdall
- organizr2
- lazylibrarian
- plex
- tautulli
- headphones
#- lidarr
- couchpotato
#- radarr
- sickrage
#- sonarr
#- airsonic
- glances
- ghost
- transmission-vpn
- sabnzbd
- huginn
- netdata
#- nextcloud
#- hydra2
#- nzbget
#- jackett
##- duplicati
##- bazarr
##- homeassistant
##- filebrowser
##- ombi
##- elkarbackup
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- URL=${DOMAINNAME}
- EMAIL=${EMAIL}
- SUBDOMAINS=wildcard
- VALIDATION=duckdns
- DUCKDNSTOKEN=${DUCKDNS_TOKEN}
- ONLY_SUBDOMAINS=false
- DHLEVEL=4096
我尝试遵循的示例不包括 letsencrypt 容器。我应该删除它吗?如果是这样,letsencrypt 将如何跟踪已停止和已启动的容器?还有其他方法可以运行它吗?
答案1
Traefik 包含 letsencrypt 集成,因此不需要单独的 letsencrypt 容器。
Traefik 还默认终止 TLS 连接,通过 docker 内部网络以 HTTP 形式将请求传递给您的应用程序。您的连接在互联网上仍然是安全的,但您连接的应用程序不会知道这一点。您可以通过在服务traefik.protocol=https上指定来重新加密连接,但您的应用程序需要维护自己的 TLS 证书,Traefik 需要将其配置为信任这些证书,因为这些证书不会来自 LetsEncrypt。