I'm trying to set up traefik as a container but can't get an existing certificate to work. It works when I define it in traefik_dynamic.toml,
but I can't get it to work via the label entries in the docker compose file.
My traefik.toml contains:
```toml
[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "DEBUG"
[accessLog]
  filePath = "/var/log/traefik/access.log"
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"
[api]
  dashboard = true
[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"
```
My docker-compose YAML contains:
```yaml
    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      - "traefik.port=8080"
      # Create middlewares (authentication)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:[snip]"
      # Configure web entrypoint rules (":80")
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem"
      - "traefik.tls.stores.default.defaultCertificate.keyFile=/example.live.privkey.pem"
      # Use middlewares for basic auth
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
```
I'd like to know how to make traefik use a default certificate for any service (either in traefik.toml or in the labels: section of docker-compose.yml). Please note: I don't want to use traefik's own letsencrypt integration; it needs to use the certificate from files somewhere on the system (regardless of whether letsencrypt is currently the one providing the certificate).
Note: this worked before in traefik_dynamic.toml:
```toml
[tls.stores.default]
  [tls.stores.default.defaultCertificate]
    certFile = "/example.live.fullchain.pem"
    keyFile = "/example.live.privkey.pem"
```
(I also have a problem accessing the dashboard even with the self-signed certificate that traefik generates — I just get 404s, but the cert is the first problem I'm trying to solve). [UPDATE: that problem was a misconfiguration as well; see the provided answer below for the working result]
Answer 1
The answer is: it cannot be done via docker compose labels. I now have some shared dynamic settings in a "file provider".
traefik.toml:
```toml
[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "WARN"
[accesslog]
  filePath = "/var/log/traefik/access.log"
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"
[api]
  dashboard = true
  debug = true
  insecure = false
# This file provider contains the following settings which are shared across other providers:
# - basic auth
# - default cert
[providers.file]
  watch = true
  filename = "/etc/traefik/shared_providers_dynamic.toml"
[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"
```
shared_providers_dynamic.toml:
```toml
[http.middlewares.simpleAuth.basicAuth]
  users = [
    "(snip):(snip)"
  ]
[http.middlewares.mylan.ipWhiteList]
  sourceRange = ["(snip)", "(snip)"]
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile = "/example.live.privkey.pem"
```
docker-compose.yml contains:
```yaml
    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "443:443"
    labels:
      - "traefik.enable=true"
      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # Both middlewares from the file provider, as one comma-separated list: a label key
      # may only appear once, so repeating the "middlewares" key would keep just one of them
      - "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file,mylan@file"
```
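Two things go wrong silently with this setup: the certFile/keyFile paths in the dynamic TOML must exist inside the container (i.e. match the container side of a volume mount), and a compose label key given twice keeps only one value, so a basic-auth middleware can vanish from the router without any error. The following checker is an added example, not code from the post; the sample TOML, volume and label lists are constructed from the configuration above, and the parsing is a simple regex/line scan rather than a full TOML or YAML parser.

```python
import re
from collections import defaultdict

# Constructed sample mirroring shared_providers_dynamic.toml from the answer.
DYNAMIC_TOML = """
[tls.stores.default.defaultCertificate]
  certFile = "/example.live.fullchain.pem"
  keyFile = "/example.live.privkey.pem"
"""

# Constructed sample of the compose "volumes:" entries (host:container[:mode]).
COMPOSE_VOLUMES = [
    "/srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml",
    "/var/run/docker.sock:/var/run/docker.sock:ro",
    "/etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem",
    "/etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem",
]

# Constructed sample "labels:" entries with the duplicated-key mistake.
COMPOSE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file",
    "traefik.http.routers.traefik-secure.middlewares=mylan@file",
]

_PEM_KEY = re.compile(r'^\s*(certFile|keyFile)\s*=\s*"([^"]+)"', re.M)

def cert_paths(toml_text):
    """certFile/keyFile paths named in the dynamic TOML (as Traefik sees them in the container)."""
    return dict(_PEM_KEY.findall(toml_text))

def container_paths(volumes):
    """Container-side path of each bind mount 'host:container[:mode]'."""
    return {v.split(":")[1] for v in volumes if ":" in v}

def unmounted_cert_paths(toml_text, volumes):
    """Certificate paths Traefik will open that no volume actually provides."""
    mounted = container_paths(volumes)
    return sorted(p for p in cert_paths(toml_text).values() if p not in mounted)

def duplicate_label_keys(labels):
    """Label keys listed more than once; compose keeps one value, so a middleware is dropped."""
    seen = defaultdict(list)
    for label in labels:
        key, _, value = label.partition("=")
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

def merged_middlewares_label(labels, router):
    """The single comma-separated label Traefik expects for a router's middleware chain."""
    key = f"traefik.http.routers.{router}.middlewares"
    names = [l.partition("=")[2] for l in labels if l.startswith(key + "=")]
    return f"{key}={','.join(names)}"
```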