默认证书在 traefik v2 和 docker compose 中不起作用

tag-icon tag-icon docker-compose traefik
默认证书在 traefik v2 和 docker compose 中不起作用

我正在尝试将 traefik 设置为容器,但无法使现有证书正常工作。当我在 中定义它时,它可以正常工作,traefik_dynamic.toml但我无法通过 docker compose 文件中的标签条目使其正常工作。

我的 traefik.toml 包含:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "DEBUG"

[accessLog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

我的 docker-compse YAML 包含:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      - "traefik.port=8080"

      # Create middlewares (authentication)
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:[snip]"

      # Configure web entrypoint rules(":80")
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`foo.rna.nl`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.tls.stores.default.defaultCertificate.certFile=/example.live.fullchain.pem" 
      - "traefik.tls.stores.default.defaultCertificate.keyFile=/example.live.privkey.pem" 

      # Use Middlewares for basic auth
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

我想知道如何让 traefik 使用任何服务的默认证书(在traefik.toml或 标签: 部分中docker-compose.yml)。请注意:我不想使用 traefik 自己的 letsencrypt 集成,它需要使用系统某处文件中的证书(无论当前是否是 letsencrypt 提供证书)

注意:这在 traefik_dynamic.toml 中之前有效:

  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"```

(I also have a problem to access the dashboard even with the self-signed certificate that traefik generates — I just get 404s, but the cert is the first problem I'm trying to solve). [UPDATE: that problems was a misconfiguration also, see provided answer below for the working result]

答案1

答案是:无法通过 docker compose 标签实现。我现在在“文件提供程序”中有一些共享的动态设置。

traefik.toml:

[log]
  filePath = "/var/log/traefik/traefik.log"
  level = "WARN"

[accesslog]
  filePath = "/var/log/traefik/access.log"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[api]
  dashboard = true
  debug = true
  insecure = false

# This file provider contains the following settings which are shared across other providers:
# - basic auth
# - default cert
[providers.file]
  watch = true
  filename = "/etc/traefik/shared_providers_dynamic.toml"

[providers.docker]
  watch = true
  exposedbydefault = false
  network = "proxy"

共享提供程序动态.toml:

[http.middlewares.simpleAuth.basicAuth]
  users = [
    "(snip):(snip)"
  ]

[http.middlewares.mylan.ipWhiteList]
  sourceRange = ["(snip)", "(snip)"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/example.live.fullchain.pem"
      keyFile  = "/example.live.privkey.pem"

docker-compose.yml 包含:

    volumes:
      - /srv/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /srv/docker/traefik/shared_providers_dynamic.toml:/etc/traefik/shared_providers_dynamic.toml
      - /srv/docker/traefik/log/:/var/log/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/letsencrypt/live/example.com/fullchain.pem:/example.live.fullchain.pem
      - /etc/letsencrypt/live/example.com/privkey.pem:/example.live.privkey.pem
    ports:
      - "443:443"
    labels:
      - "traefik.enable=true"

      # Configure secure entrypoint (":443")
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=simpleAuth@file"
      - "traefik.http.routers.traefik-secure.middlewares=mylan@file"

相关内容