I have a question about configuration files in Traefik. I want to split my dynamic configuration file into several per-service files.
Setup
I have a Proxmox instance running a pfSense VM. All traffic goes to pfSense, which, if it is authorized, dispatches everything to the right place. pfSense also serves as the internal resolver for local DNS names, e.g. jenkins.sub-domain.domain.com, heimdall.sub-domain.domain.com, etc.
Finally, pfSense runs an OpenVPN server that I use to reach the "Proxmox local network".
I have a VM running a Traefik instance on Docker. Only Traefik, nothing else on this host.
I have a VM running the services I want to use only from inside the local network (heimdall, jenkins, portainer, etc.).
Finally, I have a VM running the services I want to reach from outside (the internet) (gitea, bookstack, wireguard, etc.).
I have set up some DNS records for the external services, e.g. gitea.mydomain.com, bookstack.mydomain.com, etc.
I forward ports 80 and 443 to the Traefik proxy.
_ Traefik setup
Here are the configuration files:
/home/user/traefik/docker-compose.yml
version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: "Traefik-Proxy"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - "OVH_ENDPOINT=${OVH_ENDPOINT}"
      - "OVH_APPLICATION_KEY=${OVH_AK}"
      - "OVH_APPLICATION_SECRET=${OVH_AS}"
      - "OVH_CONSUMER_KEY=${OVH_CK}"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-data/traefik.yml:/traefik.yml:ro
      - ./traefik-data/acme.json:/acme.json
      - ./traefik-data/dynconf/:/dynconf/:ro
      - ./traefik-data/logs/:/logs/
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefikdashboard.sub-domain.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${AUTH_USER}:${AUTH_PWD}"
      # Following are relative to the SSL configuration
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
/home/user/traefik/traefik-data/traefik.yml
global:
  sendanonymoususage: false
log:
  level: debug
  filePath: "./logs/traefik.log"
accessLog:
  filePath: "./logs/access.log"
api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: ./dynconf/
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      # Use the following line to use Let's Encrypt's staging API
      #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: [email protected]
      storage: acme.json
      keyType: EC384
      dnsChallenge:
        provider: ovh
        #disablePropagationCheck: true
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
/home/user/traefik/traefik-data/dynconf/dynamic.yml
http:
  #region routers
  routers:
    bookstack:
      entryPoints:
        - "websecure"
      rule: "Host(`bookstack.mydomain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: bookstack
    heimdall:
      entryPoints:
        - "websecure"
      rule: "Host(`heimdall.sub-domain.domain.com`)"
      middlewares:
        - secured-chain
      tls: {}
      service: heimdall
    gitea:
      entryPoints:
        - "websecure"
      rule: "Host(`gitea.domain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: gitea
    # ... some other routers ...
  #endregion
  #region services
  services:
    bookstack:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1:5555"
        passHostHeader: true
    heimdall:
      loadBalancer:
        servers:
          - url: "https://192.168.0.2:3333"
        passHostHeader: true
    gitea:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1:6666"
        passHostHeader: true
    # ... some other routers ...
  #endregion
  #region middleware
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    whitelist-VPN-ONLY:
      ipWhiteList:
        sourceRange:
          - "10.0.0.2/32"
    whitelist-VPN-AND-LOCAL:
      ipWhiteList:
        sourceRange:
          - "10.0.0.2/32"
          - "192.168.0.0/24"
    secured-chain:
      chain:
        middlewares:
          - whitelist-VPN-ONLY
          - default-headers
          - https-redirectscheme
  #endregion
This is currently running.
What I would like, but have not managed to get (I have read a lot of posts and articles, as well as the Traefik documentation itself, and tried many different things):
_ I want to split the dynamic.yml file into several files, one per service. When I do this, nothing works anymore.
I tried something like this, without success: dynconf/middlewares.yml
middlewares:
  https-redirectscheme:
    redirectScheme:
      scheme: https
      permanent: true
  default-headers:
    headers:
      frameDeny: true
      browserXssFilter: true
      contentTypeNosniff: true
      forceSTSHeader: true
      stsIncludeSubdomains: true
      stsPreload: true
      stsSeconds: 15552000
      customFrameOptionsValue: SAMEORIGIN
      customRequestHeaders:
        X-Forwarded-Proto: https
  whitelist-VPN-ONLY:
    ipWhiteList:
      sourceRange:
        - "10.0.0.2/32"
  whitelist-VPN-AND-LOCAL:
    ipWhiteList:
      sourceRange:
        - "10.0.0.2/32"
        - "192.168.0.0/24"
  secured-chain:
    chain:
      middlewares:
        - whitelist-VPN-ONLY
        - default-headers
        - https-redirectscheme
dynconf/bookstack.yml
http:
  routers:
    bookstack:
      entryPoints:
        - "websecure"
      rule: "Host(`bookstack.mydomain.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: bookstack
  services:
    bookstack:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1:5555"
        passHostHeader: true
_ Do I have to write the middlewares section in every service file? That seems somewhat redundant...
_ I would like to set up the dashboard outside of the docker-compose.yml file and put it in the dynconf directory, in a file such as traefik-dashboard.yml. I think it can be done, but none of my attempts have worked.
_ Finally, can I move the SSL-related labels from docker-compose.yml into the dynconf folder, in a file such as ssl-config.yml?
_ Any ideas on how to improve/clean up this setup are welcome.
Thanks for your help, and sorry for my poor English!
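The following is an added example of the split layout the post is asking about; it is not part of the original post and not the Traefik project's own documentation. The point it illustrates: Traefik's file provider with `directory:` treats every file it finds as a complete dynamic configuration and merges them, so each file must carry the top-level `http:` key (the `dynconf/middlewares.yml` attempt above has `middlewares:` at the root, which is why the provider rejects it), and everything defined in one file lives in the `@file` namespace and can be referenced from routers in any other file, so the middleware block is written once. The dashboard is just a router whose service is `api@internal`, and the certificate resolver and `domains` from the compose labels go on a router's `tls:` section. Hostnames, backend IPs, the VPN CIDR and the `letsencrypt` resolver name are taken from the post; the names `dashboard-auth`, `heimdall-selfsigned` and `traefik-dashboard` and the bcrypt placeholder are assumptions of this example.

```yaml
# ---- dynconf/middlewares.yml ----
# Every file in the directory is a full dynamic configuration, so the
# top-level "http:" key is required. All objects here become "<name>@file".
http:
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    whitelist-VPN-ONLY:
      ipWhiteList:          # Traefik v2 name; renamed ipAllowList in v3
        sourceRange:
          - "10.0.0.2/32"
    secured-chain:
      chain:
        middlewares:
          - whitelist-VPN-ONLY
          - default-headers
          - https-redirectscheme
    dashboard-auth:         # assumed name, replaces the traefik-auth label
      basicAuth:
        users:
          # placeholder: use the output of `htpasswd -nB admin`; in a YAML file "$" is not doubled as in compose labels
          - "admin:$2y$05$replace.me.with.a.real.bcrypt.hash"
---
# ---- dynconf/bookstack.yml ----  (one such file per service)
http:
  routers:
    bookstack:
      entryPoints:
        - "websecure"
      rule: "Host(`bookstack.mydomain.com`)"
      middlewares:
        - default-headers        # resolved to default-headers@file
        - https-redirectscheme
      tls:
        certResolver: letsencrypt
      service: bookstack
  services:
    bookstack:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1:5555"
        passHostHeader: true
---
# ---- dynconf/heimdall.yml ----
http:
  routers:
    heimdall:
      entryPoints:
        - "websecure"
      rule: "Host(`heimdall.sub-domain.domain.com`)"
      middlewares:
        - secured-chain
      tls:
        certResolver: letsencrypt
      service: heimdall
  services:
    heimdall:
      loadBalancer:
        serversTransport: heimdall-selfsigned
        servers:
          - url: "https://192.168.0.2:3333"
        passHostHeader: true
  # Scope the backend-certificate bypass to this one HTTPS backend instead of the global serversTransport.insecureSkipVerify
  serversTransports:
    heimdall-selfsigned:
      insecureSkipVerify: true
---
# ---- dynconf/traefik-dashboard.yml ----  (replaces the dashboard labels)
http:
  routers:
    traefik-dashboard:
      entryPoints:
        - "websecure"
      rule: "Host(`traefikdashboard.sub-domain.domain.com`)"
      middlewares:
        - whitelist-VPN-ONLY
        - dashboard-auth
      service: api@internal
      tls:
        certResolver: letsencrypt
        domains:                # was traefik-secure.tls.domains[0].* in compose
          - main: "domain.com"
            sans:
              - "*.domain.com"
```

Once `traefik-dashboard.yml` is in place, drop the `traefik.http.*` labels from docker-compose.yml so the same hostname is not served by both a `@docker` and a `@file` router. After a reload, the dashboard's HTTP section should list every router and middleware with a `@file` suffix and no error markers, and the debug log should contain no file-provider errors; if the whitelist or auth middleware is missing there, a file was skipped. Two hardening notes supported by the original files: once a per-service `serversTransports` entry covers the self-signed heimdall backend, the global `serversTransport.insecureSkipVerify: true` in traefik.yml can be removed so plain-HTTP and properly-certified backends are not silently exempt from verification, and pinning the image to an explicit version instead of `traefik:latest` avoids an unplanned jump to v3, where `ipWhiteList` is deprecated in favour of `ipAllowList`.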