Traefik

Introduction

I previously covered using Nginx Proxy Manager to route traffic between the internal and external networks, but that approach still requires actually mapping each service's ports out of its container before anything can be used. With Traefik none of that hassle is needed.

Basic concept

In essence it is just a set of virtual hosts, except that you do not have to write a pile of configuration files: define them with labels inside docker-compose.yml and they are usable the moment the container starts.

The Traefik container itself

# docker-compose.yml
services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    networks:
      - backend
    command:
      #### Traefik CLI flags that configure Traefik itself ####
      - --api.insecure=false # <== Keep the unauthenticated API/dashboard on :8080 disabled (this is also the default)
      - --api.dashboard=true # <== Enable the dashboard to view services, middlewares, routers, etc.
      - --api.debug=true # <== Enables extra debug/profiling endpoints (/debug/pprof); turn this off in production
      ## Provider settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true # <== Use Docker as the provider for Traefik
      - --providers.docker.exposedbydefault=false # <== Do not expose every container; only those that set traefik.enable=true
      ## Entrypoint settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.web.address=:80 # <== Entrypoint named "web" on port :80
      - --entrypoints.web-secured.address=:443 # <== Entrypoint named "web-secured" for HTTPS on port :443
      ## ACME (Let's Encrypt) resolver - configure exactly ONE challenge type ##
      # The original config enabled httpchallenge and tlschallenge at the same time; the HTTP challenge would
      # also need --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web. TLS-ALPN-01 only needs :443.
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.email=kiwi@kaienroid.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    ports:
      - 80:80
      - 443:443
      # 8080 is deliberately NOT published: with api.insecure=false nothing listens there,
      # and the dashboard is served through the TLS router defined in the labels below
    volumes:
      # acme.json must be chmod 600; Traefik refuses to use a more permissive file
      - /var/lib/docker/volumes/traefik/letsencrypt:/letsencrypt
      # :ro only prevents replacing the socket file; API calls over the socket still work (effectively root on the host)
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      #### Labels define the behaviour and rules of the Traefik proxy for this container ####
      # Values are quoted: Compose requires label values to be strings and rejects a bare YAML `true`
      traefik.enable: "true" # <== Enable Traefik on itself so the dashboard gets a hostname

      # Redirect ALL HTTP to HTTPS
      traefik.http.routers.http_catchall.rule: HostRegexp(`{host:.*}`)
      traefik.http.routers.http_catchall.entrypoints: web
      traefik.http.routers.http_catchall.middlewares: redirect_https # <== Apply the redirect_https middleware defined below

      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.example.com`) # <== Hostname for the dashboard
      traefik.http.routers.traefik.entrypoints: web-secured
      traefik.http.routers.traefik.tls: "true"
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.service: api@internal # <== NOTE: api@internal has no authentication of its own; put an auth middleware in front before exposing this hostname

      # Middleware definitions
      traefik.http.middlewares.redirect_https.redirectscheme.scheme: https # <== HTTPS redirection middleware

networks:
  backend:
    driver: bridge
    name: backend # <== Fix the real Docker network name; without this Compose prefixes it with the project name

The flags under command could instead be loaded from a static configuration file (traefik.toml or traefik.yml). A short explanation of each section follows (the inline comments already cover most of it):

  • Docker Network: strictly speaking this does not matter much, but a server with enough containers to warrant Traefik usually has its Docker networks tidied up anyway so things do not get messy. What does matter is that Traefik must share a network with every container it routes to, otherwise it cannot reach the backend.
  • Command: these are the arguments handed to the Traefik binary when the container starts. As you can see above they almost all define the environment: the provider, the entrypoints and the ACME certificate resolver.
  • Volumes: worth explaining why the certificates get their own location. Traefik stores every key and certificate it obtains in acme.json, so that file has to persist across restarts and must be chmod 600 (Traefik refuses to use it if it is more permissive). The docker.sock mount is the usual way for Traefik to learn which containers are running; keep in mind that whoever can talk to that socket effectively has root on the host, so the :ro flag is a courtesy, not a security boundary.
  • labels: this is the essence of Traefik. It reads the labels and generates the virtual host automatically, so a container gets its route the moment it starts, with no clicking through Nginx Proxy Manager required.
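The dashboard router above maps api@internal straight onto a public hostname, so anyone who can resolve traefik.example.com gets the full dashboard (and, with api.debug enabled, the pprof endpoints). The label fragment below is an added example, not the post's original config or anything shipped by the Traefik project: it puts an IP allowlist and a basic-auth middleware in front of the same router. Assumptions: the password hash is the sample from the Traefik docs (user test, password test) and must be replaced, and 10.0.0.0/8 stands in for whatever your admin range is.

```yaml
# Labels section of the traefik service only; image, command, ports and volumes stay as in the compose file above
labels:
  traefik.enable: "true"

  # Dashboard router: TLS entrypoint only, and requests pass the two middlewares (in this order) before reaching api@internal
  traefik.http.routers.traefik.rule: Host(`traefik.example.com`)
  traefik.http.routers.traefik.entrypoints: web-secured
  traefik.http.routers.traefik.tls: "true"
  traefik.http.routers.traefik.tls.certresolver: myresolver
  traefik.http.routers.traefik.service: api@internal
  traefik.http.routers.traefik.middlewares: dashboard_allowlist,dashboard_auth

  # Source IP restriction. In Traefik v2 the middleware is called ipwhitelist.
  # 10.0.0.0/8 is an assumed admin range; if a CDN or another proxy sits in front, the source IP will be theirs, not the user's.
  traefik.http.middlewares.dashboard_allowlist.ipwhitelist.sourcerange: 10.0.0.0/8

  # Basic auth. Generate your own entry with:  htpasswd -nB admin
  # and double every `$` in the hash, because Compose treats a single `$` as variable interpolation.
  # The value below is the Traefik docs sample (test / test) and is only a placeholder.
  traefik.http.middlewares.dashboard_auth.basicauth.users: "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
```

Once this is in place, a request from outside the allowed range gets 403 before the auth prompt is ever shown, and a request from inside it still has to present credentials. If exposing the Docker socket to Traefik at all is a concern, the common next step is to put a socket proxy between the two and hand Traefik only the read-only container and network endpoints it needs.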

Configuring the corresponding app

docker-compose.yml settings

# No port mapping is needed for the app: Traefik reaches it over the shared Docker network

# The app must join Traefik's network, so add this to its docker-compose.yml.
# `name` is the real Docker network name (check with `docker network ls`), not the key used in Traefik's compose file
services:
  # ...
networks:
  default:
    external: true
    name: my-pre-existing-network

Label example

# V2ray traefik labels
labels:
  traefik.enable: "true" # This container should be picked up by Traefik (required because exposedbydefault=false); quoted because Compose wants string label values
  traefik.http.routers.v2ray.rule: Host(`v2ray.example.com`) # The virtual host to match
  traefik.http.routers.v2ray.entrypoints: web-secured # Only serve on :443; the catch-all router on :80 already redirects to HTTPS
  traefik.http.routers.v2ray.tls: "true" # Terminate TLS here, i.e. serve this host over https
  traefik.http.routers.v2ray.tls.certresolver: myresolver # Certificate resolver; must match the name defined in Traefik's command flags

As you can see, the basic pattern of every label is

traefik.<protocol: http/tcp/udp>.<section: routers/services/middlewares>.<name>.<option>: <value>
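Putting the two fragments above together (joining Traefik's network, and the router labels), here is a complete compose file for one app behind Traefik. This is an added example, not code from the original post or from the Traefik project. It assumes the hypothetical hostname whoami.example.com, the public traefik/whoami echo image (listens on port 80) standing in for the v2ray container, and that the Docker network Traefik is attached to is actually named backend.

```yaml
# docker-compose.yml for an app published through Traefik (added example, hypothetical whoami service)
services:
  whoami:
    image: traefik/whoami # small HTTP echo server on :80; replace with the real app image
    # No `ports:` section on purpose: nothing is published on the host, Traefik reaches the container
    # over the shared network, so the only way in is through Traefik's routers and middlewares
    labels:
      traefik.enable: "true"
      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
      traefik.http.routers.whoami.entrypoints: web-secured # :80 is covered by Traefik's catch-all redirect
      traefik.http.routers.whoami.tls: "true"
      traefik.http.routers.whoami.tls.certresolver: myresolver # must match the resolver name in Traefik's command flags
      # Explicit backend port. Traefik guesses it when the image exposes exactly one port; set it when in doubt
      traefik.http.services.whoami.loadbalancer.server.port: "80"
      # Middleware chain: add standard browser hardening headers on the way out
      traefik.http.routers.whoami.middlewares: secure_headers
      traefik.http.middlewares.secure_headers.headers.stsSeconds: "31536000"
      traefik.http.middlewares.secure_headers.headers.frameDeny: "true"
      traefik.http.middlewares.secure_headers.headers.contentTypeNosniff: "true"

networks:
  default:
    external: true
    name: backend # the Docker network Traefik is attached to (assumed name; check `docker network ls`)
```

Bring it up with `docker compose up -d` and the router, service and middleware appear in the dashboard within a few seconds; the service is keyed `whoami`, which is also the name the router uses because the label pattern above ties routers and services together by that middle segment. Note that there is no `v2ray` or `whoami` port mapping anywhere: if you later add a `ports:` entry for debugging, you have just bypassed every Traefik middleware for that port.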

Notes

Do not run TLS inside the services behind Traefik; hand the whole client-facing side to Traefik. Traefik terminates TLS and forwards plain HTTP to the container over the Docker network, which is why the app needs no published ports and why that network should contain only Traefik and the services it fronts. Also note that `traefik.http.routers.<name>.tls: "true"` only affects the connection between the browser and Traefik; if a backend genuinely must be reached over HTTPS, set that on the service side with `traefik.http.services.<name>.loadbalancer.server.scheme: https` rather than expecting the router label to do it.