docker与traefik2集成

https://doc.traefik.io/traefik/middlewares/

一、目标:
1、traefik与docker集成,docker通过使用label通知traefik进行配置
2、集成https-redirect、basic-auth、digestauth等中间件
3、通过traefik http\tcp代理容器外部的端口,例如22端口
4、

二、创建docker网络

docker network create traefik

三、部暑traefik

mkdir /data/traefik -p
cd  /data/traefik
cat > docker-compose.yaml << 'EOF'
version: '3'
services:traefik:container_name: traefikimage: traefik:v2.6.3restart: alwaysenvironment:- TZ=Asia/Shanghaiports:- 80:80- 443:443- 8082:8082- 8022:8022    #此端口为代理容器外部IP+端口用networks:- traefikcommand:- "--global.sendanonymoususage=false"- "--global.checknewversion=false"- "--entrypoints.http.address=:80"- "--entrypoints.https.address=:443"- "--entrypoints.tcp_8082.address=:8082"   #tcp层入口- "--entrypoints.tcp_8022.address=:8022"   #tcp层入口,代理容器外部端口- "--api=true"- "--api.insecure=true"- "--api.dashboard=true"- "--api.debug=false"- "--ping=true"- "--log.level=warn"- "--log.format=common"- "--accesslog=false"                      #关闭日志- "--accesslog.filepath=/log/access.log"- "--accesslog.format=json"- "--accesslog.fields.defaultmode=keep"- "--accesslog.fields.names.ClientUsername=drop"- "--accesslog.fields.headers.defaultmode=keep"- "--accesslog.fields.headers.names.User-Agent=redact"- "--accesslog.fields.headers.names.Authorization=drop"- "--accesslog.fields.headers.names.Content-Type=keep"- "--providers.docker=true"- "--providers.docker.watch=true"- "--providers.docker.exposedbydefault=false"- "--providers.docker.endpoint=unix:///var/run/docker.sock"- "--providers.docker.swarmMode=false"- "--providers.docker.useBindPortIP=false"- "--providers.docker.network=traefik"- "--providers.file=true"- "--providers.file.watch=true"- "--providers.file.directory=/etc/traefik/config"- "--providers.file.debugloggeneratedtemplate=true"volumes:# 仅限标准的 Linux 环境- /etc/localtime:/etc/localtime:ro- /etc/timezone:/etc/timezone:ro- /var/run/docker.sock:/var/run/docker.sock:ro- ./config/:/etc/traefik/config/:ro- ./ssl/:/ssl/:rolabels:- "traefik.enable=true"- "traefik.docker.network=traefik"
# 定义中间件BasicAuth, 名字为basic-auth- "traefik.http.middlewares.basic-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# 定义中间件DigestAuth, 名字为digest-auth- "traefik.http.middlewares.digest-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"- "traefik.http.middlewares.digest-auth.digestauth.realm=traefik"- "traefik.http.middlewares.digest-auth.digestauth.headerField=X-WebAuth-User"- "traefik.http.middlewares.digest-auth.digestauth.removeheader=true"
# 定义中间件http跳转https,  名字为https-redirect- "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"- "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
# 使用http入口,并强制由http跳转到https- "traefik.http.routers.traefik-dash-default.entrypoints=http"- "traefik.http.routers.traefik-dash-default.rule=Host(`dashboard.lady.cn`)"- "traefik.http.routers.traefik-dash-default.service=dashboard@internal"- "traefik.http.routers.traefik-dash-default.middlewares=https-redirect"    #引用重定向中间件,引用名字为https-redirect
# 使用https入口,把dashboard放到根目录- "traefik.http.routers.traefik-dash-web.entrypoints=https"- "traefik.http.routers.traefik-dash-web.rule=Host(`dashboard.lady.cn`) && PathPrefix(`/`)"- "traefik.http.routers.traefik-dash-web.tls=true"- "traefik.http.routers.traefik-dash-web.service=dashboard@internal"
# 使用https入口,并把dashboard放到/dashboard目录下- "traefik.http.routers.traefik-dash-api.entrypoints=https"- "traefik.http.routers.traefik-dash-api.rule=Host(`dashboard.lady.cn`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"- "traefik.http.routers.traefik-dash-api.tls=true"- "traefik.http.routers.traefik-dash-api.service=api@internal"# 引用中间件digestauth- "traefik.http.routers.traefik-dash-api.middlewares=digest-auth"
#tcp层路由,引用traefik中的tcp_8082入口- "traefik.tcp.routers.tcprouter1.entrypoints=tcp_2022"- "traefik.tcp.routers.tcprouter1.rule=HostSNI(`*`)"- "traefik.tcp.routers.tcprouter1.service=tcpservice01@file"      #以文件的方式引用外部配置healthcheck:test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]interval: 3sretries: 12logging:driver: "json-file"options:max-size: "1m"networks:traefik:external: true
EOFdocker-compose up -d

应用部置

mkdir -p /data/nexus3/data
chown 200:200 /data/nexus3/data
cd /data/nexus3
cat > docker-compose.yaml << 'EOF'
version: '3'
services:nexus3:container_name: "nexus3"image: 'sonatype/nexus3:3.30.1'#image: klo2k/nexus3:3.35.0-02 #此镜像为arm64restart: unless-stoppedhostname: 'nexus3'environment:INSTALL4J_ADD_VM_PARAMS: '-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m'NEXUS_CONTEXT: 'nexus-public'
#      ports:
#        - '32010:8081'networks:- traefikvolumes:- ./data:/nexus-data- /etc/localtime:/etc/localtimelabels:- "traefik.enable=true"- "traefik.docker.network=traefik"#http层路由,引用traefik中和http和https入口,并强制http跳转到https- "traefik.http.routers.nexus3.middlewares=https-redirect"- "traefik.http.routers.nexus3.entrypoints=http"- "traefik.http.routers.nexus3.rule=Host(`nexus.lady.cn`)"- "traefik.http.routers.nexus3-ssl.entrypoints=https"- "traefik.http.routers.nexus3-ssl.tls=true"- "traefik.http.routers.nexus3-ssl.rule=Host(`nexus.lady.cn`)"#tcp层路由,引用traefik中的tcp_8082入口- "traefik.tcp.routers.tcprouter0.entrypoints=tcp_8082"   - "traefik.tcp.routers.tcprouter0.rule=HostSNI(`*`)"
networks:traefik:external: true
EOFdocker-compose up -d    

nexus3可通过http代理和tcp代理进行访问
http代理:
在这里插入图片描述
tcp代理:(如果tcp代理要通过域名访问,那么一定要配置tls证书)
在这里插入图片描述

— 分界线 —
配置traefik.yaml文件

mkdir /data/traefik/{config.ssl} -p
cd  /data/traefik/config/
cat > traefik.yaml < 'EOF'
#配置tls证书
tls:certificates:- certFile: /ssl/server.pemkeyFile: /ssl/server-key.pemstores:default: defaultoptions:default:sniStrict: false
serversTransport:insecureSkipVerify: true#配置services
tcp:services:tcpservice01:loadBalancer:servers:- address: "192.168.11.101:22"     #为docker外部IP+端口
EOF

生成自签证书

# 下载生成证书的命令
wget http://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget http://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget http://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo# 一键脚本生成证书,注:ip地址根据实际情况进行修改。cat > ca-config.json <<EOF
{"signing": {"default": {"expiry": "87600h"},"profiles": {"kubernetes": {"expiry": "87600h","usages": ["signing","key encipherment","server auth","client auth"]}}}
}
EOFcat > ca-csr.json <<EOF
{"CN": "kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "GuangZhou","ST": "GuangZhou","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -initca ca-csr.json | cfssljson -bare ca -#-----------------------cat > server-csr.json <<EOF
{"CN": "kubernetes","hosts": ["lady.cn","*.lady.cn"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "GuangZhou","ST": "GuangZhou","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server# 会生成 server.pem和server-key.pem两个证书文件

digests_auth 验证

# digest_auth 密码生成
yum install -y httpd-tools#> htdigest -c password traefik xbzeng
Adding password for xbzeng in realm traefik.
New password:
Re-type new password:cat password
xbzeng:traefik:7a3d9d8a364fcd5d3e93dccfff98c3b7
version: '3'
services:gwit:container_name: "gwit"image: 'gwit:20220531'restart: unless-stoppedhostname: 'gwit'environment:JAVA_OPTS: '-Xmx1024m -Xss128m'networks:- traefikvolumes:- /etc/localtime:/etc/localtime- /data/solution/gwit/etc/application-druid.yml:/gwit/application-druid.yml- /data/solution/gwit/etc/application.yml:/gwit/application.ymllabels:- "traefik.enable=true"- "traefik.docker.network=traefik"- "traefik.http.routers.gwit.entrypoints=http"#- "traefik.http.routers.gwit.rule=Host(`gwit.lady.cn`)"- "traefik.http.routers.gwit.rule=Host(`192.168.11.102`) && PathPrefix(`/gwit/`)" - "traefik.http.services.gwit.loadbalancer.server.port=8088"
networks:traefik:external: true

Published by

风君子

独自遨游何稽首 揭天掀地慰生平

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注