Amazon Web Services AWS ECS Fargate: how to configure SSL with Traefik

Tags: amazon-web-services, load-balancing, amazon-ecs, traefik, aws-fargate

I'm using AWS Fargate and have switched from the AWS AELB to Traefik v1.7; my load times got a bit faster and it is the best option cost-wise. I installed Traefik in a Docker container on an EC2 instance in the VPC.

But as you know, managing SSL certificates with the AWS LB is very simple. Traefik is easy too, but I ran into problems setting it up.

The dashboard shows that my configuration is correct, all the forwarding is fine, and when I go to my subdomain my site is there. New deployments show up correctly, etc. Everything works. But SSL never works. I tried with Let's Encrypt and with my custom wildcard domain. I tried httpChallenge and dnsChallenge, but it still doesn't work. Let's Encrypt generates the certificate but does not attach it to my ECS deployment for the configured subdomain. I found very little documentation online, and it doesn't talk about this problem. The official documentation isn't that detailed either. I think my problem is ECS. I may also be missing something in traefik.toml or in the AWS ECS task definition Docker labels, I don't know.

Below is my current traefik.toml, which shows my configuration with my own wildcard certificate. Like I said, at one point the Let's Encrypt variant was there as well, written exactly as in the Traefik documentation. But for now please take this as the reference:

```toml
# Entrypoints configuration

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/traefik/MYCERT.pem"
      keyFile = "/etc/traefik/MYPRIVATEKEY.pem"

# ECS Provider

[ecs]
#cluster = "default"
clusters = ["MYCLUSTERNAME"]
watch = true
domain = "MYDOMAIN.com"
autoDiscoverClusters = false
refreshSeconds = 15
exposedByDefault = true

region = "eu-central-1"
accessKeyID = "MYACCESSKEY"
secretAccessKey = "MYSECRETKEY"
```

My Docker labels on the container concerned, in the ECS task definition:

```
traefik.frontend.rule=Host:MYSUBDOMAIN.MYDOMAIN.com
traefik.enable=true
traefik.backend=MY-PROJECT-BE-DUMMY-TEXT
traefik.port=80
traefik.frontend.entryPoints=http,https
```

Here is how I run the Traefik container on EC2:

```shell
docker run -d \
--name traefik-lb \
--restart unless-stopped \
-v $PWD/traefik.toml:/etc/traefik/traefik.toml \
-v $PWD/MYCERT.pem:/etc/traefik/MYCERT.pem \
-v $PWD/MYPRIVATEKEY.pem:/etc/traefik/MYPRIVATEKEY.pem \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 8080:8080 \
-p 80:80 \
traefik
```

Part of the logs:

```
time="2019-10-01T08:31:00Z" level=info msg="No tls.defaultCertificate given for https: using the first item in tls.certificates as a fallback."
time="2019-10-01T08:31:00Z" level=debug msg="Adding certificate for domain(s) *.MYDOMAIN.com,MYDOMAIN.com"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000c4c0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server https &{Address::443 TLS:0xc0001ad440 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000ccc0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :80"
time="2019-10-01T08:31:00Z" level=debug msg="Adding certificate for domain(s) *.MYDOMAIN.com,MYDOMAIN.com"
time="2019-10-01T08:31:00Z" level=info msg="Preparing server traefik &{Address::8080 TLS:<nil> Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc00000cce0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :443"
time="2019-10-01T08:31:00Z" level=info msg="Starting provider configuration.ProviderAggregator {}"
time="2019-10-01T08:31:00Z" level=info msg="Starting server on :8080"
```
What is causing this problem? I just want to map the confirmed wildcard domain from Traefik and assign it to my deployment, so that when I go to subdomain.domain.com I see my domain.com SSL at the top.

Thanks
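One check worth running against a setup like the one in the question, as an added example that is not part of the original post or of Traefik itself: the `traefik.toml` above binds the https entrypoint to `:443` inside the container (and the log confirms "Starting server on :443"), but the `docker run` line only publishes `8080` and `80` on the host, so nothing outside the EC2 instance can reach the TLS listener however correct the certificate section is. The script below cross-checks `entryPoints.*.address` against the `-p HOST:CONTAINER` flags and reports any entrypoint port that was never published. The two files it reads are constructed copies of the question's configuration written to a temp directory; nothing here talks to Docker or AWS.

```shell
#!/usr/bin/env bash
# Added example, not from the original question: report Traefik entrypoint
# ports that the docker run command never publishes with -p.
# Sample files are constructed copies of the question's setup.

set -u

# List the container-side ports Traefik listens on, taken from lines like
#   address = ":443"
traefik_listen_ports() {
  local toml="$1"
  sed -n 's/^[[:space:]]*address[[:space:]]*=[[:space:]]*":\([0-9][0-9]*\)".*/\1/p' "$toml"
}

# List the container-side ports published by `-p HOST:CONTAINER` flags.
docker_published_ports() {
  local runfile="$1"
  grep -oE -- '-p[[:space:]]+[0-9]+:[0-9]+' "$runfile" | sed 's/.*://'
}

# Print each listening port that has no matching published port, one per line.
unpublished_entrypoints() {
  local toml="$1" runfile="$2" port
  for port in $(traefik_listen_ports "$toml"); do
    if ! docker_published_ports "$runfile" | grep -qx "$port"; then
      printf '%s\n' "$port"
    fi
  done
}

# Constructed sample input mirroring the question (temp dir, runs offline).
workdir="$(mktemp -d)"
cat > "$workdir/traefik.toml" <<'EOF'
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/traefik/MYCERT.pem"
      keyFile = "/etc/traefik/MYPRIVATEKEY.pem"
EOF
cat > "$workdir/docker-run.sh" <<'EOF'
docker run -d \
--name traefik-lb \
--restart unless-stopped \
-v $PWD/traefik.toml:/etc/traefik/traefik.toml \
-p 8080:8080 \
-p 80:80 \
traefik
EOF

missing="$(unpublished_entrypoints "$workdir/traefik.toml" "$workdir/docker-run.sh")"
if [ -n "$missing" ]; then
  echo "entrypoint port(s) bound by Traefik but not published by docker run: $missing"
else
  echo "every Traefik entrypoint port is published"
fi
```

Run against the question's files the script prints `443`, which is the gap to close before debugging certificates further. Once the port is published, `openssl s_client -connect <host>:443 -servername MYSUBDOMAIN.MYDOMAIN.com` shows which certificate the https entrypoint actually serves. Two smaller points from the same `docker run` line: the `[ecs]` provider talks to the AWS API, so mounting `/var/run/docker.sock` is not needed for this configuration and hands the container full control of the host's Docker daemon, and the access keys would be better supplied through an instance role than embedded in `traefik.toml`.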