Docker Traefik instance cannot complete the TLS handshake; how do I reconfigure from v1.7.17 to v2.0.2?
I was previously using Traefik 1.7.17. I saw that v2 was out and tried converting my files from 1.7.17 to v2 with the Go binary, but it failed on some of the configuration. I searched everywhere for similar issues and went through the docs, but nothing I have tried to piece together works with v2.

I am starting to understand how Traefik v2 works with routers, middlewares and services, but reading other forums and posts has only confused me more.

In my previous 1.7.17 setup I had the dashboard on a subdomain, with a redirect to https via ACME Let's Encrypt, which was used throughout. Below are my files; the goal is to have Caddy reverse-proxy my NUXT server the way I did with 1.7.17.

What I want is the Traefik dashboard on port 8080, over https on the domain I specify, and Traefik handling the caddynuxt server, which in turn listens transparently for the actual nuxt client (I had this working in 1.7.17). I thought Traefik's dynamic routing in v2 could handle it, but I am not sure.

I would appreciate the correct way to do this and any pointers. If it helps, I am also on DigitalOcean, and I am using Docker (not in swarm at the moment, hoping to move to Kubernetes soon).

The json file is empty because I am using staging, as shown below, but I do have an acme account for production... once I can get this working.

Traefik docker compose file:
version: '3.5'
services:
  traefik:
    image: traefik:v2.0.2
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    # expose:
    #   - 8080
    networks:
      - unicausalpublic
      - unicausalnetwork
      - unicausalapi
      - unicausaldevelopment
      - stageunicausaldevelopment
    environment:
      - DO_AUTH_TOKEN=NOPE
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/etc/traefik/traefik.toml
      #- ./acme.json:/etc/traefik/acme.json
      - "./letsencrypt:/letsencrypt"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=unicausalpublic"
      - "traefik.http.routers.api.rule=Host(`monitor.unicausal.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      # - "traefik.http.routers.api.service=api@internal"
      # - "traefik.http.routers.api.middlewares=dashadmin"
      # - "traefik.http.routers.api.tls"
      # - "traefik.http.middlewares.dashadmin.basicauth.users=yeaboii:ignore."
networks:
  unicausalpublic:
    external: true
  unicausalnetwork:
    external: true
  unicausalapi:
    external: true
  unicausaldevelopment:
    external: true
  # stage network may be moved to dedicated staging environment
  stageunicausaldevelopment:
    external: true
My Traefik v2 toml:
# Typically, a router replaces a frontend, and a service assumes
# the role of a backend, with each router referring to a service.
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[log]
  level = "DEBUG" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC

# static configuration
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
  [entryPoints.traefik]
    address = ":8080"

[providers]
  providersThrottleDuration = "5s"
  [providers.docker]
    watch = true
    endpoint = "unix:///var/run/docker.sock"
    exposedbydefault = false
    # swarmModeRefreshSeconds = "15s"
  # [providers.file]
  #   filename = "/etc/traefik/traefik.toml"

[api]
  insecure = false
  dashboard = true
  debug = false

# ref: https://docs.traefik.io/v2.0/migration/v1-to-v2/
# Routers
[http.routers]
  # below is dashboard router only
  [http.routers.api]
    rule = "Host(`monitor.unicausal.com`)"
    # rule = "Host(`traefik.docker.localhost`)"
    entrypoints = ["websecure"]
    service = "api@internal"
    middlewares = ["dashadmin"]
    [http.routers.api.tls]
      certResolver = "letsencrypt"
      [[http.routers.api.tls.domains]]
        main = "unicausal.com"
        sans = ["*.unicausal.com"]

[http.middlewares]
  # Redirect to https
  [http.middlewares.redirectwebsecure.redirectScheme]
    scheme = "websecure"
  [http.middlewares.dashadmin.basicauth]
    users = [
      "yeaboii:IGNORE",
    ]

# you name your certResolvers.[name].type
[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "yeaboii@gmail.com"
      #caServer = "https://acme-v02.api.letsencrypt.org/acme/acct/yeaboii"
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage = "/letsencrypt/acme.json"
      # [certificatesResolvers.letsencrypt.acme.dnsChallenge]
      #   provider = "digitalocean"
      #   delayBeforeCheck = 0
      [certificatesResolvers.letsencrypt.acme.httpChallenge]
        entryPoint = "web"
Below is my Traefik debug log:
Starting v202_traefik_1 ... done
Attaching to v202_traefik_1
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.toml"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Traefik version 2.0.2 built on 2019-10-09T19:26:05Z"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":10000000000},\"respondingTimeouts\":{\"idleTimeout\":180000000000}},\"forwardedHeaders\":{}}},\"providers\":{\"providersThrottleDuration\":5000000000,\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}},\"api\":{\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"},\"certificatesResolvers\":{\"letsencrypt\":{\"acme\":{\"email\":\"yeaboiii@gmail.com\",\"caServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"storage\":\"/letsencrypt/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"}}}}}"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Stats collection is enabled."
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="More details on: https://docs.traefik.io/v2.0/contributing/data-collection/"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: permissions 644 for /letsencrypt/acme.json are too open, please use 600"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="No default certificate, generating one"
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=traefik
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Start TCP Server" entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":15000000000}"
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Provider connection established with docker 18.09.1 (API 1.39)" providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Filtering disabled container" container=devnuxt-unicausal-client-c20aa52d24acdd5e94357785abb36e6d760d79eb7ba7d64ba9879b46125ade73 providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"websecure\"],\"service\":\"traefik-v202\",\"rule\":\"Host(`monitor.unicausal.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"devcaddynuxt\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"file.redirectwebsecure\"],\"service\":\"devcaddynuxt-unicausal-client\",\"rule\":\"Host(`stage.unicausal.com`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"websecure\":{\"entryPoints\":[\"websecure\"],\"service\":\"devcaddynuxt-unicausal-client\",\"rule\":\"Host(`stage.unicausal.com`)\",\"tls\":{}}},\"services\":{\"devcaddynuxt-unicausal-client\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:80\"}],\"passHostHeader\":true}},\"traefik-v202\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.3:80" entryPointName=websecure routerName=websecure@docker serviceName=devcaddynuxt-unicausal-client serverName=0
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware devcaddynuxt-unicausal-client" routerName=websecure@docker middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.2:80" serverName=0 entryPointName=websecure routerName=api@docker serviceName=traefik-v202
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware traefik-v202" entryPointName=websecure routerName=api@docker middlewareName=tracing middlewareType=TracingForwarder
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining serviceName=devcaddynuxt-unicausal-client entryPointName=web routerName=devcaddynuxt@docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating load-balancer" routerName=devcaddynuxt@docker serviceName=devcaddynuxt-unicausal-client entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating server 0 http://172.18.0.3:80" routerName=devcaddynuxt@docker serviceName=devcaddynuxt-unicausal-client serverName=0 entryPointName=web
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Added outgoing tracing middleware devcaddynuxt-unicausal-client" entryPointName=web routerName=devcaddynuxt@docker middlewareName=tracing middlewareType=TracingForwarder
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="middleware \"file.redirectwebsecure@docker\" does not exist" entryPointName=web routerName=devcaddynuxt@docker
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik_1 | time="2019-10-13T18:33:22Z" level=debug msg="No default certificate, generating one"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="the router devcaddynuxt uses a non-existent resolver: letsencrypt"
traefik_1 | time="2019-10-13T18:33:22Z" level=error msg="the router api uses a non-existent resolver: letsencrypt"
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56299: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:13Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56300: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="Serving default certificate for request: \"stage.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="Serving default certificate for request: \"stage.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56321: read tcp 172.23.0.2:443->108.246.102.12:56321: read: connection reset by peer"
traefik_1 | time="2019-10-13T18:34:15Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56322: remote error: tls: unknown certificate"
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="Serving default certificate for request: \"monitor.unicausal.com\""
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56542: read tcp 172.23.0.2:443->108.246.102.12:56542: read: connection reset by peer"
traefik_1 | time="2019-10-13T18:34:56Z" level=debug msg="http: TLS handshake error from 108.246.102.12:56543: read tcp 172.23.0.2:443->108.246.102.12:56543: read: connection reset by peer"
Now this is a different docker container. This one is for the client/frontend:

I am not sure about the labels on this one. Where is it better to define them, in the docker file or in the traefik toml file? Also, how do I handle the redirect from http to https here?

docker compose file:
version: '3.5'
services:
  # For Nuxt server
  devcaddynuxt:
    build:
      context: .
      dockerfile: ./configdocker/staging/devCaddyNuxt-Dockerfile
    environment:
      - "ACME_AGREE=true"
    restart: always
    networks:
      - unicausalapi
      - unicausalpublic
      - unicausalnetwork
      - unicausaldevelopment
      - stageunicausaldevelopment
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=unicausalpublic"
      - "traefik.http.routers.devcaddynuxt.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.devcaddynuxt.entrypoints=web"
      - "traefik.http.routers.devcaddynuxt.middlewares=file.redirectwebsecure"
      - "traefik.http.routers.websecure.rule=Host(`stage.unicausal.com`)"
      - "traefik.http.routers.websecure.entrypoints=websecure"
      - "traefik.http.routers.websecure.tls=true"
      - "traefik.http.routers.devcaddynuxt.tls.certresolver=letsencrypt"
      # - "traefik.http.services.devcaddynuxt.loadbalancer.server.port=443"
  devnuxt:
    build: ./unicausal-client-nuxt/
    restart: always
    networks:
      - unicausalpublic
      - unicausaldevelopment
      - stageunicausaldevelopment
    ports:
      - "8004:80"
    command:
      "npm run start"
networks:
  unicausalpublic:
    external: true
  unicausalnetwork:
    external: true
  unicausalapi:
    external: true
  unicausaldevelopment:
    external: true
  stageunicausaldevelopment:
    external: true
Caddyfile configuration (the Dockerfile pretty much just loads the image)

I am also aware of

level=error msg="Unable to add ACME provider to the providers list: unable to get ACME account: permissions 644 for /letsencrypt/acme.json are too open, please use 600"

I have tried multiple times to change the permissions to 600 correctly, but I still get the TLS handshake error.

Thanks for your time; if I have missed any information, let me know. I really want to understand this, but I feel the docs lack clear examples of what I am trying to do, and I am a devops beginner.
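The posted debug log already contains the causal chain behind the handshake failures, and it is worth reading in order: the ACME storage check fails ("permissions 644 for /letsencrypt/acme.json are too open"), so the `letsencrypt` resolver is never registered; every router that names `certresolver=letsencrypt` then logs "uses a non-existent resolver"; with no resolver Traefik serves its self-signed default certificate ("Serving default certificate for request"), which the browser rejects with "tls: unknown certificate". Since `./letsencrypt` is a bind mount, the mode must be fixed on the host file (`./letsencrypt/acme.json`) and Traefik restarted. Two further defects are visible in the files: the label `middlewares=file.redirectwebsecure` uses the v1 `provider.name` spelling (v2 wants `redirectwebsecure@file`, hence the log line 'middleware "file.redirectwebsecure@docker" does not exist'), and `redirectScheme.scheme = "websecure"` names an entrypoint where a URL scheme (`https`) is expected. Note also that `[http.routers]` and `[http.middlewares]` are dynamic configuration, which Traefik v2 only loads through a provider; with `[providers.file]` commented out, `dashadmin` and `redirectwebsecure` are never created, and the docker label router `api` without `service=api@internal` proxies to the Traefik container's own port 80 (the log shows service `traefik-v202` with server `http://172.18.0.2:80`). With `api.insecure = false`, the `traefik` entrypoint on :8080 serves nothing; the dashboard is only reachable via a router whose service is `api@internal`.

The script below is an added example, not part of the original post or of Traefik itself: it fixes the storage file mode and reports the result, lints label values for the two spelling mistakes above, and shows which certificate a name actually presents. The file name `traefik_v2_check.sh` and the function names are my own; the path and host names are taken from the posted files.

```sh
#!/bin/sh
# Added example, not from the original post. Follows the chain in the posted log
# (acme.json mode 644 -> ACME resolver not registered -> "non-existent resolver"
# -> TRAEFIK DEFAULT CERT served -> "tls: unknown certificate") and lints two
# label values from the posted files. Paths/hosts are the poster's; the functions are mine.
set -eu

# Traefik v2 refuses to load the ACME account unless the storage file is mode 0600.
# Creates the file if it is missing, sets the mode, and prints the resulting octal mode.
fix_acme_perms() {
  f=$1
  [ -e "$f" ] || : > "$f"
  chmod 600 "$f"
  stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f"   # GNU stat, then BSD stat
}

# Rewrites one "traefik.*=value" label into the v2 form and prints it.
# Returns 0 if the label was already correct, 1 if it had to be changed:
#   - middleware references are "name@provider"; "file.redirectwebsecure" is the v1 form
#     and produced 'middleware "file.redirectwebsecure@docker" does not exist'
#   - redirectScheme.scheme is a URL scheme, so an entrypoint name like "websecure" becomes "https"
lint_label() {
  label=$1
  key=${label%%=*}
  val=${label#*=}
  lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # label keys are case-insensitive
  case "$lkey" in
    traefik.http.routers.*.middlewares)
      out=""
      old_ifs=$IFS; IFS=','
      for ref in $val; do
        case "$ref" in
          *@*) fixed=$ref ;;                     # already name@provider
          *.*) fixed="${ref#*.}@${ref%%.*}" ;;  # provider.name -> name@provider
          *)   fixed=$ref ;;                     # bare name: same provider as the router
        esac
        out="${out:+$out,}$fixed"
      done
      IFS=$old_ifs
      printf '%s=%s\n' "$key" "$out"
      [ "$out" = "$val" ] ;;
    traefik.http.middlewares.*.redirectscheme.scheme)
      case "$val" in
        http|https) printf '%s\n' "$label" ;;
        *)          printf '%s=https\n' "$key"; return 1 ;;
      esac ;;
    *) printf '%s\n' "$label" ;;
  esac
}

# Prints the subject and issuer of the certificate a name presents (needs network).
# While the resolver is broken the subject is "CN=TRAEFIK DEFAULT CERT". Once it
# works with the staging caServer the issuer is a Let's Encrypt staging CA, which
# browsers also distrust; switch caServer to production when the chain is right.
show_served_cert() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Usage: sh traefik_v2_check.sh ./letsencrypt/acme.json [stage.unicausal.com]
# Does nothing when invoked without arguments.
if [ $# -gt 0 ]; then
  echo "acme.json mode: $(fix_acme_perms "$1")"
  lint_label 'traefik.http.routers.devcaddynuxt.middlewares=file.redirectwebsecure' || true
  lint_label 'traefik.http.middlewares.redirectwebsecure.redirectscheme.scheme=websecure' || true
  if [ $# -gt 1 ]; then
    show_served_cert "$2"
  fi
fi
```

Run it on the host next to the compose file, then `docker-compose restart traefik` and confirm the "Unable to add ACME provider" and "non-existent resolver" lines are gone from the log before testing the handshake again; an http-01 challenge also needs port 80 reachable from the internet, which the posted compose does publish.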