Docker Traefik Let's Encrypt DDNS DuckDNS behind a DD-WRT router
I want to expose self-hosted services to the Internet (Tiny Tiny RSS, ownCloud and other things). So I decided to use Traefik as a reverse proxy and Let's Encrypt for the HTTPS certificates. Before jumping into the whole stack for each service, I tried to test a simple stack with Traefik and Let's Encrypt plus a simple whoami container that answers with plain text. Docker is running on an ODROID-XU4 board. This is my docker-compose:
version: '3.6'
services:
  traefik:
    container_name: traefik
    image: traefik:1.6.1-alpine
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      - proxy
    environment:
      # token used by the duckdns DNS-challenge provider
      - DUCKDNS_TOKEN=my_duck_dns_token
    volumes:
      # access to the Docker socket gives this container full control of the host's Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.toml:/traefik.toml
      # must exist on the host with mode 600 before the first start
      - ./traefik/acme/acme.json:/etc/traefik/acme.json
      - ./log:/var/log/traefik
    labels:
      - traefik.enable=true
      # routes the bare hostname to this container's own port 8080
      - traefik.port=8080
      - traefik.frontend.rule=Host:my_duck_dns.duckdns.org
    restart: always
  whoami:
    container_name: whoami
    image: hypriot/rpi-whoami
    ports:
      # a bare port publishes container port 8000 on an ephemeral host port;
      # Traefik reaches the container over the proxy network regardless
      - 8000
    networks:
      - proxy
    labels:
      - traefik.frontend.rule=Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/
      - traefik.frontend.entryPoints=https
      - traefik.docker.network=proxy
      - traefik.protocol=http
      - traefik.enable=true
      - traefik.port=8000
    restart: always
networks:
  proxy:
    name: proxy
And my traefik.toml:
debug = true
logLevel = "DEBUG"
checkNewVersion = true
defaultEntryPoints = ["http", "https"]

# Note: Traefik 1.x has no [proxy] section; the dashboard/API is configured under [api].
# The "Web":null / "API":null in the debug dump below confirms nothing is served on 8080.
[proxy]
  address = ":8080"

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]

#[traefikLog]
#  filePath = "/var/log/traefik/traefik.log"
#  format = "json"
#  logLevel = "DEBUG"
#[accessLog]
#  filePath = "/var/log/traefik/access.log"
#  format = "json"
#  logLevel = "DEBUG"

[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "my_duck_dns.duckdns.org"
  exposedbydefault = false
  watch = true

[acme]
  # Staging CA: the certificates it issues are not trusted by browsers.
  # Switch to https://acme-v02.api.letsencrypt.org/directory once the flow works.
  caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
  email = "my_email_address@gmail.com"
  storage = "/etc/traefik/acme.json"
  entryPoint = "https"
  acmeLogging = false
  # both challenge types are declared; Traefik uses the DNS challenge when one is configured
  [acme.httpChallenge]
    entryPoint = "http"
  [acme.dnsChallenge]
    provider = "duckdns"   # reads DUCKDNS_TOKEN from the environment
    delayBeforeCheck = 0
  [[acme.domains]]
    main = "my_duck_dns.duckdns.org"
    sans = ["my_duck_dns.duckdns.org"]   # repeats main; can be dropped
My router is flashed with DD-WRT and I forward ports 80, 8080 and 443 to a Debian machine that runs this docker-compose. The router does the DuckDNS dynamic DNS updates.
I run my containers with the following command:
docker-compose build --no-cache && docker-compose up --build
When I try to hit it from outside my LAN I get these logs. 80 is correctly redirected to 443, but with this log:
traefik | time="2018-05-18T16:15:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
The whole debug stack looks like this:
whoami | Listening on :8000
traefik | time="2018-05-18T18:30:55Z" level=info msg="Using TOML configuration file /traefik.toml"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Traefik version v1.6.1 built on 2018-05-14_07:16:56PM"
traefik | time="2018-05-18T18:30:55Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://docs.traefik.io/basics/#collected-data\n"
traefik | time="2018-05-18T18:30:55Z" level=debug msg="Global configuration loaded {\"LifeCycle\":{\"RequestAcceptGraceTimeout\":0,\"GraceTimeOut\":10000000000},\"GraceTimeOut\":0,\"Debug\":true,\"CheckNewVersion\":true,\"SendAnonymousUsage\":false,\"AccessLogsFile\":\"\",\"AccessLog\":null,\"TraefikLogsFile\":\"\",\"TraefikLog\":null,\"Tracing\":null,\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"entryPoint\":\"https\"},\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}},\"https\":{\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null,\"ClientCA\":{\"Files\":null,\"Optional\":false}},\"Redirect\":null,\"Auth\":null,\"WhitelistSourceRange\":null,\"WhiteList\":null,\"Compress\":false,\"ProxyProtocol\":null,\"ForwardedHeaders\":{\"Insecure\":true,\"TrustedIPs\":null}}},\"Cluster\":null,\"Constraints\":[],\"ACME\":null,\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"IdleTimeout\":0,\"InsecureSkipVerify\":false,\"RootCAs\":null,\"Retry\":null,\"HealthCheck\":{\"Interval\":30000000000},\"RespondingTimeouts\":null,\"ForwardingTimeouts\":null,\"AllowMinWeightZero\":false,\"Web\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"@.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false},\"File\":null,\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null,\"Eureka\":null,\"ECS\":null,\"Rancher\":null,\"DynamoDB\":null,\"ServiceFabric\":null,\"Rest\":null,\"API\":null,\"Metrics\":null,\"Ping\":null}"
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server http &{Address::80 TLS:<nil> Redirect:0x13e3d980 Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c00} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Preparing server https &{Address::443 TLS:0x13b82080 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0x13ea6c10} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
traefik | time="2018-05-18T18:30:55Z" level=info msg="Starting server on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting server on :443"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider configuration.providerAggregator {}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *docker.Provider {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Trace\":false,\"TemplateVersion\":2,\"DebugLogGeneratedTemplate\":false,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"my_duck_dns.duckdns.org\",\"TLS\":null,\"ExposedByDefault\":false,\"UseBindPortIP\":false,\"SwarmMode\":false}"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Starting provider *acme.Provider {\"Email\":\"my_email_address@gmail.com\",\"ACMELogging\":false,\"CAServer\":\"https://acme-staging-v02.api.letsencrypt.org/directory\",\"Storage\":\"/etc/traefik/acme.json\",\"EntryPoint\":\"https\",\"OnHostRule\":false,\"OnDemand\":false,\"DNSChallenge\":{\"Provider\":\"duckdns\",\"DelayBeforeCheck\":0},\"HTTPChallenge\":{\"EntryPoint\":\"http\"},\"Domains\":[{\"Main\":\"my_duck_dns.duckdns.org\",\"SANs\":[\"my_duck_dns.duckdns.org\"]}],\"Store\":{}}"
traefik | time="2018-05-18T18:30:56Z" level=error msg="Error starting provider *acme.Provider: unable to get ACME account : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Provider connection established with docker 18.05.0-ce (API 1.37)"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true traefik.port:8080]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8000 traefik.protocol:http traefik.docker.network:proxy traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ traefik.frontend.entryPoints:https]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.service:traefik org.label-schema.docker.schema-version:1.0 org.label-schema.version:v1.6.1 traefik.port:8080 com.docker.compose.oneoff:False org.label-schema.description:A modern reverse-proxy traefik.frontend.rule:Host:my_duck_dns.duckdns.org com.docker.compose.config-hash:d0eee974d8ebe83a1e048b7e554fad562e4c3631785fe5dc2485f947910ffb90 com.docker.compose.container-number:1 org.label-schema.url:https://traefik.io org.label-schema.vendor:Containous traefik.enable:true com.docker.compose.project:odroidtests com.docker.compose.version:1.20.0 org.label-schema.name:Traefik]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.port:8080 traefik.frontend.rule:Host:my_duck_dns.duckdns.org traefik.enable:true]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="originLabelsmap[com.docker.compose.project:odroidtests com.docker.compose.service:whoami com.docker.compose.version:1.20.0 traefik.enable:true traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/ com.docker.compose.container-number:1 com.docker.compose.oneoff:False traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http com.docker.compose.config-hash:3586d1268056130cedb21e01704782c7d311fbcb286fd56b64e92ec8bb690e22 traefik.docker.network:proxy]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="allLabelsmap[:map[traefik.enable:true traefik.docker.network:proxy traefik.frontend.entryPoints:https traefik.port:8000 traefik.protocol:http traefik.frontend.rule:Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/]]"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-traefik-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Validation of load balancer method for backend backend-whoami-odroidtests failed: invalid load-balancing method ''. Using default method wrr."
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-traefik-odroidtests\":{\"servers\":{\"server-traefik\":{\"url\":\"http://172.27.0.2:8080\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-whoami-odroidtests\":{\"servers\":{\"server-whoami\":{\"url\":\"http://172.27.0.3:8000\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-my_duck_dns-duckdns-org-0\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-traefik-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-0\":{\"rule\":\"Host:my_duck_dns.duckdns.org\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]},\"frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"entryPoints\":[\"https\"],\"backend\":\"backend-whoami-odroidtests\",\"routes\":{\"route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1\":{\"rule\":\"Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/\"}},\"passHostHeader\":true,\"priority\":0,\"basicAuth\":[]}}}"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-0"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint http"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating entry point redirect http -> https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-0 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-0 Host:my_duck_dns.duckdns.org"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-traefik-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-traefik at http://172.27.0.2:8080 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Wiring frontend frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 to entryPoint https"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating route route-frontend-Host-my_duck_dns-duckdns-org-PathPrefixStrip-whoami-1 Host:my_duck_dns.duckdns.org;PathPrefixStrip:/whoami/"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating backend backend-whoami-odroidtests"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating load-balancer wrr"
traefik | time="2018-05-18T18:30:56Z" level=debug msg="Creating server server-whoami at http://172.27.0.3:8000 with weight 1"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :80"
traefik | time="2018-05-18T18:30:56Z" level=info msg="Server configuration reloaded on :443"
traefik | time="2018-05-18T18:30:05Z" level=debug msg="http: TLS handshake error from 151.58.32.33:65175: read tcp 172.27.0.3:443->154.47.32.66:64175: read: connection reset by peer"
I have searched everywhere on the web, but nobody seems to have hit that kind of problem. The Traefik documentation is very concise and well explained. Can anybody help me? I feel it is some little thing, but I can't put my finger on it.
Thanks
[acme.httpChallenge]
  entryPoint = "http"
[acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 0
When you use this configuration, only the DNS challenge is actually used.
Change the permissions of acme.json to 600:
traefik | time="2018-05-18T18:30:55Z" level=error msg="Failed to read new account, ACME data conversion is not available : permissions 664 for /etc/traefik/acme.json are too open, please use 600"
Thanks for your reply. In fact I had already fixed the access problem on the acme.json certificate file (chmod 600). I updated the challenge to allow only the DNS challenge, but I still hit the same problem.
traefik | time="2018-05-21T09:18:20Z" level=debug msg="http2: server: error reading preamble from client 89.3.72.155:1298: remote error: tls: unknown certificate authority"
Impossible to get this thing to work properly. traefik:1.6.1-alpine image. Traefik always has errors. Traefik is great, but at least on my side it does not work with Let's Encrypt certificates.
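A pre-flight script for this kind of setup, added here as an example; it is not part of the original post, the answer, or Traefik itself. It covers the three things that surface in the answer and in the follow-up comment: the acme.json permission check Traefik enforces (no group or other permission bits, which is what "permissions 664 ... please use 600" means), a traefik.toml that still carries [acme.httpChallenge] next to [acme.dnsChallenge] although only the DNS challenge will be used, and a caServer that still points at the Let's Encrypt staging directory, whose certificates no browser trusts and which is what produces the "tls: unknown certificate authority" alert quoted in the comment. The script name preflight.sh and the file paths are assumptions; nothing in it touches the network.

```shell
#!/bin/sh
# preflight.sh: added example, not from the original post or from Traefik.
# Mirrors three problems visible in this thread for a Traefik 1.x ACME setup:
#   1. acme.json must carry no group/other permission bits, otherwise Traefik
#      logs "permissions 664 ... are too open, please use 600" and ACME is disabled.
#   2. [acme.httpChallenge] next to [acme.dnsChallenge] is dead config: only the
#      DNS challenge is used.
#   3. caServer on the Let's Encrypt staging directory yields certificates no
#      browser trusts, hence "tls: unknown certificate authority" at the client.
# Paths are assumptions supplied by the caller; nothing here talks to the network.

# Octal permission bits of a file, e.g. "664". GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Same test Traefik applies: succeed only if mode & 0077 == 0 (600, 400, ...).
# Takes the octal mode string; the prepended 0 makes the shell parse it as octal.
acme_mode_ok() {
  [ $(( 0$1 & 0077 )) -eq 0 ]
}

# Create acme.json if it does not exist and force mode 600; print the resulting mode.
# Bind-mounting a host path that does not exist makes Docker create a directory
# there, so create the file before the first `docker-compose up`.
ensure_acme_json() {
  [ -f "$1" ] || : > "$1"
  chmod 600 "$1"
  file_mode "$1"
}

# Lint traefik.toml for the two configuration problems above. Warnings go to
# stderr, the number of problems found goes to stdout (0 means clean).
lint_acme_toml() {
  toml=$1
  problems=0
  if grep -q '^[[:space:]]*\[acme\.httpChallenge\]' "$toml" \
     && grep -q '^[[:space:]]*\[acme\.dnsChallenge\]' "$toml"; then
    echo "warn: httpChallenge and dnsChallenge both set; only the DNS challenge is used, drop [acme.httpChallenge]" >&2
    problems=$((problems + 1))
  fi
  if grep -q 'acme-staging' "$toml"; then
    echo "warn: caServer is the Let's Encrypt staging directory; its certificates are not browser-trusted" >&2
    problems=$((problems + 1))
  fi
  echo "$problems"
}

# Usage: sh preflight.sh ./traefik/acme/acme.json ./traefik/traefik.toml
if [ $# -eq 2 ]; then
  echo "acme.json mode is now $(ensure_acme_json "$1")"
  echo "$(lint_acme_toml "$2") problem(s) found in $2"
fi
```

Run it from the directory that holds the compose file before starting the stack; a clean run prints "acme.json mode is now 600" and "0 problem(s) found". The permission test deliberately reproduces Traefik's own criterion (any group or other bit fails) rather than string-comparing against "600", so 400 passes and 640 fails, exactly as Traefik would decide.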