Preface
A server normally does not expose every service port to the outside world; it opens only a limited number of ports and routes traffic to the services behind them. To achieve this, we use a reverse proxy.
Since our Java application is deployed as Docker containers, and Traefik integrates with Docker and related components automatically, building the reverse proxy on Traefik is the more suitable choice for me. I have been studying it recently; the most troublesome part is the automatic renewal of the HTTPS certificates used for TLS.
Skills required:
- Docker, docker-compose
1. Introduction to Traefik (please visit the official website for more details)
1.1 Website
- English documentation
- Chinese documentation
1.2 Creating the Directory and Configuration Files
File description:
- docker-compose-traefik-demo.yml: the docker-compose file for Traefik
- traefik.yml: Traefik's static configuration file (changes take effect only after the Traefik service is restarted)
- http.yml, tcp.yml, tls.yml: Traefik's dynamic configuration files (changes take effect without restarting the service)
The file directory is as follows:
2. Install Traefik
Traefik ships with a dashboard; we configure a reverse proxy so that the dashboard is reachable under a domain name, and use this dashboard configuration to illustrate the installation of Traefik.
Several things are done here:
- Configure the HTTP and HTTPS reverse proxy
- Configure automatic redirection from HTTP to HTTPS
- Configure ACME for TLS so that HTTPS certificates are generated and renewed automatically
2.1 Static Configuration File traefik.yml
traefik.yml
api:
  # Enable the web UI (dashboard)
  dashboard: true
  # Insecure mode: the API and dashboard are also served without authentication on
  # Traefik's internal entry point (port 8080). The docker-compose file below does not
  # publish that port to the host, but containers on the same Docker network can reach it.
  insecure: true
# Discover services defined in Docker or in files
providers:
  # File provider
  file:
    # Directory holding the dynamic configuration files
    directory: /data/traefik/config
    # Watch the dynamic configuration files for changes
    watch: true
  # Docker provider
  docker:
    # If set to false, a container must declare traefik.enable=true in its labels; otherwise it is ignored
    exposedByDefault: false
entryPoints:
  # HTTP entry point on port 80
  http:
    address: ":80"
    # HTTP requests are automatically redirected to HTTPS
    http:
      redirections:
        entryPoint:
          to: https
  # HTTPS entry point on port 443; traffic arriving on port 80 is redirected here
  https:
    address: ":443"
  # TCP proxy entry point for MySQL
  mysql:
    address: ":3306"
  # TCP proxy entry point for Redis
  redis:
    address: ":6379"
# Enable ACME to automatically obtain HTTPS certificates
certificatesResolvers:
  myCertResolver:
    acme:
      # Contact email address (placeholder; replace with your own)
      email: "your-email@example.com"
      # Where issued certificates are stored
      storage: "/letsencrypt/acme.json"
      # Challenge type: httpChallenge, dnsChallenge or tlsChallenge; the HTTP challenge is used here
      httpChallenge:
        entryPoint: http
Configuration file description:
- Four ports are exposed: 80, 443, 3306 and 6379
  80: exposed externally, used to proxy HTTP requests;
  443: exposed externally, used to proxy HTTPS requests;
  3306: exposed externally, used to proxy TCP-based MySQL service requests;
  6379: exposed externally, used to proxy TCP-based Redis service requests.
- HTTP automatically redirects to HTTPS
- The certificate resolver myCertResolver is referenced in the dynamic configuration file.
- Replace the email address in the ACME section with your own (I filled in a real email address).
2.2 Dynamic Configuration Files
There are three dynamic configuration files: http.yml (dynamic configuration for HTTP requests), tcp.yml (dynamic configuration for TCP requests) and tls.yml (dynamic TLS configuration, which I do not fully understand yet).
2.2.1 http.yml
http.yml
http:
  # Router configuration
  routers:
    ############################################################
    ## Traefik dashboard configuration
    ############################################################
    # Route to Traefik's web UI
    router-traefik:
      # Restrict the router to these entry points; otherwise it listens on all of them
      entryPoints:
        - "http"
        - "https"
      rule: "Host(`traefik.xxx.com`)"
      service: "api@internal"
      ## Use the user-authentication middleware defined below
      middlewares:
        - user-auth
      # Enable ACME, referencing myCertResolver as defined in traefik.yml
      tls:
        # options: foo
        certResolver: "myCertResolver"
  # Middleware configuration
  middlewares:
    # Login credentials for the dashboard
    # UserName : admin
    # Password : qwer1234
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
Description:
rule: "Host(`traefik.xxx.com`)" makes Traefik serve the dashboard under the domain traefik.xxx.com. To support an HTTPS certificate, the domain name must be registered: for traefik.xxx.com to be issued and renewed automatically through ACME, it must be registered with the relevant authorities, otherwise automatic renewal through ACME cannot work and Traefik's debug log shows a "TLS Handle error" message. When ACME generates a certificate, it checks whether the domain name exists on the public DNS servers; if the domain name does not exist, an error is reported.
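Rather than reusing the admin/qwer1234 hash published above, each deployment should carry its own basicAuth entry. The following shell functions are an added example, not code from the original post: they generate a fresh entry for the user-auth middleware, verify an entry against a password by recomputing the hash with the entry's own salt, and double the `$` characters for the case where the entry is placed in a docker-compose label instead of http.yml (Compose interpolates `$` in labels; the file provider used above needs no escaping). The function names are mine, and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): manage the basicAuth entry used by
# the user-auth middleware. Assumes the openssl CLI; "admin"/"qwer1234" are the
# values the post uses for its dashboard login.
set -eu

# Generate "user:$apr1$salt$hash" with a fresh random salt. The Apache MD5 ($apr1$)
# format is one of the formats Traefik's basicAuth middleware accepts.
gen_basic_auth_entry() {
  local user="$1" password="$2"
  printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")"
}

# Extract the salt field: "user:$apr1$SALT$hash" -> "SALT"
basic_auth_salt() {
  local entry="$1"
  echo "$entry" | cut -d'$' -f3
}

# Recompute the hash with the entry's salt and compare; prints "match" or "mismatch"
basic_auth_entry_matches() {
  local entry="$1" password="$2"
  local user salt expected
  user="${entry%%:*}"
  salt="$(basic_auth_salt "$entry")"
  expected="$user:$(openssl passwd -apr1 -salt "$salt" "$password")"
  if [ "$expected" = "$entry" ]; then echo match; else echo mismatch; fi
}

# docker-compose interpolates "$" inside labels, so an entry used in a
# traefik.http.middlewares.*.basicauth.users label needs every "$" doubled.
escape_for_compose_label() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

if [ "${1:-}" = "demo" ]; then
  entry="$(gen_basic_auth_entry admin qwer1234)"
  echo "http.yml entry:        $entry"
  echo "compose label entry:   $(escape_for_compose_label "$entry")"
  echo "verify qwer1234:       $(basic_auth_entry_matches "$entry" qwer1234)"
  echo "verify wrong password: $(basic_auth_entry_matches "$entry" wrong)"
fi
```

Run it as `bash basicauth.sh demo` and paste the first line into the `users` list of http.yml; the verification function is the quick way to confirm that an entry copied from somewhere still corresponds to the password you believe it does.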
tcp.yml
Left empty for now; it is filled in the later section on configuring the TCP reverse proxy.
tls.yml
Left empty for now; it is configured later.
2.3 docker-compose Configuration File
docker-compose-traefik-demo.yml
version: '3'
services:
  traefik-service:
    image: traefik:v2.0
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    # Map container ports to host ports so the proxied services are exposed
    ports:
      - "80:80"
      - "443:443"
      - "3306:3306"
      - "6379:6379"
    volumes:
      # Let Traefik listen for Docker events (note: the socket grants the container full control of the Docker daemon)
      - /var/run/docker.sock:/var/run/docker.sock
      # Static configuration directory
      - ./config/static:/etc/traefik
      # Dynamic configuration directory
      - ./config/dynamic:/data/traefik/config
      # acme.json must exist with permissions 600 (chmod 600 acme.json) before Traefik starts
      - ./letsencrypt/acme.json:/letsencrypt/acme.json
    # Attach to the network named proxy
    networks:
      - proxy
# Define the network
networks:
  proxy:
    external: true
2.4 Starting the Traefik Service
- Create a network named proxy:
docker network create proxy
- Start the Traefik service:
docker-compose -f docker-compose-traefik-demo.yml up -d
- Check Traefik's log:
docker logs -f traefik
- Add a domain name mapping to the hosts file (not needed if your domain name is registered and Traefik is installed on the host that the domain name resolves to):
192.168.64.201 traefik.xxx.com
- Open in the browser:
http://traefik.xxx.com
The result is shown below:
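The startup steps above, collected into one script as an added example that is not part of the original post. It reuses the post's compose file name, the proxy network and the ./letsencrypt/acme.json path; the function names and the step of creating acme.json before the first start are my additions. Creating the file matters for two reasons: Docker turns a bind-mount source that does not exist into a directory, and Traefik rejects an acme.json whose permissions are wider than 600.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): bootstrap the Traefik deployment.
# COMPOSE_FILE and NETWORK are the names used in the post; the directory layout
# under the base path is an assumption.
set -eu

COMPOSE_FILE=docker-compose-traefik-demo.yml
NETWORK=proxy

# Create the ACME store under $1 with mode 600. An existing file (holding issued
# certificates) is never overwritten, only its permissions are tightened.
# Prints the path of acme.json.
prepare_acme_store() {
  local base="$1" f
  f="$base/letsencrypt/acme.json"
  mkdir -p "$base/letsencrypt" "$base/config/static" "$base/config/dynamic"
  [ -e "$f" ] || : > "$f"
  chmod 600 "$f"
  printf '%s\n' "$f"
}

# Permission string of a file, e.g. "-rw-------" (portable across ls variants)
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# Returns 0 when acme.json is private (mode 600), 1 otherwise
acme_store_is_private() {
  [ "$(file_mode "$1")" = "-rw-------" ]
}

# Create the external "proxy" network only if it does not exist yet
ensure_network() {
  docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
}

start_traefik() {
  docker-compose -f "$COMPOSE_FILE" up -d
  docker logs --tail 50 traefik
}

if [ "${1:-}" = "run" ]; then
  f="$(prepare_acme_store .)"
  acme_store_is_private "$f" || { echo "$f is not mode 600" >&2; exit 1; }
  ensure_network
  start_traefik
fi
```

Run `bash bootstrap.sh run` from the directory that holds docker-compose-traefik-demo.yml; re-running it after the first certificate has been issued leaves acme.json and its contents in place.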
6. Configure the TCP Reverse Proxy
7. Configure TLS for TCP
These sections are not written yet; I will add them later.