traefik基于版本v2.3的使用配置

创建网络

docker network create -d overlay apps_backends

创建访问点应用

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --replicas 1  \
        traefik:v2.3  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \

上述命令创建了一个名为app-traefik服务，并绑定了两个访问点http(–entrypoints.http.address=:80),https(–entrypoints.https.address=:443)

配置ssh证书支持

以http访问鉴权为例

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --replicas 1  \
        traefik:v2.3  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \
        --entrypoints.https.http.tls.certResolver=qs \
        --certificatesresolvers.qs.acme.email=name@yourdomain.com  \
        --certificatesresolvers.qs.acme.storage=acme.json  \
        --certificatesresolvers.qs.acme.httpchallenge.entrypoint=http \

增加了qs(–entrypoints.https.http.tls.certResolver)项作为默认ssh认证配置名称，并增加(–certificatesresolvers.qs)相关的参数，其中(–certificatesresolvers.qs.acme.email)为自定义的邮箱，其余可保持默认

以阿里云dns为例

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        -e ALICLOUD_ACCESS_KEY=L*********V1 \
        -e ALICLOUD_SECRET_KEY=V*********lw \
        -e ALICLOUD_REGION_ID=cn-shenzhen \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --replicas 1  \
        traefik:v2.3  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \
        --entrypoints.https.http.tls.certResolver=ali \
        --certificatesresolvers.ali.acme.storage=acme.json  \
        --certificatesresolvers.ali.acme.email=name@yourdomain.com  \
        --certificatesresolvers.ali.acme.dnschallenge.provider=alidns

增加了ali(–entrypoints.https.http.tls.certResolver)项作为默认ssh认证配置名称，并增加(–certificatesresolvers.ali)相关的参数，其中(–certificatesresolvers.ali.acme.email)为自定义的邮箱，provider参数为alidns，需要配置ALICLOUD_ACCESS_KEY、 ALICLOUD_SECRET_KEY、ALICLOUD_REGION_ID环境变量，其余可保持默认

为traefik服务启用admin面板(api@internal，ip:port方式)

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        --publish 8080:8080 \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --replicas 1  \
        traefik:v2.3  \
        --api.insecure=true  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443

使用地址http://ip:8080即可访问admin面板

为traefik服务启用admin面板(api@internal，http方式)

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        -e ALICLOUD_ACCESS_KEY=L*********V1 \
        -e ALICLOUD_SECRET_KEY=V*********lw \
        -e ALICLOUD_REGION_ID=cn-shenzhen \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --container-label 'traefik.enable=true' \
        --container-label 'traefik.http.routers.api.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.api.entryPoints=http' \ \
        --container-label 'traefik.http.routers.api.service=api@internal' \
        --container-label 'traefik.http.services.api@internal.loadbalancer.server.port=8080' \
        --replicas 1  \
        traefik:v2.3  \
        --api.insecure=true  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443

使用地址http://tfk.yourdomain.com(需要改为自己的)即可访问admin面板

为traefik服务启用admin面板(api@internal，https方式)

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        -e ALICLOUD_ACCESS_KEY=L*********V1 \
        -e ALICLOUD_SECRET_KEY=V*********lw \
        -e ALICLOUD_REGION_ID=cn-shenzhen \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --container-label 'traefik.enable=true' \
        --container-label 'traefik.http.routers.apis.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.apis.entryPoints=https' \
        --container-label 'traefik.http.routers.apis.tls=true' \
        --container-label 'traefik.http.routers.apis.tls.certresolver=ali' \
        --container-label 'traefik.http.routers.apis.service=api@internal' \
        --container-label 'traefik.http.services.api@internal.loadbalancer.server.port=8080' \
        --replicas 1  \
        traefik:v2.3  \
        --api.insecure=true  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \
        --entrypoints.https.http.tls.certResolver=ali \
        --certificatesresolvers.ali.acme.storage=acme.json  \
        --certificatesresolvers.ali.acme.email=name@yourdomain.com  \
        --certificatesresolvers.ali.acme.dnschallenge.provider=alidns

使用地址https://tfk.yourdomain.com(需要改为自己的)即可访问admin面板

为traefik服务启用admin面板(api@internal，http重定向https)

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        -e ALICLOUD_ACCESS_KEY=L*********V1 \
        -e ALICLOUD_SECRET_KEY=V*********lw \
        -e ALICLOUD_REGION_ID=cn-shenzhen \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --container-label 'traefik.enable=true' \
        --container-label 'traefik.http.routers.apis.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.apis.entryPoints=https' \
        --container-label 'traefik.http.routers.apis.tls=true' \
        --container-label 'traefik.http.routers.apis.tls.certresolver=ali' \
        --container-label 'traefik.http.routers.apis.service=api@internal' \
        --container-label 'traefik.http.routers.api.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.api.entryPoints=http' \
        --container-label 'traefik.http.routers.api.middlewares=https_redirect' \
        --container-label 'traefik.http.routers.api.service=api@internal' \
        --container-label 'traefik.http.services.api@internal.loadbalancer.server.port=8080' \
        --container-label 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https' \
        --container-label 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true' \
        --replicas 1  \
        traefik:v2.3  \
        --api.insecure=true  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \
        --entrypoints.https.http.tls.certResolver=ali \
        --certificatesresolvers.ali.acme.storage=acme.json  \
        --certificatesresolvers.ali.acme.email=name@yourdomain.com  \
        --certificatesresolvers.ali.acme.dnschallenge.provider=alidns

使用https_redirect的middlewares中间件配置，访问地址http://tfk.yourdomain.com可自动重定向到https://tfk.yourdomain.com

为traefik服务启用admin面板，增加加base auth鉴权(api@internal，http重定向https)

docker service create \
        --name="app-traefik"  \
        --network apps_backends \
        --publish 80:80 \
        --publish 443:443 \
        -e ALICLOUD_ACCESS_KEY=L*********V1 \
        -e ALICLOUD_SECRET_KEY=V*********lw \
        -e ALICLOUD_REGION_ID=cn-shenzhen \
        --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
        --mount type=bind,source=/data/traefik/acme,target=/etc/traefik/acme \
        --container-label 'traefik.enable=true' \
        --container-label 'traefik.http.routers.apis.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.apis.entryPoints=https' \
        --container-label 'traefik.http.routers.apis.tls=true' \
        --container-label 'traefik.http.routers.apis.tls.certresolver=ali' \
        --container-label 'traefik.http.routers.apis.service=api@internal' \
        --container-label "traefik.http.routers.apis.middlewares=myAuth" \
        --container-label 'traefik.http.routers.api.rule=Host(`tfk.yourdomain.com`)' \
        --container-label 'traefik.http.routers.api.entryPoints=http' \
        --container-label 'traefik.http.routers.api.middlewares=https_redirect' \
        --container-label 'traefik.http.routers.api.service=api@internal' \
        --container-label 'traefik.http.services.api@internal.loadbalancer.server.port=8080' \
        --container-label 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https' \
        --container-label 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true' \
        --container-label 'traefik.http.middlewares.myAuth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/' \
        --replicas 1  \
        traefik:v2.3  \
        --api.insecure=true  \
        --providers.docker  \
        --providers.docker.network=apps_backends  \
        --providers.docker.watch=true  \
        --entrypoints.http.address=:80  \
        --entrypoints.https.address=:443  \
        --entrypoints.https.http.tls.certResolver=qs \
        --certificatesresolvers.qs.acme.email=name@yourdomain.com  \
        --certificatesresolvers.qs.acme.storage=acme.json  \
        --certificatesresolvers.qs.acme.httpchallenge.entrypoint=http \
        --certificatesresolvers.ali.acme.storage=acme.json  \
        --certificatesresolvers.ali.acme.email=name@yourdomain.com  \
        --certificatesresolvers.ali.acme.dnschallenge.provider=alidns

增加名为myAuth的自定义的middlewares配置项，使用--traefik.http.middlewares.myAuth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/配置登录账户信息，其中test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/（明文 test:test）使用htpasswd生成的user:password 键值对,可使用命令echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g，访问时输入相应的用户密码即可访问。