Setting Traefik to intercept traffic between Docker containers
I have a Traefik container (traefik v. 2.8) running as a reverse proxy for local development. I also use a docker-compose.yml file to define my services.

Also, I have exposed the services present in docker-compose.yml via host.docker.internal by setting these lines in my /etc/hosts file:

    127.0.0.1 host.docker.internal
    localhost host.docker.internal

My setup is as such:

I have set up a Traefik route from a.localhost that goes to host.docker.internal:8443. I can access a.localhost from the host outside the containers just fine, and Traefik does really route the traffic to host.docker.internal:8443 as I want.

The problem is that I have a reason to have service B (host.docker.internal:8453) call service A via the a.localhost hostname. This does not work, as in service B, I get unknown host when trying to access a.localhost.

Here is an extract from my docker-compose.yml file:

    version: '3'
    services:
      reverse_proxy:
        image: traefik:v2.8
        # Enables the web UI and tells Traefik to listen to docker
        command: --api.insecure=true --providers.docker
        ports:
          - "80:80"
          - "443:443"
          # The Web UI (enabled by --api.insecure=true)
          - "9000:8080"
        volumes:
          # So that Traefik can listen to the Docker events
          - /var/run/docker.sock:/var/run/docker.sock
          - ./dev-traefik/traefik.yml:/etc/traefik/traefik.yml
          - ./dev-traefik:/configurations
      service_a:
        ports:
          - "8443:8443"
      service_b:
        ports:
          - "8453:8453"

Also, I'm using a yml-based configuration for Traefik, present in dynamic-config.yml:

    http:
      routers:
        service-a-router:
          service: service-a
          rule: "Host(`a.localhost`)"
          tls: "true" # using tls
      services:
        service-a:
          loadBalancer:
            servers:
              - url: "https://host.docker.internal:8443" # service A
    tls:
      certificates:
        - certFile: "/etc/https/tls.crt"
          keyFile: "/etc/https/tls.key"
      stores:
        default:
          defaultCertificate:
            certFile: "/etc/https/tls.crt"
            keyFile: "/etc/https/tls.key"

It seems like Traefik is able to listen to requests made from the host network, as accessing https://a.localhost from a browser outside the container network works just fine. On the other hand, requests made by the service_a container don't seem to be caught by Traefik.

What I have also tried is to add a.localhost to /etc/hosts in the host machine running the containers like this:

    127.0.0.1 a.localhost
    localhost a.localhost

And then using curl inside the service B container to access service A.

This resulted in getting connection refused as opposed to Could not resolve host: a.localhost. This leads me to suggest that traefik couldn't intercept traffic from the service b container.

What am I doing wrong? Is there a way to make such a setup work? I do have a legit reason for it, which relates to having as close a setup as possible in local development as on other environments which are deployed to cloud.

I wasn't able to have Traefik intercept container -> container traffic the way I originally specified I'd want, but was able to actually nevertheless get a similar setup working.

Here's the scenario:

I have two services that are accessed via HTTP & TLS:

I want to be able to use the host.docker.internal special DNS name to my advantage and actually have Traefik proxy traffic from https://host.docker.internal/service_a to service_a port 8443 both outside the Docker container network (from the host machine running Docker) AND from service_b via the fact that both the host machine running Docker can access host.docker.internal and also hosts inside the Docker network. Using this fact to my advantage, I just defined a path for service_a as such in Traefik's YML configuration file:

    http:
      routers:
        service-a-router:
          service: service-a
          rule: "Host(`host.docker.internal`) && PathPrefix(`/service_a`)"
          tls: "true" # using tls
      services:
        service-a:
          loadBalancer:
            servers:
              - url: "https://host.docker.internal:8443" # service A
    tls:
      certificates:
        - certFile: "/etc/https/tls.crt"
          keyFile: "/etc/https/tls.key"
      stores:
        default:
          defaultCertificate:
            certFile: "/etc/https/tls.crt"
            keyFile: "/etc/https/tls.key"

And docker-compose.yml was made to look like this:

    version: '3'
    services:
      reverse_proxy:
        image: traefik:v2.8
        # Enables the web UI and tells Traefik to listen to docker
        command: --api.insecure=true --providers.docker
        ports:
          - "80:80"
          - "443:443"
          # The Web UI (enabled by --api.insecure=true)
          - "9000:8080"
        volumes:
          # So that Traefik can listen to the Docker events
          - /var/run/docker.sock:/var/run/docker.sock
          - ./dev-traefik/traefik.yml:/etc/traefik/traefik.yml
          - ./dev-traefik:/configurations
      service_a:
        ports:
          - "8443:8443"
      service_b:
        ports:
          - "8453:8453"

Now as I use host.docker.internal in the Host rule in my Traefik YML config, Traefik is in fact able to intercept both traffic from the Docker host machine and from the Docker container service_b.

service_b just needs to configure the URL https://host.docker.internal/service_a to access service_a through Traefik.
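
An alternative to the path-based workaround, as an added example that is not part of the original post: a Compose network alias makes Docker's embedded DNS answer a.localhost with the Traefik container's address, so the question's Host rule for a.localhost also serves requests coming from service_b instead of the name landing on service_b's own loopback. It assumes all three services share the Compose default network and that service_b trusts the certificate Traefik presents for a.localhost.

```yaml
# Added example, not from the original post.
# Only the reverse_proxy service changes; service_a and service_b stay as in
# the extract above.
version: '3'
services:
  reverse_proxy:
    image: traefik:v2.8
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80"
      - "443:443"
      - "9000:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dev-traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./dev-traefik:/configurations
    networks:
      default:
        aliases:
          # Containers on the default network now resolve a.localhost to this
          # container, so https://a.localhost from service_b reaches Traefik's
          # port 443 directly (container to container, no published port needed).
          - a.localhost
  service_a:
    ports:
      - "8443:8443"
  service_b:
    ports:
      - "8453:8453"
```

Clients that map names under .localhost to loopback themselves, without querying DNS, will not see the alias; a development hostname outside the .localhost zone avoids that.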