堆栈内存溢出
  简体   繁体   English

设置 Traefik 拦截 Docker 容器之间的流量

[英]Setting Traefik to intercept traffic between Docker containers

 原文  2022-09-20 11:38:34       docker/ docker-compose/ traefik

问题描述

I have Traefik container (traefik v. 2.8) running as reverse proxy for local development.我有 Traefik 容器(traefik v. 2.8)作为本地开发的反向代理运行。 I also use docker-compose.yml file to define my services.我还使用 docker-compose.yml 文件来定义我的服务。

Also, I have exposed the services present in docker-compose.yml via host.docker.internal by setting these lines in my /etc/hosts file:此外,我通过在我的/etc/hosts文件中设置这些行,通过host.docker.internal公开了docker-compose.yml中存在的服务:

127.0.0.1       host.docker.internal
localhost       host.docker.internal

My setup is as such:我的设置是这样的:

  • host.docker.internal:8443 used for service_a host.docker.internal:8443 用于 service_a
  • host.docker.internal:8453 used for service_b host.docker.internal:8453 用于 service_b

I have setup Traefik route from a.localhost that goes to host.docker.internal:8443.我已经设置了从 a.localhost 到 host.docker.internal:8443 的 Traefik 路由。 I can access a.localhost from the host outside the containers just fine, and Traefik does really route the traffic to host.docker.internal:8443 as I want.我可以很好地从容器外部的主机访问a.localhost ,并且 Traefik 确实根据我的需要将流量路由到host.docker.internal:8443

Problem is that I have a reason to have service B (host.docker.internal:8453) call service A via the a.localhost hostname.问题是我有理由让服务 B (host.docker.internal:8453) 通过a.localhost主机名调用服务 A。 This does not work, as in service B, I get unknown host when trying to access a.localhost这不起作用,因为在服务 B 中,我在尝试访问a.localhost时得到未知主机

Here is extract from my docker-compose.yml file:这是我的docker-compose.yml文件的摘录:

version: '3'
services:
  reverse_proxy:
  image: traefik:v2.8
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "9000:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dev-traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./dev-traefik:/configurations
  
  service_a:
    ports:
      - "8443:8443"

  service_b:
    ports:
      - "8453:8453"

Also I'm using a yml-based configuration for Traefik, present in dynamic-config.yml :我还在为 Traefik 使用基于 yml 的配置,存在于dynamic-config.yml

http:
  routers:
    service-a-router:
      service: service-a
      rule: "Host(`a.localhost`)"
      tls: "true" # using tls
  services:
    service-a:
      loadBalancer:
        servers:
          - url: "https://host.docker.internal:8443" # service A

tls:
  certificates:
    - certFile: "/etc/https/tls.crt"
      keyFile: "/etc/https/tls.key"
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/https/tls.crt"
        keyFile: "/etc/https/tls.key"

It seems like Traefik is able to listen to requests made from host network, as accessing https://a.localhost from browser outside the container network works just fine. Traefik 似乎能够监听来自主机网络的请求,因为从容器网络外部的浏览器访问https://a.localhost工作正常。 On the other hand, requests made by service_a container don't seem to be caught by Traefik.另一方面,service_a 容器发出的请求似乎没有被 Traefik 捕获。

What I have also tried is to add a.localhost to /etc/hosts in the host machine running the containers like this:我还尝试将a.localhost添加到运行容器的主机中的/etc/hosts中,如下所示:

127.0.0.1   a.localhost
localhost   a.localhost

And then using curl inside service B container to access service A.然后在服务B容器内使用curl访问服务A。

This resulted in getting connection refused as opposed to Could not resolve host: a.localhost .这导致connection refused ,而不是Could not resolve host: a.localhost This leads me to suggest that traefik couldn't intercept traffic from service b container这导致我建议traefik无法拦截来自服务 b 容器的流量

What am I doing wrong?我究竟做错了什么? Is there a way to make such setup work?有没有办法使这样的设置工作? I do have a legit reason for it, which relates to having as close setup as possible in local development as on other environments which are deployed to cloud.我确实有一个正当的理由,这与在本地开发中尽可能接近部署到云的其他环境中的设置有关。

1 个解决方案

解决方案1
 0  2022-09-26 10:47:38

I wasn't able to have Traefik intercept container -> container traffic the way I originally specified I'd want, but was able to actually nevertheless get similar setup working.我无法按照我最初指定的方式让 Traefik 拦截容器 -> 容器流量,但实际上仍然能够使类似的设置正常工作。

Here's the scenario:这是场景:

I have two services that are accessed via HTTP & TLS:我有两个通过 HTTP 和 TLS 访问的服务:

  • service_a服务_a
  • service_b服务_b

I want to be able to use host.docker.internal special DNS name to my advantage and actually have Traefik to proxy traffic from https://host.docker.internal/service_a to service_a port 8443 both outside Docker container network (from the host machine running Docker) AND from service_b via the fact that both the host machine running Docker can access host.docker.internal and also hosts inside the Docker network. I want to be able to use host.docker.internal special DNS name to my advantage and actually have Traefik to proxy traffic from https://host.docker.internal/service_a to service_a port 8443 both outside Docker container network (from the host运行 Docker 的机器)和来自service_b的事实是,运行 Docker 的主机都可以访问host.docker.internal以及 Docker 网络内的主机。 Using this fact to my advantage, I just defined a path for service_a as such in Traefik's YML configuration file:利用这一事实,我刚刚在 Traefik 的 YML 配置文件中定义了service_a的路径:

http:
  routers:
    service-a-router:
      service: service-a
      rule: "Host(`host.docker.internal`) && PathPrefix(`/service_a`)"
      tls: "true" # using tls
  services:
    service-a:
      loadBalancer:
        servers:
          - url: "https://host.docker.internal:8443" # service A

tls:
  certificates:
    - certFile: "/etc/https/tls.crt"
      keyFile: "/etc/https/tls.key"
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/https/tls.crt"
        keyFile: "/etc/https/tls.key"

And docker-compose.yml was made to look like this: docker-compose.yml看起来像这样:

version: '3'
services:
  reverse_proxy:
  image: traefik:v2.8
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "9000:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./dev-traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./dev-traefik:/configurations
  
  service_a:
    ports:
      - "8443:8443"

  service_b:
    ports:
      - "8453:8453"

Now as I use host.docker.internal in Host rule in my Traefik YML config, Traefik is in fact able to intercept both traffic from the Docker host machine and from the Docker container service_b .现在,当我在我的 Traefik YML 配置的Host规则中使用host.docker.internal时,Traefik 实际上能够拦截来自 Docker 主机和来自service_b容器服务_b 02 的流量。

service_b just need to configure URL of https://host.docker.internal/service_a to access service_a through Traefik. service_b只需要配置 https https://host.docker.internal/service_a的 URL 即可通过 Traefik 访问service_a

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Docker:将流量重定向到容器 - Docker: redirect traffic to containers 通过 websockets 将 traefik 用于 docker 内部流量 - Using traefik for docker internal traffic via websockets 将 TCP 流量从 Traefik 转发到 Docker 容器 - Forwarding TCP traffic from Traefik to a Docker container 通过Traefik远程访问Docker容器 - Remotely access Docker containers proxied through Traefik Traefik 不同的端口用于不同的 Docker 容器 - Traefik different ports for different Docker containers 一台主机上带有Traefik的两个Docker容器 - Two docker containers with Traefik on one host Docker 使用 Traefik 的 Swarm:容器已启动但收到 404 - Docker Swarm with Traefik: containers are up but getting 404 将 Traefik 反向代理到 Docker 容器中的 Nginx - Reverse proxy Traefik to Nginx in Docker containers 用 Traefik 运行两个 wordpress Docker 容器? - Run two wordpress Docker containers with Traefik? 如何用 Burp 拦截 Docker 的容器流量? - How to intercept Docker's container traffic with Burp?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM