stackoom
  简体   繁体   中英

Using traefik to route ssl to different servers on different dockers

 原文  2019-10-28 18:11:24       docker/ ssl/ redirect/ reverse-proxy/ traefik

Question

I am a noob to this, but after reading some good guides I got the following problem...

I have a homeserver set up on Ubuntu with docker running containers for different applications; plex, minecraft, portainer and traefik. I have successfully set up traefik with reverse proxy, https, ssl routing with lets encrypt and duckdns.org.

Since yesterday I have set up a RaspberryPi with hass.io on it for my home automation stuff. To get hass.io to connect to my Alexa account I need it to be https and since I already use traefik to certificate my connection to my server... I think I would be able to use it for this too..

But I cannot get it to work. How do I set traefik up so that it also can handle a server outside the docker on my server?`

From my docker-compose.yaml

 #Portainer - WebUI for Containers
  portainer:
    image: portainer/portainer
    hostname: portainer
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
#    ports:
#      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/docker/portainer/data:/data
      - ${USERDIR}/docker/shared:/shared
    environment:
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=portainer"
      - "traefik.frontend.rule=Host:portainer.${DOMAINNAME}"
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /portainer"
      - "traefik.port=9000"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"

# Traefik reverse proxy
  traefik:
    hostname: traefik
    image: traefik:v1.7.18
    container_name: traefik
    restart: always
    domainname: ${DOMAINNAME}
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.${DOMAINNAME}"
#      - "traefik.frontend.rule=Host:${DOMAINNAME}; PathPrefixStrip: /traefik"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=${DOMAINNAME}"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
      - "traefik.frontend.auth.basic.users=${HTTP_USERNAME}:${HTTP_PASSWORD}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared

#traefik networks block, to set up reverse proxy
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge

and my traefik.toml

#debug = true

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend an$
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
email = "john.doe@notreal.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
[acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "notmine.duckdns.org"
[[acme.domains]]
   main = "*.notmine.duckdns.org"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "notmine.duckdns.org"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false

The above is the working code, I just can't figure out how to make adjustments that's not breaking it all...

1 answers

solution1
 0 ACCPTED  2019-11-01 00:08:05

It was tricky, noob as I said, but it was posible to solve by adding another domain to the rules.toml and by that create a frontend wich pointed to a backend at another server. I used this guide to solve the problem: docs.traefik.io/v1.5/configuration/backends/file

So I had to add my "non docker server" to the traefik.toml as a new domain that needs a certificate

# Domain for my server on the Raspberry
[[acme.domains]]
   main = "eklandaresidenset.duckdns.org"

I also had to edit my acme.json file with the key... it sould do it by itself when you restart trefik, but I never got that to happen so I edited it myself and just copied the keys I already had in the file. :-)

Then I set up my rules.toml that I already had referenced in my traefik.toml but not created, so I did that and added this:

# Putting non-docker apps behind traefik proxy.
[backends]
  [backends.backend-anotherserver]
    [backends.backend-anotherserver.servers.anotherserver]
        url = "http://xxx.xxx.xxx.xxx:yyy" #the other servers local IP and port
        weight = 1

[frontends]
  [frontends.frontend-anotherserver]
    backend = "backend-anotherserver"
     passHostHeader = true
     passTLSCert = true
    [frontends.frontend-anotherserver.routes.domain]
        rule = "Host:anotherserver.duckdns.org"  #created another server dns-subdirectory at duckdns.org pointing to the same IP as before... just to get another header!
     [frontends.frontend-anotherserver.headers]
       SSLRedirect = true
       SSLHost = "anotherserver.duckdns.org"
       STSSeconds = 315360000
       STSIncludeSubdomains = true
       STSPreload = true
       forceSTSHeader = true
       frameDeny = true
       browserXSSFilter = true

Problem solved!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using traefik to route to different containers add nodes to dockers swarm from different servers How to connect and encrypt traffic between dockers runnning on different servers? Run different dockers with R start 2 dockers of the same build with different variables Redirect DNS to different port with traefik Traefik different ports for different Docker containers Different servers generate different JWT tokens using the same parameters How to connect multiple Dockers to different bridges in a single host machine? Route Traefik UI with Traefik
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM