[英]How to redirect http to https with Traefik 2.0 and Docker Compose labels?
請注意,這是一個 Traefik V2 問題。 我在 V1 上有一個解決方案,但 V2 是一個徹底的改造。
上面的內容應該將http://whoami.mysite.com重定向到 http s ://whoami.mysite.com。
沒有其他文件。 目前所有內容都在這個 Docker-compose.yml 中,因為它是准備進一步部署的測試。
version: "3.3"
services:
traefik:
image: "traefik:v2.0"
container_name: "traefik"
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.web-secure.address=:443"
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web-secure"
#- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myhttpchallenge.acme.email=me@mail.com"
- "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
labels:
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
image: "containous/whoami"
container_name: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.mysite.com`)"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoami.middlewares=redirect-to-https@docker"
- "traefik.http.routers.whoami-secured.rule=Host(`whoami.mysite.com`)"
- "traefik.http.routers.whoami-secured.entrypoints=web-secure"
- "traefik.http.routers.whoami-secured.tls=true"
- "traefik.http.routers.whoami-secured.tls.certresolver=myhttpchallenge"
我建議在這里查看文檔 入口點重定向 80 > 443
這對我有用,如果您希望所有流量從端口 80 重定向到 443,這是最好的解決方案。
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entryPoint.to=websecure
--entrypoints.web.http.redirections.entryPoint.scheme=https
--entrypoints.web.http.redirections.entrypoint.permanent=true
--entrypoints.websecure.address=:443
筆記:
周圍有很多例子。 看看websecure。
有時它是寫成網絡安全的。
希望有幫助;o)
現在在 Gérald Croës 的教程中有一個可行的解決方案:
https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d
services:
traefik:
image: "traefik:v2.0.0"
# ...
labels:
# ...
# middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# global redirect to https
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
您不需要配置 Traefik 服務本身。 在 Traefik 上,您只需要有以下入口點:443(網絡安全)和:80(網絡)
因為 Traefik 只作為入口點,不會做重定向,所以目標服務上的中間件會做。
現在將您的目標服務配置如下:
version: '2'
services:
mywebserver:
image: 'httpd:alpine'
container_name: mywebserver
labels:
- traefik.enable=true
- traefik.http.middlewares.mywebserver-redirect-web-secure.redirectscheme.scheme=https
- traefik.http.routers.mywebserver-web.middlewares=mywebserver-redirect-web-secure
- traefik.http.routers.mywebserver-web.rule=Host(`sub.domain.com`)
- traefik.http.routers.mywebserver-web.entrypoints=web
- traefik.http.routers.mywebserver-web-secure.rule=Host(`sub.domain.com`)
- traefik.http.routers.mywebserver-web-secure.tls.certresolver=mytlschallenge
- traefik.http.routers.mywebserver-web-secure.tls=true
- traefik.http.routers.mywebserver-web-secure.entrypoints=web-secure
# if you have multiple ports exposed on the service, specify port in the web-secure service
- traefik.http.services.mywebserver-web-secure.loadbalancer.server.port=9000
所以基本上流程是這樣的:
請求: http://sub.domain.com:80 --> traefik (service) --> mywebserver-web (router, http rule) --> -> mywebserver-web-secure(路由器,https 規則)--> mywebserver(服務)
您只需要將以下內容添加到 traefik 配置中,而不是應用程序;
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
這是 traefik 的完整 yaml 配置
version: "3.3"
services:
traefik:
image: "traefik:v2.5"
container_name: "traefik"
command:
# - "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
- "--certificatesresolvers.myresolver.acme.email=user@domain.com"
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "80:80"
- "8080:8080"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
示例應用
whoami:
image: "traefik/whoami"
container_name: "simple-service"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`subdomain.domain.com`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls.certresolver=myresolver"
當我在尋找如何通過 Traefik v2.2 將所有內容重定向到 HTTPS 時,我正在尋找這個答案,對我來說最好的選擇是將此 ENV 變量添加到 Traefik,它會自動將所有流量重定向到 HTTPS。
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=:443
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure
有了這個,我不需要向中間件添加任何東西。 有關該功能的更多信息可以在 官方文檔中找到。
好的,找到了……我假設中間件可以在 Traefik 級別聲明,但這些必須在服務級別聲明。
這一行:
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
必須在 whoami 服務的標簽中。
與所描述的問題無關的另一點是 http 挑戰必須在端口 80 上完成。
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web-secure"
刪除“web-secure”中的“secure”。
似乎全局設置不是使用標簽完成的,而是使用 traefik 命令 arguments 完成的。 您的問題是關於標簽的,但也許這個解決方案也適用於您?
根據以下官方文檔,這是要做的事情: https://docs.traefik.io/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers
以前在 v1 中的內容:
# static configuration
defaultEntryPoints = ["web", "websecure"]
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.redirect]
entryPoint = "websecure"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
現在看來是:
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entrypoint.to=websecure
--entrypoints.web.http.redirections.entrypoint.scheme=https
--entrypoints.websecure.address=:443
--providers.docker=true
有兩種選擇:
您可以通過將以下內容添加到 Traefik 容器的靜態配置來將所有傳入流量重定向到 HTTPS:
command:
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
或者,您可以通過將以下內容添加到應用程序容器的動態配置中,將流量重定向到單個容器的 HTTPS:
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.myapp-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.myapp-redirect.redirectscheme.permanent=true"
- "traefik.http.routers.myapp.middlewares=myapp-redirect"
- "traefik.http.routers.myapp.rule=Host(`myapp.localhost`)"
- "traefik.http.routers.myapp.entrypoints=web"
- "traefik.http.routers.myapp-secure.rule=Host(`myapp.localhost`)"
- "traefik.http.routers.myapp-secure.entrypoints=websecure"
- "traefik.http.routers.myapp-secure.tls=true"
- "traefik.http.routers.myapp-secure.tls.certresolver=le"
對於最新版本的 traefik 上的 kubernetes helm 圖表用戶,您可以在您的 traefik 值文件中使用它(在圖表版本 10.3.2 / traefik 2.5 上測試)將所有流量重定向到 httpS
# values.yaml
ports:
web:
redirectTo: websecure
如果您需要 CRD 更新(traefik 2.4 -> 2.5),請使用此要點
我的 nginx docker-compose 模板
nginx:
image: nginx:alpine
container_name: nginx
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.services.nginx-service.loadbalancer.server.port=80"
# http
- "traefik.http.routers.nginx-http.entrypoints=web"
- "traefik.http.routers.nginx-http.rule=Host(`example.com`)"
# https
- "traefik.http.routers.nginx-https.entrypoints=websecure"
- "traefik.http.routers.nginx-https.rule=Host(`example.com`)"
- "traefik.http.routers.nginx-https.tls.certresolver=production"
# http to https
- "traefik.http.middlewares.nginx-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.nginx-redirect.redirectscheme.permanent=true"
- "traefik.http.routers.nginx-http.middlewares=nginx-redirect"
networks:
- web
networks:
web:
external: true
我的 traefik ssl 部分
# LET'S ENCRYPT:
# ---
#
staging:
acme:
email: example@mail.com # TODO: Change this to your email
storage: /ssl-certs/acme.json
caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
production:
acme:
email: exam@gmail.com # TODO: Change this to your email
storage: /ssl-certs/acme.json
httpChallenge:
entryPoint: web
在 traefik 服務中,我有一個 label 定義中間件:
traefik.http.middlewares.https-only.redirectscheme.scheme=https
在應用服務中我有一個標簽:
traefik.http.routers.myapp.rule=Host(`${APP_HOST}`)
traefik.http.routers.myapp.entrypoints=web
traefik.http.routers.myapp.middlewares=https-only
我有同樣的問題,但我沒有得到它的工作。
@Thib:
好的,找到了……我假設中間件可以在 Traefik 級別聲明,但這些必須在服務級別聲明。
我無法重現這一點。
我的設置
我在我的 swarm 中配置了 Traefik,如下所示:
global:
checkNewVersion: false
sendAnonymousUsage: false
api:
dashboard: true
entryPoints:
web:
address: :80
websecure:
address: :443
providers:
providersThrottleDuration: 2s
docker:
watch: true
endpoint: unix:///var/run/docker.sock
swarmMode: true
swarmModeRefreshSeconds: 15s
exposedByDefault: false
network: webgateway
log:
level: DEBUG
accessLog: {}
certificatesResolvers:
default:
acme:
email: {email}
storage: /etc/traefik/acme/acme.json
httpChallenge:
entryPoint: web
並使用以下 docker-compose 文件啟動 Traefik
version: '3'
services:
proxy:
image: traefik:latest
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /data/docker_data/traefik/traefik-2.yml:/etc/traefik/traefik.yml
- /data/docker_data/traefik/acme-2.json:/etc/traefik/acme/acme.json
labels:
# redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
我的服務配置有以下標簽:
traefik.http.routers.myapp.rule=Host(`myapp.ch`)
traefik.http.routers.myapp.service=myapp
traefik.http.routers.myapp.entrypoints=websecure
# I don't think that the following one is required here...
# traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
traefik.http.routers.myapp.tls.certresolver=default
traefik.http.services.myapp.loadbalancer.server.port=3000
traefik.http.routers.myapp.tls=true
traefik.enable=true
任何想法為什么這不起作用? 我在這里關注了博客條目: https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.