wanx server 2 —— traefik
docker hub
- https://hub.docker.com/_/traefik
- DHI(Docker Hardened Images)是强化版镜像,但是调试不方便,目前不考虑
sh
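# Shared Docker network, declared as external in the compose file; intended
# for Traefik and the containers it routes to.
docker network create traefik-network

# Working directory for the compose file, the dynamic config and ACME storage.
mkdir -p /opt/traefik
cd /opt/traefik
mkdir -p dynamic
# acme.json stores the ACME account key and issued certificates; Traefik
# refuses to use it unless only the owner can read it (mode 600).
touch acme.json
chmod 600 acme.json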
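services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    command:
      # Dashboard/API is enabled. With --api.insecure unset it is only
      # reachable through a router to api@internal (none is defined on this
      # page); put authentication in front of it if you add one.
      - --api.dashboard=true
      # Docker provider: containers are discovered through the mounted socket.
      - --providers.docker=true
      # Containers are not routed unless they opt in with the label
      # traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # HTTP -> HTTPS redirection is not configured in this file, so requests
      # on port 80 are not redirected.
      # File provider: dynamic configuration is read from /dynamic and
      # reloaded on change.
      - --providers.file.directory=/dynamic
      - --providers.file.watch=true
      # Let's Encrypt
      - --certificatesresolvers.le.acme.email=694666422@qq.com
      - --certificatesresolvers.le.acme.storage=/acme.json
      # HTTP-01 challenge, answered on the web (:80) entrypoint, so port 80
      # must be reachable from the internet for issuance and renewal.
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # NOTE(security): ":ro" only makes the socket file a read-only mount; it
      # does not restrict Docker API calls. Anything that can use this socket
      # can control the Docker daemon on the host. Consider a socket proxy
      # that allows only the read-only API endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # ACME account key and certificates; keep the host file at mode 600.
      - ./acme.json:/acme.json
      - ./dynamic:/dynamic
    networks:
      - traefik-network
networks:
  traefik-network:
    external: true

# In production, forced HTTPS can be enabled with the following flags: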
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
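- --entrypoints.web.http.redirections.entrypoint.permanent=true

providers.docker=true 监听 docker socket,即 /var/run/docker.sock:/var/run/docker.sock:ro。注意 :ro 只是把 socket 文件以只读方式挂载,并不限制 Docker API 调用,能访问该 socket 就等于能控制宿主机上的 Docker。
providers.docker.exposedbydefault 为 true 时所有容器自动暴露公网访问;这里设为 false,只有带 traefik.enable=true 标签的容器才会被路由。
certificatesresolvers.le.acme.httpchallenge 证书申请方式(HTTP-01,需要公网能访问 80 端口)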
全部http -> https
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https

directory / 动态路由规则配置
- router 路由规则:什么域名/路径进来
- service 后端服务:转发到哪里
- middleware 中间件:跳转、鉴权、压缩、限流等
- tls HTTPS 证书规则
例 api.yml
yml
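# Example dynamic configuration for the file provider: requests for
# api.example.com arriving on the websecure entrypoint go to the api service.
http:
  routers:
    api:
      rule: Host(`api.example.com`)
      entryPoints:
        - websecure
      service: api
      tls:
        # Certificate is requested through the "le" resolver from the
        # static configuration.
        certResolver: le
  services:
    api:
      loadBalancer:
        servers:
          # Backend is reached over plain HTTP; presumably "api" is a
          # container on the shared traefik-network, so port 3000 does not
          # need to be published on the host. Verify against your setup.
          - url: http://api:3000

# Debugging: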
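# Restart the Traefik container. This does not apply edits made to the
# compose file itself; use `docker compose up -d` for those.
docker compose restart traefik
# Follow Traefik's log output (ACME and routing errors show up here).
docker logs -f traefik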