「Traefik」一脚踢开Nginx啦
记录反向代理Traefik使用技巧。
简介
Traefik 是一个开源的边缘路由器,常用于反向代理、负载均衡等。因为其优秀的服务发现能力,非常适合于在集群中作为大量微服务的代理。
用例
Docker Compose
家庭服务代理
配置参考苏洋博客
以 Docker Compose 方式启动 Traefik 服务,并配置自动管理 Let's Encrypt 证书。
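# Traefik as an edge reverse proxy for home services, started with Docker
# Compose. Certificates are obtained from Let's Encrypt through the Cloudflare
# DNS-01 challenge. Values written as ${...} are read from the shell
# environment or an .env file next to this compose file.
version: '3.8'

services:
  traefik:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
    ports:
      # 8080 is Traefik's internal "traefik" entry point. It stays unpublished
      # and in this setup serves only /ping for the container health check.
      # - "8080:8080"
      - "80:80"
      - "443:443"
    volumes:
      # ":ro" only makes the socket file read-only; the Docker API reached
      # through it still accepts write calls, so this mount gives the
      # container control over the Docker daemon. A filtering socket proxy
      # in front of the socket narrows that access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json, which contains the ACME account key and certificate
      # private keys. Keep this directory readable by the owner only
      # (Traefik expects mode 600 on acme.json).
      - /path/to/your/certs:/certs
    environment:
      # Cloudflare credentials for the DNS challenge. Both token variables
      # take the same value here, so that one token needs DNS edit and zone
      # read permission; scope it to the zone being served. Keep the .env
      # file that holds it out of version control.
      - CF_API_EMAIL=${CF_DNS_EMAIL}
      - CLOUDFLARE_DNS_API_TOKEN=${CF_API_TOKEN}
      - CLOUDFLARE_ZONE_API_TOKEN=${CF_API_TOKEN}
    command:
      # Enable the API and the dashboard. They are reached only through the
      # routers declared under "labels" below.
      - "--api=true"
      - "--api.dashboard=true"
      # Insecure mode serves the API and dashboard without authentication on
      # the internal :8080 entry point, so it is switched off.
      # NOTE(review): the original kept it on because the dashboard became
      # unreachable without it. The likely cause is the old health check,
      # which queried http://localhost:8080/api/rawdata; with insecure mode
      # off that request fails, the container is reported unhealthy, and the
      # Docker provider ignores containers that are not healthy, which drops
      # the dashboard routers. The health check below uses /ping instead.
      - "--api.insecure=false"
      # Liveness endpoint on the internal entry point, used by the health check.
      - "--ping=true"
      # Entry points for plain HTTP and for HTTPS traffic.
      - "--entryPoints.http.address=:80"
      - "--entryPoints.https.address=:443"
      # Enable service discovery through Docker.
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      # Only containers labelled traefik.enable=true are exposed.
      - "--providers.docker.exposedByDefault=false"
      # Let's Encrypt (ACME) resolver "le", using the Cloudflare DNS challenge.
      - "--certificatesresolvers.le.acme.email=${CF_DNS_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/certs/acme.json"
      - "--certificatesresolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--certificatesresolvers.le.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnsChallenge.delayBeforeCheck=30"
      # Do not send usage statistics or check for new versions.
      - "--global.sendanonymoususage=false"
      - "--global.checknewversion=false"
    labels:
      - "traefik.enable=true"
      # Basic-auth middleware shared by every dashboard and API router below.
      # TRAEFIK_DASHBOARD_USERS is a placeholder introduced here: set it to a
      # "user:hash" entry generated with htpasswd, and make sure the "$"
      # characters of the hash reach Traefik unchanged.
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS}"
      # Dashboard over plain HTTP, bound to the dashboard@internal service.
      # NOTE(review): on this entry point the basic-auth credentials and the
      # dashboard data travel unencrypted, and the host name differs from the
      # HTTPS routers (aio.traefik vs traefik.aio) - confirm that both are
      # intended; dropping the two HTTP routers leaves only the TLS path.
      - "traefik.http.routers.traefik-dashboard.entrypoints=http"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`aio.traefik.yirami.xyz`)"
      - "traefik.http.routers.traefik-dashboard.service=dashboard@internal"
      - "traefik.http.routers.traefik-dashboard.middlewares=dashboard-auth"
      # Traefik API over plain HTTP (the dashboard front end calls it).
      - "traefik.http.routers.traefik-dashboard-api.entrypoints=http"
      - "traefik.http.routers.traefik-dashboard-api.rule=Host(`aio.traefik.yirami.xyz`) && PathPrefix(`/api`)"
      - "traefik.http.routers.traefik-dashboard-api.service=api@internal"
      - "traefik.http.routers.traefik-dashboard-api.middlewares=dashboard-auth"
      # Dashboard over HTTPS, bound to the dashboard@internal service.
      - "traefik.http.routers.traefik-dashboard-secure.entrypoints=https"
      - "traefik.http.routers.traefik-dashboard-secure.tls=true"
      - "traefik.http.routers.traefik-dashboard-secure.rule=Host(`traefik.aio.yirami.xyz`)"
      - "traefik.http.routers.traefik-dashboard-secure.service=dashboard@internal"
      - "traefik.http.routers.traefik-dashboard-secure.middlewares=dashboard-auth"
      # Traefik API over HTTPS (the dashboard front end calls it).
      - "traefik.http.routers.traefik-dashboard-api-secure.entrypoints=https"
      - "traefik.http.routers.traefik-dashboard-api-secure.tls=true"
      - "traefik.http.routers.traefik-dashboard-api-secure.rule=Host(`traefik.aio.yirami.xyz`) && PathPrefix(`/api`)"
      - "traefik.http.routers.traefik-dashboard-api-secure.service=api@internal"
      - "traefik.http.routers.traefik-dashboard-api-secure.middlewares=dashboard-auth"
      # Attach the certificate resolver and the domains it requests.
      - "traefik.http.routers.traefik-dashboard-secure.tls.certresolver=le"
      - "traefik.http.routers.traefik-dashboard-secure.tls.domains[0].main=${CF_DNS_DOMAIN}"
      - "traefik.http.routers.traefik-dashboard-secure.tls.domains[0].sans=${CF_DNS_DOMAIN_LIST}"
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
    healthcheck:
      # Uses Traefik's own health check against /ping, so container health no
      # longer depends on the unauthenticated API endpoint.
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 3s
      retries: 10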