Adding HTTPS support to services behind Traefik

Background

  • Following on from the Traefik learning post, this article tries to use Let's Encrypt to add HTTPS support to the services behind Traefik.

Let's Encrypt

  • Let's Encrypt is a free, open, automated certificate authority (CA) run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). It issues, free of charge and in as user-friendly a way as possible, the digital certificates needed to enable HTTPS (SSL/TLS) on a website.

Traefik support

  • Create an acme.json file to store the certificate data

    touch acme.json
    chmod 600 acme.json
    • Note: the permissions must be set to 600, otherwise Traefik refuses to use the file and reports an error
  • Traefik Docker Compose file traefik.yaml:

    version: '3'
    services:
      reverse-proxy:
        image: traefik
        restart: always
        ports:
          - "80:80"
          - "443:443"
        networks:
          - traefik
        volumes:
          - ./traefik.toml:/etc/traefik/traefik.toml
          - /var/run/docker.sock:/var/run/docker.sock
          - ./config/:/etc/traefik/config/:ro
          - ./acme.json:/letsencrypt/acme.json
        container_name: traefik
        # gateway health check
        healthcheck:
          test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
          interval: 3s
          timeout: 5s
    # create the external network beforehand: docker network create traefik
    networks:
      traefik:
        external: true
    • The key part is mounting acme.json into the container via a volume
  • Traefik static configuration file traefik.toml

    # Let's Encrypt
    [certificatesResolvers.myresolver.acme]
      # use a real contact address; ACME registration rejects an invalid mailto
      email = "you@example.com"
      storage = "/letsencrypt/acme.json"
      [certificatesResolvers.myresolver.acme.tlsChallenge]
    • Certificates are requested with the TLS challenge here; for the other challenge types see the Traefik documentation
  • Adding HTTPS support to a service, again using the Halo blog as the example

    version: '3.1'
    services:
      halo:
        image: halohub/halo
        container_name: halo
        restart: unless-stopped
        volumes:
          - /root/blog/halo:/root/.halo
        labels:
          - traefik.http.routers.halo.rule=Host(`blog.demoli.xyz`)
          - traefik.http.routers.halo.tls=true
          - traefik.http.routers.halo.tls.certResolver=myresolver
          - traefik.http.routers.halo.entrypoints=https
          - traefik.http.services.halo.loadbalancer.server.port=8090
          - traefik.http.routers.halo-redirect-https.rule=Host(`blog.demoli.xyz`)
          - traefik.http.routers.halo-redirect-https.entrypoints=http
          - traefik.http.routers.halo-redirect-https.service=noop@file
          - traefik.http.routers.halo-redirect-https.middlewares=https-redirect@file
          - traefik.http.routers.halo-redirect-https.priority=100
    networks:
      default:
        external:
          name: traefik
    • The key settings are traefik.http.routers.halo.tls=true and traefik.http.routers.halo.tls.certResolver=myresolver

Notes

  • Let's Encrypt certificates are valid for 90 days. The official Traefik documentation says it can renew certificates automatically, but while looking things up I found bloggers saying renewal did not happen automatically. Recording this for now; if a problem appears after 90 days I will try to resolve it then.
  • In practice, the certificates obtained from Let's Encrypt in acme.json format can be converted to ordinary PEM format with the traefik-certs-dumper image; for how to use it see Blog CDN acceleration.
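As an added example (not code from the original post nor from the traefik-certs-dumper project), the Python script below does offline what the two notes above describe: it checks that acme.json has mode 0600, decodes the base64-encoded PEM certificate and key that Traefik v2 stores per domain under a resolver's Certificates list, writes them out as .crt/.key files (the key with mode 0600), and computes days until expiry from a certificate's notAfter string, which is the check to run to confirm that renewal really is happening. The resolver name myresolver and the domain blog.demoli.xyz come from the page; the acme.json content and PEM bodies are constructed placeholders, and the function names are my own.

```python
import base64
import json
import os
import socket
import ssl
import stat
import tempfile
import time

# Constructed sample in the shape Traefik v2 writes to acme.json: one resolver
# ("myresolver", as in traefik.toml above) holding an account and a list of
# certificates whose "certificate" and "key" fields are base64-encoded PEM.
# The PEM bodies are placeholders, not real certificate or key material.
_FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"

SAMPLE_ACME_JSON = json.dumps({
    "myresolver": {
        "Account": {"Email": "you@example.com", "Registration": {}},
        "Certificates": [
            {
                "domain": {"main": "blog.demoli.xyz"},
                "certificate": base64.b64encode(_FAKE_CERT_PEM.encode()).decode(),
                "key": base64.b64encode(_FAKE_KEY_PEM.encode()).decode(),
                "Store": "default",
            }
        ],
    }
})


def check_acme_json_mode(path):
    """True if the store is readable/writable by its owner only (0600),
    which is what Traefik insists on before it will touch the file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def extract_certificates(path, resolver="myresolver"):
    """Decode every certificate of one resolver. Returns {domain: (cert_pem, key_pem)}."""
    with open(path, encoding="utf-8") as fh:
        store = json.load(fh)
    out = {}
    for entry in store.get(resolver, {}).get("Certificates") or []:
        domain = entry["domain"]["main"]
        cert_pem = base64.b64decode(entry["certificate"]).decode()
        key_pem = base64.b64decode(entry["key"]).decode()
        out[domain] = (cert_pem, key_pem)
    return out


def dump_pem(path, out_dir, resolver="myresolver"):
    """Write <domain>.crt / <domain>.key into out_dir; the key file is created 0600."""
    written = []
    for domain, (cert_pem, key_pem) in extract_certificates(path, resolver).items():
        crt = os.path.join(out_dir, domain + ".crt")
        key = os.path.join(out_dir, domain + ".key")
        with open(crt, "w", encoding="utf-8") as fh:
            fh.write(cert_pem)
        fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(key_pem)
        written.append((crt, key))
    return written


def days_until_expiry(not_after, now_ts=None):
    """Days left, given a notAfter string as getpeercert() returns it,
    e.g. 'Jun  1 12:00:00 2025 GMT'. now_ts overrides the clock for testing."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return (expires - now_ts) / 86400


def live_days_left(host, port=443, timeout=5):
    """Connect with SNI and return days until the served certificate expires.
    Network-dependent: run this by hand (e.g. from cron) to watch renewal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_until_expiry(tls.getpeercert()["notAfter"])


def run_demo():
    """Write the constructed store to a temp dir, check its mode and dump it.
    Returns a summary dict so the behaviour can be verified offline."""
    tmp = tempfile.mkdtemp()
    acme = os.path.join(tmp, "acme.json")
    with open(acme, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACME_JSON)
    os.chmod(acme, 0o644)                 # too open: Traefik would reject this
    loose = check_acme_json_mode(acme)
    os.chmod(acme, 0o600)                 # the mode the page tells you to set
    strict = check_acme_json_mode(acme)
    files = dump_pem(acme, tmp)
    with open(files[0][0], encoding="utf-8") as fh:
        cert_is_pem = fh.read().startswith("-----BEGIN CERTIFICATE-----")
    return {
        "loose_ok": loose,
        "strict_ok": strict,
        "domains": sorted(extract_certificates(acme)),
        "key_mode": stat.S_IMODE(os.stat(files[0][1]).st_mode),
        "cert_is_pem": cert_is_pem,
    }


if __name__ == "__main__":
    print(run_demo())
    print("days left on a 2099 cert:", round(days_until_expiry("Jun  1 12:00:00 2099 GMT")))
```

Run it on a real store by pointing dump_pem at your mounted acme.json; the dumped .key files are as sensitive as the store itself, so keep the output directory out of any volume other containers can read. live_days_left("blog.demoli.xyz") is the thing to schedule: if the value stops climbing back to about 90 after each renewal window, automatic renewal is not working.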

References

  • A detailed introduction to Let's Encrypt
  • How Let's Encrypt Works - Let's Encrypt - free SSL/TLS certificates https://letsencrypt.org › zh-cn › how-it-works
  • Traefik Let's Encrypt
  • Docker-compose with let's encrypt: TLS Challenge
  • Enabling https for services in traefik
  • How to get a free wildcard SSL certificate - Juejin