Both nginx and Traefik can serve as the ingress, terminating TLS at the edge and forwarding TCP, UDP, HTTPS and HTTP traffic.
nginx is the more common choice; Traefik is simpler to configure, especially when you want certificates that renew automatically.
wget https://github.com/traefik/traefik/releases/download/v2.4.8/traefik_v2.4.8_linux_amd64.tar.gz
Extract the traefik binary from the archive and create the directory /export/servers/traefik.
The layout is as follows:
traefik.yml
log:
  level: DEBUG

api:
  insecure: false
  dashboard: true

entryPoints:
  http:
    address: ":80"
    #http:
    #  redirections:
    #    entryPoint:
    #      to: https
    #      scheme: https

  https:
    address: ":443"

certificatesResolvers:
  letsEncrypt:
    acme:
      storage: /export/servers/traefik/acme.json
      email: zhangranrui@rendoumi.com
      tlsChallenge: {}
      httpChallenge:
        entryPoint: http

providers:
  file:
    directory: /export/servers/traefik/dynamic
    watch: true
Above we set the log level to DEBUG and enabled the dashboard.
We defined two entry points, http and https; http can be forced to redirect to https either with a middleware or with the commented-out redirections block shown above.
We then defined letsEncrypt as the certificate resolver (the ACME account and issued certificates are stored in acme.json).
Finally we pointed the file provider at /export/servers/traefik/dynamic with watch enabled, so any file added under that directory is picked up and the configuration is updated automatically.
Next, define the forwarding routes in the dynamic directory.
Mind the file naming: test7 is the domain and 01 is the sequence number, and the sequence number of the svc inside the file should match the file name. If the same name is repeated across several files, the whole configuration becomes unusable!
test7-01.yml
http:
  routers:
    https_01:
      rule: "Host(`test7.ddky.com`)"
      service: svc_01
      tls:
        certresolver: letsEncrypt

    # router names follow the same _01 suffix as the file and the service
    http_01:
      rule: "Host(`test7.ddky.com`)"
      service: svc_01
      entryPoints:
        - http

  services:
    svc_01:
      loadBalancer:
        servers:
          - url: "http://172.16.8.1:80"
test8-02.yml
http:
  routers:
    https_02:
      rule: "Host(`test8.ddky.com`)"
      service: svc_02
      tls:
        certresolver: letsEncrypt

    http_02:
      rule: "Host(`test8.ddky.com`)"
      service: svc_02
      entryPoints:
        - http

  services:
    svc_02:
      loadBalancer:
        servers:
          - url: "http://172.18.31.33:80"
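As an added example (not part of the original post), here is a small Python linter for the dynamic directory that catches the problem the naming note above warns about: a router, service or middleware name declared in two files, a router pointing at a service no file defines, a TLS router without a certresolver, and a service whose suffix does not match the file's sequence number. It assumes the files have already been parsed into dicts (for instance with PyYAML); the sample data is constructed to mirror test7-01.yml and test8-02.yml, with one deliberate duplicate.

```python
from collections import defaultdict

# Constructed sample: mirrors test7-01.yml and test8-02.yml above as parsed
# dicts, but test8-02.yml deliberately re-declares svc_01 instead of svc_02.
SAMPLE_FILES = {
    "test7-01.yml": {"http": {
        "routers": {
            "https_01": {"rule": "Host(`test7.ddky.com`)", "service": "svc_01",
                         "tls": {"certresolver": "letsEncrypt"}},
            "http_01": {"rule": "Host(`test7.ddky.com`)", "service": "svc_01",
                        "entryPoints": ["http"]}},
        "services": {"svc_01": {"loadBalancer": {
            "servers": [{"url": "http://172.16.8.1:80"}]}}}}},
    "test8-02.yml": {"http": {
        "routers": {
            "https_02": {"rule": "Host(`test8.ddky.com`)", "service": "svc_01",
                         "tls": {"certresolver": "letsEncrypt"}}},
        "services": {"svc_01": {"loadBalancer": {   # duplicate name!
            "servers": [{"url": "http://172.18.31.33:80"}]}}}}},
}


def lint_dynamic_configs(files):
    """files: {filename: parsed YAML dict} -> list of problem strings.

    Flags names declared in more than one file (the file provider merges all
    files into one namespace), routers whose service is undefined, TLS routers
    without a certresolver, and services whose suffix mismatches the file's."""
    problems = []
    defined = {s: defaultdict(list) for s in ("routers", "services", "middlewares")}
    for fname, cfg in files.items():
        for section, names in defined.items():
            for name in cfg.get("http", {}).get(section, {}):
                names[name].append(fname)
    for section, names in defined.items():
        for name, where in names.items():
            if len(where) > 1:
                problems.append(f"{section[:-1]} '{name}' defined in {sorted(where)}")
    for fname, cfg in files.items():
        http = cfg.get("http", {})
        stem = fname.rsplit(".", 1)[0]
        seq = stem.rsplit("-", 1)[1] if "-" in stem else None  # "test8-02" -> "02"
        for rname, router in http.get("routers", {}).items():
            svc = router.get("service")
            if svc != "api@internal" and svc not in defined["services"]:
                problems.append(f"{fname}: router '{rname}' uses unknown service '{svc}'")
            if "tls" in router and not (router["tls"] or {}).get("certresolver"):
                problems.append(f"{fname}: TLS router '{rname}' has no certresolver")
        for sname in http.get("services", {}):
            if seq and not sname.endswith(f"_{seq}"):
                problems.append(f"{fname}: service '{sname}' does not end in _{seq}")
    return problems
```

Run it over the dicts loaded from every file in the dynamic directory before Traefik picks them up; an empty list means the files merge cleanly.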
dashboard.yml
http:
  routers:
    api-router:
      rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      service: api@internal
      entryPoints:
        - http
      middlewares:
        - dashboard-login

  middlewares:
    dashboard-login:
      basicAuth:
        users:
          - "admin:$apr1$u1xEoYqW$V5O5t4rmdly58WqS4nTVq1"
Open http://192.168.85.202/dashboard/#/
and log in with user admin and the password (xxxxxxxx) whose htpasswd hash is listed under basicAuth users. Note that api-router is bound only to the http entry point, so these credentials travel in cleartext; binding it to https with a certresolver, as the route files above do, avoids that.
That's all there is to it.