Preface

A server should not expose many ports to the outside world; usually only a small number of ports are opened to publish services. To achieve this, we use a reverse proxy.

Since our Java applications are deployed as Docker containers, and Traefik integrates natively with Docker and related components, building the reverse proxy on Traefik suits me well. I have been studying it recently; the hardest part was getting the HTTPS certificates used for TLS to renew automatically.

Skills required:

  1. Docker, docker-compose

1. Introduction to Traefik (see the official website for details)

1.1 Website

English document

Chinese document

1.2 Creating the Directory and Configuration Files

File description:

  1. docker-compose-traefik-demo.yml: the docker-compose file for Traefik

  2. traefik.yml: Traefik's static configuration file (changes take effect only after the Traefik service is restarted)

  3. http.yml, tcp.yml, tls.yml: Traefik's dynamic configuration files (changes take effect without restarting the service)

The file directory is as follows:

2. Install Traefik

Traefik ships with a dashboard, and we configure a reverse proxy so that the dashboard is reached through a domain name. We use this dashboard configuration to illustrate the installation of Traefik.

Several things are done here:

  1. Configure the HTTP and HTTPS reverse proxy

  2. Configure automatic redirection from HTTP to HTTPS

  3. Configure ACME for TLS so that HTTPS certificates are generated and renewed automatically

2.1 Static Configuration file traefik.yml

traefik.yml

api:
  # Enable the web UI (dashboard)
  dashboard: true
  # Insecure mode: the API and dashboard are also served without authentication on the
  # built-in "traefik" entry point (port 8080). The compose file does not publish that
  # port, so it is only reachable from the docker network; set this to false in
  # production and rely on the authenticated router defined in http.yml.
  insecure: true

# Discover services defined in Docker or in files
providers:
  # File provider
  file:
    # Directory holding the dynamic configuration files
    directory: /data/traefik/config
    # Watch the dynamic configuration files for changes
    watch: true

  # Docker provider
  docker:
    # If false, a container must set the label traefik.enable=true to be picked up; otherwise it is ignored
    exposedByDefault: false

# Entry points (the ports published in docker-compose-traefik-demo.yml)
entryPoints:
  # HTTP entry point on port 80
  http:
    address: ":80"
    # Redirect all HTTP requests to HTTPS (entry point redirections require Traefik v2.2 or later)
    http:
      redirections:
        entryPoint:
          to: https

  # HTTPS entry point on port 443; traffic arriving on port 80 is redirected here
  https:
    address: ":443"

  # TCP entry point for MySQL
  mysql:
    address: ":3306"

  # TCP entry point for Redis
  redis:
    address: ":6379"

# Enable ACME to obtain HTTPS certificates automatically
certificatesResolvers:
  myCertResolver:
    acme:
      # Contact e-mail for the ACME account (replace with your own)
      email: "[email protected]"
      # Where the issued certificates are stored (the file must have mode 600)
      storage: "/letsencrypt/acme.json"
      # Challenge type: httpChallenge, dnsChallenge or tlsChallenge; httpChallenge is used here
      httpChallenge:
        entryPoint: http

Configuration file description:

  1. Four ports are exposed: 80, 443, 3306 and 6379

80: exposed externally, used to proxy HTTP requests;

443: exposed externally, used to proxy HTTPS requests;

3306: exposed externally, used to proxy TCP-based MySQL service requests;

6379: exposed externally, used to proxy TCP-based Redis service requests.

  2. HTTP automatically redirects to HTTPS

  3. The certificate resolver myCertResolver is referenced from the dynamic configuration file.

  4. Replace the e-mail address in the ACME section with your own (I filled in a real address).

2.2 Dynamic Configuration Files

There are three dynamic configuration files: http.yml (dynamic configuration for HTTP requests), tcp.yml (dynamic configuration for TCP requests) and tls.yml (dynamic TLS configuration; I don't fully understand it yet).

2.2.1 http.yml

http.yml

http:

  # Router configuration
  routers:

    ######################################################################
    ## traefik dashboard configuration
    ######################################################################

    # Route to Traefik's web UI
    router-traefik:
      # Listen only on these entry points; without this the router listens on all of them
      entryPoints:
        - "http"
        - "https"
      rule: "Host(`traefik.xxx.com`)"
      service: "api@internal"
      ## Require the user authentication middleware defined below
      middlewares:
        - user-auth
      # Enable TLS and use the myCertResolver resolver defined in traefik.yml
      tls:
        # options: foo
        certResolver: "myCertResolver"

  # Middleware configuration
  middlewares:
    # Login credentials for the dashboard (htpasswd format)
    # UserName : admin
    # Password : qwer1234
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"

Description:

rule: "Host(`traefik.xxx.com`)" configures the domain name used to reach Traefik, traefik.xxx.com. If you want the HTTPS certificate for traefik.xxx.com to be issued and renewed automatically through ACME, the domain name must be registered (and filed with the relevant authority where that is required) and resolvable on the public DNS; otherwise ACME cannot complete, and Traefik's debug log shows a TLS handshake error. When ACME generates a certificate it checks whether the domain name exists on the public DNS servers, and reports an error if it does not.
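The users entry in the basicAuth middleware above is in htpasswd format. As an added example that is not part of the original post, the following Python reimplements Apache's $apr1$ MD5-crypt so you can generate and verify such an entry offline, without the htpasswd tool; users_entry() and verify() are helper names I chose.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value, count):  # crypt's to64: 6-bit groups, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Apache's $apr1$ variant of MD5-crypt, the format `htpasswd -m` produces."""
    pw = password.encode()
    if salt is None:  # 8 random salt characters, as htpasswd does
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    s = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw)):  # mix in alt, one byte per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:  # encode the password length bit by bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return MAGIC.decode() + salt + "$" + out

def users_entry(user, password):  # one line for the basicAuth `users` list
    return f"{user}:{apr1_hash(password)}"

def verify(entry, user, password):  # check a credential against a users entry
    name, _, hashed = entry.partition(":")
    salt = hashed.split("$")[2]
    return name == user and hmac.compare_digest(apr1_hash(password, salt), hashed)
```

Because $apr1$ is MD5 with a fixed 1000 rounds it can be brute-forced quickly; Traefik's basicAuth also accepts bcrypt hashes, which are the better choice for an internet-facing dashboard.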

tcp.yml

Left empty for now; it is filled in below when the TCP reverse proxy is configured.

tls.yml

Left empty for now; it is configured later.

2.3 Docker-compose configuration file

docker-compose-traefik-demo.yml

version: '3'

services:
  traefik-service:
    # Note: the entry point redirection used in traefik.yml requires Traefik v2.2 or later
    image: traefik:v2.0
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    # Container ports mapped to host ports so the services are exposed
    ports:
      - "80:80"
      - "443:443"
      - "3306:3306"
      - "6379:6379"
    volumes:
      # Let Traefik listen for Docker events (this grants control over the Docker daemon; a ":ro" mount is enough for Traefik)
      - /var/run/docker.sock:/var/run/docker.sock
      # Static configuration directory
      - ./config/static:/etc/traefik
      # Dynamic configuration directory
      - ./config/dynamic:/data/traefik/config
      # acme.json must exist with mode 600 (chmod 600 acme.json) before Traefik starts
      - ./letsencrypt/acme.json:/letsencrypt/acme.json

    # Attach to the network named proxy
    networks:
      - proxy

# Network definition
networks:
  proxy:
    external: true

2.4 Starting the Traefik service

  1. Create a network named proxy

docker network create proxy

  2. Start the Traefik service

docker-compose -f docker-compose-traefik-demo.yml up -d

  3. Check Traefik's log

docker logs -f traefik

  4. Configure the domain name mapping in the hosts file

If your domain name is registered and Traefik is installed on the host the domain resolves to, you can skip this step.

192.168.64.201  traefik.xxx.com

  5. Access it in the browser:

http://traefik.xxx.com

The results are shown below:

6. Configure the TCP reverse proxy

7. Configure TLS for TCP

This part is not finished yet; I'll add it later.