我有一个运行着 traefik 的 docker swarm,我希望能够在 https 中为 Grafana 提供服务,而目前在 http 中。
我尝试使用以下 traefik compose 配置:
version: "3.6"
services:
traefik:
image: traefik
command:
- --defaultentrypoints=http,https
- --docker
- --docker.swarmMode
- --docker.exposedByDefault=false
- --docker.domain=sdb.it
- --docker.watch
- --entryPoints=Name:http Address::80
- --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt TLS:/etc/ssl/certs/sonarqube.crt,/etc/ssl/certs/sonarqube.key;/etc/ssl/certs/sdbit-grafana.pem,/etc/ssl/certs/sdbit-grafana.key
- --rootcas=/etc/ssl/certs/rootca.crt
- --insecureskipverify
- --logLevel=DEBUG
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
- 443:443
networks:
- traefik
secrets:
- source: sdbit-sonarqube-docker.sdb.it.crt
target: /etc/ssl/certs/sonarqube.crt
mode: 644
- source: sdbit-sonarqube-docker.sdb.it.key
target: /etc/ssl/certs/sonarqube.key
mode: 644
- source: sdbit-grafana.sdb.it.pem
target: /etc/ssl/certs/sdbit-grafana.pem
mode: 644
- source: sdbit-grafana.sdb.it.key
target: /etc/ssl/certs/sdbit-grafana.key
mode: 644
- source: sdb-root-ca.crt
target: /etc/ssl/certs/rootca.crt
mode: 644
deploy:
placement:
constraints:
- node.role == manager
volumes:
certificates:
external: true
networks:
traefik:
external: true
secrets:
sdbit-sonarqube-docker.sdb.it.crt:
external: true
sdbit-sonarqube-docker.sdb.it.key:
external: true
sdbit-grafana.sdb.it.pem:
external: true
sdbit-grafana.sdb.it.key:
external: true
sdb-root-ca.crt:
external: true
以及 grafana 上的这些标签:
grafana:
image: maven-repo.sdb.it:18080/grafana/grafana:6.0.1
user: "104"
depends_on:
- prometheus
ports:
- 3000:3000
volumes:
- grafana_data:/var/lib/grafana
configs:
- source: grafana_custom_ldap
target: /etc/grafana/custom_ldap.toml
environment:
.....
labels:
traefik.docker.network: traefik
traefik.enable: "true"
traefik.frontend.rule: Host:sdbit-grafana.sdb.it
traefik.frontend.redirect.entryPoint: https
traefik.domain: sdb.it
traefik.port: 3000
networks:
- back-tier
- front-tier
- traefik
restart: always
deploy:
placement:
constraints:
- node.role==worker
当 traefik 启动时,它在日志中没有显示任何错误,但是一旦我尝试将浏览器指向sdbit-grafana.sdb.ittraefik 日志,我就可以看到:
time="2019-03-27T14:11:35Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:45240: remote error: tls: unknown certificate authority",
我尝试制作的证书来自公司 CA,并且 pem 文件包含根证书。
正如您从撰写文件中看到的那样,我尝试使用rootcas、clientCAinhttps端点和insecureskipverify.
有任何想法吗?
我不知道您在哪里找到了 traefik ( - --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt) 中定义入口点的行,但入口点文档另有说明。我个人使用
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.metrics.address=:8080
- --entrypoints.web.http.redirections.entrypoint.to=:443
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
关于证书,根据此文档,应该有一个动态配置文件,我使用卷和以下内容进行设置:
- --providers.file.directory=/etc/traefik/conf.d/
- --providers.file.watch=true
并在此 conf.d 目录中添加一个 tls.yml 文件,其中包含以下内容:
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
您的用例还可以使用默认证书定义的功能:
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
我还建议您尝试使用自动续订来加密证书,因为它更简单且至少同样安全。作为旁注,我建议您使用http://example.com/隐藏问题中的域希望有所帮助
| 归档时间: |
|
| 查看次数: |
1014 次 |
| 最近记录: |