我有一个运行traefik的docker s群,我希望能够在https中为Grafana提供服务,而https目前在http中。
我尝试过使用以下 traefik 撰写配置:
version: "3.6"
services:
traefik:
image: traefik
command:
- --defaultentrypoints=http,https
- --docker
- --docker.swarmMode
- --docker.exposedByDefault=false
- --docker.domain=sdb.it
- --docker.watch
- --entryPoints=Name:http Address::80
- --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt TLS:/etc/ssl/certs/sonarqube.crt,/etc/ssl/certs/sonarqube.key;/etc/ssl/certs/sdbit-grafana.pem,/etc/ssl/certs/sdbit-grafana.key
- --rootcas=/etc/ssl/certs/rootca.crt
- --insecureskipverify
- --logLevel=DEBUG
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
- 443:443
networks:
- traefik
secrets:
- source: sdbit-sonarqube-docker.sdb.it.crt
target: /etc/ssl/certs/sonarqube.crt
mode: 644
- source: sdbit-sonarqube-docker.sdb.it.key
target: /etc/ssl/certs/sonarqube.key
mode: 644
- source: sdbit-grafana.sdb.it.pem
target: /etc/ssl/certs/sdbit-grafana.pem
mode: 644
- source: sdbit-grafana.sdb.it.key
target: /etc/ssl/certs/sdbit-grafana.key
mode: 644
- source: sdb-root-ca.crt
target: /etc/ssl/certs/rootca.crt
mode: 644
deploy:
placement:
constraints:
- node.role == manager
volumes:
certificates:
external: true
networks:
traefik:
external: true
secrets:
sdbit-sonarqube-docker.sdb.it.crt:
external: true
sdbit-sonarqube-docker.sdb.it.key:
external: true
sdbit-grafana.sdb.it.pem:
external: true
sdbit-grafana.sdb.it.key:
external: true
sdb-root-ca.crt:
external: true
格拉法纳上的这些标签:
grafana:
image: maven-repo.sdb.it:18080/grafana/grafana:6.0.1
user: "104"
depends_on:
- prometheus
ports:
- 3000:3000
volumes:
- grafana_data:/var/lib/grafana
configs:
- source: grafana_custom_ldap
target: /etc/grafana/custom_ldap.toml
environment:
.....
labels:
traefik.docker.network: traefik
traefik.enable: "true"
traefik.frontend.rule: Host:sdbit-grafana.sdb.it
traefik.frontend.redirect.entryPoint: https
traefik.domain: sdb.it
traefik.port: 3000
networks:
- back-tier
- front-tier
- traefik
restart: always
deploy:
placement:
constraints:
- node.role==worker
启动时,它在日志中没有显示任何错误,但是一旦我尝试将浏览器指向 traefik 日志中的sdbit-grafana.sdb.it,我可以看到:
time="2019-03-27T14:11:35Z" level=debug msg="http2: server: error reading preface from client 10.255.0.2:45240: remote error: tls: unknown certificate authority",
我尝试工作的证书取自公司 CA,并且 pem 文件包含根证书。
正如您从撰写文件中所看到的,我尝试使用rootcas,https端点中的clientCA以及insecureskipverify。
有什么想法吗?
我不知道
你在哪里找到在traefik(- --entryPoints=Name:https Address::443 clientCA:/etc/ssl/certs/rootca.crt(中定义入口点的行,但入口点文档另有说明。我个人使用
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.metrics.address=:8080
- --entrypoints.web.http.redirections.entrypoint.to=:443
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
关于证书,根据本文档,应该有一个动态配置文件,我使用卷和以下内容进行设置:
- --providers.file.directory=/etc/traefik/conf.d/
- --providers.file.watch=true
并在此 conf.d 目录中添加一个 tls.yml 文件,其中包含以下内容:
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
您的用例还可以使用默认证书定义的强大功能:
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
我还建议您尝试使用自动续订来加密证书,因为它更简单且至少同样安全。作为旁注,我建议您使用 http://example.com/将域隐藏在问题中 希望这有所帮助