如何在 Traefik 中代理 WebSockets?
How to proxy WebSockets in Traefik?
我正在尝试设置 Upsource 以支持 Traefik:https://www.jetbrains.com/help/upsource/proxy-configuration.html
traefik 正在监听端口 8008 和 8443(因为 80/443 将用于另一个端口):
--entryPoints='Name:http Address::8008 Redirect.EntryPoint:https' --entryPoints='Name:https Address::8443 TLS'
docker 标签:
labels:
traefik.backend: upsource
traefik.enable: "true"
traefik.port: "8080"
traefik.frontend.rule: "Host:review.domain.com"
在conf/internal/bundle.properties中,base-url配置如下:
base-url=https\://review.domain.com\:8443/
问题:
time="2017-09-20T03:23:59Z" level=error msg="Error getting ACME certificates [review.domain.com] : Cannot obtain certificates map[review.domain.com:acme: Error 400 - urn:acme:error:connection - Connection refused
Error Detail:
Validation for review.domain.com:443
为什么它验证端口 443 而不是 8443?
此外,在 Nginx 中代理 WebSockets:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://upsourcemachine.domain.local:1111;
proxy_pass_header Sec-Websocket-Extensions;
你能确认 Traefik 支持 WebSockets 吗?如果可以,如何配置?
Traefik 处理 websocket,您不需要为此进行任何特定配置。
您的问题似乎与 Let's Encrypt 中的挑战有关。
Let's Encrypt 不处理默认端口以外的其他端口上的 TLS 挑战,Traefik 中的默认挑战是 TLS :(
所以你需要配置Traefik来使用DNS Challenge
https://docs.traefik.io/configuration/acme/
confluence 的工作示例
version: '3.3'
networks:
traefik:
external: true
volumes:
portainer_data:
confluence:
services:
traefik:
image: traefik:1.7.9-alpine
command: >
--docker
--docker.swarmmode
--docker.watch
--docker.exposedbydefault=true
--docker.domain=example.com
--defaultentrypoints=http,https,ws,wss
--entrypoints='Name:http Address::80'
--entrypoints='Name:https Address::443 TLS'
--acme
--acme.email='example@gmail.com'
--acme.storage='/certs/acme.json'
--acme.entryPoint=https
--acme.httpChallenge.entryPoint=http
--acme.onhostrule=true
--acme.acmelogging=true
--logLevel=INFO
--accessLog
--api
ports:
- 80:80
- 443:443
networks:
- manager
- traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /certs:/certs
deploy:
mode: global
labels:
- traefik.enable=true
- traefik.port=8080
- traefik.frontend.rule=Host:traefik.example.com
- traefik.docker.network=traefik
#- traefik.redirectorservice.frontend.entryPoints=http
#- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https
portainer:
image: portainer/portainer:1.20.1
command: -H tcp://tasks.agent:9001 --tlsskipverify
networks:
- manager
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
deploy:
placement:
constraints: [node.role == manager]
labels:
- traefik.enable=true
- traefik.port=9000
- traefik.frontend.rule=Host:portainer.example.com
- traefik.docker.network=traefik
#- traefik.redirectorservice.frontend.entryPoints=http
#- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https
agent:
image: portainer/agent:1.2.1
environment:
AGENT_CLUSTER_ADDR: tasks.agent
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- manager
deploy:
mode: global
confluence:
image: cptactionhank/atlassian-confluence:6.3.4
networks:
- traefik
volumes:
- confluence:/var/atlassian/confluence
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.port=8090
- traefik.frontend.rule=Host:confluence.example.com
- traefik.docker.network=traefik
# - traefik.redirectorservice.frontend.entryPoints=http
# - traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https,ws,wss
Kubernetes 示例:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: server-route
spec:
entryPoints:
# Defined in the traefik configuration, e.g.
# --entrypoints.websecure.address=:8888
- websecure
routes:
- match: PathPrefix(`/`)
middlewares:
- name: server-headers
kind: Rule
services:
- name: server
port: portname
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: server-headers
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
您必须使用 Traefik 的自定义 IngressRoute 对象,而不是普通的 Ingress。
我正在尝试设置 Upsource 以支持 Traefik:https://www.jetbrains.com/help/upsource/proxy-configuration.html
traefik 正在监听端口 8008 和 8443(因为 80/443 将用于另一个端口):
--entryPoints='Name:http Address::8008 Redirect.EntryPoint:https' --entryPoints='Name:https Address::8443 TLS'
docker 标签:
labels:
traefik.backend: upsource
traefik.enable: "true"
traefik.port: "8080"
traefik.frontend.rule: "Host:review.domain.com"
在conf/internal/bundle.properties中,base-url配置如下:
base-url=https\://review.domain.com\:8443/
问题:
time="2017-09-20T03:23:59Z" level=error msg="Error getting ACME certificates [review.domain.com] : Cannot obtain certificates map[review.domain.com:acme: Error 400 - urn:acme:error:connection - Connection refused
Error Detail:
Validation for review.domain.com:443
为什么它验证端口 443 而不是 8443?
此外,在 Nginx 中代理 WebSockets:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://upsourcemachine.domain.local:1111;
proxy_pass_header Sec-Websocket-Extensions;
你能确认 Traefik 支持 WebSockets 吗?如果可以,如何配置?
Traefik 处理 websocket,您不需要为此进行任何特定配置。
您的问题似乎与 Let's Encrypt 中的挑战有关。 Let's Encrypt 不处理默认端口以外的其他端口上的 TLS 挑战,Traefik 中的默认挑战是 TLS :(
所以你需要配置Traefik来使用DNS Challenge https://docs.traefik.io/configuration/acme/
confluence 的工作示例
version: '3.3'
networks:
traefik:
external: true
volumes:
portainer_data:
confluence:
services:
traefik:
image: traefik:1.7.9-alpine
command: >
--docker
--docker.swarmmode
--docker.watch
--docker.exposedbydefault=true
--docker.domain=example.com
--defaultentrypoints=http,https,ws,wss
--entrypoints='Name:http Address::80'
--entrypoints='Name:https Address::443 TLS'
--acme
--acme.email='example@gmail.com'
--acme.storage='/certs/acme.json'
--acme.entryPoint=https
--acme.httpChallenge.entryPoint=http
--acme.onhostrule=true
--acme.acmelogging=true
--logLevel=INFO
--accessLog
--api
ports:
- 80:80
- 443:443
networks:
- manager
- traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /certs:/certs
deploy:
mode: global
labels:
- traefik.enable=true
- traefik.port=8080
- traefik.frontend.rule=Host:traefik.example.com
- traefik.docker.network=traefik
#- traefik.redirectorservice.frontend.entryPoints=http
#- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https
portainer:
image: portainer/portainer:1.20.1
command: -H tcp://tasks.agent:9001 --tlsskipverify
networks:
- manager
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
deploy:
placement:
constraints: [node.role == manager]
labels:
- traefik.enable=true
- traefik.port=9000
- traefik.frontend.rule=Host:portainer.example.com
- traefik.docker.network=traefik
#- traefik.redirectorservice.frontend.entryPoints=http
#- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https
agent:
image: portainer/agent:1.2.1
environment:
AGENT_CLUSTER_ADDR: tasks.agent
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- manager
deploy:
mode: global
confluence:
image: cptactionhank/atlassian-confluence:6.3.4
networks:
- traefik
volumes:
- confluence:/var/atlassian/confluence
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.port=8090
- traefik.frontend.rule=Host:confluence.example.com
- traefik.docker.network=traefik
# - traefik.redirectorservice.frontend.entryPoints=http
# - traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=http,https,ws,wss
Kubernetes 示例:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: server-route
spec:
entryPoints:
# Defined in the traefik configuration, e.g.
# --entrypoints.websecure.address=:8888
- websecure
routes:
- match: PathPrefix(`/`)
middlewares:
- name: server-headers
kind: Rule
services:
- name: server
port: portname
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: server-headers
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
您必须使用 Traefik 的自定义 IngressRoute 对象,而不是普通的 Ingress。