更简单的 Traefik 2 使用方式
经过一年多的实践,对于使用 Traefik 有了一些更深入的体会,本篇先来介绍如何简化使用,后续会逐步展开聊聊如何在云上使用这款“云原生”工具,以及结合它做一些提升业务效率和开发效率的实践。
在 Traefik 2 使用指南,愉悦的开发体验、配置基于Traefik v2的 Web 服务器 文章中,使用 Traefik 的方案引入了比较多的配置,如果你并不是在一个复杂场景使用,这样的配置是可以简化的。
简化程序配置文件
一般情况下将参数变为配置,更利于在版本控制软件中进行版本管理。在 v2 版本中,因为有了动态配置的概念,传统的固定配置,使用简写的参数来替换,并记录在容器启动配置中,可以在减少分发文件数量的情况下,达到相同的效果。
使用参数取代 traefik.toml
在之前的文章中,我提供了一般情况下,使用的默认配置内容:
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "WARN"
format = "common"
[api]
dashboard = true
insecure = true
[ping]
[accessLog]
[providers]
[providers.docker]
watch = true
exposedByDefault = false
endpoint = "unix:///var/run/docker.sock"
swarmMode = false
useBindPortIP = false
network = "traefik"
[providers.file]
watch = true
directory = "/etc/traefik/config"
debugLogGeneratedTemplate = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
想要达到相同的效果,只需要在 command 字段内添加下面的内容即可:
version: '3'
services:
traefik:
...
command:
- "--global.sendanonymoususage=false"
- "--global.checknewversion=false"
- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=false"
- "--ping=true"
- "--log.level=warn"
- "--log.format=common"
- "--accesslog=false"
- "--providers.docker=true"
- "--providers.docker.watch=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.swarmMode=false"
- "--providers.docker.useBindPortIP=false"
- "--providers.docker.network=traefik"
- "--providers.file=true"
- "--providers.file.watch=true"
- "--providers.file.directory=/etc/traefik/config"
- "--providers.file.debugloggeneratedtemplate=true"
...
现在,你就可以将 traefik.toml 配置文件删除掉了。
简化 dashboard.toml
前文中,我们将 Traefik 的内置 dashboard 等路由通过配置文件来定义,像下面这样。
[http.middlewares.dash-compress.compress]
[http.middlewares.dash-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
]
[http.routers.dashboard-redirect-https]
rule = "Host(`dashboard.lab.io`, `dashboard.lab.com`)"
entryPoints = ["http"]
service = "noop"
middlewares = ["https-redirect"]
priority = 100
[http.routers.dashboard]
rule = "Host(`dashboard.lab.io`, `dashboard.lab.com`)"
entrypoints = ["https"]
service = "dashboard@internal"
middlewares = ["dash-compress"]
[http.routers.dashboard.tls]
[http.routers.api]
rule = "Host(`dashboard.lab.io`, `dashboard.lab.com`) && PathPrefix(`/api`)"
entrypoints = ["https"]
service = "api@internal"
middlewares = ["dash-compress"]
[http.routers.api.tls]
[http.routers.ping]
rule = "Host(`dashboard.lab.io`, `dashboard.lab.com`) && PathPrefix(`/ping`)"
entrypoints = ["https"]
service = "ping@internal"
middlewares = ["dash-compress"]
[http.routers.ping.tls]
其实,只需要将配置保留剩下这两条需要被预先定义的“中间件”即可,如果你不需要页面压缩,或者不需要访问密码,那么也可以不对下面的内容进行保存:
[http.middlewares.dash-compress.compress]
[http.middlewares.dash-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
]
接着在容器配置中添加一些 traefik 能够解析处理的规则在 labels 字段中即可:
version: '3'
services:
traefik:
...
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
# 默认请求转发 https 端口
- "traefik.http.routers.traefik-dash-default.middlewares=https-redirect@file"
- "traefik.http.routers.traefik-dash-default.entrypoints=http"
- "traefik.http.routers.traefik-dash-default.rule=Host(`dashboard.guava.lab.com`)"
- "traefik.http.routers.traefik-dash-default.service=dashboard@internal"
# 处理网页
- "traefik.http.routers.traefik-dash-web.entrypoints=https"
- "traefik.http.routers.traefik-dash-web.rule=Host(`dashboard.guava.lab.com`) && PathPrefix(`/`)"
- "traefik.http.routers.traefik-dash-web.tls=true"
- "traefik.http.routers.traefik-dash-web.service=dashboard@internal"
# 处理接口
- "traefik.http.routers.traefik-dash-api.entrypoints=https"
- "traefik.http.routers.traefik-dash-api.rule=Host(`dashboard.guava.lab.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.traefik-dash-api.tls=true"
- "traefik.http.routers.traefik-dash-api.service=api@internal"
...
单独抽象保存的 default.toml 配置
虽然我们将 90% 的内容都迁移到了 compose 配置文件中,但是还是有一些内容暂时是不好进行重写的,比如下面提到的“内容Gzip压缩”和“HTTP转发HTTPS”:
# 提供 Gzip 压缩
[http.middlewares.gzip.compress]
# tricks 实现,提供 HTTP 默认转发 HTTPS
# https://github.com/containous/traefik/issues/4863#issuecomment-491093096
[http.services]
[http.services.noop.LoadBalancer]
[[http.services.noop.LoadBalancer.servers]]
url = "" # or url = "localhost"
[http.routers]
[http.routers.https-redirect]
entryPoints = ["http"]
rule = "HostRegexp(`{any:.*}`)"
middlewares = ["https-redirect"]
service = "noop"
[http.middlewares.https-redirect.redirectScheme]
scheme = "https"
这里倒不是说不能够在应用内配置,而是如果这两个中间件在应用内配置,会出现每个应用都需要配置重复配置的问题。尽管独立的配置会让应用的可迁移性更好,然而这份配置可以提供不论是在本地、私有云,还是公有云 SLB 环境下的一致行为,维护一份配置,总比维护几份要来的方便,不是吗?
完整的容器配置
一如既往,这里给出完整的 compose 配置:
version: '3'
services:
traefik:
container_name: traefik
image: traefik:v2.3.4
restart: always
ports:
- 80:80
- 443:443
networks:
- traefik
command:
- "--global.sendanonymoususage=false"
- "--global.checknewversion=false"
- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"
- "--api=true"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=false"
- "--ping=true"
- "--log.level=warn"
- "--log.format=common"
- "--accesslog=false"
- "--providers.docker=true"
- "--providers.docker.watch=true"
- "--providers.docker.exposedbydefault=false"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.swarmMode=false"
- "--providers.docker.useBindPortIP=false"
- "--providers.docker.network=traefik"
- "--providers.file=true"
- "--providers.file.watch=true"
- "--providers.file.directory=/etc/traefik/config"
- "--providers.file.debugloggeneratedtemplate=true"
volumes:
# 仅限标准的 Linux 环境
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./config/:/etc/traefik/config/:ro
- ./ssl/:/data/ssl/:ro
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
# 默认请求转发 https 端口
- "traefik.http.routers.traefik-dash-default.middlewares=https-redirect@file"
- "traefik.http.routers.traefik-dash-default.entrypoints=http"
- "traefik.http.routers.traefik-dash-default.rule=Host(`dashboard.guava.lab.com`)"
- "traefik.http.routers.traefik-dash-default.service=dashboard@internal"
# 处理网页
- "traefik.http.routers.traefik-dash-web.entrypoints=https"
- "traefik.http.routers.traefik-dash-web.rule=Host(`dashboard.guava.lab.com`) && PathPrefix(`/`)"
- "traefik.http.routers.traefik-dash-web.tls=true"
- "traefik.http.routers.traefik-dash-web.service=dashboard@internal"
# 处理接口
- "traefik.http.routers.traefik-dash-api.entrypoints=https"
- "traefik.http.routers.traefik-dash-api.rule=Host(`dashboard.guava.lab.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.traefik-dash-api.tls=true"
- "traefik.http.routers.traefik-dash-api.service=api@internal"
healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy off localhost:8080/ping || exit 1"]
interval: 3s
retries: 12
logging:
driver: "json-file"
options:
max-size: "1m"
networks:
traefik:
external: true
最后
官方在前一阵推出了 https://traefik.io/traefik-pilot/,除了作为统一的管理中心之外,还提供了许多有用的中间件,比如请求/响应头改写、IP 禁止名单、IP地址转换、fail2ban 等等。
因为暂时官方无意将 pilot 开源(可能也会是长期状况),如果你不介意“联公网”使用,可以试试注册 pilot 使用。
--EOF