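Getting Started with Traefik
Traefik Proxy
Traefik is a reverse proxy, also described as an Edge Router. It receives requests and finds the component responsible for handling them.
It has the following advantages:
- Configuration updates without a restart
- Automatic service discovery and load balancing
- Tight integration with Docker, configured through container labels
Quick start
Starting with Docker
We use the traefik:v2.3 image to start the Traefik service. Create traefik.yaml: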
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    # Enables the web UI and tells Traefik to listen to docker
    # (--api.insecure=true serves the API and dashboard without authentication)
    command:
      - "--api.insecure=true"
      - "--providers.docker"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
Start Traefik:
docker-compose -f traefik.yaml up -d reverse-proxy
Open http://192.168.26.202:8080/api/rawdata in a browser to view the raw Traefik API data.
Open http://192.168.26.202:8080/ to view the dashboard.
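The quick-start settings favour convenience: --api.insecure=true serves the API and dashboard without authentication, and the Docker socket mount gives the Traefik container access to the Docker API. The following added example (not part of the original article or of Traefik) audits a compose file for these settings; the finding names and the socket-proxy endpoint in the second sample are assumptions made for illustration.

```python
import re

# Constructed sample: the quick-start compose file from this article.
QUICK_START = """\
services:
  reverse-proxy:
    image: traefik:v2.3
    command:
      - "--api.insecure=true"
      - "--providers.docker"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
"""

# Constructed sample: a tightened variant. "socket-proxy" is a hypothetical
# service that would expose a filtered, read-only view of the Docker API.
TIGHTENED = """\
services:
  reverse-proxy:
    image: traefik:v2.3
    command:
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=tcp://socket-proxy:2375"
    ports:
      - "80:80"
"""

def audit(compose_text):
    """Return sorted finding names (the names are this example's own)."""
    items = [m.group(1).strip().strip("\"'")
             for m in re.finditer(r"^[ \t]*-[ \t]+(.+)$", compose_text, re.M)]
    pairs = (i[2:].partition("=") for i in items if i.startswith("--"))
    flags = {k.lower(): v.lower() or "true" for k, _, v in pairs}  # bare flag = true
    found = set()
    if flags.get("api.insecure") == "true":
        found.add("API_WITHOUT_AUTH")            # dashboard/API open to anyone
        if any(i.endswith("8080:8080") for i in items):
            found.add("API_PORT_PUBLISHED")      # ...and published on the host
    uses_docker = any(k.startswith("providers.docker") for k in flags)
    if uses_docker and flags.get("providers.docker.exposedbydefault") != "false":
        found.add("ALL_CONTAINERS_EXPOSED")      # every container gets a router
    if any(i.startswith("/var/run/docker.sock:") for i in items):
        found.add("DOCKER_SOCKET_MOUNTED")       # Docker API reachable from Traefik
    return sorted(found)
```

Running audit(QUICK_START) reports all four findings, while audit(TIGHTENED) reports none.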
Docker Swarm configuration and deployment
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - "--api.insecure=true"
      - "--providers.docker.swarmMode=true"
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.role == manager
networks:
  traefik-public:
    external: true
Create the swarm manager node:
docker swarm init --advertise-addr 192.168.26.202
Create an overlay network named traefik-public:
docker network create -d overlay traefik-public
Deploy Traefik:
docker stack deploy -c traefik.yaml traefik
Starting an HTTP service
We use tutum/hello-world as an example. Create hello.yaml:
version: '3'
services:
  helloworld:
    image: tutum/hello-world:latest
    networks:
      - traefik-public
    deploy:
      # Label keys start with "traefik." (no leading dashes; those are only for CLI flags)
      labels:
        - "traefik.http.routers.helloworld.rule=Host(`helloworld.local`) && PathPrefix(`/hello/`)"
        - "traefik.http.routers.helloworld.middlewares=hello-stripprefix"
        - "traefik.http.middlewares.hello-stripprefix.stripprefix.prefixes=/hello"
        - "traefik.http.services.helloworld.loadbalancer.server.port=80"
networks:
  traefik-public:
    external: true
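Deploy hello:
docker stack deploy -c hello.yaml hello
Open http://helloworld.local/hello/ in a browser.
The request flow is also visible in the dashboard.
Routing and load balancing
When Traefik starts, it defines entrypoints (port numbers). Routers attached to an entrypoint receive the incoming requests and check them against a set of rules. Requests that match are forwarded to a service, and middlewares may transform the request before it is forwarded.
- Providers: discover services
- Entrypoints: listen on ports
- Routers: analyze requests
- Services: forward requests to the backends
- Middlewares: process requests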
EntryPoints
EntryPoints are Traefik's network entry points. They define the ports on which packets are received.
Configuration
# Listen on port 80
--entryPoints.web.address=:80
# Listen on port 443
--entryPoints.websecure.address=:443
Routers
Routers connect incoming requests to the services that can handle them.
Configuration
# yaml
# Requests to /foo are handled by the service service-foo
http:
  routers:
    my-router:
      rule: "Path(`/foo`)"
      service: service-foo
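rule
A rule is a set of matchers configured with values. If a request satisfies the rule, it is forwarded to the service.
To set the values in a rule, use backticks ` or escaped double quotes \"
# Host is helloworld.local
rule = "Host(`helloworld.local`)"
# Host is helloworld.local, with the path prefix /hello/
rule = "Host(`helloworld.local`) && PathPrefix(`/hello/`)"
All available matchers are listed below.
Multiple matchers can be combined with && and ||.
tls
When tls is specified, the router only accepts HTTPS requests.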
## Dynamic configuration
http:
  routers:
    Router-1:
      rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
      service: service-id
      # will terminate the TLS request
      tls: {}
Services
Services configure how requests reach the actual backend servers.
Configuration
# yaml
http:
  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://<private-ip-server-1>:<private-port-server-1>/"
          - url: "http://<private-ip-server-2>:<private-port-server-2>/"
Middlewares
Middlewares are attached to routers and process requests before they are sent to the service.
Configuration
# yaml
http:
  routers:
    router1:
      # Must name a service defined under "services" below
      service: service1
      middlewares:
        - "foo-add-prefix"
      rule: "Host(`example.com`)"
  middlewares:
    foo-add-prefix:
      addPrefix:
        prefix: "/foo"
  services:
    service1:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:80"
# docker
whoami:
  # A container that exposes an API to show its IP address
  image: traefik/whoami
  labels:
    # Create a middleware named `foo-add-prefix`
    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
    # Apply the middleware named `foo-add-prefix` to the router named `router1`
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
The quick start deployed the hello service with the stripprefix middleware:
traefik.http.routers.helloworld.middlewares=hello-stripprefix
traefik.http.middlewares.hello-stripprefix.stripprefix.prefixes=/hello
This middleware removes the /hello prefix before the request is sent to the service.
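A simplified model of the router, rule and middleware chain from the hello example, added here for illustration (it is not Traefik's code and not part of the original article). The Request class, the route function and the service string "helloworld:80" are names made up for this sketch; it shows that PathPrefix(`/hello/`) does not match /hello without the trailing slash and that stripprefix leaves / for the backend.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)

# Matchers: each returns a predicate over a request.
def host(name):
    return lambda r: r.host.split(":")[0].lower() == name.lower()

def path_prefix(prefix):
    return lambda r: r.path.startswith(prefix)

def all_of(*matchers):  # models the && operator in a rule
    return lambda r: all(m(r) for m in matchers)

# Middleware: strips the prefix and records it, as stripprefix does.
def strip_prefix(prefix):
    def apply(r):
        if r.path.startswith(prefix):
            rest = r.path[len(prefix):]
            r.path = rest if rest.startswith("/") else "/" + rest
            r.headers["X-Forwarded-Prefix"] = prefix
        return r
    return apply

# The labels from hello.yaml, expressed with the helpers above.
ROUTERS = [{
    "name": "helloworld",
    "rule": all_of(host("helloworld.local"), path_prefix("/hello/")),
    "middlewares": [strip_prefix("/hello")],
    "service": "helloworld:80",  # made-up identifier for the backend
}]

def route(req):
    """Return (service, request as the backend would see it)."""
    for router in ROUTERS:
        if router["rule"](req):
            for middleware in router["middlewares"]:
                req = middleware(req)
            return router["service"], req
    return None, req  # no router matched; Traefik answers 404 here
```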
All available middlewares are listed below.
HTTPS & TLS
Traefik supports HTTPS and TLS. For a router to handle HTTPS requests, set tls on it.
Custom certificates
# toml
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "path/to/cert.crt"
      keyFile = "path/to/cert.key"
[[tls.certificates]]
  certFile = "/path/to/domain.cert"
  keyFile = "/path/to/domain.key"
  stores = ["default"]
Proxying container services with Traefik
One of Traefik's advantages is its tight integration with Docker, with configuration based on container labels.
We start the container service with Docker and configure labels to set up the proxy.
We take proxying nginx as an example:
docker service create \
  --name nginx \
  --network portainer_agent_network \
  --publish mode=host,target=80,published=9879 \
  --label 'traefik.http.routers.router0.rule=Host(`whoami.docker.com`) && PathPrefix(`/nginx/`)' \
  --label "traefik.http.routers.router0.middlewares=router0-stripprefix" \
  --label "traefik.http.middlewares.router0-stripprefix.stripprefix.prefixes=/nginx" \
  --label "traefik.http.services.router0.loadbalancer.server.port=80" \
  nginx
This creates and starts nginx with Docker.
Label configuration:
# Rule; the name router0 is user-defined and only needs to be unique
traefik.http.routers.router0.rule=Host(`whoami.docker.com`) && PathPrefix(`/nginx/`)
# Middleware; the name router0-stripprefix is user-defined
traefik.http.routers.router0.middlewares=router0-stripprefix
traefik.http.middlewares.router0-stripprefix.stripprefix.prefixes=/nginx
# Port of the container service
traefik.http.services.router0.loadbalancer.server.port=80
Open http://whoami.docker.com/nginx/