This article describes how to deploy a reverse proxy with traefik in a home broadband environment: automatic certificate requests, automatic renewal, reverse-proxying services on the LAN, and so on.
Note: 1. At present traefik can only be deployed via docker. 2. The traefik template for unraid is attached at the end.
The tutorial below uses installation inside a pve lxc as the example.
(一) Preparing the lxc environment
- In pve, create an lxc from the ubuntu 22.04 or debian 12 template
- Edit /etc/ssh/sshd_config, find PermitRootLogin and set it to PermitRootLogin yes to allow root login
- ssh into the lxc and switch to a domestic (China) mirror (you can skip this if you have unrestricted internet access)
```bash
bash <(curl -sSL https://linuxmirrors.cn/main.sh) \
  --source mirrors.tuna.tsinghua.edu.cn \
  --web-protocol https \
  --backup true \
  --ignore-backup-tips \
  --updata-software false
```
- Update packages and install the necessary dependencies (if a selection dialog appears, just press Enter)
```bash
apt update && apt upgrade -y && apt install curl nano -y
```
- Install docker and docker-compose with the official one-click script
```bash
curl -fsSL https://get.docker.com -o get-docker.sh
# run the downloaded installer (the original only downloaded it)
sh get-docker.sh
```
(二) Deploying traefik
- Create the files and directories traefik needs; by default the traefik configuration lives in /root/docker/traefik
```bash
mkdir -p /root/docker/traefik/configurations
cd /root/docker/traefik
touch docker-compose.yaml
touch traefik.yml
touch acme.json
touch configurations/dynamic.yml
chmod 600 acme.json
```
```bash
nano /root/docker/traefik/docker-compose.yaml
```
- Paste the following into docker-compose.yaml; remember to change the cloudflare DNS API token and the domain (domain format as in traefik.abc.com).
```yaml
version: '3.8'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - "CF_DNS_API_TOKEN=修改为你的cloudflare DNS api"   # replace with your cloudflare DNS API token
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
      - ./configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=bridge"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`修改为你的域名,例如traefik.abc.com`)"   # replace with your domain, e.g. traefik.abc.com
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
```
- To use traefik's service discovery, traefik and the other containers must be on a common bridge network. For example, first create a bridge network named "docker_bridge"; service discovery only works when traefik and the other containers all use this bridge. The compose format for joining traefik to an existing bridge network is as follows
```yaml
version: '3.8'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    environment:
      - "CF_DNS_API_TOKEN=修改为你的cloudflare DNS api"   # replace with your cloudflare DNS API token
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
      - ./configurations:/configurations
    networks:
      - docker_bridge
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=bridge"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`修改为你的域名,例如traefik.abc.com`)"   # replace with your domain, e.g. traefik.abc.com
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  docker_bridge:
    external: true
```
```bash
nano /root/docker/traefik/traefik.yml
```
- Paste the following, changing "你的域名.com" and "*.你的域名.com" to your own second-level domain and third-level wildcard domain; the second-level domain and the wildcard must already be resolved via ddns beforehand
```yaml
api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: :80
    proxyProtocol:
      insecure: true
    http:
      redirections:
        entryPoint:
          to: websecure

  websecure:
    address: :443
    proxyProtocol:
      insecure: true
    http:
      middlewares:
        - secureHeaders@file
      tls:
        certResolver: myssl
        domains:
          - main: "你的域名.com"        # your second-level domain
            sans:
              - "*.你的域名.com"        # your wildcard domain

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml

certificatesResolvers:
  myssl:
    acme:
      # added: ACME account e-mail (placeholder, replace with your own)
      email: "change-me@example.com"
      # added: persist certificates in the acme.json mounted by docker-compose
      storage: /acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "119.29.29.29:53"
          - "8.8.8.8:53"
```
```bash
nano /root/docker/traefik/
```
- Edit and add the domain-to-LAN-IP mappings yourself; note that the service name referenced in routers must match the name defined under services exactly
```yaml
http:
  routers:
    pve:
      service: pve
      middlewares:
      rule: "Host(`pve.你的域名.com`)"
    unraid:
      service: unraid
      middlewares:
      rule: "Host(`unraid.你的域名.com`)"

  services:
    pve:
      loadBalancer:
        servers:
          - url: "https://10.0.0.254:8006"
    unraid:
      loadBalancer:
        servers:
          - url: "http://10.0.0.8"

  middlewares:
    secureHeaders:
      headers:
        # headers.sslRedirect was removed in traefik v3 (which traefik:latest now is);
        # the HTTP->HTTPS redirect is already handled by the web entryPoint in traefik.yml
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    cors:
      headers:
        customResponseHeaders:
          Access-Control-Allow-Origin: "*"
    user-auth:
      basicAuth:
        users:
          - "admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1"
```
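An added check for the rule stated above (not part of the original guide): it walks a parsed dynamic.yml and reports routers whose `service` or `middlewares` point at names that are not defined, plus services no router uses. The sample config below is constructed to mirror the page's layout, with placeholder domains and a deliberate typo; for a real file, pass the result of `yaml.safe_load` if PyYAML is installed.

```python
"""Consistency check for a Traefik file-provider dynamic config (dynamic.yml)."""
from typing import Dict, List

# Constructed sample mirroring the guide's dynamic.yml. The "unraid" router
# deliberately points at a misspelled service ("unraidd") to show what is caught.
SAMPLE_DYNAMIC = {
    "http": {
        "routers": {
            "pve": {"service": "pve", "middlewares": None,
                    "rule": "Host(`pve.example.com`)"},
            "unraid": {"service": "unraidd", "middlewares": ["user-auth@file"],
                       "rule": "Host(`unraid.example.com`)"},
        },
        "services": {
            "pve": {"loadBalancer": {"servers": [{"url": "https://10.0.0.254:8006"}]}},
            "unraid": {"loadBalancer": {"servers": [{"url": "http://10.0.0.8"}]}},
        },
        "middlewares": {
            "secureHeaders": {"headers": {"stsSeconds": 31536000}},
            "user-auth": {"basicAuth": {"users": ["admin:$apr1$placeholder"]}},
        },
    }
}


def check_dynamic(cfg: Dict) -> List[str]:
    """Return findings as strings; an empty list means the file is consistent."""
    http = cfg.get("http") or {}
    routers = http.get("routers") or {}
    services = set((http.get("services") or {}).keys())
    middlewares = set((http.get("middlewares") or {}).keys())
    used_services, findings = set(), []
    for name, router in routers.items():
        svc = router.get("service")
        if not svc:
            findings.append(f"router {name}: no service set")
        elif svc not in services:
            findings.append(f"router {name}: service '{svc}' is not defined")
        else:
            used_services.add(svc)
        for mw in router.get("middlewares") or []:
            # A "@provider" suffix is optional; only names from the file provider
            # can be checked here, so skip e.g. "foo@docker".
            base, _, provider = mw.partition("@")
            if provider and provider != "file":
                continue
            if base not in middlewares:
                findings.append(f"router {name}: middleware '{mw}' is not defined")
    # Unused middlewares are not flagged: traefik.yml may reference them
    # (secureHeaders@file is attached to the websecure entryPoint).
    for svc in sorted(services - used_services):
        findings.append(f"service {svc}: defined but no router uses it")
    return findings
```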
- The traefik dashboard is at ip:8080, default username admin, password qwer1234 (the dashboard is display-only; reverse proxies cannot be configured from it). Note that port 8080 is served by api.insecure without any authentication; the admin/qwer1234 basic auth only protects the traefik-secure router on the HTTPS entrypoint (user-auth middleware), so replace that hash in dynamic.yml and do not publish 8080 beyond the LAN.
(三) Using traefik's service discovery
- Taking frps as an example: in the compose file below, add the "labels" section, change the domain and port, and join the "docker_bridge" network used by traefik; that is all it takes to use traefik's service discovery. Once the frps container is up, visiting "frps.你的域名.com" goes through the reverse proxy with no configuration needed on the traefik side
Note: the "port" in "labels" must be the port inside the container. As in the example, port 9527 is reverse-proxied without needing the - 9000:9527 mapping at all
```yaml
version: '3.3'
services:
  frps:
    restart: unless-stopped
    volumes:
      - '/root/docker/frps/frps.toml:/etc/frp/frps.toml'
    container_name: frps
    image: snowdreamtech/frps
    ports:
      - 5443:5443
      - 9000:9527
    networks:
      - docker_bridge
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.frps.rule=Host(`frps.你的域名.com`)"   # replace with your domain
      - "traefik.http.services.frps.loadbalancer.server.port=9527"
networks:
  docker_bridge:
    external: true
```
(四) unraid template download
https://raw.githubusercontent.com/jasonxtt/file/refs/heads/main/unraid-templates/my-traefik.xml