SSL passthrough with Traefik

Problem description

I need to send the SSL connections directly to the backend, not decrypt at my Traefik. The backend needs to receive https requests.

I tried the traefik.frontend.passTLSCert=true option, but I get a "404 page not found" error when I access my web app, and I also get this error on the Traefik container:

traefik       | time="2018-09-16T10:47:41Z" level=error msg="Failed to create TLSClientConfig: no TLS provided"
traefik       | time="2018-09-16T10:47:41Z" level=error msg="Failed to create RoundTripper for frontend frontend-Host-dev-mydomain-com-0: no TLS provided"
traefik       | time="2018-09-16T10:47:41Z" level=error msg="Skipping frontend frontend-Host-dev-mydomain-com-0..."

Could you suggest any solution? Thank you.

I'm using Traefik version 1.6.6.

Here is my docker-compose.yml for the app container.

version: '3'
services:
  app:
    image: webdevops/php-nginx-dev:7.2
    networks:
      - proxy
    volumes:
      - ./:/app
      - ../traefik/ssl/*.mydomain.com.crt:/opt/docker/etc/nginx/ssl/server.crt
      - ../traefik/ssl/*.mydomain.com.key:/opt/docker/etc/nginx/ssl/server.key
    environment:
      - WEB_DOCUMENT_ROOT=/app
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:dev.mydomain.com
      - traefik.docker.network=proxy
      - traefik.port=443
networks:
  proxy:
    external: true

The docker-compose.yml of my Traefik container.

version: "3"
services:
  traefik:
    image: traefik
    container_name: traefik
    command:
      - --api
      - --docker
      - --docker.exposedbydefault=false
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./ssl:/sslcert
networks:
  proxy:
    external: true

Finally, my traefik.toml file.

debug = true
logLevel = "ERROR"
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
      certFile = "/sslcert/*.mydomain.com.crt"
      keyFile = "/sslcert/*.mydomain.com.key"

[retry]

Recommended answer

Answer for traefik 1.0 (outdated)

passTLSCert forwards the TLS Client certificate to the backend, that is, a client that sends a certificate in the TLS handshake to prove its identity.

Traefik is an HTTP reverse proxy. To establish the SSL connection directly with the backend, you need to reverse proxy TCP and not HTTP, and traefik doesn't (yet?) support TCP (but there are issues for that on GitHub).

Traefik won't fit your use case; there are different alternatives, and envoy is one of them.
