如何在 Azure Service Fabric 容器中通过 Traefik 启用前端 HTTPS
How to enable frontend HTTPS with Traefik in an Azure Service Fabric container
我的后端服务位于 Azure Service Fabric 中托管的 Docker 容器中。而且服务是有状态的。所以我们使用 Traefik 将有状态请求转换为无状态请求。为了实现这一点,Traefik 将请求从前端转发到我们的后端。它在使用 HTTP 时工作正常。现在我们必须在前端启用HTTPS。
我已经为 Azure Service Fabric 配置了 HTTPS。当我登录集群节点时,我可以通过私有 IP 访问我的后端服务。但是我无法从配置的域访问我的服务。 Traefik 日志显示 "backend not found"。
我正在使用自签名证书。这是我的配置:
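################################################################
# Traefik logging
################################################################
[traefikLog]
filePath = "log/traefik.log"
format = "json"
# DEBUG is verbose and records request-level detail; lower it once the
# routing problem ("backend not found") has been diagnosed.
logLevel = "DEBUG"

# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Legacy logging keys, superseded by the [traefikLog] table above.
#traefikLogsFile = "log/traefik.log"
#logLevel = "DEBUG"

################################################################
# Entry points
################################################################
# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# All entry points are defined together here; the original declared
# [entryPoints.traefik] after [acme], which TOML allows but discourages.
[entryPoints]
[entryPoints.http]
address = ":80"
# Plain-HTTP requests are redirected to the https entry point. The ACME
# HTTP-01 challenge configured below still needs port 80 reachable.
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
# No certificate is listed here, so TLS on :443 relies entirely on the
# certificate obtained through [acme]. A self-signed certificate would have
# to be declared under [[entryPoints.https.tls.certificates]].
[entryPoints.https.tls]

# Entry point serving the dashboard, the API and the [rest] provider.
# It is bound on all interfaces with neither TLS nor authentication, and the
# REST provider accepts routing configuration over it, so it must not be
# reachable from untrusted networks: bind it to a management/loopback
# address or add authentication before exposing it.
[entryPoints.traefik]
address = ":8080"

################################################################
# ACME (Let's Encrypt)
################################################################
[acme]
# Contact address for the ACME account (placeholder value on this page).
email = "abc@abc.com"
# Holds the account key and issued private keys. Persist it across container
# restarts and keep it readable only by the Traefik process.
storage = "acme.json"
# Staging directory: certificates issued here are NOT trusted by browsers,
# which on its own makes https://domain1.azure.com fail client-side.
# Switch to the production directory once issuance works.
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "domain1.azure.com"
[[acme.domains]]
main = "domain2.azure.com"

################################################################
# Access logs
################################################################
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath = "log/log.txt"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

################################################################
# API definition
################################################################
[api]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint = "traefik"
# Enabled Dashboard
#
# Optional
# Default: true
#
dashboard = true
# Enable debug mode.
# This will install HTTP handlers to expose Go expvars under /debug/vars and
# pprof profiling data under /debug/pprof.
# Additionally, the log level will be set to DEBUG.
# These handlers are served unauthenticated on the "traefik" entry point
# above; disable once the deployment is debugged.
#
# Optional
# Default: false
#
debug = true

################################################################
# Service Fabric provider
################################################################
# Enable Service Fabric configuration backend.
# Table cased to match its [serviceFabric.tls] sub-table: TOML table names
# are case-sensitive, and the original mixed [servicefabric] with
# [serviceFabric.tls], making the TLS block a separate top-level table.
[serviceFabric]
filename = "custom_config_template.tmpl"
debugLogGeneratedTemplate = true
# Service Fabric Management Endpoint
# Note: use "https://localhost:19080" if you're using a secure cluster
clustermanagementurl = "https://localhost:19080"
# Service Fabric Management Endpoint API Version
apiversion = "3.0"
refreshSeconds = 10

# Client TLS for the management endpoint connection.
#
# Optional
#
[serviceFabric.tls]
cert = "certs/servicefabric.crt"
key = "certs/servicefabric.key"
# Disables verification of the management endpoint's server certificate.
# Tolerable only because the endpoint is loopback; prefer trusting the
# cluster certificate chain and setting this to false.
# ca = "<path-to-cluster-ca-bundle>"
insecureskipverify = true

################################################################
# REST provider
################################################################
# Enable REST Provider. Configuration pushed to it arrives over the
# "traefik" entry point; see the exposure note on [entryPoints.traefik].
[rest]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint = "traefik"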
下面是一些我不明白的问题:
在仪表板中,为什么前端仍然是 HTTP 而不是 HTTPS?
为什么我不能从域 https://domain1.azure.com 访问我的服务?
我是否也必须为我的后端服务启用 https?现在,我已经这样做了,但我认为这可能是不必要的,因为我的后端服务的 https 或 http 仅在 Traefik 调用我的后端时才重要。但是我们只需要在调用 Traefik 前端时启用 https。我说的对吗?
无论如何,既然我也为我的后端服务启用了 https,我是否必须将我的后端服务绑定到我在 [entryPoints.https.tls] 中配置的同一个证书?
问题是由我的部署引起的。更新配置后,我只重新部署了Traefik服务。
- 我必须重新部署 Traefik 和后端服务。
- 问题 1 的一些原因。
- 不需要后端 https。
- 不需要。
我的后端服务位于 Azure Service Fabric 中托管的 Docker 容器中。而且服务是有状态的。所以我们使用 Traefik 将有状态请求转换为无状态请求。为了实现这一点,Traefik 将请求从前端转发到我们的后端。它在使用 HTTP 时工作正常。现在我们必须在前端启用HTTPS。
我已经为 Azure Service Fabric 配置了 HTTPS。当我登录集群节点时,我可以通过私有 IP 访问我的后端服务。但是我无法从配置的域访问我的服务。 Traefik 日志显示 "backend not found"。 我正在使用自签名证书。这是我的配置:
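################################################################
# Traefik logging
################################################################
[traefikLog]
filePath = "log/traefik.log"
format = "json"
# DEBUG is verbose and records request-level detail; lower it once the
# routing problem ("backend not found") has been diagnosed.
logLevel = "DEBUG"

# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Legacy logging keys, superseded by the [traefikLog] table above.
#traefikLogsFile = "log/traefik.log"
#logLevel = "DEBUG"

################################################################
# Entry points
################################################################
# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# All entry points are defined together here; the original declared
# [entryPoints.traefik] after [acme], which TOML allows but discourages.
[entryPoints]
[entryPoints.http]
address = ":80"
# Plain-HTTP requests are redirected to the https entry point. The ACME
# HTTP-01 challenge configured below still needs port 80 reachable.
[entryPoints.http.redirect]
entryPoint = "https"

[entryPoints.https]
address = ":443"
# No certificate is listed here, so TLS on :443 relies entirely on the
# certificate obtained through [acme]. A self-signed certificate would have
# to be declared under [[entryPoints.https.tls.certificates]].
[entryPoints.https.tls]

# Entry point serving the dashboard, the API and the [rest] provider.
# It is bound on all interfaces with neither TLS nor authentication, and the
# REST provider accepts routing configuration over it, so it must not be
# reachable from untrusted networks: bind it to a management/loopback
# address or add authentication before exposing it.
[entryPoints.traefik]
address = ":8080"

################################################################
# ACME (Let's Encrypt)
################################################################
[acme]
# Contact address for the ACME account (placeholder value on this page).
email = "abc@abc.com"
# Holds the account key and issued private keys. Persist it across container
# restarts and keep it readable only by the Traefik process.
storage = "acme.json"
# Staging directory: certificates issued here are NOT trusted by browsers,
# which on its own makes https://domain1.azure.com fail client-side.
# Switch to the production directory once issuance works.
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "domain1.azure.com"
[[acme.domains]]
main = "domain2.azure.com"

################################################################
# Access logs
################################################################
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath = "log/log.txt"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

################################################################
# API definition
################################################################
[api]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint = "traefik"
# Enabled Dashboard
#
# Optional
# Default: true
#
dashboard = true
# Enable debug mode.
# This will install HTTP handlers to expose Go expvars under /debug/vars and
# pprof profiling data under /debug/pprof.
# Additionally, the log level will be set to DEBUG.
# These handlers are served unauthenticated on the "traefik" entry point
# above; disable once the deployment is debugged.
#
# Optional
# Default: false
#
debug = true

################################################################
# Service Fabric provider
################################################################
# Enable Service Fabric configuration backend.
# Table cased to match its [serviceFabric.tls] sub-table: TOML table names
# are case-sensitive, and the original mixed [servicefabric] with
# [serviceFabric.tls], making the TLS block a separate top-level table.
[serviceFabric]
filename = "custom_config_template.tmpl"
debugLogGeneratedTemplate = true
# Service Fabric Management Endpoint
# Note: use "https://localhost:19080" if you're using a secure cluster
clustermanagementurl = "https://localhost:19080"
# Service Fabric Management Endpoint API Version
apiversion = "3.0"
refreshSeconds = 10

# Client TLS for the management endpoint connection.
#
# Optional
#
[serviceFabric.tls]
cert = "certs/servicefabric.crt"
key = "certs/servicefabric.key"
# Disables verification of the management endpoint's server certificate.
# Tolerable only because the endpoint is loopback; prefer trusting the
# cluster certificate chain and setting this to false.
# ca = "<path-to-cluster-ca-bundle>"
insecureskipverify = true

################################################################
# REST provider
################################################################
# Enable REST Provider. Configuration pushed to it arrives over the
# "traefik" entry point; see the exposure note on [entryPoints.traefik].
[rest]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
entryPoint = "traefik"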
下面是一些我不明白的问题:
在仪表板中,为什么前端仍然是 HTTP 而不是 HTTPS?
为什么我不能从域 https://domain1.azure.com 访问我的服务?
我是否也必须为我的后端服务启用 https?现在,我已经这样做了,但我认为这可能是不必要的,因为我的后端服务的 https 或 http 仅在 Traefik 调用我的后端时才重要。但是我们只需要在调用 Traefik 前端时启用 https。我说的对吗?
无论如何,既然我也为我的后端服务启用了 https,我是否必须将我的后端服务绑定到我在 [entryPoints.https.tls] 中配置的同一个证书?
问题是由我的部署引起的。更新配置后,我只重新部署了Traefik服务。
- 我必须重新部署 Traefik 和后端服务。
- 问题 1 的一些原因。
- 不需要后端 https。
- 不需要。