Providing valid and dynamic certificates with one Traefik instance behind another
Context

I have a "special" setup where I have a first front-end server (`server0`) that receives all public web traffic, and at least one other host (`server1`) on a private network only.

I don't know how to enable HTTPS for the services hosted on the private-network nodes (`server1`).

Here is a diagram of my architecture:
```text
[ Internet ] --- [ Server 0 ] --- [ Server 1 ]

        +-----------------------+     +-----------------------+
        | Docker                |     | Docker                |
        | +-------------------+ |     | +-------------------+ |
        | | Traefik           | |     | | Traefik           | |
        | | Service A         | |     | | Service B         | |
        | +-------------------+ |     | +-------------------+ |
        +-----------------------+     +-----------------------+
```
I basically use wildcard DNS (everything points to `server0`) to expose the services on each host. For example:

```text
traefik.server0.mydomain
servicea.server0.mydomain
traefik.server1.mydomain
serviceb.server1.mydomain
```
My attempts:

server0 (http, https), server1 (http)

On `server0`:

- http, https and traefik entry points
- docker enabled
- static rules for `server1`:
  - http, https entry points
  - pass host header
  - rule: `HostRegexp:{subdomain:.*}.server1.mydomain`
  - target: `http://server1`

On `server1`:

- http, traefik entry points
- docker enabled
```toml
# server0:/etc/traefik/traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```
```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
  backend = "server1"
  passHostHeader = true
    [frontends.server1.routes]
      [frontends.server1.routes.main]
      rule = "HostRegexp:{subdomain:.*}.server1.mydomain"

[backends]
  [backends.server1]
    [backends.server1.servers]
      [backends.server1.servers.main]
      url = "http://server1.local"
```
```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"
```
Result:

* `traefik.server0.mydomain`: OK, valid certificate (Let's Encrypt)
* `serviceA.server0.mydomain`: OK, valid certificate (Let's Encrypt)
* `traefik.server1.mydomain`: OK, invalid certificate (Traefik default certificate)
server0 (http, https), server1 (http, https)

On `server0`:

- http, https and traefik entry points
- docker enabled
- static rules for `server1`:
  - http, https entry points
  - pass host header
  - rule: `HostRegexp:{subdomain:.*}.server1.mydomain`
  - target: `https://server1`

On `server1`:

- http, https, traefik entry points
- docker enabled
```toml
# server0:/etc/traefik/traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[file]
directory = "/etc/traefik/config.d"

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```
```toml
# server0:/etc/traefik/config.d/server1.toml
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
  backend = "server1"
  passHostHeader = true
    [frontends.server1.routes]
      [frontends.server1.routes.main]
      rule = "HostRegexp:{subdomain:.*}.server1.mydomain"

[backends]
  [backends.server1]
    [backends.server1.servers]
      [backends.server1.servers.main]
      url = "https://server1.local"
```
```toml
# server1:/etc/traefik/traefik.toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"

[api]
[ping]

[docker]
watch = true
exposedByDefault = false
network = "traefik"

[acme]
email = "foo@bar.com"
storage = "/data/acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"
```
Result:
* `traefik.server0.mydomain`: OK, valid certificate (Let's Encrypt)
* `serviceA.server0.mydomain`: OK, valid certificate (Let's Encrypt)
* `traefik.server1.mydomain`: internal server error (no log), invalid certificate (Traefik default cert)
I don't know which options to use to have correct behavior ...
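Added example, not part of the post above and not Traefik's own tooling: a small Python lint over the `server0` files of the second attempt (merged, as the file provider merges them), flagging the two certificate pitfalls visible in them. The TOML-subset parser is hand-written for exactly the syntax these files use, the constructed input is trimmed to the sections the checks read, and the three rules are my reading of Traefik 1.x documentation: `acme.onHostRule` requests certificates for `Host:` rules only (and Let's Encrypt issues wildcard certificates only through the DNS-01 challenge), an `https://` backend URL is verified against the system CA store unless the global `insecureSkipVerify` or `rootCAs` is set, and `acme.entryPoint` must carry a `tls` section.

```python
"""Lint Traefik 1.x TOML for certificate pitfalls (added example, assumptions in the lead-in)."""
import re

# A HostRegexp rule containing a {name:regex} group, i.e. a wildcard host match.
WILDCARD_HOSTREGEXP = re.compile(r"^HostRegexp:.*\{[^}]*\}", re.IGNORECASE)


def _parse_value(raw: str):
    """Strings, booleans and flat arrays are all this TOML subset needs."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        return [_parse_value(x) for x in inner.split(",")] if inner else []
    if raw in ("true", "false"):
        return raw == "true"
    return raw  # numbers stay as text; no check needs them


def parse_toml_subset(text: str) -> dict:
    """Turn [a.b.c] headers, `key = value` lines and # comments into nested dicts."""
    root: dict = {}
    table = root
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            table = root
            for part in line.strip("[]").split("."):
                table = table.setdefault(part, {})
            continue
        key, _, value = line.partition("=")
        table[key.strip()] = _parse_value(value)
    return root


def lint_traefik_v1(cfg: dict) -> list:
    """Return one message per pitfall found; an empty list means none of the known ones."""
    findings = []
    tls_entry_points = {n for n, ep in cfg.get("entryPoints", {}).items() if "tls" in ep}

    acme = cfg.get("acme", {})
    if acme and acme.get("entryPoint") not in tls_entry_points:
        findings.append(f"acme.entryPoint={acme.get('entryPoint')!r} has no tls section")

    for fe_name, fe in cfg.get("frontends", {}).items():
        if not set(fe.get("entryPoints", [])) & tls_entry_points:
            continue  # plain-HTTP frontend, no certificate involved
        for route_name, route in fe.get("routes", {}).items():
            rule = route.get("rule", "")
            if WILDCARD_HOSTREGEXP.match(rule):
                findings.append(
                    f"frontends.{fe_name}.routes.{route_name}: {rule!r} is a wildcard HostRegexp; "
                    "onHostRule requests certificates for Host: rules only and a wildcard certificate "
                    "needs DNS-01, so these hosts are served with the default certificate")

    backends_verified = not (cfg.get("insecureSkipVerify") or cfg.get("rootCAs"))
    for be_name, be in cfg.get("backends", {}).items():
        for srv_name, srv in be.get("servers", {}).items():
            url = srv.get("url", "")
            if url.startswith("https://") and backends_verified:
                findings.append(
                    f"backends.{be_name}.servers.{srv_name}: {url!r} is verified against the system "
                    "CA store; a self-signed or default backend certificate fails the handshake "
                    "unless rootCAs or insecureSkipVerify is set")
    return findings


# Constructed input: server0's traefik.toml plus config.d/server1.toml from the
# second attempt, trimmed to the sections the checks read.
SERVER0_ATTEMPT2 = """
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
[acme]
entryPoint = "https"
onHostRule = true
[frontends]
  [frontends.server1]
  entryPoints = ["http", "https"]
    [frontends.server1.routes.main]
    rule = "HostRegexp:{subdomain:.*}.server1.mydomain"
[backends]
  [backends.server1.servers.main]
  url = "https://server1.local"
"""


def lint_text(text: str) -> list:
    return lint_traefik_v1(parse_toml_subset(text))


if __name__ == "__main__":
    for finding in lint_text(SERVER0_ATTEMPT2):
        print("-", finding)
```

Run it as a script to print the findings for the constructed input; `lint_text` accepts any file contents in the same subset, so the first attempt can be checked the same way (there the backend URL is plain `http://`, so only the wildcard finding remains).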