
Traefik 2.1 and SSLLabs

First we port our Traefik 1.7 configuration to version 2.
Note that Traefik now behaves like a router.

The request arrives at a component called a router, which hands it (or not) to a middleware (able to transform the traffic), which in turn passes it to a service.

So between v1.7 and v2, a frontend becomes a router and a backend becomes a service.

That is the theory; let's put it into practice.

Study of the docker-compose.yml files

docker-compose for 1.7:

gano@gano-vm:~/docker/Traefik/tls$ cat ../../traefik/docker-compose.yml
version: "3"

services:
  traefik:
    image: traefik:1.7
    container_name: traefik
    domainname: toto.duckdns.org
    hostname: traefik
    restart: always
    ports:
      - "20080:80"
      - "20443:443"
      - "8080:8080"
    environment:
      - DUCKDNS_TOKEN=<VOTRE TOKEN>
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/gano/docker/traefik/traefik:/etc/traefik"
      - "/home/gano/docker/traefik/shared:/shared"
    networks:
      - default
      - traefik-network
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:toto.duckdns.org"
      - "traefik.port=8080"
      - "traefik.docker.network=traefik-network"
      - "docker.network=traefik-network"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"

networks:
  traefik-network:
    external: true
  default:
    driver: bridge

docker-compose for 2:

version: '3'
services:
  traefik:
    image: traefik:2.1
    restart: always
    ports:
      - 20080:80
      - 20443:443
      - 8080:8080   # dashboard/API; with api.insecure=true it is served without authentication
    environment:
      # needed by the duckdns DNS challenge, as in the 1.7 compose file
      - DUCKDNS_TOKEN=<VOTRE TOKEN>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf/traefik.toml:/traefik.toml
      - ./conf/acme.json:/acme.json
      - ./tls:/tls
    networks:
      - traefik-network
      - default
    labels:
      - traefik.enable=true
      - "traefik.http.routers.nas.entrypoints=https,http"
      - "traefik.http.routers.nas.rule=Host(`toto.duckdns.org`)"
      - "traefik.http.routers.nas.service=nas@file"
      - "traefik.http.routers.nas.tls=true"
      - "traefik.http.routers.nas.tls.certresolver=letsencrypt"
      - "traefik.http.routers.plex.entrypoints=https,http"
      - "traefik.http.routers.plex.rule=Host(`plex.duckdns.org`)"
      - "traefik.http.routers.plex.service=plex@file"
      - "traefik.http.routers.plex.tls=true"
      # The 1.7 traefik.frontend.headers.* labels are ignored by v2: HSTS is a
      # headers middleware that each router has to reference explicitly.
      - "traefik.http.middlewares.sts.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.sts.headers.stsSeconds=315360000"
      - "traefik.http.middlewares.sts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.sts.headers.stsPreload=true"
      - "traefik.http.routers.nas.middlewares=sts"
      - "traefik.http.routers.plex.middlewares=sts"

networks:
  traefik-network:
    external: true

Right away we see that we have to declare labels for our non-containerized sites, namely the NAS and the Plex server.
"traefik.http.routers.nas.service=nas@file" means that the virtual host configuration of the NAS (its service) is described in a file, i.e. it comes from the file provider.

Among the mounted volumes we have:
traefik.toml: the global Traefik configuration
acme.json: the ACME file holding the certificates

and above all the "tls" directory, which we mount into the container.

Why an extra directory?

The global configuration is therefore done in the traefik.toml file, but some options, such as the TLS section, are now dynamic.

If we describe these options in the global file, the values are not taken into account.
We therefore have to go through a dynamic configuration format.
So we create the file dynamic-conf.toml in the tls directory.

Traefik.toml

for 1.7:

debug = false

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
# disables verification of the backends' TLS certificates: Traefik accepts any certificate from the servers it proxies to
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8888"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]

# Let's encrypt configuration
[acme]
email = "monsupermail@gmail.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created

# Use this for subdomains
[acme.dnsChallenge]
  provider = "duckdns"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "docker1.duckdns.org"
[[acme.domains]]
   main = "*.docker1.duckdns.org"
[[acme.domains]]
   main = "monnas.duckdns.org"
[[acme.domains]]
   main = "*.monnas.duckdns.org"
[[acme.domains]]
   main = "plex.duckdns.org"
[[acme.domains]]
   main = "*.plex.duckdns.org"
[[acme.domains]]
   main = "back2tech.duckdns.org"
[[acme.domains]]
   main = "*.back2tech.duckdns.org"

[file]
  watch = true
  filename = "/etc/traefik/servers.toml"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "traefik.duckdns.org"
watch = true
exposedbydefault = false

for 2.1:

[global]
  sendAnonymousUsage = false

[log]
  level = "INFO"
  format = "common"

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    watch = true
    # 1.7 used exposedbydefault = false; with true every container on the Docker
    # network gets a router unless it carries traefik.enable=false
    exposedByDefault = true
    swarmMode = false
  [providers.file]
    # dynamic configuration: TLS options and the file-defined routers/services
    directory = "/tls"

[api]
  dashboard = true
  debug = false
  # insecure = true serves the dashboard and API on :8080 without any authentication
  insecure = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
    # the 1.7 [entryPoints.http.redirect] has no static equivalent in 2.x: the
    # http -> https redirect is done with a redirectScheme middleware on an http router
  [entryPoints.https]
    address = ":443"

[certificatesResolvers.letsencrypt.acme]
  email = "monsupermail@gmail.com"
  storage = "acme.json"
  caServer = "https://acme-v02.api.letsencrypt.org/directory"
  keyType = "EC256"
  # A resolver uses a single challenge type: keep only the one you rely on.
  [certificatesResolvers.letsencrypt.acme.httpChallenge]
    entryPoint = "http"
  [certificatesResolvers.letsencrypt.acme.tlsChallenge]
  # The 1.7 [acme.dnsChallenge] block moves under the resolver; the wildcard
  # names listed below can only be issued through it (DUCKDNS_TOKEN must be
  # present in the container environment, as in the 1.7 compose file).
  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "duckdns"
    delayBeforeCheck = 300

# The 1.7 [[acme.domains]] list has no place in the 2.x static configuration
# (a top-level [acme] table is an unknown field and Traefik 2 refuses to start).
# Domains are requested per router, e.g. with the labels
#   traefik.http.routers.nas.tls.domains[0].main=monnas.duckdns.org
#   traefik.http.routers.nas.tls.domains[0].sans=*.monnas.duckdns.org
# for each of docker1.duckdns.org, monnas.duckdns.org, plex.duckdns.org and
# back2tech.duckdns.org together with their *. wildcard.

dynamic-conf.toml

for Traefik version 2

[tls]
  [tls.options]
    # "default" applies to every TLS router that does not name another option set
    [tls.options.default]
      minVersion = "VersionTLS12"
      # refuse TLS connections with no SNI or an SNI matching none of the certificates,
      # instead of serving the default certificate
      sniStrict = true
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256"
      ]

[http]
  [http.routers]
    [http.routers.nas-router]
      rule = "Host(`monnas.duckdns.org`)"
      service = "nas"
      entryPoints = ["https"]   # the router option is entryPoints; "entrypoint" is not a valid key

  [http.middlewares]
    # declared but attached to no router and without users; add users = [...] before using it
    [http.middlewares.test-user.basicauth]

  [http.services]
    [http.services.nas.loadbalancer]
      [[http.services.nas.loadbalancer.servers]]
        url = "http://192.168.2.210:5000"
    [http.services.plex.loadbalancer]
      # the servers table must use the same service name (it was "ganocloud", leaving plex without servers)
      [[http.services.plex.loadbalancer.servers]]
        url = "http://192.168.2.25:32400"

Static mode in 1.7

server.toml

[frontends]
    [frontends.nasgano]
        backend = "nas"
        # the routes table must sit under the same frontend name as the backend assignment
        [frontends.nasgano.routes.domain]
            rule = "Host:monnas.duckdns.org"
    [frontends.ganocloud]
        backend = "docker1"   # no "docker1" backend is declared below, while the plex backend has no frontend
        [frontends.ganocloud.routes.domain]
            rule = "Host:toto.duckdns.org"

[backends]
    [backends.nas]
        [backends.nas.servers.nas]
            url = "http://192.168.2.210:5000"

    [backends.plex]
        [backends.plex.servers.plex]
            url = "http://192.168.2.25:32400"

Adding labels to containers so that Traefik serves them with a certificate

Just add the following labels to any container we want to expose through Traefik:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.home.rule=Host(`toto.duckdns.org`)"
      - "traefik.http.routers.home.entrypoints=https,http"
      - "traefik.http.routers.home.tls=true"
      - "traefik.http.routers.home.tls.certresolver=letsencrypt"
      - "traefik.http.services.home.loadbalancer.server.port=[PortEcouteDuService]"
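As an added example (not code from the original post), a small Python pre-check that groups the v2 docker labels the way Traefik does and flags, offline, the points an SSLLabs scan grades: TLS minimum version, sniStrict, cipher suites, a certificate resolver on every TLS router, and an HSTS headers middleware on every TLS router. The inputs are constructed from the post's labels and its [tls.options.default]; the `sts` middleware name and the weak-suite pattern are my assumptions.

```python
import re
# Constructed inputs mirroring the post: its v2 docker labels (HSTS expressed as a
# headers middleware) and the [tls.options.default] table of dynamic-conf.toml.
LABELS = [
    "traefik.http.routers.nas.tls=true",
    "traefik.http.routers.nas.tls.certresolver=letsencrypt",
    "traefik.http.routers.nas.middlewares=sts",
    "traefik.http.routers.plex.tls=true",
    "traefik.http.middlewares.sts.headers.stsSeconds=315360000",
    "traefik.http.middlewares.sts.headers.stsIncludeSubdomains=true",
    "traefik.http.middlewares.sts.headers.stsPreload=true",
]
TLS_OPTIONS = {"minVersion": "VersionTLS12", "sniStrict": True, "cipherSuites": [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]}
WEAK_SUITE = re.compile(r"_CBC_|RC4|3DES|^TLS_RSA_WITH")  # legacy modes or no forward secrecy (assumed list)

def parse_labels(labels):
    """Group traefik.http.<kind>.<name>.<rest>=<value> into {kind: {name: {rest: value}}}."""
    tree = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.lower().split(".")  # Traefik treats label keys case-insensitively
        if len(parts) >= 5 and parts[:2] == ["traefik", "http"]:
            tree.setdefault(parts[2], {}).setdefault(parts[3], {})[".".join(parts[4:])] = value
    return tree

def hsts_middlewares(cfg):
    """Headers middlewares meeting the HSTS preload bar: 1 year, includeSubDomains, preload."""
    return {n for n, m in cfg.get("middlewares", {}).items()
            if int(m.get("headers.stsseconds", 0)) >= 31536000
            and m.get("headers.stsincludesubdomains") == "true"
            and m.get("headers.stspreload") == "true"}

def audit(labels, tls_options):
    """Return the findings SSLLabs would grade down; an empty list means this check passes."""
    findings = []
    if tls_options.get("minVersion", "VersionTLS10") not in ("VersionTLS12", "VersionTLS13"):
        findings.append("minVersion allows TLS < 1.2")
    if not tls_options.get("sniStrict"):
        findings.append("sniStrict off: default certificate served for unknown SNI")
    findings += [f"weak cipher suite {s}" for s in tls_options.get("cipherSuites", []) if WEAK_SUITE.search(s)]
    cfg = parse_labels(labels)
    good = hsts_middlewares(cfg)
    for name, r in cfg.get("routers", {}).items():
        if r.get("tls") != "true": continue  # plain HTTP router, outside an SSLLabs scan
        if "tls.certresolver" not in r:
            findings.append(f"router {name}: tls=true but no certresolver, default certificate used")
        if not good & set(r.get("middlewares", "").split(",")):
            findings.append(f"router {name}: no HSTS middleware attached")
    return findings
```

On the post's own labels the only findings concern the plex router, which has neither a certresolver nor the HSTS middleware attached.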
