SSL passthrough with Traefik

泪湿孤枕 提交于 2019-12-11 23:32:05

问题


I need to send the SSL connections directly to the backend, not decrypt at my Traefik. The backend needs to receive https requests.

I tried the traefik.frontend.passTLSCert=true option but getting "404 page not found" error when I access my web app and also get this error on Traefik container

traefik       | time="2018-09-16T10:47:41Z" level=error msg="Failed to create TLSClientConfig: no TLS provided"
traefik       | time="2018-09-16T10:47:41Z" level=error msg="Failed to create RoundTripper for frontend frontend-Host-dev-mydomain-com-0: no TLS provided"
traefik       | time="2018-09-16T10:47:41Z" level=error msg="Skipping frontend frontend-Host-dev-mydomain-com-0..."

Could you suggest any solution? Thank you.

I'm using Traefik version 1.6.6.

Here is my docker-compose.yml for the app container.

version: '3'
services:
  app:
    image: webdevops/php-nginx-dev:7.2
    networks:
      - proxy
    volumes:
      - ./:/app
      - ../traefik/ssl/*.mydomain.com.crt:/opt/docker/etc/nginx/ssl/server.crt
      - ../traefik/ssl/*.mydomain.com.key:/opt/docker/etc/nginx/ssl/server.key
    environment:
      - WEB_DOCUMENT_ROOT=/app
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:dev.mydomain.com
      - traefik.docker.network=proxy
      - traefik.port=443
networks:
  proxy:
    external: true

The docker-compose.yml of my Traefik container.

version: "3"
services:
  traefik:
    image: traefik
    container_name: traefik
    command:
      - --api
      - --docker
      - --docker.exposedbydefault=false
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
      - ./ssl:/sslcert
networks:
  proxy:
    external: true

Finally, my traefik.toml file.

debug = true
logLevel = "ERROR"
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
      certFile = "/sslcert/*.mydomain.com.crt"
      keyFile = "/sslcert/*.mydomain.com.key"

[retry]

回答1:


passTLSCert forwards the TLS Client certificate to the backend, that is, a client that sends a certificate in the TLS handshake to prove it's identity.

Traefik is an HTTP reverse proxy. To establish the SSL connection directly with the backend, you need to reverse proxy TCP and not HTTP, and traefik doesn't (yet ?) support tcp (but there are issues for that on github).

Traefik won't fit your usecase, there are different alternatives, envoy is one of them.




回答2:


Traefik now has TCP support in its new 2.0 version - which is still in alpha at this time (Apr 2019).

See PR https://github.com/containous/traefik/pull/4587
and the release notes of v2.0.0-alpha1 at https://github.com/containous/traefik/releases/tag/v2.0.0-alpha1 showing this TCP support PR being included

Hence once 2.0 is released (probably within 2-3 months), HTTPS passthrough will become possible.



来源:https://stackoverflow.com/questions/52347059/ssl-passthrough-with-traefik

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!