【Question title】: Traefik does not use cert file provided for OpenConnect VPN
【Posted】: 2022-11-05 01:23:43
【Question】:

I have set up Traefik in Docker and use Let's Encrypt for the domain example.tld, something like this:

services:
  traefik:
    image: "traefik:2.8.2"
    container_name: "traefik"
    hostname: "traefik"
    restart: always
    command:
      - "--serverstransport.insecureskipverify=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=mail@example.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/etc/traefik/rules.yml"
      - "--providers.file.watch=true"
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./volumes/traefik/log:/etc/traefik/log"
      - "./volumes/traefik/rules.yml:/etc/traefik/rules.yml"
      - "./volumes/traefik/letsencrypt/:/letsencrypt/"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    restart: always
    labels:
      - "traefik.enable=true"
      - 'traefik.http.routers.whoami.tls.certresolver=letsencrypt'
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.tld`)"

All of this works, but now I want to add an OpenConnect VPN on the same port. So in the file provider:

http:
  routers:
    router-vpn:
      entryPoints:
        - websecure
      rule: Host(`vpn.example.tld`) # (same domain)
      service: service-vpn
      # "store" is not a router option; TLS is enabled on a router with "tls",
      # which uses the "default" store (the only store Traefik supports).
      tls: {}

  services:
    service-vpn:
      loadBalancer:
        servers:
        - url: "https://ocserver:3334"

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/log/certs/cert.pem
        keyFile: /etc/traefik/log/certs/key.pem
  certificates:
    - certFile: /etc/traefik/log/certs/cert.pem
      keyFile: /etc/traefik/log/certs/key.pem

The certificate is copied from the OpenConnect server. The problem is that OCC (the OpenConnect client) and OCS (the OpenConnect server) connect via HTTP CONNECT (OCS receives the request) and encrypt using the publicly presented certificate, but because Traefik presents the Let's Encrypt certificate, the server cannot decrypt the client's answer and it therefore fails.

So now my question is: how do I (on the same domain) force Traefik to use the certificate file (whether it is valid or not) for vpn.example.tld, while the other domains use the LE certificate?

【Question comments】:

    Tags: traefik cacerts openconnect


    【Solution 1】:

    Traefik currently only supports SNI-based certificate matching when the certificate is valid, and even that implementation is not reliable. I suggest using tls-passthrough as described in the documentation.

    【Comments】:
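As an added example (not part of the answer above or of the original question), this is the TLS passthrough the answer recommends, written as a Traefik 2.8 file-provider fragment for the rules.yml mounted in the question's compose file; the hostname vpn.example.tld and the backend ocserver:3334 are taken from the question, everything else is assumed.

```yaml
# Dynamic configuration for the file provider (rules.yml).
# A TCP router is matched on the SNI of the TLS ClientHello before Traefik
# terminates anything, so this hostname bypasses the Let's Encrypt resolver
# entirely. Other hostnames (e.g. whoami.example.tld) are still handled by
# the HTTP routers and keep their ACME certificates.
tcp:
  routers:
    router-vpn:
      entryPoints:
        - websecure
      # Passthrough routers require a HostSNI rule with a concrete hostname.
      rule: "HostSNI(`vpn.example.tld`)"
      service: service-vpn
      tls:
        # Forward the raw TLS stream; ocserv presents its own certificate and
        # performs the handshake, so no copied cert.pem/key.pem is needed here.
        passthrough: true
  services:
    service-vpn:
      loadBalancer:
        servers:
          # TCP services take an address, not a URL (no scheme).
          - address: "ocserver:3334"
```

Because Traefik only sees the SNI of these connections and not the HTTP CONNECT inside them, HTTP middlewares and per-request access logs do not apply to this router, and only the TCP side of OpenConnect is carried (DTLS over UDP is not proxied by this router, so the client has to fall back to TLS over TCP).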
