[Posted]: 2022-11-05 01:23:43
[Question]:
I have set up traefik in docker and use Let's Encrypt on the domain example.tld for some services:
services:
  traefik:
    image: "traefik:2.8.2"
    container_name: "traefik"
    hostname: "traefik"
    restart: always
    command:
      - "--serverstransport.insecureskipverify=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=mail@example.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--providers.file.filename=/etc/traefik/rules.yml"
      - "--providers.file.watch=true"
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./volumes/traefik/log:/etc/traefik/log"
      - "./volumes/traefik/rules.yml:/etc/traefik/rules.yml"
      - "./volumes/traefik/letsencrypt/:/letsencrypt/"
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    restart: always
    labels:
      - "traefik.enable=true"
      - 'traefik.http.routers.whoami.tls.certresolver=letsencrypt'
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.tld`)"
This all works, but now I want to add an OpenConnect VPN on the same port. So in the file provider:
http:
  routers:
    router-vpn:
      entryPoints:
        - websecure
      rule: Host(`vpn.example.tld`) # (same domain)
      service: service-vpn
      store: default
  services:
    service-vpn:
      loadBalancer:
        servers:
          - url: "https://ocserver:3334"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/log/certs/cert.pem
        keyFile: /etc/traefik/log/certs/key.pem
  certificates:
    - certFile: /etc/traefik/log/certs/cert.pem
      keyFile: /etc/traefik/log/certs/key.pem
The certificates are copied from the OpenConnect server. The problem is that OCC (the OpenConnect client) and OCS (the OpenConnect server) connect via HTTP CONNECT (OCS receives the request) and encrypt with the publicly shown certificate, but because traefik shows the Let's Encrypt certificate, the server cannot decrypt the client's answer, so it fails.
So now my question is: how can I (on the same domain) force traefik to use the certificate files for vpn.example.tld (whether they are valid or not), while the other domains use the LE certificate?
[Comments]:
Tags: traefik cacerts openconnect
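One way to get the behaviour asked for above, as an added example that is not part of the original question: instead of terminating TLS in Traefik with a copied certificate and re-encrypting to ocserv, a TCP router with a HostSNI rule and TLS passthrough hands the raw TLS stream for vpn.example.tld to ocserv, so the client sees ocserv's own certificate while the HTTP routers on the other hosts keep their Let's Encrypt certificates. The backend name ocserver and port 3334 come from the question; the rest of the file-provider block is assumed.

```yaml
# Added example (not the question's own config): replaces the http router-vpn
# block from the question with a TCP router that passes the TLS stream through.
tcp:
  routers:
    router-vpn:
      entryPoints:
        - websecure
      # HostSNI matches the server name in the TLS ClientHello; Traefik only
      # reads the SNI and never decrypts the connection.
      rule: "HostSNI(`vpn.example.tld`)"
      service: service-vpn
      tls:
        # Forward the encrypted bytes unchanged; ocserv terminates TLS with its
        # own certificate, so no certificate needs to be copied into Traefik.
        passthrough: true
  services:
    service-vpn:
      loadBalancer:
        servers:
          # ocserver:3334 is the backend named in the question (assumed to be
          # reachable on the same Docker network as Traefik).
          - address: "ocserver:3334"
```

Passthrough covers only TLS over TCP: OpenConnect's DTLS channel on UDP is not proxied, and Traefik cannot apply HTTP middlewares to the stream, so authentication and logging for the VPN stay on ocserv. It also means `--serverstransport.insecureskipverify=true` from the compose file, which disables certificate verification for every backend, is not needed for this route.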