本文最后更新于 2024年5月16日。
1. 创建文件夹和文件
mkdir ~/traefik
cd ~/traefik
mkdir -p data/configurations
touch docker-compose.yml
touch data/traefik.yml
touch data/acme.json
touch data/configurations/dynamic.yml
chmod 600 data/acme.json
2. 配置 docker-compose.yml
文件路径为 ~/traefik/docker-compose.yml
version: '3.7'
services:
traefik:
image: traefik:v2.4
container_name: traefik
restart: always
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
volumes:
# 如果宿主机是标准 linux 系统,可以设置一下localtime
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro # 映射静态配置文件
- ./data/acme.json:/acme.json # 映射证书文件,SSL 证书申请成功后,就会存在这个文件中
- ./data/configurations:/configurations # 映射动态配置文件
networks:
- traefik
labels:
# 下面这些标签,可以帮助 traefik 正确处理该服务
- 'traefik.enable=true'
- 'traefik.docker.network=traefik' # 指定 docker network
# 指定服务入口为 websecure,websecure 会在静态配置文件traefik.yml中定义
- 'traefik.http.routers.traefik-secure.entrypoints=websecure'
# 定义访问域名,需要做 DNS 解析
- 'traefik.http.routers.traefik-secure.rule=Host(`traefik.yourdomain.com`)'
- 'traefik.http.routers.traefik-secure.middlewares=user-auth@file'
- 'traefik.http.routers.traefik-secure.service=api@internal'
networks:
traefik:
external: true
创建 docker-compose.yml 内需要的 network
docker network create traefik
3. 修改静态配置文件
文件路径为 ~/traefik/data/traefik.yml
api:
dashboard: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
websecure:
address: :443
http:
middlewares:
- secureHeaders@file
- nofloc@file
tls:
certResolver: lets-encr
pilot:
dashboard: false
providers:
docker:
endpoint: 'unix:///var/run/docker.sock'
exposedByDefault: false
file:
filename: /configurations/dynamic.yml # 动态配置文件位置
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: xxxxxx
httpChallenge:
entryPoint: web
4. 修改动态配置文件
文件路径为 ~/traefik/data/configurations/dynamic.yml
# Dynamic configuration
http:
middlewares:
nofloc:
headers:
customResponseHeaders:
Permissions-Policy: 'interest-cohort=()'
secureHeaders:
headers:
sslRedirect: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
# UserName : admin
# Password : qwer1234
user-auth:
basicAuth:
# users 选项是认证用户的列表
# 使用 echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
# 来创建 user:password 键值对
users:
- 'admin:$apr1$tm53ra6x$FntXd6jcvxYM/YH0P2hcc1'
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
minVersion: VersionTLS12
5. 解析域名
在 docker-compose.yml 中,我们指定了使用 traefik.yourdomain.com 作为访问域名。因此,我们需要将 traefik.yourdomain.com 解析至 traefik 服务入口 IP 地址。
若使用单个云服务器部署 traefik,就需要将域名解析到服务器 IP 地址上
6. 启动服务
cd ~/traefik # 确保位于 docker-compose.yml 所在目录
docker-compose up -d
7. 访问 Traefik Dashboard
在浏览器中访问 traefik.yourdomain.com,会发现自动加上了 SSL。
输入静态配置文件 dynamic.yml 中的用户名和密码,即可进入 Traefik Dashboard。
新建`whoami-docker-compose.yml
version: "3.7"
services:
whoami:
image: "containous/whoami"
container_name: "whoami"
hostname: "whoami"
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.rule=Host(`whoami.weiyoun.com`)"
- "traefik.http.routers.whoami.tls.certresolver=lets-encr"
networks:
default:
external:
name: traefik
新建`cloudreve-docker-compose.yml
version: "3.7"
services:
cloudreve:
container_name: cloudreve
image: cloudreve/cloudreve:latest
restart: unless-stopped
# ports:
# - "5212:5212"
# - "443:443"
volumes:
- cloudrevedata:/data
- cloudreve:/cloudreve
- cloudreveuploads:/cloudreve/uploads
- cloudreveavatar:/cloudreve/avatar
# - ./cloudreve:/cloudreve # 221018 add ,error
# - ./cloudreve/uploads:/cloudreve/uploads
# - ./cloudreve/conf.ini:/cloudreve/conf.ini
# - ./cloudreve/cloudreve.db:/cloudreve/cloudreve.db
# - ./cloudreve/avatar:/cloudreve/avatar
# depends_on:
# - aria2
# aria2:
# container_name: aria2
# image: p3terx/aria2-pro
# restart: unless-stopped
# environment:
# - RPC_SECRET=your_aria_rpc_token
# - RPC_PORT=6800
# volumes:
# - aria2Config:/config
# - tempData:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.cloudreve.entrypoints=websecure"
# - "traefik.http.routers.cloudreve.entrypoints=web"
- "traefik.http.routers.cloudreve.rule=Host(`yun.weiyoun.com`)"
- "traefik.http.routers.cloudreve.tls.certresolver=lets-encr"
networks:
default:
external:
name: traefik
volumes:
cloudreve:
cloudreveuploads:
cloudrevedata:
cloudreveavatar:
新建`kodcloud-docker-compose.yml
version: "3.7"
services:
kodcloud:
container_name: kodcloud
image: kodcloud/kodbox
restart: always
# ports:
# - 1111:80
volumes:
- kodcloud:/var/www/html
labels:
- "traefik.enable=true"
- "traefik.http.routers.kodcloud.entrypoints=websecure"
# - "traefik.http.routers.kodcloud.entrypoints=web"
- "traefik.http.routers.kodcloud.rule=Host(`cloud.weiyoun.com`)"
- "traefik.http.routers.kodcloud.tls.certresolver=lets-encr"
networks:
default:
external:
name: traefik
volumes:
kodcloud:
新建`lnmp-docker-compose.yml
version: "3.4"
volumes:
# nextcloud:
lnmpmariadb:
lnmpphpConfig:
lnmpnginxConf:
lnmpnginxLog:
lnmpnginxHtml:
services:
mariadb:
image: mariadb:10.5
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
ports:
- "3306:3306"
volumes:
- lnmpmariadb:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=xxxxxx
- MYSQL_PASSWORD=xxxxxx
- MYSQL_DATABASE=user
- MYSQL_USER=user
# redis:
# image: redis
# restart: unless-stopped
# expose:
# - "6379"
# volumes:
# - redis:/data
# command: redis-server --requirepass 'redis_password' # 这里的redis_password换成你要配置的redis密码
# # command指的是启动容器后代替默认启动指令来启动服务的指令
php:
hostname: php
restart: always
image: php:8.1-new
container_name: php
build:
context: ./php
dockerfile: Dockerfile
ports:
- "9000:9000"
links:
- mariadb:mariadb
volumes:
- lnmpnginxHtml:/var/www/html
- lnmpphpConfig:/usr/local/etc
depends_on:
# 依赖的容器列表,只有这些容器都成功启动了,才会启动当前容器
- mariadb
# - redis
nginx:
hostname: nginx
restart: always
container_name: nginx
image: nginx:1.17.0
ports:
- "8080:80"
# - "8443:8443"
links:
- "php:php"
# - nextcloud:nextcloud
volumes:
- lnmpnginxConf:/etc/nginx
# - ./nginx_config/conf.d:/etc/nginx/conf.d:ro
# - ./nginx_config/ssl_certs:/etc/nginx/ssl_certs:ro
- lnmpnginxLog:/var/log/nginx
- lnmpnginxHtml:/usr/share/nginx/html
# - ./nextcloud/html:/var/www/html
labels:
- "traefik.enable=true"
- "traefik.http.routers.nginx.entrypoints=websecure"
- "traefik.http.routers.nginx.rule=Host(`www.weiyoun.com`)"
- "traefik.http.routers.nginx.tls.certresolver=lets-encr"
depends_on:
- php
networks:
default:
external:
name: traefik
其中需要的php的dockerfile
FROM php:8.1.0RC5-fpm-buster
#buster是基于Debian Linux发行的一个版本,像PHP、Python之类的语言都会使用这个版本的Debian搭建Docker基础镜像。
#docker中php扩展安装方式
#1、PHP源码文件目录自带扩展 docker-php-ext-install直接安装
#2、pecl扩展 因为一些扩展不包含在PHP源码文件中,PHP 的扩展库仓库中存在。用 pecl install 安装扩展,再用 docker-php-ext-enable 命令 启用扩展
#3、其他扩展 一些既不在 PHP 源码包,也不再 PECL 扩展仓库中的扩展,可以通过下载扩展程序源码,编译安装的方式安装
#redis扩展 仓库地址 https://pecl.php.net/package/redis
ENV PHPREDIS_VERSION 5.3.4
#memcached扩展 仓库地址 https://pecl.php.net/package/memcached
ENV MEMCACHED_VERSION 3.1.5
#mongodb扩展 https://pecl.php.net/package/mongodb
ENV MONGODB_VERSION 1.11.1
# 设置时间
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo 'Asia/Shanghai' > /etc/timezone
# 221020 add 安装ImageMagick扩展 安装imagick扩展
# ENV IMAGICK_VERSION=3.4.4
# ENV IMAGEMAGICK_VERSION=7.0.10-39
# RUN apt-get update && apt-get install -y wget
# # 安装ImageMagick扩展
# RUN wget http://www.imagemagick.org/download/ImageMagick.tar.gz
# COPY extend/ImageMagick-${IMAGEMAGICK_VERSION}.tar.gz /opt/ImageMagick.tar.gz
# RUN cd /opt/ && tar -zxvf ImageMagick.tar.gz \
# && cd ImageMagick-${IMAGEMAGICK_VERSION} \
# && ./configure --prefix=/usr/local/ImageMagick \
# && make && make install
# 安装imagick扩展
# RUN wget http://pecl.php.net/get/imagick-3.4.4.tgz
# COPY extend/imagick-${IMAGICK_VERSION}.tgz /opt/imagick.tgz
# RUN docker-php-source extract \
# && cd /opt/ && tar zxvf imagick.tgz && mv imagick-${IMAGICK_VERSION} /usr/src/php/ext/imagick \
# && docker-php-ext-configure imagick --with-php-config=/usr/local/bin/php-config --with-imagick=/usr/local/ImageMagick \
# && docker-php-ext-install imagick
# RUN rm -rf /opt/*.tgz && rm -rf /opt/*.tar.gz
RUN apt-get update && apt-get install -y \
# 221020 add libmagickwand-dev for imagick
# libmagickwand-dev \
# pecl install imagick \
# docker-php-ext-enable imagick \
# # Success
# true \
vim \
wget \
git \
bzip2 \
zip \
libz-dev \
libssl-dev \
libnghttp2-dev \
libpcre3-dev \
libmemcached-dev \
libzip-dev \
libbz2-dev \
libjpeg-dev \
libpng-dev \
curl \
libcurl4-openssl-dev \
libonig-dev \
libxml2-dev \
supervisor \
libfreetype6-dev \
libjpeg62-turbo-dev \
zlib1g-dev \
# 221020 add libicu-dev g++ intl
# libicu-dev g++ \
# 221020 add libicu-dev g++ intl
libmagickwand-dev \
&& docker-php-ext-configure intl \
&& docker-php-ext-install intl \
# 如果安装的扩展需要自定义配置时,# 添加GD库相关的设置
&& docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
# --with-gd 报错
# --with-png=/usr 报错\
# --with-xpm=/usr 报错\
# --enable-gd-jis-conv \
# 重新编译后,还是报错,后来又添加了一项
## --enable-gd-native-ttf #报错
# 221020 add imagick-beta as imagick
&& pecl install imagick-beta \
&& echo "extension=imagick.so" > /usr/local/etc/php/conf.d/imagick.ini \
&& pecl clear-cache \
&& docker-php-ext-install -j$(nproc) gd \
&& docker-php-ext-install zip \
&& docker-php-ext-install pdo_mysql \
&& docker-php-ext-install opcache \
&& docker-php-ext-install mysqli \
&& docker-php-ext-install mbstring \
&& docker-php-ext-install bz2 \
&& docker-php-ext-install soap \
# 221020 add imagick
# && docker-php-ext-install imagick
&& rm -r /var/lib/apt/lists/*\
&& usermod -u 1000 www-data\
&& groupmod -g 1000 www-data
# Composer安装
RUN curl -sS https://getcomposer.org/installer | php \
&& mv composer.phar /usr/local/bin/composer \
&& composer self-update --clean-backups
# Mysqli 扩展 自带 直接安装即可(当前数据库使用的mysqli查询的)
RUN docker-php-ext-install mysqli
# PDO 扩展 自带 直接安装即可
RUN docker-php-ext-install pdo_mysql
# Bcmath 扩展 自带 直接安装即可
RUN docker-php-ext-install bcmath
# Redis 扩展下载 pecl本地安装 开启扩展
RUN wget http://pecl.php.net/get/redis-${PHPREDIS_VERSION}.tgz -O /tmp/redis.tgz \
&& pecl install /tmp/redis.tgz \
&& rm -rf /tmp/redis.tgz \
&& docker-php-ext-enable redis
# memcached 扩展下载 pecl本地安装 开启扩展 前面已经通过 apt-get安装了libmemcached-dev依赖
RUN wget http://pecl.php.net/get/memcached-${MEMCACHED_VERSION}.tgz -O /tmp/memcached.tgz \
&& pecl install /tmp/memcached.tgz \
&& rm -rf /tmp/memcached.tgz \
&& docker-php-ext-enable memcached
# mongodb 扩展下载 pecl本地安装 开启扩展 前面已经通过
RUN wget http://pecl.php.net/get/mongodb-${MONGODB_VERSION}.tgz -O /tmp/mongodb.tgz \
&& pecl install /tmp/mongodb.tgz \
&& rm -rf /tmp/mongodb.tgz \
&& docker-php-ext-enable mongodb
# 开启php-fpm
# RUN php-fpm
CMD ["php-fpm", "-F"]
这里涉及traefik给nginx转发的问题,需要这么配置:/var/lib/docker/volumes/dc1_lnmpnginxConf/_data/conf.d/default.conf
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
# root /usr/share/nginx/html;
root /usr/share/nginx/html/weiyoun.com;
index index.html index.htm index.php;
#伪静态
if (!-e $request_filename)
{
rewrite (.*) /index.php;
}
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
fastcgi_pass php:9000;#这里php就是php容器的名字
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html/weiyoun.com$fastcgi_script_name;#此处配置要注意,有坑
include fastcgi_params;
}
traefik域名前后缀配置
http:
routers:
api:
entryPoints:
- "web"
rule: "Host(`traefik.pbeta.cn`)"
service: api@internal
whoami:
entryPoints:
- "web"
rule: "Host(`traefik.pbeta.cn`) && Path(`/whoami`)"
service: whoami@docker
ghost:
entryPoints:
- "web"
rule: "Host(`ghost.pbeta.cn`) "
service: ghost
services:
ghost:
loadBalancer:
servers:
- url: "http://47.74.154.202:2368/"