High-performance layer-7 (HTTP) reverse proxy, reaching roughly 80-90% of NGINX throughput; it hot-reloads its configuration and discovers backends from a range of providers, including container orchestration frameworks (Docker, Kubernetes, Rancher, etc.).
Overall structure
Because it is a layer-7 reverse proxy, it listens on the configured http and https entrypoints and routes requests by the HTTP Host header (or other HTTP attributes such as path prefix); it does not forward raw TCP by IP and port (Traefik 1.x; TCP routing only arrived in 2.0).
Configuration
Configuration loading priority (highest first): KV store (Consul, etcd, ZooKeeper, ...) > command-line arguments > configuration file > built-in defaults.
Configuration file (traefik.toml)
# entryPoints: listening sockets; plain http is redirected to https
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]   # required: marks the entrypoint as TLS so the [acme] section below can attach certificates to it

# frontends: match a request and hand it to a backend
[frontends]
  [frontends.myfront]
  backend = "mybackend"
  passHostHeader = true   # forward the client's Host header unchanged to the backend
  passTLSCert = true      # forward the client certificate in X-Forwarded-Tls-Client-Cert; the backend must trust that header only when it comes from Traefik
  priority = 10           # when several frontends match, the highest priority wins
  entrypoints = ["https"]
    [frontends.myfront.headers.customresponseheaders]   # custom response headers
    X-MY-Response-Header = "xxx"
    [frontends.myfront.headers.customrequestheaders]    # custom request headers
    X-MY-Request-Header = "xxx"
    [frontends.myfront.routes.test_1]
    rule = "Host:my.com"

# backends: the servers a frontend forwards to (table names are camelCase as in the Traefik 1.x docs; mixing cases creates separate tables)
[backends]
  [backends.mybackend]
    [backends.mybackend.circuitBreaker]
    expression = "NetworkErrorRatio() > 0.5"   # stop forwarding while more than half of recent requests end in network errors
    [backends.mybackend.loadBalancer]
    method = "drr"   # dynamic round robin; "wrr" is static weighted round robin
      [backends.mybackend.loadBalancer.stickiness]   # cookie-based session stickiness
      cookieName = "my_cookie"   # name of the cookie Traefik sets to pin a client to one server
    [backends.mybackend.healthCheck]
    path = "/health"
    interval = "10s"
    port = 8080   # probe this port instead of the server's own port
    [backends.mybackend.maxConn]
    amount = 1000   # concurrent-request cap, counted per value of extractorFunc
    extractorFunc = "request.host"   # alternatives: client.ip, request.header.<header name>
    [backends.mybackend.servers.server1]
    url = "http://172.17.0.2:80"
    weight = 1
    [backends.mybackend.servers.server2]
    url = "http://172.17.0.3:80"
    weight = 2

# acme: automatic certificates from Let's Encrypt
[acme]
email = "[email protected]"   # contact address registered with the CA; put a real mailbox here
storage = "acme.json"   # holds the account key and every private key in clear text; keep it mode 0600
onHostRule = true   # request a certificate for each Host rule of frontends bound to acme.entryPoint
onDemand = true     # request a certificate during the first TLS handshake for a not-yet-known hostname (see the note below)
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"   # default is the production CA; staging issues untrusted test certificates with relaxed rate limits (ACMEv2, Traefik 1.6+; the old acme-staging.api.letsencrypt.org ACMEv1 endpoint is retired)
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"   # HTTP-01 challenge is answered on :80 before the https redirect applies
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2.local2.com"]

# ping: liveness endpoint (when healthy, `traefik healthcheck` exits 0 and GET /ping returns 200)
[ping]
entryPoint = "traefik"   # entrypoint on which /ping is served

Note on onDemand: the hostname comes from the client's SNI, so any client can make Traefik request certificates for arbitrary names; the first handshake for each name is slow and the CA's rate limit can be exhausted. Use it only for testing and rely on onHostRule or explicit [[acme.domains]] entries in production.
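A hardened variant of the file above, added here as an example (it is not from the original page or the Traefik project): TLS 1.2 as the floor on the https entrypoint, the API/dashboard moved to its own entrypoint behind basic auth, the /ping probe on a separate unauthenticated entrypoint, HSTS and anti-clickjacking headers on the frontend, and onDemand switched off. The users-file path, the contact address and the hostname my.com are placeholders; create the users file with `htpasswd -cB /etc/traefik/.htpasswd admin` (bcrypt).

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"   # reject TLS 1.0/1.1 handshakes
  # API and dashboard on a dedicated port, protected by basic auth; keep this port off public interfaces
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    usersFile = "/etc/traefik/.htpasswd"   # placeholder path; htpasswd file with bcrypt entries
  # liveness probe on its own port so the probe needs no credentials
  [entryPoints.ping]
  address = ":8082"

[api]
entryPoint = "traefik"
dashboard = true

[ping]
entryPoint = "ping"

[frontends]
  [frontends.myfront]
  backend = "mybackend"
  entrypoints = ["https"]   # not also on "http": the redirect already handles plain requests
    [frontends.myfront.headers]
    STSSeconds = 31536000        # HSTS for one year
    STSIncludeSubdomains = true
    frameDeny = true             # X-Frame-Options: DENY
    contentTypeNosniff = true    # X-Content-Type-Options: nosniff
    browserXSSFilter = true      # X-XSS-Protection: 1; mode=block
    [frontends.myfront.routes.test_1]
    rule = "Host:my.com"

[backends]
  [backends.mybackend]
    [backends.mybackend.servers.server1]
    url = "http://172.17.0.2:80"

[acme]
email = "admin@example.com"   # placeholder contact address
storage = "acme.json"
entryPoint = "https"
onHostRule = true    # certificates only for hostnames that appear in frontend rules
onDemand = false     # an arbitrary client SNI must not trigger an issuance
  [acme.httpChallenge]
  entryPoint = "http"
```

The dashboard port still has to be firewalled or bound to an internal interface: basic auth limits who can use it, not who can reach it.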
Labels
Traefik also reads its routing configuration from labels set on the service objects of the provider it watches (Docker containers, Rancher services; see https://docs.traefik.io/configuration/backends/rancher/#labels-overriding-default-behaviour ). The basic ones:
* traefik.enable=true: expose this service through Traefik (required when the provider runs with exposedByDefault = false)
* traefik.frontend.rule=Host:test.traefik.io: the frontend rule, here matching on the Host header
* traefik.backend=someservice: the backend name the service is registered under
docker-compose deployment
version: '2'
services:
  reverse-proxy:
    image: traefik:1.7   # pin the 1.x line; the untagged image now resolves to Traefik 2/3, whose flags and config format differ
    command: --api --docker   # enable the web UI/API and watch Docker
    ports:
      - "80:80"       # http entrypoint
      - "8080:8080"   # web UI and API (--api); unauthenticated, so do not publish it on a public interface
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # lets Traefik watch containers, but also hands root-equivalent control of the host to anything that compromises this container
      - ~/traefik.toml:/etc/traefik/traefik.toml   # custom configuration (optional)
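The label and compose sections fit together: the compose file below runs Traefik plus a second service that is published purely through labels. This is an added example, not from the page or the Traefik project; the `whoami` service name, the containous/whoami image and the hostname whoami.example.com are assumptions. It also runs the Docker provider with `--docker.exposedbydefault=false`, so only containers carrying `traefik.enable=true` are routed.

```yaml
version: '2'
services:
  reverse-proxy:
    image: traefik:1.7   # pin the 1.x line; untagged "traefik" is 2.x/3.x with different flags
    # --docker.exposedbydefault=false: containers are not published unless they opt in with traefik.enable=true
    command: --api --docker --docker.exposedbydefault=false
    ports:
      - "80:80"
      - "127.0.0.1:8080:8080"   # dashboard/API reachable only from the host itself
    volumes:
      # a read-only mount only stops writes to the socket file; Docker API calls over it still control the host
      - /var/run/docker.sock:/var/run/docker.sock:ro
  whoami:
    image: containous/whoami   # assumed demo backend that echoes the request it receives
    labels:
      - "traefik.enable=true"                            # opt in (required because exposedByDefault is off)
      - "traefik.backend=whoami"                         # backend name
      - "traefik.frontend.rule=Host:whoami.example.com"  # route on the Host header
      - "traefik.port=80"                                # container port Traefik forwards to
      - "traefik.frontend.entryPoints=http"
```

With this setup a `curl -H 'Host: whoami.example.com' http://localhost/` reaches the whoami container, while any other container on the host stays unreachable through Traefik until it gets its own `traefik.enable=true` label.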
K8S deployment
RBAC authorization
If the cluster has RBAC enabled, Traefik's ServiceAccount must be allowed to read the objects it watches (read-only verbs only; Secrets are needed for the TLS certificates referenced by Ingresses).
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets   # read access to every Secret in the cluster; needed for TLS certificates referenced by Ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
DaemonSet deployment
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1   # extensions/v1beta1 was removed in Kubernetes 1.16; apps/v1 requires an explicit selector
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true   # binds :80 and :8080 directly on every node's network namespace
      containers:
      - image: traefik:1.7   # pin the 1.x line; the untagged image now resolves to Traefik 2/3 with a different config format
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]   # binding :80 is the only privilege needed; privileged: true is not required
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin   # publishes the unauthenticated API/dashboard as a NodePort on every node; drop this port or put auth in front of it
  type: NodePort
Create the Traefik UI entry
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1   # the API group Traefik 1.x watches (matches the ClusterRole above); needs Kubernetes < 1.22
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.example.com   # without the basic-auth annotations from the next section anyone who can resolve this name reaches the dashboard
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
HTTP Basic auth
Protect the Traefik UI Ingress with basic authentication:
htpasswd -c ./auth <username>   # enter the password at the prompt; add -B for bcrypt instead of the default MD5 (apr1)
kubectl create secret generic mysecret --from-file auth --namespace=kube-system   # the Secret must live in the Ingress's own namespace (kube-system here); Traefik does not look it up elsewhere
# add the following annotations to the traefik-web-ui Ingress
ingress.kubernetes.io/auth-type: "basic"
ingress.kubernetes.io/auth-secret: "mysecret"
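The two things that silently break this procedure are a Secret created in the wrong namespace and a users file whose hashes are weaker than intended. The script below, an added example that is not part of the page or of Traefik, rebuilds what `kubectl create secret generic ... --from-file auth` produces and audits an Ingress/Secret pair for both problems. The manifests and the hash strings are constructed fixtures: the hashes only have the prefix shape of `htpasswd -B` (bcrypt) and plain `htpasswd` (apr1) output and are not real credentials.

```python
from __future__ import annotations
import base64

# hash formats a Traefik 1.x basic-auth users file can contain, by prefix
BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")
APR1_PREFIX = "$apr1$"
SHA1_PREFIX = "{SHA}"
AUTH_TYPE = "ingress.kubernetes.io/auth-type"
AUTH_SECRET = "ingress.kubernetes.io/auth-secret"


def build_auth_secret(name: str, namespace: str, htpasswd_text: str) -> dict:
    """What `kubectl create secret generic NAME --from-file auth` produces:
    the file body base64-encoded under data.auth."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"auth": base64.b64encode(htpasswd_text.encode()).decode()},
    }


def classify_hash(hashed: str) -> str:
    """Name the htpasswd hash scheme from its prefix (no verification)."""
    if hashed.startswith(BCRYPT_PREFIXES):
        return "bcrypt"
    if hashed.startswith(APR1_PREFIX):
        return "apr1-md5"
    if hashed.startswith(SHA1_PREFIX):
        return "sha1"
    return "unknown"


def parse_htpasswd(text: str) -> list[tuple[str, str]]:
    """Return (user, scheme) per line; a line without 'user:hash' is 'malformed'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        entries.append((user, classify_hash(hashed) if sep and hashed else "malformed"))
    return entries


def audit_basic_auth(ingress: dict, secrets: list[dict]) -> list[str]:
    """Findings for one Ingress against the Secrets visible in the cluster."""
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    ns = meta["namespace"]
    findings = []
    if ann.get(AUTH_TYPE) != "basic":
        findings.append("auth-type annotation is not 'basic'")
    secret_name = ann.get(AUTH_SECRET)
    if not secret_name:
        return findings + ["auth-secret annotation missing"]
    # Traefik resolves the secret in the Ingress's own namespace only
    match = [s for s in secrets
             if s["metadata"]["name"] == secret_name and s["metadata"]["namespace"] == ns]
    if not match:
        return findings + [f"secret {secret_name} not found in namespace {ns}"]
    auth_b64 = match[0].get("data", {}).get("auth")
    if auth_b64 is None:
        return findings + ["secret has no 'auth' key"]
    entries = parse_htpasswd(base64.b64decode(auth_b64).decode())
    if not entries:
        findings.append("auth file has no entries")
    for user, scheme in entries:
        if scheme != "bcrypt":
            findings.append(f"user {user}: weak or unusable hash ({scheme})")
    return findings


# constructed fixtures: the Ingress from the page and three candidate Secrets
UI_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "traefik-web-ui",
        "namespace": "kube-system",
        "annotations": {
            "kubernetes.io/ingress.class": "traefik",
            AUTH_TYPE: "basic",
            AUTH_SECRET: "mysecret",
        },
    },
}
# placeholder hashes shaped like `htpasswd -nB` (bcrypt) and plain `htpasswd` (apr1) output
BCRYPT_LINE = "admin:$2y$05$" + "a" * 53 + "\n"
APR1_LINE = "admin:$apr1$saltsalt$" + "b" * 22 + "\n"
SECRET_WRONG_NS = build_auth_secret("mysecret", "monitoring", BCRYPT_LINE)
SECRET_APR1 = build_auth_secret("mysecret", "kube-system", APR1_LINE)
SECRET_BCRYPT = build_auth_secret("mysecret", "kube-system", BCRYPT_LINE)

if __name__ == "__main__":
    for label, secret in (("wrong namespace", SECRET_WRONG_NS),
                          ("apr1 hash", SECRET_APR1), ("bcrypt hash", SECRET_BCRYPT)):
        print(f"{label}: {audit_basic_auth(UI_INGRESS, [secret]) or ['ok']}")
```

Against live objects, feed `audit_basic_auth` the output of `kubectl get ingress -o json` and `kubectl get secrets -A -o json`; the namespace check is the one that catches the `--namespace=monitoring` mistake, since Traefik simply serves the Ingress without auth when the referenced Secret cannot be found.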