【Question title】: Traefik: http, https, ws, wss on same domain (docker swarm)
【Posted】: 2019-10-05 21:54:06
【Question description】:

I am trying to configure traefik to serve http, https, ws and wss on the same domain. Here is my traefik initialization (docker-compose.yml):

    command:
      - "storeconfig"
      - "--api"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--entrypoints=Name:ws Address::8081 Redirect.EntryPoint:wss"
      - "--entrypoints=Name:wss Address::8083 TLS"
      - "--defaultentrypoints=http,https"
      - "--acme"
      - "--acme.entryPoint=https"
      - "--acme.httpChallenge.entryPoint=http"
      - "--acme.onHostRule=true"
      - "--acme.onDemand=false"
      - "--acme.email=${EMAIL}"
      - "--acme.storage=etc/traefik/acme/acme.json"
      - "--docker"
      - "--docker.swarmMode"
      - "--docker.watch"

And the deploy labels for the ws/wss service:

    deploy:
      labels:
        - traefik.enable=true
        - traefik.backend=ws-container-name
        - traefik.frontend.rule=Host:myhost
        - traefik.frontend.entryPoints=ws,wss
        - traefik.docker.network=traefik
        - traefik.port=9001

Result: ws works, wss does not

    % wscat -c ws://myhost:8081
    connected (press CTRL+C to quit)
    % wscat -c wss://myhost:8083
    error: unable to verify the first certificate

http and https (another container) work fine

Why doesn't traefik provide a certificate for wss?

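【Question discussion】:

  • To help others help you, it is best to provide a minimal working example. In this case, you could put together the docker-compose.yml that starts traefik along with a few echo services you want to test.
  • I solved the problem by updating traefik to v2, since it seems this cannot be done in v1.7. I posted the answer below.

Tags: docker ssl docker-compose docker-swarm traefik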


【Solution 1】:

The solution is to update traefik to version 2

Configuration example:

services:
  traefik:
    image: traefik:v2.0
    command:
      - "--accesslog=true"
      - "--log.level=ERROR"
      - "--api.insecure=true"
      - "--providers.docker"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik"
      - "--providers.docker.watch=true"
      - "--entryPoints.http.address=:80"
      - "--entryPoints.https.address=:443"
      - "--entryPoints.ws.address=:8081"
      - "--entryPoints.wss.address=:8083"
      - "--certificatesResolvers.dns.acme.email=mail@example.com"
      - "--certificatesResolvers.dns.acme.storage=/letsencrypt/acme.json"
      # Using DNS challenge is important to support a service without http protocol
      - "--certificatesResolvers.dns.acme.dnsChallenge=true"
      - "--certificatesResolvers.dns.acme.dnsChallenge.provider=godaddy"
      # ...
  http-service:
    # ...
    deploy:
      labels:
        - traefik.enable=true
        # important to tell traefik that swarm is load balancer
        - traefik.docker.lbswarm=true
        # redirect http
        - traefik.http.middlewares.http-redirect.redirectregex.regex=^http://(.*)
        - traefik.http.middlewares.http-redirect.redirectregex.replacement=https://$${1}
        # backend port
        - traefik.http.services.http.loadbalancer.server.port=80
        # http
        - traefik.http.routers.http.middlewares=http-redirect
        - traefik.http.routers.http.rule=Host(`example.com`)
        - traefik.http.routers.http.entrypoints=http
        # https
        - traefik.http.routers.https.rule=Host(`example.com`)
        - traefik.http.routers.https.entrypoints=https
        - traefik.http.routers.https.tls=true
        - traefik.http.routers.https.tls.certresolver=dns
  ws-service:
    # ...
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.lbswarm=true
        # backend port
        - traefik.http.services.ws-service.loadbalancer.server.port=9001
        # ws
        - traefik.http.routers.ws-service-ws.rule=Host(`example.com`)
        - traefik.http.routers.ws-service-ws.entrypoints=ws
        # wss
        - traefik.http.routers.ws-service-wss.rule=Host(`example.com`)
        - traefik.http.routers.ws-service-wss.entrypoints=wss
        - traefik.http.routers.ws-service-wss.tls=true
        - traefik.http.routers.ws-service-wss.tls.certresolver=dns

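【Discussion】:

  • Thanks for the example. However, the http-service configuration seems to refer to an nginx service rather than http-service. Is that intentional?
  • Thanks for the notice. No, it was not intentional; I forgot to replace it when copying the code from my project. Fixed =)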
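
A static check for the router labels used in the answer above, as an added example (not part of the original answer or of Traefik itself): it flags routers that enable TLS without a `certresolver`, which fall back to Traefik's default certificate unless a certificate is configured another way, and routers that serve plaintext with no middleware attached. The `broken-wss` router, the function names and the finding texts are constructed for illustration.

```python
import re
from collections import defaultdict

# Router labels from the answer's ws-service, plus one constructed router
# ("broken-wss", hypothetical) that enables TLS but names no certresolver.
LABELS = [
    "traefik.http.routers.ws-service-ws.rule=Host(`example.com`)",
    "traefik.http.routers.ws-service-ws.entrypoints=ws",
    "traefik.http.routers.ws-service-wss.rule=Host(`example.com`)",
    "traefik.http.routers.ws-service-wss.entrypoints=wss",
    "traefik.http.routers.ws-service-wss.tls=true",
    "traefik.http.routers.ws-service-wss.tls.certresolver=dns",
    "traefik.http.routers.broken-wss.rule=Host(`other.example.com`)",
    "traefik.http.routers.broken-wss.entrypoints=wss",
    "traefik.http.routers.broken-wss.tls=true",
]

ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$", re.I)
NO_RESOLVER = "TLS without certresolver: default certificate unless one is configured elsewhere"
PLAINTEXT = "no TLS and no middleware: served in plaintext without a redirect"


def parse_routers(labels):
    """Group router options by router name, e.g. {'ws-service-wss': {'tls': 'true'}}."""
    routers = defaultdict(dict)
    for label in labels:
        match = ROUTER_LABEL.match(label.strip())
        if match:
            name, option, value = match.groups()
            routers[name][option.lower()] = value.strip()
    return dict(routers)


def audit_routers(labels):
    """Return {router name: finding} for routers whose TLS setup needs a look."""
    findings = {}
    for name, opts in parse_routers(labels).items():
        # Assumption: any tls.* option creates the router's TLS section, like tls=true.
        tls_on = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        if tls_on and not opts.get("tls.certresolver"):
            findings[name] = NO_RESOLVER
        elif not tls_on and not opts.get("middlewares"):
            # Heuristic: only checks that some middleware is attached, not its type.
            findings[name] = PLAINTEXT
    return findings


if __name__ == "__main__":
    for router, finding in audit_routers(LABELS).items():
        print(f"{router}: {finding}")
```

On the answer's labels this reports the `ws-service-ws` router, which serves unencrypted WebSocket traffic on the `ws` entrypoint with no redirect, while the `http` router with its `http-redirect` middleware passes.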