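# Config, binary and state directories (the state dir will hold acme.json).
sudo mkdir -p /opt/traefik/etc/conf.d /opt/traefik/bin /srv/traefik

# Fetch the release to a temp file instead of piping straight into tar as
# root: -f makes curl fail on an HTTP error page, and the archive's checksum
# is verified before anything is extracted.  Take the SHA-256 from the
# release page for this exact version.
TRAEFIK_VERSION=v2.5.3
TRAEFIK_SHA256="<sha256 of traefik_${TRAEFIK_VERSION}_linux_amd64.tar.gz from the release page>"
tarball="$(mktemp)"
curl -fsSL -o "$tarball" "https://github.com/traefik/traefik/releases/download/${TRAEFIK_VERSION}/traefik_${TRAEFIK_VERSION}_linux_amd64.tar.gz"
# Only the traefik binary is extracted, and only if the checksum matched.
echo "${TRAEFIK_SHA256}  ${tarball}" | sha256sum -c - \
  && sudo tar -zxv -C /opt/traefik/bin -f "$tarball" traefik
rm -f "$tarball"

# System account with no login shell (use the distro's nologin path).
sudo useradd -d /srv/traefik -r -s /usr/sbin/nologin traefik

# Environment file read by systemd before dropping privileges; keep it
# root-owned and unreadable by others in case it holds secrets.
sudo touch /opt/traefik/etc/traefik.env
sudo chmod 600 /opt/traefik/etc/traefik.env
# Traefik itself writes only under /srv/traefik (ACME state).
sudo chown -R traefik:traefik /srv/traefik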
/etc/systemd/system/traefik.service:
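[Unit]
Description=The Cloud Native Application Proxy
# network-online.target is only reached if some unit Wants= it; pairing
# Wants= with After= on the same target is what actually delays start-up
# until the network is up (Wants=network.target alone does not).
Wants=network-online.target
After=network-online.target
# Since it is a critical service, restart it indefinitely until success
StartLimitIntervalSec=0

[Service]
Restart=always
RestartSec=5
Type=simple
# Read by systemd (as root) before switching to the traefik user, so the
# file can stay root-owned with mode 0600.
EnvironmentFile=/opt/traefik/etc/traefik.env
ExecStart=/opt/traefik/bin/traefik
WorkingDirectory=/opt/traefik/etc
User=traefik
Group=traefik
# Allow traefik to bind to <1024 ports
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Sandboxing: the process only needs to write its ACME state under
# /srv/traefik; the rest of the filesystem is read-only to it.  Add any
# other path Traefik must write (e.g. a log file) to ReadWritePaths=.
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/srv/traefik
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target default.target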
Redémarrage de systemd:
# Make systemd pick up the new unit file (repeat after every edit of traefik.service).
sudo systemctl daemon-reload
/opt/traefik/etc/traefik.yaml:
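# Static configuration: read once at start-up, so changes need a restart.
# (Nesting restored: as pasted, every key sat at the top level.)
log:
  level: "INFO"

# Access log goes to stdout by default, i.e. the journal under systemd.
accesslog: true

providers:
  # Dynamic configuration (routers, services, middlewares) lives in conf.d/
  # and is reloaded whenever a file there changes.
  file:
    directory: /opt/traefik/etc/conf.d/
    watch: true

global:
  sendanonymoususage: false
  checknewversion: false

entryPoints:
  # Plain HTTP; also the entry point the ACME HTTP-01 challenge is answered
  # on, so port 80 must stay reachable from the internet for issuance.
  http:
    address: ":80"
  https:
    address: ":443"

certificatesResolvers:
  le:
    acme:
      email: "nicolas.masse@itix.fr"
      keyType: "EC384"
      httpChallenge:
        # used during the challenge
        entryPoint: http
      # Holds the ACME account key and every issued private key.  Traefik
      # checks that the file is mode 0600, hence the chown of /srv/traefik
      # in the install steps.
      storage: "/srv/traefik/acme.json"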
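# enable --now also registers the unit for boot; a plain `start` would leave
# it disabled despite the [Install] section, so it would not come back after
# a reboot.
sudo systemctl enable --now traefik
sudo systemctl status traefik
# Traefik logs to stdout, so start-up errors (bad YAML, port in use, acme.json
# permissions) show up in the journal.
sudo journalctl -u traefik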
/opt/traefik/etc/conf.d/sample-http.yaml:
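# Dynamic configuration picked up from conf.d/ (nesting restored from the paste).
http:
  routers:
    lip6:
      rule: "Host(`lip6.itix.lab`)"
      # Plain-HTTP entry point: nothing sensitive should transit this router.
      entryPoints:
        - http
      # A bare `middlewares:` parses as null; an explicit empty list says
      # "none" unambiguously.
      middlewares: []
      service: "lip6"
  services:
    lip6:
      loadBalancer:
        servers:
          - url: "http://ftp.lip6.fr"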
Pour tester:
# Connects to the local port 80; the Host header is what selects the lip6 router.
curl http://localhost/ -H 'Host: lip6.itix.lab'
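# HTTPS variant: TLS is terminated by Traefik; the hop to the backend is
# plain HTTP (see the service url).  Nesting restored from the paste.
http:
  routers:
    lip6_https:
      rule: "Host(`lip6.itix.lab`)"
      entryPoints:
        - https
      # Explicit empty list rather than a bare key that parses as null.
      middlewares: []
      service: "lip6_https"
      tls:
        # The resolver only yields a certificate if the name is publicly
        # resolvable and port 80 is reachable for the challenge; otherwise
        # Traefik serves its default self-signed certificate.
        certResolver: le
  services:
    lip6_https:
      loadBalancer:
        servers:
          - url: "http://ftp.lip6.fr"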
Pour tester:
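# --resolve connects to the local Traefik while sending the real host name as
# both SNI and Host header, so the request also matches routers that look at
# SNI (HostSNI), which a Host header alone never does.  -k stays needed while
# the served certificate is not trusted locally (e.g. Traefik's default
# certificate when ACME cannot issue for the lab name).
curl -k --resolve lip6.itix.lab:443:127.0.0.1 https://lip6.itix.lab/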
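# TCP passthrough variant (nesting restored from the paste).
tcp:
  routers:
    lip6_https_sni:
      # Routing decision is taken on the TLS SNI only; no HTTP parsing here.
      rule: "HostSNI(`lip6.itix.lab`)"
      entryPoints:
        - https
      middlewares: []
      service: "lip6_https_sni"
      tls:
        # Passthrough forwards the TLS session untouched to the backend, so
        # Traefik never presents a certificate on this router; a certResolver
        # here would be unused and may only trigger a needless ACME request,
        # hence it is dropped.  Traefik matches TCP routers before HTTP routers
        # on a shared entry point, so this router shadows an HTTP router for
        # the same host on `https` (such as lip6_https) when both are loaded.
        passthrough: true
  services:
    lip6_https_sni:
      loadBalancer:
        servers:
          - address: "ftp.lip6.fr:443"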
Dans /opt/traefik/etc/traefik.yaml:
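# Exposes the dashboard as the internal service api@internal; it is reachable
# only through a router that targets that service (conf.d/dashboard.yaml),
# so keep api.insecure unset.  Nesting restored from the paste.
api:
  dashboard: true
ping:
  # Disable the built-in ping router so conf.d/ping.yaml can define its own.
  manualRouting: true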
Ajouter un service /opt/traefik/etc/conf.d/ping.yaml:
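# Health-check router (nesting restored from the paste).
http:
  routers:
    traefik-ping:
      # Only requests carrying "Host: localhost" match, which is enough for
      # local probes; the endpoint exposes no configuration data.
      rule: "Host(`localhost`)"
      entryPoints:
        - http
      # Built-in service; the custom router is needed because traefik.yaml
      # sets ping.manualRouting: true.
      service: "ping@internal"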
Ajouter un service /opt/traefik/etc/conf.d/dashboard.yaml:
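# Dashboard router protected by basic auth (nesting restored from the paste).
http:
  middlewares:
    isAdmin:
      basicAuth:
        users:
          # Sample credentials: replace the hash before use.  htpasswd -C raises
          # the bcrypt cost above the default of 5 used here.
          - "admin:$2y$05$7uTST6fYwX1uJ1JygPnJKuUjeX6N.b2E.RXNFIq9rNt8l7r6r19Ge" # htpasswd -Bbn admin s3cr3t
  routers:
    traefik-dashboard:
      rule: "Host(`dashboard.itix.lab`)"
      # Basic auth sends the password with every request, so the dashboard is
      # served on the TLS entry point rather than plain HTTP.
      entryPoints:
        - https
      tls:
        certResolver: le
      middlewares:
        - isAdmin
      service: "api@internal"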
Dans /opt/traefik/etc/traefik.yaml:
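serversTransport:
  # Disables certificate verification for every backend Traefik reaches over
  # HTTPS, not only ftp.lip6.fr, so an on-path attacker could impersonate any
  # upstream.  Prefer trusting the backend's own CA via rootCAs (next step).
  insecureSkipVerify: true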
Ou bien récupérer le certificat auto-signé du service cible:
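# -servername sends the SNI the server may need to pick the right certificate,
# -showcerts prints every certificate of the chain, and </dev/null ends the
# session once the handshake is printed instead of waiting for input.
openssl s_client -connect ftp.lip6.fr:443 -servername ftp.lip6.fr -showcerts </dev/null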
Copier/coller le certificat PEM et le placer dans un fichier /opt/traefik/etc/root-ca-lip6.pem.
Ajouter dans /opt/traefik/etc/traefik.yaml:
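# Verify the backend's certificate against its own CA instead of disabling
# verification altogether.  Nesting restored from the paste.
serversTransport:
  rootCAs:
    - /opt/traefik/etc/root-ca-lip6.pem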
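# Self-signed certificate for the lab host with a SAN (clients match on the
# SAN, not the CN).  The <( ... ) process substitution requires bash.
openssl req \
  -x509 \
  -newkey rsa:2048 \
  -sha256 \
  -days 3560 \
  -nodes \
  -keyout example.key \
  -out example.crt \
  -subj '/CN=lip6.itix.lab' \
  -extensions san \
  -config <( \
    echo '[req]'; \
    echo 'distinguished_name=req'; \
    echo '[san]'; \
    echo 'subjectAltName=DNS:lip6.itix.lab')
# -nodes leaves the private key unencrypted; make sure only its owner can read
# it (some OpenSSL versions already create it 0600, others follow the umask).
chmod 600 example.key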