From the outside we connect to the internal infrastructure through HAProxy, and inside I use Traefik.

Open the required server:

```sh
wsl
```

Opens the Traefik host at 192.168.200.85:

```sh
ssh igor@192.168.200.85 -p 22
```

# Installing Traefik on Linux Mint / Ubuntu

## 📥 Step 1. Install dependencies

Make sure `wget` and `systemd` are installed:

```sh
sudo apt update && sudo apt install wget
```

---

## 📥 Step 2. Download the latest version of Traefik

Check the current version at: [Traefik Releases](https://github.com/traefik/traefik/releases)

Example for version `v3.0.0` (the commands below fetch `v3.3.4`):

```sh
cd ~ && wget https://github.com/traefik/traefik/releases/download/v3.3.4/traefik_v3.3.4_linux_amd64.tar.gz
```

---

## 📥 Step 3. Unpack and install

```sh
cd ~ && tar -xvzf traefik_v3.3.4_linux_amd64.tar.gz && sudo mv traefik /usr/local/bin/
```

Check the version:

```sh
traefik version
```

---

## 📁 Step 4. Create the directory and the base config

```sh
sudo mkdir -p /etc/traefik && cd /etc/traefik
```

### Example `traefik.yml`

```sh
cd /etc/traefik && sudo tee /etc/traefik/traefik.yml > /dev/null <<'EOF'
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
  traefik:
    address: ":8989"

api:
  dashboard: true
  insecure: true

providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true

# Certificate setup (Let's Encrypt example)
certificatesResolvers:
  myresolver:
    acme:
      email: "irigm@mail.ru"
      storage: "/etc/traefik/acme.json"
      httpChallenge:
        entryPoint: web

log:
  level: DEBUG
EOF
```

Note: `api.insecure: true` serves the API and the dashboard directly on the entryPoint named `traefik` (`:8989` here), with no router or authentication in between, so that port must not be reachable beyond the management network (block it in HAProxy and the host firewall).

### Example `dynamic.yml`

```sh
cd /etc/traefik && sudo tee /etc/traefik/dynamic.yml > /dev/null <<'EOF'
http:
  routers:
    dashboard:
      entryPoints:
        - traefik
      rule: "Host(`localhost`)"
      service: api@internal
    ccalm-api-auth:
      entryPoints:
        - websecure
      rule: "(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/api/authorization/v02/`)"
      service: org_ccalm_api_authorization_v02
      tls:
        certresolver: myresolver
      middlewares:
        - strip-auth-prefix
    ccalm-dbms:
      entryPoints:
        - websecure
      rule: "(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/api/dbms/v09/`)"
      service: org_ccalm_dbms_v09
      tls:
        certresolver: myresolver
      middlewares:
        - strip-dbms-prefix
    ccalm-translation:
      entryPoints:
        - websecure
      rule: "(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/api/translation/v01/`)"
      service: org_ccalm_translation_v01
      tls:
        certresolver: myresolver
      #middlewares:
      #  - strip-translation-prefix
    ccalm-login:
      entryPoints:
        - websecure
      rule: "(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/login/`)"
      service: org_ccalm_login_v01
      tls:
        certresolver: myresolver
    ccalm-default:
      entryPoints:
        - websecure
      rule: "(Host(`ccalm.test`) || Host(`almaty.ccalm.test`))"
      service: org_ccalm
      tls:
        certresolver: myresolver
    powerdns:
      entryPoints:
        - websecure
      rule: "Host(`powerdns.local`)"
      service: local_powerdns
      tls: {}
    gotify:
      entryPoints:
        - websecure
      rule: "Host(`gotify.local`)"
      service: local_gotify
      tls: {}
    vault:
      entryPoints:
        - websecure
      rule: "Host(`vault.local`)"
      service: local_vault
      tls: {}

  middlewares:
    strip-auth-prefix:
      stripPrefix:
        prefixes:
          - "/api/authorization/v02"
    strip-dbms-prefix:
      stripPrefix:
        prefixes:
          - "/api/dbms/v09"
    strip-translation-prefix:
      stripPrefix:
        prefixes:
          - "/api/translation/v01"

  services:
    # Backend for local_powerdns
    local_powerdns:
      loadBalancer:
        servers:
          - url: "http://192.168.200.85:9191"
        healthCheck:
          path: "/"
          interval: "5s"
    # Backend for local_gotify
    local_gotify:
      loadBalancer:
        servers:
          - url: "https://192.168.200.84:8080"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"
    # Backend for local_vault
    local_vault:
      loadBalancer:
        servers:
          - url: "https://192.168.200.85:8200"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"
    # Backend for org_ccalm_api_authorization_v02 (HTTPS with SSL verification disabled)
    org_ccalm_api_authorization_v02:
      loadBalancer:
        servers:
          - url: "https://192.168.200.184:8082"
        serversTransport: insecureTransport  # reference to the transport with verification disabled
        healthCheck:
          path: "/"
          interval: "5s"
    # Backend for org_ccalm_dbms_v09 (HTTPS with SSL verification disabled)
    org_ccalm_dbms_v09:
      loadBalancer:
        servers:
          - url: "https://192.168.200.184:8084"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"
    # Backend for org_ccalm_translation_v01 (HTTPS with SSL verification disabled)
    org_ccalm_translation_v01:
      loadBalancer:
        servers:
          #- url: "https://192.168.200.184:8085"
          - url: "https://ccalm.org"
        passHostHeader: false
        serversTransport: insecureTransport
        healthCheck:
          path: ""
          interval: "5s"
    # Backend for org_ccalm_login_v01 (HTTP, no SSL)
    org_ccalm_login_v01:
      loadBalancer:
        servers:
          - url: "http://192.168.200.184:3000"
        healthCheck:
          path: "/"
          interval: "5s"
    # Default backend org_ccalm (HTTPS with SSL verification disabled)
    org_ccalm:
      loadBalancer:
        servers:
          - url: "https://192.168.200.184:8083"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"

  # Define the transport that disables SSL verification
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

# Add certificates
tls:
  certificates:
    - certFile: "/etc/traefik/certs/ccalm.test.crt"
      keyFile: "/etc/traefik/certs/ccalm.test.key"
    - certFile: "/etc/traefik/certs/powerdns.local.crt"
      keyFile: "/etc/traefik/certs/powerdns.local.key"
    - certFile: "/etc/traefik/certs/gotify.local.crt"
      keyFile: "/etc/traefik/certs/gotify.local.key"
    - certFile: "/etc/traefik/certs/vault.local.crt"
      keyFile: "/etc/traefik/certs/vault.local.key"
    - certFile: "/etc/traefik/certs/wildcard.local.crt"
      keyFile: "/etc/traefik/certs/wildcard.local.key"
    - certFile: "/etc/traefik/certs/wildcard.test.crt"
      keyFile: "/etc/traefik/certs/wildcard.test.key"
EOF
```

The file for storing the ACME certificates (Traefik expects mode `600` on it):

```sh
sudo touch /etc/traefik/acme.json && sudo chmod 600 /etc/traefik/acme.json
```

---
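To see how a request is resolved against the routers above (rule matching with Traefik's default priority, where the longer rule wins, then the router's `stripPrefix`), here is an added Python model of a subset of this `dynamic.yml`. It is example code written for this page, not part of these notes or of Traefik; the two dicts are constructed from the config above, and `insecure_backends()` lists the routers whose upstream is reached through the unverified `insecureTransport`.

```python
import re
# Constructed subset of this page's dynamic.yml: router -> (rule, service, prefix its stripPrefix middleware removes or None)
ROUTERS = {
    "ccalm-api-auth": ("(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/api/authorization/v02/`)",
                       "org_ccalm_api_authorization_v02", "/api/authorization/v02"),
    "ccalm-dbms": ("(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/api/dbms/v09/`)",
                   "org_ccalm_dbms_v09", "/api/dbms/v09"),
    "ccalm-login": ("(Host(`ccalm.test`) || Host(`almaty.ccalm.test`)) && PathPrefix(`/login/`)", "org_ccalm_login_v01", None),
    "ccalm-default": ("(Host(`ccalm.test`) || Host(`almaty.ccalm.test`))", "org_ccalm", None),
}
SERVICES = {  # service -> (upstream URL, serversTransport or None), as on the page
    "org_ccalm_api_authorization_v02": ("https://192.168.200.184:8082", "insecureTransport"),
    "org_ccalm_dbms_v09": ("https://192.168.200.184:8084", "insecureTransport"),
    "org_ccalm_login_v01": ("http://192.168.200.184:3000", None),
    "org_ccalm": ("https://192.168.200.184:8083", "insecureTransport"),
}
TOKEN = re.compile(r"(Host|PathPrefix)\(`([^`]*)`\)|(\|\||&&|\(|\))")

def matches(rule, host, path):  # evaluate a Traefik rule (Host, PathPrefix, ||, &&, parentheses)
    toks = [(m[1], m[2]) if m[1] else m[3] for m in TOKEN.finditer(rule)]
    pos = 0
    def binop(sub, op, combine):  # left-assoc chain of `sub` joined by `op`; every operand is consumed
        nonlocal pos
        val = sub()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            val = combine(val, sub())
        return val
    def factor():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok != "(":
            return host == tok[1] if tok[0] == "Host" else path.startswith(tok[1])
        val, pos = expr(), pos + 1  # parenthesised sub-rule, then consume the ')'
        return val
    term = lambda: binop(factor, "&&", lambda a, b: a and b)
    expr = lambda: binop(term, "||", lambda a, b: a or b)
    return expr()

def route(host, path):  # longest rule wins (Traefik's default priority), then the router's stripPrefix is applied
    for name, (rule, service, prefix) in sorted(ROUTERS.items(), key=lambda r: -len(r[1][0])):
        if matches(rule, host, path):
            url, transport = SERVICES[service]
            if prefix and path.startswith(prefix):
                path = path[len(prefix):] or "/"
            return name, url + path, transport
    return None  # no router matched: Traefik answers 404 itself

def insecure_backends():  # audit: routers whose TLS upstream is reached without certificate verification
    return sorted(n for n, (_, s, _) in ROUTERS.items() if SERVICES[s][1] == "insecureTransport")
```

Every router the audit returns is a hop where a spoofed backend would go unnoticed; those upstreams should get a certificate Traefik can verify, with a `serversTransports` entry that sets `rootCAs` instead of `insecureSkipVerify`.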
## ⚙️ Step 5. Configure systemd for autostart

Create the service file:

```sh
cd /etc/systemd/system && sudo tee /etc/systemd/system/traefik.service > /dev/null <<'EOF'
[Unit]
Description=Traefik
After=network.target

[Service]
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml
Restart=always

[Install]
WantedBy=multi-user.target
EOF
```

Apply:

```sh
sudo systemctl daemon-reload && sudo systemctl enable traefik && sudo systemctl start traefik && sudo systemctl status traefik
```

Restart after config changes:

```sh
sudo systemctl restart traefik
```

---

## 🔎 Step 6. Check that it works

Open in the browser (the `traefik` entryPoint in this `traefik.yml` listens on `:8989`, not `:8080`):

```sh
open http://192.168.200.85:8080/dashboard/
```

> ⚠️ Dashboard access is open only from localhost. Configure the rules for remote access.

---

## ✅ Done!

Traefik is installed, running as a service and ready to work.

Check which ports it is listening on:

```sh
sudo lsof -i -P -n | grep traefik
```

Follow the logs:

```sh
sudo journalctl -u traefik -f
```

---

## 🐳 As an alternative, you can install via Docker

If Docker is not installed, install it:

```sh
sudo apt update && sudo apt upgrade -y
sudo apt install -y docker.io docker-compose
sudo systemctl enable --now docker
```

Check the versions:

```sh
docker --version
docker-compose --version
```

```sh
sudo mkdir -p /opt/traefik
cd /opt/traefik
```

```sh
cd /opt/traefik && sudo tee docker-compose.yml > /dev/null <<'EOF'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"      # HTTP
      - "443:443"    # HTTPS
      - "8080:8080"  # Dashboard
    volumes:
      - /etc/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - "--configFile=/etc/traefik/traefik.yml"
    networks:
      - traefik-net

networks:
  traefik-net:
    driver: bridge
EOF
```

The `docker.sock` mount is only needed by the Docker provider, which this `traefik.yml` does not enable; the socket gives the container control over the Docker daemon (even read-only, since it accepts API requests), so drop that volume unless you switch to the Docker provider.

## Start the container

```sh
cd /opt/traefik && sudo docker-compose up -d
```

Stop and remove the container:

```sh
cd /opt/traefik && sudo docker-compose down
```

Open in the browser:

```sh
open http://192.168.200.85:8080/dashboard/
```

Container logs:

```sh
sudo docker logs traefik
```