# Installing the Traefik server in Astana

```sh
ssh ubuntu@194.32.140.11 -p 22
```

# Installing Traefik on Linux Mint / Ubuntu

## 📥 Step 1. Install dependencies

Make sure `wget` and `systemd` are installed:

```sh
sudo apt update &&
sudo apt install wget
```

---

## 📥 Step 2. Download the latest Traefik release

Check the current version at: [Traefik Releases](https://github.com/traefik/traefik/releases)

Example for version `v3.0.0`:

```sh
cd ~ &&
wget https://github.com/traefik/traefik/releases/download/v3.3.4/traefik_v3.3.4_linux_amd64.tar.gz
```

## 📥 Create the group and user that traefik will run as

Create the home directory, group and user:

```sh
sudo mkdir -p /etc/traefik &&
cd /etc/traefik &&
sudo groupadd traefik &&
sudo useradd -s /bin/false -g traefik -d /etc/traefik traefik
```

---

## 📥 Step 3. Unpack and install

```sh
cd ~ &&
tar -xvzf traefik_v3.3.4_linux_amd64.tar.gz &&
sudo mv traefik /usr/local/bin/
```

Check the version:

```sh
traefik version
```

```conf
Version:      3.3.4
Codename:     saintnectaire
Go version:   go1.23.6
Built:        2025-02-25T10:11:01Z
OS/Arch:      linux/amd64
```

Allow the binary to bind to ports below 1024:

```sh
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik
```

---

### Example `traefik.yml`

```sh
cd /etc/traefik &&
sudo tee /etc/traefik/traefik.yml > /dev/null <<'EOF'
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
  traefik:
    address: ":8070"

api:
  dashboard: true
  #insecure: true

# Certificate settings (example with Let's Encrypt)
certificatesResolvers:
  myresolver:
    acme:
      email: "irigm@mail.ru"
      storage: "/etc/traefik/acme.json"
      httpChallenge:
        entryPoint: web

providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
    watch: true

log:
  level: DEBUG
EOF
```

### Example `dynamic.yml`

```sh
cd /etc/traefik &&
sudo tee /etc/traefik/dynamic.yml > /dev/null <<'EOF'
---
http:
  routers:
    dashboard:
      entryPoints:
        - traefik
      rule: "Host(`194.32.140.11`)"
      service: api@internal
      middlewares:
        - dashboard-auth

    ccalm-api-auth:
      entryPoints:
        - websecure
      rule: "(Host(`locust.ge`) || Host(`almaty.ccalm.org`) || Host(`ccalm.org`)) && PathPrefix(`/api/authorization/v02/`)"
      service: org_ccalm_api_authorization_v02
      tls:
        certresolver: myresolver
      middlewares:
        - strip-auth-prefix

    ccalm-dbms:
      entryPoints:
        - websecure
      rule: "(Host(`locust.ge`) || Host(`almaty.ccalm.org`) || Host(`ccalm.org`)) && PathPrefix(`/api/dbms/v09/`)"
      service: org_ccalm_dbms_v09
      tls:
        certresolver: myresolver
      middlewares:
        - strip-dbms-prefix

    ccalm-translation:
      entryPoints:
        - websecure
      rule: "(Host(`locust.ge`) || Host(`almaty.ccalm.org`) || Host(`ccalm.org`)) && PathPrefix(`/api/translation/v01/`)"
      service: org_ccalm_translation_v01
      tls:
        certresolver: myresolver
      middlewares:
        - strip-translation-prefix

    ccalm-login:
      entryPoints:
        - websecure
      rule: "(Host(`locust.ge`) || Host(`almaty.ccalm.org`) || Host(`ccalm.org`)) && PathPrefix(`/login/`)"
      service: org_ccalm_login_v01
      tls:
        certresolver: myresolver

    org-ccalm-main:
      entryPoints:
        - websecure
      rule: "Host(`locust.ge`) || Host(`almaty.ccalm.org`) || Host(`ccalm.org`)"
      service: org_ccalm_main
      tls:
        certresolver: myresolver

    acme-http:
      rule: "PathPrefix(`/.well-known/acme-challenge/`)"
      entryPoints:
        - web
      middlewares: []
      service: noop
      priority: 1000

  services:
    # backend org_ccalm_api_authorization_v02
    org_ccalm_api_authorization_v02:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8082"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"

    # org_ccalm_dbms_v09 backend
    org_ccalm_dbms_v09:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8084"
        serversTransport: insecureTransport
        healthCheck:
          path: "/"
          interval: "5s"

    # Translation backend
    org_ccalm_translation_v01:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8085"
        passHostHeader: false
        serversTransport: insecureTransport
        healthCheck:
          path: ""
          interval: "5s"

    # Backend for org_ccalm_login_v01 (HTTP, without SSL)
    org_ccalm_login_v01:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8081"
        healthCheck:
          path: "/"
          interval: "5s"
        serversTransport: insecureTransport

    # Default backend for ccalm.org
    org_ccalm_main:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:8083"
        healthCheck:
          path: "/"
          interval: "5s"
        serversTransport: insecureTransport

    # Fake noop service
    noop:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1"

  # Define a transport that disables SSL certificate verification
  serversTransports:
    insecureTransport:
      insecureSkipVerify: true

  middlewares:
    strip-dbms-prefix:
      stripPrefix:
        prefixes:
          - "/api/dbms/v09"
    strip-auth-prefix:
      stripPrefix:
        prefixes:
          - "/api/authorization/v02"
    strip-translation-prefix:
      stripPrefix:
        prefixes:
          - "/api/translation/v01"

    dashboard-auth:
      basicAuth:
        users:
          - "admin:$apr1$NUoqcU3I$O6VxeuGhsA6RSIyh6rNbo." # htpasswd -nb admin t745632746573t
EOF
```

To check the syntax:

```sh
yamllint -d "{extends: default, rules: {line-length: disable}}" /etc/traefik/dynamic.yml
```

Create the file for storing certificates:

```sh
# The service runs as user traefik (see the unit file below), so that user must own the file
sudo touch /etc/traefik/acme.json &&
sudo chmod 600 /etc/traefik/acme.json &&
sudo chown traefik:traefik /etc/traefik/acme.json
```

---

## ⚙️ Step 5. Configure systemd for autostart

Create the service file:

```sh
cd /etc/systemd/system &&
sudo tee /etc/systemd/system/traefik.service > /dev/null <<'EOF'
[Unit]
Description=Reverse proxy Traefik
After=network.target

[Service]
User=traefik
Group=traefik
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml
Restart=always

[Install]
WantedBy=multi-user.target
EOF
```

Apply:

```sh
sudo systemctl daemon-reload &&
sudo systemctl enable traefik &&
sudo systemctl start traefik &&
sudo systemctl status traefik
```

```sh
sudo systemctl restart traefik
```

---

## 🔎 Step 6. Verify that it works

Open in a browser, using the password set above:

```sh
open http://194.32.140.11:8070/dashboard
```

---

## ✅ Done!

Traefik is installed, running as a service and ready for use.
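
An added check, not part of the original notes: the script below scans a config directory laid out like `/etc/traefik` above and reports the settings from this setup that deserve a second look (an enabled `api.insecure`, `DEBUG` logging, `insecureSkipVerify: true`, an `htpasswd -nb` command left in a comment, and an `acme.json` whose mode is not 600). The function names `audit_traefik_dir` and `make_sample_dir` and the sample directory are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original page. Prints one "FINDING:" line per
# risky setting found in a Traefik config directory laid out like /etc/traefik above.
audit_traefik_dir() {
    dir=$1
    # Uncommented "insecure: true" exposes the API and dashboard without authentication.
    if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true' "$dir/traefik.yml" 2>/dev/null; then
        echo "FINDING: api.insecure is enabled in traefik.yml"
    fi
    # DEBUG is a troubleshooting level and far more verbose than a running service needs.
    if grep -Eq '^[[:space:]]*level:[[:space:]]*"?DEBUG' "$dir/traefik.yml" 2>/dev/null; then
        echo "FINDING: log level is DEBUG in traefik.yml"
    fi
    # insecureSkipVerify turns off certificate validation for backend connections.
    if grep -Eq '^[[:space:]]*insecureSkipVerify:[[:space:]]*true' "$dir/dynamic.yml" 2>/dev/null; then
        echo "FINDING: insecureSkipVerify is true in dynamic.yml"
    fi
    # A recorded "htpasswd -nb user password" comment keeps the plaintext beside its hash.
    if grep -Eq '#.*htpasswd[[:space:]]+-[A-Za-z]*b' "$dir/dynamic.yml" 2>/dev/null; then
        echo "FINDING: htpasswd command with a plaintext password in a dynamic.yml comment"
    fi
    # acme.json stores the ACME account key and the certificate private keys.
    if [ -e "$dir/acme.json" ]; then
        mode=$(stat -c '%a' "$dir/acme.json" 2>/dev/null || stat -f '%Lp' "$dir/acme.json")
        [ "$mode" = "600" ] || echo "FINDING: acme.json mode is $mode, expected 600"
    else
        echo "FINDING: acme.json is missing"
    fi
    return 0
}

# Constructed sample input: a small config directory with some of the settings above.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'api:\n  dashboard: true\n  #insecure: true\nlog:\n  level: DEBUG\n' > "$d/traefik.yml"
    printf 'http:\n  serversTransports:\n    insecureTransport:\n      insecureSkipVerify: true\n' > "$d/dynamic.yml"
    printf '{}\n' > "$d/acme.json"
    chmod 644 "$d/acme.json"
    echo "$d"
}

# Usage: sh audit.sh /etc/traefik   (with no argument, audits the constructed sample)
if [ -n "${1:-}" ]; then
    audit_traefik_dir "$1"
else
    sample=$(make_sample_dir); audit_traefik_dir "$sample"; rm -rf "$sample"
fi
```
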

Check which ports it is listening on:

```sh
sudo lsof -i -P -n | grep traefik
```

```sh
sudo journalctl -u traefik -f
```

---

## 🐳 Alternatively, install via Docker

If Docker is not installed, install it:

```sh
sudo apt update && sudo apt upgrade -y
sudo apt install -y docker.io docker-compose
sudo systemctl enable --now docker
```

Check the versions:

```sh
docker --version
docker-compose --version
```

```sh
sudo mkdir -p /opt/traefik
cd /opt/traefik
```

```sh
cd /opt/traefik &&
sudo tee docker-compose.yml > /dev/null <<'EOF'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"     # HTTP
      - "443:443"   # HTTPS
      - "8070:8070" # Dashboard
    volumes:
      - /etc/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - "--configFile=/etc/traefik/traefik.yml"
    networks:
      - traefik-net

networks:
  traefik-net:
    driver: bridge
EOF
```

## Starting the container

```sh
cd /opt/traefik &&
sudo docker-compose up -d
```

```sh
cd /opt/traefik &&
sudo docker-compose down
```

Open in a browser:

```sh
open http://192.168.200.85:8070/dashboard/
```

```sh
sudo docker logs traefik
```