Quickly Building a Secure (HTTPS) Local Development Environment (DNS Challenge Edition)

The previous post used the dev.localhost domain for the local HTTPS setup; this time we switch to a purchased domain whose DNS records resolve to 127.0.0.1.

First, buy a domain and add a DNS record that points it to 127.0.0.1:

Because the domain points at the local machine rather than a publicly reachable IP, the TLS certificate has to be obtained through a DNS challenge. The configuration options and required environment variables for each provider's DNS challenge can be found here: dnsChallenge. Below we configure it with alidns:

```yaml
version: "3.3"

services:
  traefik:
    container_name: traefik
    image: "traefik:latest"
    command:
      - "--api.dashboard=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--providers.docker"
      - "--log.level=ERROR"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=alidns"
      # wait 900 s before the check so the TXT record has had time to propagate
      - "--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=900"
      # explicitly use Alibaba Cloud's public resolver to speed up the lookup
      - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=223.5.5.5:53"
      - "--certificatesresolvers.myresolver.acme.email=xxx@xxx.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik-public
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    labels:
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.bilibill.site`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
    environment:
      - "ALICLOUD_ACCESS_KEY=xxxxxxxxx"
      - "ALICLOUD_SECRET_KEY=xxxxxxxxx"

  portainer:
    image: portainer/portainer-ce:latest
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - traefik-public
    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`portainer.bilibill.site`)"
      - "traefik.http.routers.frontend.entrypoints=websecure"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      - "traefik.http.routers.frontend.tls.certresolver=myresolver"

      # Edge
      - "traefik.http.routers.edge.rule=Host(`edge.bilibill.site`)"
      - "traefik.http.routers.edge.entrypoints=websecure"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"
      - "traefik.http.routers.edge.tls.certresolver=myresolver"

volumes:
  portainer_data:
networks:
  traefik-public:
    external: true
```

After creating the external network with docker network create traefik-public, run docker-compose up to start the services; opening https://traefik.bilibill.site/dashboard/#/ shows Traefik's built-in web UI.
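The compose file above works, but three of its settings deserve a second look before the same pattern is reused outside a throwaway dev box: `--providers.docker` without `exposedByDefault=false` routes every container on the Docker socket, the `dashboard` router publishes `api@internal` with no authentication middleware, and the alidns credentials are typed straight into `environment:`. The following Python script is an added example, not code from the original post or from the Traefik project: it lints those three lists (flags, labels, environment entries) for exactly these mistakes and returns the hardened equivalent. The sample data is copied from the post's compose file with the hostname replaced by the placeholder `traefik.example.test`; the secret values and the htpasswd hash are placeholders too.

```python
"""Added example (not from the original post or the Traefik project): lint the
Traefik command flags, container labels and environment entries of a compose
file like the one above, then show the hardened equivalent."""

# Constructed sample: the traefik `command:` entries from the post.
FLAGS = [
    "--api.dashboard=true",
    "--entrypoints.web.address=:80",
    "--entrypoints.websecure.address=:443",
    "--providers.docker",
    "--certificatesresolvers.myresolver.acme.dnschallenge=true",
    "--certificatesresolvers.myresolver.acme.dnschallenge.provider=alidns",
    "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json",
]
# Constructed sample: the dashboard router labels on the traefik container.
LABELS = [
    "traefik.http.routers.dashboard.rule=Host(`traefik.example.test`)",
    "traefik.http.routers.dashboard.service=api@internal",
    "traefik.http.routers.dashboard.entrypoints=websecure",
    "traefik.http.routers.dashboard.tls.certresolver=myresolver",
]
# Constructed sample: DNS provider credentials typed inline (placeholder values).
ENV = ["ALICLOUD_ACCESS_KEY=xxxxxxxxx", "ALICLOUD_SECRET_KEY=xxxxxxxxx"]

AUTH_MIDDLEWARES = ("basicauth", "digestauth", "forwardauth")


def parse_kv(entries, prefix=""):
    """'key=value' (or bare 'key') strings -> dict; keys lower-cased, prefix dropped."""
    out = {}
    for entry in entries:
        if not entry.startswith(prefix):
            continue
        key, sep, value = entry[len(prefix):].partition("=")
        out[key.lower()] = value if sep else "true"
    return out


def has_auth_middleware(labels, name):
    """True if middleware `name` is defined by a basicauth/digestauth/forwardauth label."""
    base = name.split("@")[0]  # drop a provider suffix such as @docker
    return any(key.startswith(f"http.middlewares.{base}.{kind}.")
               for key in labels for kind in AUTH_MIDDLEWARES)


def lint(flags, labels, env):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    conf = parse_kv(flags, "--")
    lab = parse_kv(labels, "traefik.")

    # 1. The Docker provider routes every container on the socket unless
    #    exposedByDefault is switched off.
    if "providers.docker" in conf and conf.get("providers.docker.exposedbydefault", "true") != "false":
        findings.append("providers.docker exposes every container; set exposedByDefault=false")

    # 2. A router whose service is api@internal publishes the dashboard and the
    #    API; it needs an auth middleware in front of it.
    for key, value in lab.items():
        parts = key.split(".")
        if parts[:2] == ["http", "routers"] and parts[-1] == "service" and value == "api@internal":
            router = parts[2]
            chain = lab.get(f"http.routers.{router}.middlewares", "")
            names = [m.strip() for m in chain.split(",") if m.strip()]
            if not any(has_auth_middleware(lab, n) for n in names):
                findings.append(f"router '{router}' serves api@internal without an auth middleware")

    # 3. Credential values written into the compose file end up in git history
    #    and in `docker inspect` output.
    for entry in env:
        key, _, value = entry.partition("=")
        if key.endswith(("KEY", "SECRET", "TOKEN")) and value and not value.startswith("${"):
            findings.append(f"{key} is set inline; reference it as ${{{key}}} and load it from env_file")

    return findings


def harden(flags, labels, env):
    """Return hardened copies of the three lists that pass lint()."""
    new_flags = list(flags) + ["--providers.docker.exposedByDefault=false"]
    new_labels = list(labels) + [
        "traefik.enable=true",  # required once exposedByDefault is off
        "traefik.http.routers.dashboard.middlewares=dashboard-auth",
        # placeholder htpasswd entry; '$' is doubled because compose interpolates '$'
        "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$PLACEHOLDERHASH",
    ]
    # Reference the variable instead of embedding the value; compose fills it
    # from the shell environment or an env_file.
    new_env = [f"{e.partition('=')[0]}=${{{e.partition('=')[0]}}}" for e in env]
    return new_flags, new_labels, new_env


if __name__ == "__main__":
    for line in lint(FLAGS, LABELS, ENV):
        print("finding:", line)
    print("after harden():", lint(*harden(FLAGS, LABELS, ENV)))
```

Run as-is the script reports four findings (the open Docker provider, the unauthenticated dashboard router, and the two inline credentials) and an empty list for the hardened lists. The lint only looks at the three lists it is given, so a real compose file still needs its YAML loaded first; the hardened labels are the ones to copy into the `traefik:` service above, with the placeholder hash replaced by one generated with `htpasswd -nB <user>`.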