反向代理
方便 SSL 证书的统一管理和分发、服务的扩容及接入现成的网关服务,文档提供几种给网关配置反向代理服务的配置。
准备工作
配置反向代理需要准备好如下数据:
名称 | 范例值 | 备注 |
---|---|---|
域名 | zealot.example.com | |
反向代理 IP 地址 | 172.16.56.1 | |
Zealot IP 地址 | 172.16.56.100 | 反向代理服务可访问 同一台服务可改为 127.0.0.1 |
Zealot 外部映射端口号 | 8901 | 反向代理服务可访问 |
Zealot 内部端口号 | 80 | 无需修改 |
Let's Encrypt 邮箱 | your-email@example.com |
Traefik
Traefik 是一款开源的反向代理与负载均衡工具,它自身提供多种 Providers 可以实现接入反向代理并配置 SSL 的方式。
配置解释
无论使用那种 Provider 核心的配置项是相同的,构成反向代理服务配置主要有三部分组成:发现端口号、路由规则(包含访问端口号、域名绑定和SSL)
Traefik 服务
- yaml
- toml
- cli
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
letsencrypt:
acme:
email: your-email@example.com
storage: acme.json
httpChallenge:
entryPoint: web
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.letsencrypt.acme]
email = "your-email@example.com"
storage = "acme.json"
[certificatesResolvers.letsencrypt.acme.httpChallenge]
# used during the challenge
entryPoint = "web"
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
--certificatesresolvers.letsencrypt.acme.email=your-email@example.com
--certificatesresolvers.letsencrypt.acme.storage=acme.json
--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
Docker
首先需要开启 Docker provider 后在修改 zealot 的 Docker Compose 配置:
docker-compose.yml
version: '3'
services:
zealot:
<<: *defaults
labels:
- "traefik.enable=true"
- "traefik.http.services.zealot.loadbalancer.server.port=80"
- "traefik.http.routers.zealot.service=zealot"
- "traefik.http.routers.zealot.rule=Host(`zealot.example.com`)"
- "traefik.http.routers.zealot.tls=true"
- "traefik.http.routers.zealot.tls.certresolver=letsencrypt"
- "traefik.http.routers.zealot.tls.domains[0].main=icyleaf.dev"
- "traefik.http.routers.zealot.tls.domains[0].sans=zealot.example.com"
# 由 Treafik 接管无需在对外暴露端 口号
# ports:
# - "8901:80"
network:
# 根据 traefik 服务的 network 按需调整
- traefik-services
networks:
# 根据 traefik 服务的 network 按需调整
traefik-services:
external: true
Docker 部署的局限于 Traefik 和 Zealot 服务通常在同一个机器的同一个 OS 系统中,跨机器就没法实现通讯,对于跨机器就需要参考下面两种配置方案:
Consul
首先需要开启 Consul provider 或 Consul Catalog provider,我们只需要利用它的 Key-Value 存储:
consul kv put traefik/http/services/zealot/loadbalancer/server/port 5
consul kv put traefik/http/routers/zealot/service zealot
consul kv put traefik/http/routers/zealot/rule 'Host(`zealot.example.com`)'
consul kv put traefik/http/routers/zealot/tls/certresolver letsencrypt
consul kv put traefik/http/routers/zealot/tls/domains/0/main icyleaf.dev
consul kv put traefik/http/routers/zealot/tls/domains/0/sans zealot.example.com
Nomad
首先需要开启 Nomad provider 且 Nomad 版本要大于等于 1.3 才可以哟:
zealot.nomad
job "zealot" {
datacenters = ["dc1"]
type = "service"
group "zealot" {
count = 1
network {
port "http"{
static = 80
}
}
service {
name = "zealot-http"
provider = "nomad"
port = "http"
}
task "server" {
driver = "docker"
config {
image = "ghcr.io/tryzealot/zealot:nightly"
ports = ["http"]
args = [
- "traefik.http.routers.zealot.rule=Host(`zealot.example.com`)",
- "traefik.http.routers.zealot.tls=true",
- "traefik.http.routers.zealot.tls.certresolver=letsencrypt",
- "traefik.http.routers.zealot.tls.domains[0].main=icyleaf.dev",
- "traefik.http.routers.zealot.tls.domains[0].sans=zealot.example.com"
]
}
}
}
}
Caddy 2 配置
Caddyfile
:443
log
# 使用 Let's Encrypt 服务
tls your-email@example.com
reverse_proxy 172.16.56.100:8901
配置只需配置 tls
和 proxy
后面 IP 地址和端口部分即可。
Nginx
如下是通用配置,如果不可用欢迎提问题。
conf.d/zealot.conf
upstream zealot {
zone upstreams 64K;
server 172.16.56.100:8901;
keepalive 32;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name zealot.example.com;
location /.well-known/acme-challenge/ { allow all; }
location / { return 301 https://$host$request_uri; }
}
server {
listen 443 ssl http2; # 可选:http2 可能需要安装额外扩展,不需要可移除
listen [::]:443 ssl http2; # 可选:http2 可能需要安装额外扩展,不需要可移除
server_name zealot.example.com;
ssl_certificate /etc/certs/zealot-cert.pem;
ssl_certificate_key /etc/certs/zealot.pem;
# Optional
# ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:1m;
# ssl_prefer_server_ciphers on;
location / {
proxy_pass http://zealot;
proxy_redirect off;
proxy_pass_header Authorization;
proxy_set_header Host $host;
# proxy_set_header X-Forwarded-Ssl on; # 可选
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
client_max_body_size 0;
proxy_read_timeout 36000s;
}
}
Nginx 还需要在 http
中配置 最大上传文件上传大小,普通应用建议是在 200MB 左右,如果是游戏可根据实际文件大小再多出 50% 打出富余。
nginx.conf
http {
[...]
client_max_body_size 200M;
}