Introduction
Traefik is a modern cloud-native edge router with built-in support for Docker and Kubernetes. Unlike Nginx, Traefik discovers services automatically and updates its configuration dynamically, which makes it a good fit for microservice architectures.
1. Traefik vs Nginx
| Feature | Traefik | Nginx |
|---|---|---|
| Service discovery | ✅ Automatic | ❌ Manual configuration |
| Dynamic configuration | ✅ Hot reload | ❌ Requires reload |
| Let's Encrypt | ✅ Built in | ❌ Requires certbot |
| Dashboard | ✅ Built in | ❌ Third-party tools |
| Learning curve | Medium | Low |
| Performance | High | Very high |
| Typical use | Cloud-native / containers | Traditional / static |
2. Docker quick start
2.1 Basic deployment
```yaml
# docker-compose.yml
version: '3.8'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/etc/traefik
    networks:
      - traefik-net
    labels:
      # Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      # Compose interpolates "$", so every "$" in the htpasswd hash is written as "$$"
      # (the file provider in section 4.1 uses a single "$").
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$xxx"

networks:
  traefik-net:
    external: true
```
2.2 Configuration file
```yaml
# traefik/traefik.yml
api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: traefik-net
  file:
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
```
3. Service proxy configuration
3.1 Docker labels
```yaml
# Application services
services:
  webapp:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      # Routing rule
      - "traefik.http.routers.webapp.rule=Host(`app.example.com`)"
      - "traefik.http.routers.webapp.entrypoints=websecure"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      # Service configuration
      - "traefik.http.services.webapp.loadbalancer.server.port=80"
    networks:
      - traefik-net

  api:
    image: my-api:latest
    labels:
      - "traefik.enable=true"
      # Path-prefix routing
      - "traefik.http.routers.api.rule=Host(`app.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      # Strip the path prefix before forwarding
      - "traefik.http.routers.api.middlewares=strip-api"
      - "traefik.http.middlewares.strip-api.stripprefix.prefixes=/api"
      - "traefik.http.services.api.loadbalancer.server.port=8080"
    networks:
      - traefik-net
```
3.2 File provider
```yaml
# traefik/dynamic/services.yml
http:
  routers:
    external-service:
      rule: "Host(`external.example.com`)"
      entryPoints:
        - websecure
      service: external-service
      tls:
        certResolver: letsencrypt

  services:
    external-service:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:8080"
          - url: "http://192.168.1.101:8080"
        healthCheck:
          path: /health
          interval: 10s
```
4. Middleware configuration
4.1 Common middlewares
```yaml
# traefik/dynamic/middlewares.yml
http:
  middlewares:
    # Basic authentication
    auth-basic:
      basicAuth:
        users:
          - "admin:$apr1$xxx"

    # Rate limiting
    rate-limit:
      rateLimit:
        average: 100
        burst: 50

    # Security headers
    # (sslRedirect was removed from the headers middleware in Traefik v3; the
    # HTTP -> HTTPS redirect is done by the web entrypoint in traefik.yml instead)
    secure-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true

    # IP allow list (ipAllowList in Traefik v3; ipWhiteList is the deprecated v2 name)
    ip-whitelist:
      ipAllowList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"

    # Retry
    retry:
      retry:
        attempts: 3
        initialInterval: 100ms

    # Compression
    compress:
      compress: {}

    # Circuit breaker
    circuit-breaker:
      circuitBreaker:
        expression: "NetworkErrorRatio() > 0.5 || ResponseCodeRatio(500, 600, 0, 600) > 0.5"
```
4.2 Applying middlewares
```yaml
# Docker labels: middlewares defined by the file provider must be referenced
# with the "@file" suffix, otherwise Traefik looks for them in the docker provider
labels:
  - "traefik.http.routers.myapp.middlewares=rate-limit@file,secure-headers@file,compress@file"
```
```yaml
# File provider (same provider, so no suffix is needed)
http:
  routers:
    myapp:
      middlewares:
        - rate-limit
        - secure-headers
        - compress
```
5. Load balancing
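The ip-whitelist middleware above only does what you expect if Traefik checks the right address. When Traefik sits behind another proxy, the TCP remote address is the proxy, and Traefik's `ipStrategy.depth` option selects an entry of `X-Forwarded-For` instead. The following added example (not from the original post or the Traefik project) re-implements that selection in Python to show why `depth` must equal the number of trusted proxies in front of Traefik; `ALLOW_LIST` is a constructed config.

```python
import ipaddress

# Constructed middleware config mirroring the page's ip-whitelist (ipAllowList in Traefik v3),
# extended with Traefik's ipStrategy.depth option, which the page does not set.
ALLOW_LIST = {
    "sourceRange": ["10.0.0.0/8", "192.168.0.0/16"],
    "ipStrategy": {"depth": 1},  # 1 = rightmost X-Forwarded-For entry, added by one trusted proxy
}

def select_client_ip(remote_addr, xff_header="", depth=0):
    """Pick the client IP the way Traefik's ipStrategy does.

    depth 0 (the default): use the TCP remote address and ignore X-Forwarded-For.
    depth n: take the n-th X-Forwarded-For entry counting from the right; if the
    header has fewer than n entries Traefik uses an empty IP, which never matches.
    """
    if depth <= 0:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < depth:
        return None
    return hops[-depth]

def is_allowed(config, remote_addr, xff_header=""):
    """True if the selected client IP is inside one of the sourceRange CIDRs."""
    depth = config.get("ipStrategy", {}).get("depth", 0)
    ip = select_client_ip(remote_addr, xff_header, depth)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in config["sourceRange"])

if __name__ == "__main__":
    direct = {"sourceRange": ALLOW_LIST["sourceRange"]}  # the page's config: no ipStrategy
    # Traefik behind a load balancer at 172.16.0.2: with depth 0 the balancer's address is
    # checked and every internal client is denied; with depth 1 the real client is checked.
    print(is_allowed(direct, "172.16.0.2", "10.0.0.9"))      # False
    print(is_allowed(ALLOW_LIST, "172.16.0.2", "10.0.0.9"))  # True
    # Set depth only when a trusted proxy really is in front: with depth 1 and no proxy,
    # a header the client sent itself would be the one checked (see the test cases).
    print(is_allowed(direct, "203.0.113.7", "10.0.0.9"))     # False
```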
5.1 Round robin
```yaml
http:
  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://server1:80"
          - url: "http://server2:80"
          - url: "http://server3:80"
```
5.2 Weighted round robin
```yaml
http:
  services:
    my-service:
      weighted:
        # A weighted service balances across other services, so server1 and
        # server2 must themselves be defined as services
        services:
          - name: server1
            weight: 3
          - name: server2
            weight: 1
```
5.3 Sticky sessions
```yaml
http:
  services:
    my-service:
      loadBalancer:
        sticky:
          cookie:
            name: server_id
            secure: true
            httpOnly: true
```
6. Kubernetes integration
6.1 Helm installation
```bash
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm install traefik traefik/traefik -n traefik --create-namespace
```
6.2 IngressRoute configuration
```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: webapp
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.example.com`)
      kind: Rule
      services:
        - name: webapp
          port: 80
      middlewares:
        - name: rate-limit
  tls:
    certResolver: letsencrypt
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 50
```
7. Multi-site proxying
7.1 Proxying services across networks
When services on different networks need to be proxied, the traditional approach requires public IPs or a VPN. Overlay-networking software (such as 星空组网) can join several sites into a single virtual LAN:
```yaml
# traefik/dynamic/multi-site.yml
http:
  routers:
    beijing-api:
      rule: "Host(`api.example.com`) && PathPrefix(`/beijing`)"
      service: beijing-api
    shanghai-api:
      rule: "Host(`api.example.com`) && PathPrefix(`/shanghai`)"
      service: shanghai-api

  services:
    # Beijing site (reached over the virtual LAN)
    beijing-api:
      loadBalancer:
        servers:
          - url: "http://10.26.0.10:8080"
    # Shanghai site (reached over the virtual LAN)
    shanghai-api:
      loadBalancer:
        servers:
          - url: "http://10.26.0.20:8080"
```
8. Monitoring and logging
8.1 Prometheus metrics
```yaml
# traefik.yml
metrics:
  prometheus:
    addEntryPointsLabels: true
    addServicesLabels: true
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
```
8.2 Access logs
```yaml
accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json
  # Only requests matching at least one filter are written
  filters:
    statusCodes:
      - "400-499"
      - "500-599"
    retryAttempts: true
    minDuration: "10ms"
```
8.3 Grafana Dashboard
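Once the access log is JSON, it can be parsed line by line for detection work. The following added example (not from the original post or the Traefik project) aggregates a few constructed Traefik-format log lines into per-client 4xx/5xx counts and per-router 5xx/retry counts, the kind of summary that surfaces repeated dashboard login failures or a backend that the retry middleware is papering over. The log lines and thresholds are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample of Traefik JSON access-log lines (format: json). Field names are the
# ones Traefik emits; the values are made up. With the filters on the page, only error,
# retried and slow (>= 10 ms; Duration is in nanoseconds) requests reach the log.
SAMPLE_LOG = """\
{"ClientHost":"203.0.113.7","DownstreamStatus":401,"RequestMethod":"GET","RequestPath":"/dashboard/","RouterName":"dashboard@docker","Duration":1200000,"RetryAttempts":0}
{"ClientHost":"203.0.113.7","DownstreamStatus":401,"RequestMethod":"GET","RequestPath":"/dashboard/","RouterName":"dashboard@docker","Duration":1100000,"RetryAttempts":0}
{"ClientHost":"203.0.113.7","DownstreamStatus":401,"RequestMethod":"GET","RequestPath":"/dashboard/","RouterName":"dashboard@docker","Duration":1000000,"RetryAttempts":0}
{"ClientHost":"203.0.113.7","DownstreamStatus":429,"RequestMethod":"GET","RequestPath":"/api/login","RouterName":"api@docker","Duration":500000,"RetryAttempts":0}
{"ClientHost":"198.51.100.4","DownstreamStatus":502,"RequestMethod":"POST","RequestPath":"/api/orders","RouterName":"api@docker","Duration":30000000,"RetryAttempts":3}
{"ClientHost":"198.51.100.4","DownstreamStatus":200,"RequestMethod":"GET","RequestPath":"/api/orders","RouterName":"api@docker","Duration":15000000,"RetryAttempts":0}
not json at all
"""

def parse_access_log(text):
    """Yield one dict per line, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(text):
    """Count 4xx/5xx per client and 5xx/retries per router."""
    clients = defaultdict(lambda: {"4xx": 0, "5xx": 0, "total": 0})
    routers = defaultdict(lambda: {"5xx": 0, "retries": 0})
    for entry in parse_access_log(text):
        status = int(entry.get("DownstreamStatus", 0))
        client = clients[entry.get("ClientHost", "?")]
        client["total"] += 1
        if 400 <= status < 500:
            client["4xx"] += 1
        elif status >= 500:
            client["5xx"] += 1
        router = routers[entry.get("RouterName", "?")]
        if status >= 500:
            router["5xx"] += 1
        router["retries"] += int(entry.get("RetryAttempts", 0))
    return dict(clients), dict(routers)

def noisy_clients(text, min_4xx=3):
    """Clients with at least min_4xx client errors, e.g. repeated 401s on the dashboard."""
    clients, _ = summarize(text)
    return sorted(ip for ip, counts in clients.items() if counts["4xx"] >= min_4xx)
```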
Import dashboard ID 17346 (the official Traefik dashboard).
9. Production configuration example
```yaml
# docker-compose-production.yml
version: '3.8'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/etc/traefik
      - ./logs:/var/log/traefik
    environment:
      - TZ=Asia/Shanghai
    networks:
      - traefik-net
    healthcheck:
      # "traefik healthcheck" calls the ping endpoint, so "ping: {}" must be
      # enabled in the static configuration for this check to pass
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
      timeout: 3s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 512M

networks:
  traefik-net:
    driver: bridge
```
10. Summary
Traefik is a strong gateway choice for the cloud-native era:
| Feature | Advantage |
|---|---|
| Automatic discovery | Docker/K8s services register themselves |
| Dynamic configuration | Hot reload, no restart needed |
| Let's Encrypt | Certificates issued and renewed automatically |
| Middlewares | Authentication, rate limiting and circuit breaking out of the box |
| Dashboard | Visual management UI |
Suitable scenarios:
- Microservice architectures
- Docker/Kubernetes environments
- Deployments that need automatic SSL
- Frequently changing service configurations
References
- Traefik documentation: https://doc.traefik.io/traefik/
- Traefik on GitHub: https://github.com/traefik/traefik
- Let's Encrypt configuration: https://doc.traefik.io/traefik/https/acme/
This article was first published on CSDN; please credit the source when reposting.