traefik
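## Introduction
traefik is an open-source reverse proxy and load balancer. It is positioned as a load balancer that provides an easy-to-use load-balancing service, so stop comparing it with nginx. Its biggest advantage is that it integrates directly with common microservice systems and can be configured automatically and dynamically.
Currently supported backends: Docker, Swarm, Mesos/Marathon, Mesos, Kubernetes, Consul, Etcd, Zookeeper, BoltDB, Rest API, and so on.
#### Why did I choose traefik?
Written in Golang, deployed as a single file, independent of the system;
Hot-reloads configuration files;
Built-in Web UI, fairly convenient to manage;
Features: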
```
It's fast
No dependency hell, single binary made with go
Rest API
Multiple backends supported: Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, and more to come
Watchers for backends, can listen for changes in backends to apply a new configuration automatically
Hot-reloading of configuration. No need to restart the process
Graceful shutdown http connections
Circuit breakers on backends
Round Robin, rebalancer load-balancers
Rest Metrics
Tiny official docker image included
SSL backends support
SSL frontend support (with SNI)
Clean AngularJS Web UI
Websocket support
HTTP/2 support
Retry request if network error
Let's Encrypt support (Automatic HTTPS with renewal)
High Availability with cluster mode
```
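### Installation and deployment:
#### Plan the service paths
#### Main service path
cd /etc/traefik/
#### SSL certificate path
mkdir -p /etc/traefik/ssl
#### Configuration file path
mkdir -p /etc/traefik/config
#### Log path
mkdir -p /etc/traefik/log
#### Installing from the release package:
Tested version: v1.2.3
Download URL: https://github.com/containous/traefik/releases/tag/v1.2.3
After downloading the software to the server, unpack it, set its permissions, and then start the service:
chmod 755 traefik
#### Start the service
traefik is written in Go, so starting the service is simple: just point it at a configuration file.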
```
./traefik -c ./config/traefik.toml
```
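#### There is no configuration file by default; you have to assemble one from the reference on the official site. Below is a main configuration file that I put together and tuned based on the official documentation.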
```
[root@trarfik-test config]# more traefik.toml
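##Enable debug mode. Default: false
debug = true
##Log level: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
logLevel = "INFO"
##Traefik service log; if not set, logs are written to the console
#traefikLogsFile = "/etc/traefik/log/traefik.log"
##Access log
accessLogsFile = "/etc/traefik/log/access.log"
##Minimum interval between two provider events before a new configuration is applied; avoids repeated reloads when several events arrive close together. Default: "2s"
##ProvidersThrottleDuration = "5s"
ProvidersThrottleDuration = 5
###Maximum number of idle (keep-alive) connections kept per backend host, via the net/http module. If set to 0, Go's DefaultMaxIdleConnsPerHost is used. If you see 'too many open files' errors, raise the system `ulimit` value. Default: 200
maxIdleConnsPerHost = 60000
###If set to true, invalid SSL certificates presented by backends are accepted. Note: this disables detection of man-in-the-middle attacks, so use it only on a secure backend network. Default: false
#insecureSkipVerify = true
###Default entry points (listening ports)
###To change a listening port, configure the entry point individually
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.https]
address = ":443"
compress = true
###SSL certificate configuration
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/traefik/ssl/www.ptengine.cn.crt"
keyFile = "/etc/traefik/ssl/www.ptengine.cn.key"
## Management UI listening port
[web]
address = ":8800"
##REST API read-only mode; false leaves PUT on /api/providers/{provider} enabled
ReadOnly = false
##Enable detailed statistics; recent errors are printed at the bottom of the management UI for reference
[web.statistics]
RecentErrors = 10
## To enable Traefik to export internal metrics to Prometheus
##[web.metrics.prometheus]
### Buckets=[0.1,0.3,1.2,5.0]
### Web UI basic authentication
### Passwords can be encoded as MD5, SHA1 or BCrypt; you can generate them with htpasswd
### Users can be listed directly in the toml file or indirectly through an external file; if both are given, the two are merged, with the external file taking precedence
### Example configuration
### User/password pairs: test:test and test2:test2
#[web.auth.basic]
#users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
### Or point to a users file
### usersFile = "/path/to/.htpasswd"
### File provider: rules are loaded from a watched file
[file]
##Watching a directory is not supported; the file name must be given explicitly
filename = "/etc/traefik/config/rules.toml"
### Watch the file for changes
watch = true
##Retry failed requests
[retry]
##By default a request is sent to the backend only once, with no retry
attempts = 3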
```
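Starting the service with the configuration file above makes it listen on three ports: 80 (http), 443 (https) and 8800 (api). I enabled debug mode in the configuration above; a real production environment does not need it. Once the service is up it can be accessed, and the API management UI shows some basic information.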
#### Browser URL:
http://localhost:8800
#### Querying the API with curl
```
/api/providers: GET providers
/api/providers/{provider}: GET or PUT provider
/api/providers/{provider}/backends: GET backends
/api/providers/{provider}/backends/{backend}: GET a backend
/api/providers/{provider}/backends/{backend}/servers: GET servers in a backend
/api/providers/{provider}/backends/{backend}/servers/{server}: GET a server in a backend
/api/providers/{provider}/frontends: GET frontends
/api/providers/{provider}/frontends/{frontend}: GET a frontend
/api/providers/{provider}/frontends/{frontend}/routes: GET routes in a frontend
/api/providers/{provider}/frontends/{frontend}/routes/{route}: GET a route in a frontend
```
#### Querying the API for health information:
```
[root@trarfik-test ~]# curl -s "http://localhost:8800/health"|jq
{
"pid": 23955,
"uptime": "4m19.415827181s",
"uptime_sec": 259.415827181,
"time": "2017-04-21 10:38:44.925762492 +0800 CST",
"unixtime": 1492742324,
"status_code_count": {},
"total_status_code_count": {
"304": 3,
"404": 2,
"429": 6
},
"count": 0,
"total_count": 11,
"total_response_time": "11.553372ms",
"total_response_time_sec": 0.011553372000000001,
"average_response_time": "1.050306ms",
"average_response_time_sec": 0.001050306,
"recent_errors": [
...............
]
}
```
#### Configuration endpoint:
```
[root@trarfik-test ~]# curl -s "http://localhost:8800/api"|jq
{
"file": {
"backends": {
"test1": {
"servers": {
"server1": {
"url": "http://172.16.100.70:80",
"weight": 1
},
"server2": {
"url": "http://172.16.100.71:80",
"weight": 1
}
},
"circuitBreaker": {
"expression": "NetworkErrorRatio() > 0.5"
},
"loadBalancer": {
"method": "drr"
},
"maxConn": {
"amount": 10,
"extractorFunc": "request.host"
}
}
},
"frontends": {
"test1": {
"entryPoints": [
"http",
"https"
],
"backend": "test1",
"routes": {
"service1": {
"rule": "Host:test.ptmind.com;"
}
},
"passHostHeader": true,
"priority": 10
}
}
}
}
```
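### Starting with Docker
To start with Docker, prepare the configuration file first and mount it into the container; also pay attention to the API management port.
```
docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
```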
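### Example: reverse proxy configuration by domain name
#### Domains served
test.ptmind.com
pttest.ptmind.com
#### Backend servers (round robin):
172.16.100.70:80
172.16.100.71:80
#### Security considerations:
Limit the number of request connections from a single client;
Stop forwarding to a backend when it becomes unstable;
The configuration is as follows: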
```
[root@trarfik-test config]# more rules.toml
##Backend configuration
#[backends]
##Retry failed requests
#[retry]
###By default a request is sent to the backend only once, with no retry
#attempts = 3
[backends.testptmindcom]
##Stop forwarding when the backend network error ratio exceeds 0.5
[backends.testptmindcom.circuitbreaker]
expression = "NetworkErrorRatio() > 0.5"
##Load-balancing method: drr (dynamic round robin); default: wrr (weighted round robin)
[backends.testptmindcom.LoadBalancer]
method = "drr"
##Security limit: when the connection count for a single host exceeds the given value, "max connections reached" is returned
[backends.testptmindcom.maxconn]
amount = 10
extractorfunc = "request.host"
##First backend node
[backends.testptmindcom.servers.server1]
url = "http://172.16.100.70:80"
weight = 1
##Second backend node
[backends.testptmindcom.servers.server2]
url = "http://172.16.100.71:80"
weight = 1
##Frontend configuration
[frontends]
#Define the name of a frontend
[frontends.testptmindcom]
passHostHeader = true
priority = 10
##Name of the backend to use
backend = "testptmindcom"
##Domains the frontend listens for; multiple domains are allowed
[frontends.testptmindcom.routes.service]
rule = "Host:test.ptmind.com,pttest.ptmind.com;"
```
#### Verify the configuration:
```
[root@trarfik-test ~]# curl http://localhost:8800/api|jq
{
"file": {
"backends": {
"testptmindcom": {
"servers": {
"server1": {
"url": "http://172.16.100.70:80",
"weight": 1
},
"server2": {
"url": "http://172.16.100.71:80",
"weight": 1
}
},
"circuitBreaker": {
"expression": "NetworkErrorRatio() > 0.5"
},
"loadBalancer": {
"method": "drr"
},
"maxConn": {
"amount": 10,
"extractorFunc": "request.host"
}
}
},
"frontends": {
"testptmindcom": {
"entryPoints": [
"http",
"https"
],
"backend": "testptmindcom",
"routes": {
"service": {
"rule": "Host:test.ptmind.com,pttest.ptmind.com;"
}
},
"passHostHeader": true,
"priority": 10
}
}
}
}
```
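### Notes:
1: traefik can hot-reload configuration files, so the service does not have to be restarted every time; changing options in the main configuration file or the listening ports for domains does require a restart;
2: Within one group of configuration, the "backends" and "frontends" names must match;
3: Pay attention to how the names are configured in the examples;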
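Note 2 and the two security considerations from the example (a connection limit and a circuit breaker on every backend) can be checked against a saved copy of the `/api` output. The Python check below is an added example, not part of the original post or of traefik; `check_routing` and `SAMPLE` are names made up here, and `client.ip` is a Traefik 1.x extractor value that does not appear on the page.

```python
import json

def check_routing(api_json):
    """Return a list of problems found in the JSON document served by GET /api."""
    problems = []
    for provider, conf in json.loads(api_json).items():
        backends = conf.get("backends") or {}
        for name, fe in (conf.get("frontends") or {}).items():
            # Note 2: a frontend must name a backend that exists in the same group.
            if fe.get("backend") not in backends:
                problems.append(f"{provider}/{name}: frontend points at "
                                f"unknown backend {fe.get('backend')!r}")
        for name, be in backends.items():
            where = f"{provider}/{name}"
            if not be.get("servers"):
                problems.append(f"{where}: backend has no servers")
            if not (be.get("circuitBreaker") or {}).get("expression"):
                problems.append(f"{where}: no circuitBreaker expression")
            max_conn = be.get("maxConn")
            if not max_conn:
                problems.append(f"{where}: no maxConn limit")
            elif max_conn.get("extractorFunc") == "request.host":
                # request.host buckets connections by Host header, not by caller.
                problems.append(f"{where}: maxConn is counted per Host header; "
                                "client.ip would count per client address")
    return problems

# Constructed sample in the shape of the /api output shown above, with a
# mistyped backend reference and a backend that has no limits configured.
SAMPLE = json.dumps({"file": {
    "backends": {
        "testptmindcom": {
            "servers": {"server1": {"url": "http://172.16.100.70:80", "weight": 1}},
            "circuitBreaker": {"expression": "NetworkErrorRatio() > 0.5"},
            "maxConn": {"amount": 10, "extractorFunc": "request.host"}},
        "bare": {"servers": {"server1": {"url": "http://172.16.100.71:80", "weight": 1}}}},
    "frontends": {
        "testptmindcom": {"backend": "testptmindcom"},
        "typo": {"backend": "testptmind"}}}})

if __name__ == "__main__":
    print("\n".join(check_routing(SAMPLE)))
```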
### References
https://docs.traefik.io/toml/
http://docs.traefik.io/toml/#retry-configuration