通过Traefik远程访问代理的Docker容器

Question

目标:远程访问Docker容器，如Home Assistant、Portainer、Tautulli等。通过个人域(sub.example.com)。

工具: Docker、Docker-compose、Traefik、Cloudflare

问:我需要做什么才能远程访问我的容器？

文件：

Docker-compose.yml

    version: "2"
services:

#Portainer - WebUI for Containers
  portainer:
    image: portainer/portainer
    restart: always
    container_name: portainer
    command: --templates http://templates/templates.json
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /path/to/file/docker/portainer/data:/data
    ports:
      - "9000:9000"
    networks:
      - docker_default
    environment:
      - TZ=America/Phoenix
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.docker.network=docker_default"
      - "traefik.backend=portainer"
      - "traefik.frontend.rule=Host:portainer.example.com"
      - "traefik.default.protocol=http"

#Home Assistant - Smart Home Hub
  homeassistant:
    container_name: homeassistant
    restart: always
    image: homeassistant/home-assistant
#    devices:
#      - /dev/ttyUSB0:/dev/ttyUSB0
#      - /dev/ttyUSB1:/dev/ttyUSB1
#      - /dev/ttyACM0:/dev/ttyACM0
    volumes:
      - /path/to/file/docker/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /path/to/file/docker/certs:/certs
    network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - traefik.backend=homeassistant
      - "traefik.frontend.rule=Host:homeassistant.example.com"
    privileged: true
    environment:
      - PUID=1000
      - PGID=999
      - TZ=America/Phoenix

  traefik:
    container_name: traefik
    image: traefik:alpine
    command: --api --docker
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/file/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /path/to/file/docker/traefik/acme.json:/acme.json

networks:
  docker_default:
    external : true

Traefik.toml

defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
exposedbydefault = false

[acme]
email = "myEmail.com"
storage = "acme.json"
onDemand = false
OnHostRule = true
entryPoint = "https"
[acme.httpChallenge]
  entryPoint = "http"

[[acme.domains]]
  main = ["portainer.example.com","homeassistant.example.com"]

日志：

Traefik日志

Attaching to traefik
traefik             | time="2018-04-30T23:57:41Z" level=error msg="map[example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://example.com/.well-known/acme-challenge/ImogxzPm6JBw_OrPbnTUa9x3z0R-BbtYoVdYCCI6kC8: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for example.com:80
traefik             |   Resolved to:
traefik             |       104.31.85.180
traefik             |       104.31.84.180
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |   Used: 2400:cb00:2048:1::681f:54b4
traefik             | 
traefik             |  portainer.example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://portainer.example.com/.well-known/acme-challenge/v1VK73VHrmt_jo-NvVliqgH6krgtglhRp4A_dJ9C8ws: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for portainer.example.com:80
traefik             |   Resolved to:
traefik             |       104.31.84.180
traefik             |       104.31.85.180
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |   Used: 2400:cb00:2048:1::681f:55b4
traefik             | 
traefik             | ]" 
traefik             | time="2018-04-30T23:57:41Z" level=error msg="Error getting ACME certificate for domain [example.com portainer.example.com]: cannot obtain certificates map[example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://example.com/.well-known/acme-challenge/ImogxzPm6JBw_OrPbnTUa9x3z0R-BbtYoVdYCCI6kC8: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for example.com:80
traefik             |   Resolved to:
traefik             |       104.31.85.180
traefik             |       104.31.84.180
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |   Used: 2400:cb00:2048:1::681f:54b4
traefik             | 
traefik             |  portainer.example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://portainer.example.com/.well-known/acme-challenge/v1VK73VHrmt_jo-NvVliqgH6krgtglhRp4A_dJ9C8ws: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for portainer.example.com:80
traefik             |   Resolved to:
traefik             |       104.31.84.180
traefik             |       104.31.85.180
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |   Used: 2400:cb00:2048:1::681f:55b4
traefik             | 
traefik             | ]" 
traefik             | time="2018-04-30T23:58:12Z" level=error msg="map[portainer.example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://portainer.example.com/.well-known/acme-challenge/jk1fwHfVd1uupitZqwzr8zp4sce7aebo3lZJHhf4pCw: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for portainer.example.com:80
traefik             |   Resolved to:
traefik             |       104.31.84.180
traefik             |       104.31.85.180
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |   Used: 2400:cb00:2048:1::681f:55b4
traefik             | 
traefik             | ]" 
traefik             | time="2018-04-30T23:58:12Z" level=error msg="Error getting ACME certificates [portainer.example.com] : cannot obtain certificates map[portainer.example.com:acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://portainer.example.com/.well-known/acme-challenge/jk1fwHfVd1uupitZqwzr8zp4sce7aebo3lZJHhf4pCw: "<!DOCTYPE html>
traefik             | <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
traefik             | <!--[if IE 7]>    <html class="no-js "
traefik             | Error Detail:
traefik             |   Validation for portainer.example.com:80
traefik             |   Resolved to:
traefik             |       104.31.84.180
traefik             |       104.31.85.180
traefik             |       2400:cb00:2048:1::681f:55b4
traefik             |       2400:cb00:2048:1::681f:54b4
traefik             |   Used: 2400:cb00:2048:1::681f:55b4
traefik             | 
traefik             | ]" 

Answer 1

看起来您已经将Traefik配置为使用example.com作为主域，这不太可能在您的控制之下。

你需要控制一个域，以便Traefik能够向它公开容器，并通过Let's Encrypt为它颁发证书。