In the previous article, we briefly introduced about Traefik For related concepts and component principle mechanism, please refer to: Why traifik ingress?
As an innovative edge router, it means that Traefik is the guardian of the whole application platform, intercepting and routing each access request: determining which services handle the corresponding requests based on the set logic and rules. For the model portrait of Traefik, please refer to the following:
Of course, in addition to the service agent characteristics, Traefik At the same time, it also has a "service discovery" function mechanism, which dynamically detects the back-end service status information and updates the routing rules in real time, so as to achieve the effect of service governance.
We take The Docker Provider scenario is used as a reference model to briefly analyze the Traefik ecology, so that we can deeply understand the relevant characteristics of Traefik.
In the following scenarios, we take the latest version of Traefik v2.5.2 image as an example to deploy and run relevant instances, as shown below:
[administrator@JavaLangOutOfMemory ~] % vi docker-compose.yaml
version: '3'
services:
reverse-proxy:
image: traefik:latest
# Open the web UI and traifik listens to Docker
command: --api.insecure=true --providers.docker
ports:
# HTTP port
- "80:80"
# Web UI port (enabled by -- api.insecure=true)
- "8080:8080"
volumes:
# Traifik listens for Docker events
- /var/run/docker.sock:/var/run/docker.sockThen, we run this instance as follows:
[administrator@JavaLangOutOfMemory ~] % docker-compose up -d reverse-proxy
[administrator@JavaLangOutOfMemory ~] % curl -i http://192.168.56.114:8080/api/rawdata?jsonHTTP/1.1 200 OKContent-Type: application/jsonDate: Thu, 09 Sep 2021 02:05:08 GMTContent-Length: 1361
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:05:08 GMT
Content-Length: 1361
{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}}}}At this time, we can also access it through the browser http://192.168.56.114:8080/api/rawdata Interface to view the raw data of Traefik's API.
Next, we deploy a Demo service to create a route based on traifik, as shown below:
version: '3'
services:
reverse-proxy:
# Official traifik 2.0 docker image
image: traefik:latest
# Open the web UI and tell traifik to listen to Docker
command: --api.insecure=true --providers.docker
ports:
# HTTP port
- "80:80"
# Web UI port (enabled by -- api.insecure=true)
- "8080:8080"
volumes:
# This allows traifik to listen for Docker events
- /var/run/docker.sock:/var/run/docker.sock
whoami:
# A container that exposes its IP address through the API
image: containous/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"Based on the Yaml file above, we defined a simple web service named whoami, which will print the relevant information of the deployed machine (IP address, host, etc.). Then we start the whoami service with the following command:
[administrator@JavaLangOutOfMemory ~] % docker-compose up -d whoami
At this point, we request the Api interface again, and the results are as follows:
[administrator@JavaLangOutOfMemory ~] % curl -i http://192.168.56.114:8080/api/rawdata?jsonHTTP/1.1 200 OKContent-Type: application/jsonDate: Thu, 09 Sep 2021 02:09:25 GMTContent-Length: 1705
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:09:25 GMT
Content-Length: 1705
{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]},"whoami@docker":{"entryPoints":["http"],"service":"whoami-traefik","rule":"Host(`whoami.docker.localhost`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}},"whoami-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.3:80"}],"passHostHeader":true},"status":"enabled","usedBy":["whoami@docker"],"serverStatus":{"http://172.20.0.3:80":"UP"}}}}By viewing / api/rawdata From the data returned by the interface, we found that Traefik has automatically detected the new container and updated the corresponding configuration. When introducing Traefik earlier, we said that when Traefik detects a new service, it will automatically create the corresponding route, and then we can access the corresponding route. At this time, we use the Curl tool to verify, as shown below:
[administrator@JavaLangOutOfMemory ~] % curl -H Host:whoami.docker.localhost http://127.0.0.1 Hostname: d1078dbb0332 IP: 127.0.0.1 IP: 172.20.0.3 RemoteAddr: 172.20.0.2:37580 GET / HTTP/1.1 Host: whoami.docker.localhost User-Agent: curl/7.29.0 Accept: */* Accept-Encoding: gzip X-Forwarded-For: 172.20.0.1 X-Forwarded-Host: whoami.docker.localhost X-Forwarded-Port: 80 X-Forwarded-Proto: http X-Forwarded-Server: 814dfa472b98 X-Real-Ip: 172.20.0.1
Next, we are right The whoami service is expanded to verify the load balancing function of Traefik. The specific operations are as follows:
[administrator@JavaLangOutOfMemory ~] % docker-compose up -d --scale whoami=4 traefik_reverse-proxy_1 is up-to-date Creating traefik_whoami_2 ... done Creating traefik_whoami_3 ... done Creating traefik_whoami_4 ... done
At this point, let's take a look at the container status of our service after the expansion is completed, as shown below:
[administrator@JavaLangOutOfMemory ~] % docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------------
traefik_reverse-proxy_1 /entrypoint.sh --api.insec ... Up 0.0.0.0:80->80/tcp,:::80->80/tcp, 0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
traefik_whoami_1 /whoami Up 80/tcp
traefik_whoami_2 /whoami Up 80/tcp
traefik_whoami_3 /whoami Up 80/tcp
traefik_whoami_4 /whoami Up 80/tc[administrator@JavaLangOutOfMemory ~] % curl -i http://192.168.56.114:8080/api/rawdata?json
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 09 Sep 2021 02:28:35 GMT
Content-Length: 1882
{"routers":{"api@internal":{"entryPoints":["traefik"],"service":"api@internal","rule":"PathPrefix(`/api`)","priority":2147483646,"status":"enabled","using":["traefik"]},"dashboard@internal":{"entryPoints":["traefik"],"middlewares":["dashboard_redirect@internal","dashboard_stripprefix@internal"],"service":"dashboard@internal","rule":"PathPrefix(`/`)","priority":2147483645,"status":"enabled","using":["traefik"]},"reverse-proxy-traefik@docker":{"entryPoints":["http"],"service":"reverse-proxy-traefik","rule":"Host(`reverse-proxy-traefik`)","status":"enabled","using":["http"]},"whoami@docker":{"entryPoints":["http"],"service":"whoami-traefik","rule":"Host(`whoami.docker.localhost`)","status":"enabled","using":["http"]}},"middlewares":{"dashboard_redirect@internal":{"redirectRegex":{"regex":"^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$","replacement":"${1}/dashboard/","permanent":true},"status":"enabled","usedBy":["dashboard@internal"]},"dashboard_stripprefix@internal":{"stripPrefix":{"prefixes":["/dashboard/","/dashboard"]},"status":"enabled","usedBy":["dashboard@internal"]}},"services":{"api@internal":{"status":"enabled","usedBy":["api@internal"]},"dashboard@internal":{"status":"enabled","usedBy":["dashboard@internal"]},"noop@internal":{"status":"enabled"},"reverse-proxy-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.2:80"}],"passHostHeader":true},"status":"enabled","usedBy":["reverse-proxy-traefik@docker"],"serverStatus":{"http://172.20.0.2:80":"UP"}},"whoami-traefik@docker":{"loadBalancer":{"servers":[{"url":"http://172.20.0.4:80"},{"url":"http://172.20.0.5:80"},{"url":"http://172.20.0.3:80"},{"url":"http://172.20.0.6:80"}],"passHostHeader":true},"status":"enabled","usedBy":["whoami@docker"],"serverStatus":{"http://172.20.0.3:80":"UP","http://172.20.0.4:80":"UP","http://172.20.0.5:80":"UP","http://172.20.0.6:80":"UP"}}}}At this time, we request 4 times to view the load balancing of Traefik among the four instances. The specific commands are as follows:
[administrator@JavaLangOutOfMemory ~] % curl -H Host:whoami.docker.localhost http://127.0.0.1 # for the first time Hostname: 50f70b1ccace IP: 127.0.0.1 IP: 172.20.0.4 RemoteAddr: 172.20.0.2:40000 ... # The second time Hostname: 8c2204231f98 IP: 127.0.0.1 IP: 172.20.0.5 RemoteAddr: 172.20.0.2:39660 ... # third time Hostname: d1078dbb0332 IP: 127.0.0.1 IP: 172.20.0.3 RemoteAddr: 172.20.0.2:37600 ... # Fourth time Hostname: f1cf5b632fde IP: 127.0.0.1 IP: 172.20.0.6 RemoteAddr: 172.20.0.2:50384 ...
Based on this, we http://192.168.56.114:8080/dashboard/#/ Access the traifik Web UI to observe different routing requests, services, middleware and other associated information. The details are as follows:
On the whole homepage, we can see the requests and service types of different protocols supported by Traefik, including HTTP, TCP and UDP. At the same time, different types of Providers are displayed, including Docker and K8S And other relevant information. Based on the HTTP protocol, you can see the established 4 routing rules, 5 services and 2 custom middleware. Taking middlewars as an example, we can click the "Explore" link in the "middlewars" section based on HTTP protocol to see the link topology call chain formed by the currently deployed applications, as shown below:
If you are interested in the custom development practice of traifik middleware, please refer to the previous article: Traifik middleware plug-in practice So that everyone can understand the rich functions of traifik.
The custom renewal function for certificates is also one of the powerful functions of the traifik component. Based on this, we will briefly describe it based on HTTP and DNS respectively.
Based on the above scenario, the brief activity flow is analyzed as follows:
Traifik uses ACME (a protocol (a precisely agreed means of communication) to negotiate certificates from LE. It is part of traifik) Request a domain specific certificate from LE (Let's Encrypt, a service that provides free certificates), such as example.com. LE answers with randomly generated text, which Traefik places in a specific location on the server. LE then asks the DNS Internet server, such as. Com, which points to an IP address. LE views the IP address of the file containing the random text through port 80 / 443.
If so, this proves that the person requesting the certificate controls both the server and the domain because it shows control over DNS records. The certificate has been issued and is valid for 3 months. When less than 30 days remain, traifik will automatically try to renew it.
The advantage of HttpChallenge is that it can obtain wildcard certificates. These are all subdomains that are validated *. In addition, you do not need to open any ports. The related file configuration is as follows:
## STATIC CONFIGURATION
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: whatever@gmail.com
httpChallenge:
entryPoint: web
Based on this scenario, Traefik uses ACME to request domain specific certificates from LE, such as example.com. LE answers some randomly generated text, which Traefik uses as a new DNS TXT record. Then, check the example.com DNS record to see if the text exists.
If it exists, it proves that the person requesting the certificate controls the domain, and the certificate is valid for 3 months. Traifik will automatically attempt to renew when the remaining time is less than 30 days.
Compared with HttpChallenge , Traifik needs to be able to automatically update DNS records, so it needs the support of anyone who manages DNS sites. That's why Cloudflare is used. The related file configuration is as follows:
## STATIC CONFIGURATION
log:
level: INFO
api:
insecure: true
dashboard: true
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
certificatesResolvers:
lets-encr:
acme:
#caServer: https://acme-staging-v02.api.letsencrypt.org/directory
storage: acme.json
email: whatever@gmail.com
httpChallenge:
entryPoint: web
In addition to the above features, in Traefik V2.3.x and subsequent versions, a series of latest functions are introduced, including Traefik plug-in system, integration with Traefik Pilot, support for Amazon ECS, etc., so that the functions of Traefik ecological components are richer and more widely used.
In addition to the example, alarm and monitoring information functions shown above, traifik pilot also supports user-defined "plug-in" development functions. It provides rich plug-in types, which can be adaptively assembled in combination with actual business scenarios, as shown below:
To sum up, as a cloud native edge router, the traifik function has been able to meet most business scenarios, as well as many industries and applications. Perhaps, in the next version, we will usher in a more powerful Traifik ecology, including support for Kubernetes Service API newly launched by Google team, and support for mTLS in traifik mesh The function of. In addition to the above, other potential functional features will emerge with the continuous changes of the market. Finally, let's wait and see
# reference material
- https://github.com/DoTheEvo/
Original:
https://mp.weixin.qq.com/cgi-bin/home?t=home/index&token=753063752&lang=zh_CN