11notes/traefik Docker 镜像 - 轩辕镜像 | Docker 镜像高效稳定拉取服务

TRAEFIK

!size!5px!version!5px!pulls!5px[]([***]

默认以无根、无发行版方式安全运行Traefik！

简介 📢

Traefik（发音为“traffic”）是一款现代HTTP反向代理和负载均衡器，可简化微服务部署。

!DASHBOARD

概要 📖

我能用这个做什么？ 以无发行版和无根方式运行首选的IaC反向代理，实现最高安全性。

独特价值主张 💶

为什么我应该运行此镜像而不是其他已存在的镜像？ 好问题！因为……

• ……此镜像以无根方式运行，用户ID和组ID为1000:1000
• ……此镜像无shell，因为它是无发行版的
• ……此镜像通过CI/CD自动更新至最新版本
• ……此镜像包含健康检查
• ……此镜像以只读方式运行
• ……此镜像在发布前后会自动扫描CVE
• ……此镜像通过安全且固定的CI/CD流程创建
• ……此镜像体积非常小

如果您重视安全性、简洁性和极致优化，那么此镜像可能适合您。

对比 🏁

以下是此镜像与最常用或原始镜像的对比。

卷 📁

• /traefik/var - 所有动态数据和配置的目录

Compose 配置 ✂️

yaml
name: "reverse-proxy"

x-lockdown: &lockdown
  # 防止对镜像本身的写访问
  read_only: true
  # 防止容器内任何进程获取更多权限
  security_opt:
    - "no-new-privileges=true"

services:
  socket-proxy:
    # 有关此镜像的更多信息，请查看：
    # [***]
    image: "11notes/socket-proxy:2.1.6"
    <<: *lockdown
    user: "0:0"
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "/run/docker.sock:/run/docker.sock:ro" 
      - "socket-proxy.run:/run/proxy"
    restart: "always"

  traefik:
    depends_on:
      socket-proxy:
        condition: "service_healthy"
        restart: true
    image: "11notes/traefik:3.5.3"
    <<: *lockdown
    labels:
      - "traefik.enable=true"

      # 默认错误中间件
      - "traefik.http.middlewares.default-errors.errors.status=402-599"
      - "traefik.http.middlewares.default-errors.errors.query=/{status}"
      - "traefik.http.middlewares.default-errors.errors.service=default-errors"

      # 默认速率限制
      - "traefik.http.middlewares.default-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.default-ratelimit.ratelimit.burst=120"
      - "traefik.http.middlewares.default-ratelimit.ratelimit.period=1s"

      # 默认内容安全策略（CSP）
      - "traefik.http.middlewares.default-csp.headers.contentSecurityPolicy=default-src 'self' blob: data: 'unsafe-inline'"

      # 默认允许列表
      - "traefik.http.middlewares.default-ipallowlist-RFC1918.ipallowlist.sourcerange=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

      # 如何保护Traefik仪表板和API的示例
      - "traefik.http.routers.dashboard.rule=Host(`${FQDN_TRAEFIK}`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth"
      - "traefik.http.routers.dashboard.entrypoints=https"
      # admin / traefik，请修改！
      - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$2a$12$ktgZsFQZ0S1FeQbI1JjS9u36fAJMHDQaY6LNi9EkEp8sKtP5BK43C"

      # 默认全匹配路由器
      - "traefik.http.routers.default.rule=HostRegexp(`.+`)"
      - "traefik.http.routers.default.priority=1"
      - "traefik.http.routers.default.entrypoints=https"
      - "traefik.http.routers.default.service=default-errors"

      # 默认HTTP到HTTPS重定向
      - "traefik.http.middlewares.default-http.redirectscheme.permanent=true"
      - "traefik.http.middlewares.default-http.redirectscheme.scheme=https"
      - "traefik.http.routers.default-http.priority=1"
      - "traefik.http.routers.default-http.rule=HostRegexp(`.+`)"
      - "traefik.http.routers.default-http.entrypoints=http"
      - "traefik.http.routers.default-http.middlewares=default-http"
      - "traefik.http.routers.default-http.service=default-http"
      - "traefik.http.services.default-http.load***.passhostheader=true"
    environment:
      TZ: "Europe/Zurich"
      PORKBUN_API_KEY: "${PORKBUN_API_KEY}"
      PORKBUN_SECRET_API_KEY: "${PORKBUN_SECRET_API_KEY}"
    command:
      # ping是健康检查工作所必需的！
      - "--ping=true"
      - "--ping.terminatingStatusCode=204"
      - "--global.checkNewVersion=false"
      - "--global.sendAnonymousUsage=false"
      - "--accesslog=true"
      - "--api.dashboard=true"
      # 禁用不安全的API和仪表板访问
      - "--api.insecure=false"
      - "--log.level=INFO"
      - "--log.format=json"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.file.directory=/traefik/var"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.middlewares=default-errors,default-ratelimit,default-ipallowlist-RFC1918,default-csp"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.https.http.tls=true"
      - "--entrypoints.https.http.middlewares=default-errors,default-ratelimit,default-ipallowlist-RFC1918,default-csp"
      # 禁用上游HTTPS证书检查（https > https）
      - "--serversTransport.insecureSkipVerify=true"
      # 插件示例
      - "--experimental.plugins.rewriteResponseHeaders.moduleName=github.com/jamesmcroft/traefik-plugin-rewrite-response-headers"
      - "--experimental.plugins.rewriteResponseHeaders.version=v1.1.2"
      - "--experimental.plugins.geoblock.moduleName=github.com/PascalMinder/geoblock"
      - "--experimental.plugins.geoblock.version=v0.3.3"
      # Porkbun DNS挑战的Let's Encrypt示例
      - "--certificatesResolvers.porkbun.acme.storage=/traefik/var/porkbun.json"
      - "--certificatesResolvers.porkbun.acme.dnsChallenge.provider=porkbun"
      - "--certificatesResolvers.porkbun.acme.dnsChallenge.delayBeforeCheck=30"
      - "--entrypoints.https.http.tls.certresolver=porkbun"
      - "--entrypoints.https.http.tls.domains[0].main=${DOMAIN0}"
      - "--entrypoints.https.http.tls.domains[0].sans=*.${DOMAIN0}"
      # 启用指标
      - "--entrypoints.metrics.address=:8899"
      - "--metrics.prometheus=true"
      - "--metrics.prometheus.entryPoint=metrics"
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
    volumes:
      - "var:/traefik/var"
      - "plugins:/traefik/plugins"
      # 通过代理只读访问Docker socket
      - "socket-proxy.run:/var/run"
    networks:
      backend:
      frontend:
    sysctls:
      # 允许无根容器访问小于1024的端口
      net.ipv4.ip_unprivileged_port_start: 80
    restart: "always"

  errors:
    # 此镜像可用于显示简单错误消息，因为Traefik无法提供内容
    image: "11notes/traefik:errors"
    <<: *lockdown
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.default-errors.load***.server.port=3000"
    environment:
      TZ: "Europe/Zurich"
    networks:
      backend:
    restart: "always"

  prometheus:
    # 有关此镜像的更多信息，请查看：
    # [***]
    depends_on:
      traefik:
        condition: "service_healthy"
        restart: true
    image: "11notes/prometheus:3.6.0"
    <<: *lockdown
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.prometheus.rule=Host(`${FQDN_PROMETHEUS}`)"
      - "traefik.http.routers.prometheus.entrypoints=https"
      - "traefik.http.routers.prometheus.service=prometheus"
      - "traefik.http.services.prometheus.load***.server.port=3000"
    environment:
      TZ: "Europe/Zurich"
      PROMETHEUS_CONFIG: |-
        global:
          scrape_interval: 15s

        scrape_configs:
          - job_name: "traefik"
            static_configs:
              - targets: ["traefik:8899"]
    volumes:
      - "prometheus.etc:/prometheus/etc"
      - "prometheus.var:/prometheus/var"
    networks:
      backend:
    restart: "always"

  # ╔═════════════════════════════════════════════════════╗
  # ║     演示容器 - 请勿在生产环境中使用！      ║
  # ╚═════════════════════════════════════════════════════╝
  # 用于创建包含客户端更多信息的端点

  whoami:
    image: "traefik/whoami"
    <<: *lockdown
    command:
      - "--port=3000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.service=whoami"
      - "traefik.http.services.whoami.load***.server.port=3000"
    networks:
      backend:
    restart: "always"

volumes:
  var:
  plugins:
  socket-proxy.run:
  prometheus.etc:
  prometheus.var:

networks:
  frontend:
  backend:
    internal: true

要了解如何更改此容器镜像的默认UID/GID，请参阅我的RTFM中的how-to.changeUIDGID部分。

默认设置 🗃️

环境变量 📝

主要标签 🏷️

以下是镜像的主要标签。每个提交及其简写sha256值也有对应的标签。

• 3.5.3

没有latest标签，我应该如何处理更新？

我认为:latest标签很危险。很多时候，我对镜像引入了破坏性变更，这可能会给一些人带来麻烦。如果您不想将标签更改为最新的语义化版本，只需使用语义化版本的短版本。不使用:3.5.3，您可以使用:3或:3.5。由于这些标签会在每个新版本中更新为软件的最新版本，使用它们与使用:latest类似，但至少固定在主版本或次版本上。

如果您仍然坚持使用此应用的最新版本，只需使用:rolling标签，但请注意！您将立即获得应用的最新版本，无论是否有破坏性变更或安全问题。风险自负！

仓库 ☁️

docker pull