Differences
This shows the differences between two versions of the page.
dienste:bytecluster0002:traefik [03.10.2020 17:55] – mape2k | dienste:bytecluster0002:traefik [12.12.2020 21:55] (current) – mape2k
Line 16: | Line 16:
* Traefik (Loadbalancer, | * Traefik (Loadbalancer, | ||
- | ===== Installation | + | ===== Betrieb |
- | < | + | ==== Routing für Domain anlegen ==== |
- | wget https:// | + | |
- | git clone https://github.com/Bytespeicher/traefik | + | - DNS-Eintrag anlegen |
+ | * Name: **Subdomain** der entsprechenden Domain | ||
+ | * Typ: **CNAME** | ||
+ | * Wert: **bytecluster0002.bytespeicher.org** | ||
+ | * TTL: **3600** | ||
+ | - Konfiguration anlegen | ||
+ | - Beispiel für einfachen Webdienst auf einem anderen Port< | ||
+ | [http.services] | ||
+ | [http.services.testwiki.loadbalancer] | ||
+ | [[http.services.testwiki.loadbalancer.servers]] | ||
+ | # Internal Destination URL and port | ||
+ | url = "http://10.2.0.10: | ||
- | cd traefik | + | [http.routers] |
- | tar xfz traefik_v2.3.0_linux_amd64.tar.gz | + | [http.routers.testwiki] |
- | + | entryPoints = [ " | |
- | rm traefik_v2.3.0_linux_amd64.tar.gz | + | # Domain used for service |
- | + | rule = " | |
- | sudo cp / | + | # Servicename used in http.services.SERVICENAME.loadbalancer above |
- | + | | |
- | sudo chown root:root / | + | |
- | + | # Use Let's Encrypt | |
- | sudo chmod 755 /usr/ | + | |
- | + | </file> | |
- | sudo setcap ' | + | ===== Installation ===== |
- | + | ||
- | sudo groupadd -g 321 traefik | + | |
- | + | ||
- | sudo useradd | + | |
- | + | ||
- | sudo mkdir / | + | |
- | + | ||
- | sudo mkdir / | + | |
- | + | ||
- | sudo chown -R root:root / | + | |
- | sudo chown -R traefik: | + | * Standard-Template mit Benutzern |
- | sudo touch / | + | ==== Traefik ==== |
- | sudo chown traefik:traefik / | + | - Traefik herunterladen |
+ | * **wget https:// | ||
+ | - Verzeichnisse erstellen | ||
+ | * **sudo mkdir /opt/traefik** | ||
+ | * **sudo mkdir -p /etc/traefik/ | ||
+ | * **sudo mkdir / | ||
+ | - Traefik-Archiv auspacken und entfernen | ||
+ | * **< | ||
+ | * **rm traefik_v2.3.1_linux_amd64.tar.gz** | ||
+ | - Benutzer und Gruppe anlegen | ||
+ | * **< | ||
+ | * **< | ||
+ | - Konfiguration anlegen | ||
+ | * **TODO** | ||
+ | - Service Unit anlegen< | ||
+ | [Unit] | ||
+ | Description=traefik proxy | ||
+ | After=network-online.target | ||
+ | Wants=network-online.target systemd-networkd-wait-online.service | ||
+ | [Service] | ||
+ | Restart=on-abnormal | ||
- | sudo mv *.toml /etc/traefik/ | + | ; User and group the process will run as. |
+ | User=traefik | ||
+ | Group=traefik | ||
- | sudo chown root:root / | + | ; Always set "-root" to something safe in case it gets forgotten in the traefikfile. |
+ | ExecStart=/ | ||
- | sudo chmod 644 / | + | ; Limit the number of file descriptors; |
+ | LimitNOFILE=1048576 | ||
- | sudo mv traefik.service | + | ; Use private /tmp and /var/tmp, which are discarded after traefik |
+ | PrivateTmp=true | ||
+ | ; Use a minimal /dev (May bring additional security if switched to ' | ||
+ | PrivateDevices=false | ||
+ | ; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. | ||
+ | ProtectHome=true | ||
+ | ; Make /usr, / | ||
+ | ProtectSystem=full | ||
+ | ; ... except | ||
+ | ; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! | ||
+ | ReadWriteDirectories=/ | ||
- | sudo chown root:root /etc/systemd/system/traefik.service | + | ; The following additional security directives only work with systemd |
+ | ; They further restrict privileges that can be gained by traefik. | ||
+ | ; Note that you may have to add capabilities required by any plugins in use. | ||
+ | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
+ | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
+ | NoNewPrivileges=true | ||
- | sudo chmod 644 / | + | [Install] |
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | - Berechtigungen setzen | ||
+ | * **sudo chown -R traefik: | ||
+ | * **sudo chmod 750 / | ||
+ | * **sudo chmod 644 / | ||
+ | * **sudo chown root:root / | ||
+ | * **sudo chmod 644 / | ||
+ | * **sudo chown root:root / | ||
+ | - Traefik dauerhaft aktivieren und gleichzeitig starten | ||
+ | * **sudo systemctl daemon-reload** | ||
+ | * **sudo systemctl enable --now traefik.service** | ||
- | sudo systemctl daemon-reload | + | ==== Backup mit Borgmatic ==== |
- | sudo systemctl start traefik.service | + | * siehe [[mariadb]] |
- | sudo systemctl enable traefik.service | ||
- | </ |
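Review bot: the rewritten installation list leaves the "Konfiguration anlegen" step as `* **TODO**`, so a reader following the numbered steps has no configuration files to put under `/etc/traefik/` before the later "Berechtigungen setzen" and `sudo systemctl enable --now traefik.service` steps; the removed revision at least had `git clone https://github.com/Bytespeicher/traefik` followed by `sudo mv *.toml /etc/traefik/`, so the new step should either describe the files or link to that repository. In the unit file, `PrivateDevices=false` is kept although the comment directly above it says that `true` may bring additional security; unless Traefik is known to need device access on this host, `PrivateDevices=true` is the safer value and can be confirmed by restarting the service after the change. Replacing the old `sudo setcap` step with `CapabilityBoundingSet`/`AmbientCapabilities=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` is fine as written.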