Traefik Reverse Proxy and Load Balancing
Traefik is a modern reverse proxy and load balancer designed for microservices and containerized environments. Its defining feature is automatic discovery of Docker containers, for which it configures routing rules on its own, and it can request and renew Let's Encrypt HTTPS certificates automatically. Compared with Nginx, Traefik's configuration is more dynamic and automated. This article deploys Traefik on a 搬瓦工 (BandwagonHost) VPS and configures it as a reverse proxy.
1. Requirements
- Docker: install Docker and Docker Compose first.
- Memory: Traefik needs only about 64 MB of additional memory.
- Domain: at least one domain name pointing at the VPS's IP (needed for the HTTPS certificate).
2. Deploying with Docker Compose
Create docker-compose.yml:
version: '3.8'
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/acme.json
      - ./config:/etc/traefik/config:ro
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$xxxxx"
networks:
  web:
    external: true
2.1 Creating the Traefik configuration
Create traefik.yml:
api:
  dashboard: true
  insecure: false
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: web
  file:
    directory: /etc/traefik/config
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: /acme.json
      httpChallenge:
        entryPoint: web
log:
  level: INFO
accessLog: {}
2.2 Initializing and starting
# Create the external network
docker network create web
# Create the certificate storage file
touch acme.json
chmod 600 acme.json
# Create the configuration directory
mkdir -p config
# Start Traefik
docker compose up -d
3. Configuring reverse-proxied services
Traefik configures routes automatically from Docker labels. Deploying a web application, for example:
version: '3.8'
services:
  webapp:
    image: nginx:alpine
    container_name: webapp
    restart: always
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webapp.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.services.webapp.loadbalancer.server.port=80"
networks:
  web:
    external: true
As long as the container is attached to the web network and carries the labels above, Traefik configures the reverse proxy and obtains an HTTPS certificate for it automatically.
4. Multi-service example
version: '3.8'
services:
  blog:
    image: wordpress:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blog.rule=Host(`blog.yourdomain.com`)"
      - "traefik.http.routers.blog.tls.certresolver=letsencrypt"
      - "traefik.http.services.blog.loadbalancer.server.port=80"
    networks:
      - web
      - internal
  api:
    image: myapi:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.yourdomain.com`)"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.services.api.loadbalancer.server.port=3000"
    networks:
      - web
      - internal
  gitea:
    image: gitea/gitea:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`git.yourdomain.com`)"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    networks:
      - web
      - internal
networks:
  web:
    external: true
  internal:
    external: false
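Because routing in sections 3 and 4 is driven entirely by labels, a typo in one label silently drops a route or leaves a site without a certificate. The following label linter is an added example (not part of this article or of Traefik) that performs, before `docker compose up`, the checks a reviewer would otherwise do by hand: `traefik.enable=true` is present (required because `exposedByDefault` is false), every router has a rule and a `tls.certresolver`, the targeted service declares a `loadbalancer.server.port`, and every referenced middleware is defined. The label sets are copied from the compose files above; the `broken` service is a constructed, deliberately faulty input. Treating a router with no explicit `service` as using the container's single declared service is a simplification of Traefik's behaviour.

```python
"""Lint Traefik Docker labels before `docker compose up` (added example, not a Traefik tool).

For each service's label list it performs the checks a reviewer would otherwise do by hand:
- with exposedByDefault: false, a container without traefik.enable=true is ignored
- every router needs a rule and, for automatic HTTPS, a tls.certresolver
- the service a router targets should declare loadbalancer.server.port explicitly
- every middleware a router references must be defined on some container
"""
from collections import defaultdict

# Constructed input: the label sets from the compose files above, plus one deliberately broken service.
SERVICES = {
    "traefik": [
        "traefik.enable=true",
        "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)",
        "traefik.http.routers.dashboard.service=api@internal",
        "traefik.http.routers.dashboard.tls.certresolver=letsencrypt",
        "traefik.http.routers.dashboard.middlewares=auth",
        "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$xxxxx",
    ],
    "webapp": [
        "traefik.enable=true",
        "traefik.http.routers.webapp.rule=Host(`app.yourdomain.com`)",
        "traefik.http.routers.webapp.tls.certresolver=letsencrypt",
        "traefik.http.services.webapp.loadbalancer.server.port=80",
    ],
    "broken": [  # constructed: no traefik.enable, no TLS, no port, and an undefined middleware
        "traefik.http.routers.broken.rule=Host(`x.yourdomain.com`)",
        "traefik.http.routers.broken.middlewares=nosuchmw",
    ],
}


def parse_labels(labels):
    """Split 'key=value' strings into a dict; the value may itself contain '='."""
    parsed = {}
    for label in labels:
        key, _, value = label.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def lint_stack(services, exposed_by_default=False):
    """Return (container, message) findings for a whole stack of label sets."""
    findings = []
    routers = {}                        # router name -> (container, {option: value})
    middlewares = set()                 # middleware names defined anywhere in the stack
    lb_ports = {}                       # traefik service name -> declared port
    own_services = defaultdict(set)     # container -> traefik service names it declares

    for container, labels in services.items():
        kv = parse_labels(labels)
        enabled = kv.get("traefik.enable", "").lower() == "true"
        if not enabled and not exposed_by_default and any(k.startswith("traefik.http.") for k in kv):
            findings.append((container, "has Traefik labels but no traefik.enable=true; the container will be ignored"))
        for key, value in kv.items():
            parts = key.split(".")
            if len(parts) < 5 or parts[:2] != ["traefik", "http"]:
                continue
            kind, name, option = parts[2], parts[3], ".".join(parts[4:])
            if kind == "routers":
                routers.setdefault(name, (container, {}))[1][option] = value
            elif kind == "middlewares":
                middlewares.add(name)
            elif kind == "services":
                own_services[container].add(name)
                if option == "loadbalancer.server.port":
                    lb_ports[name] = value

    for name, (container, opts) in routers.items():
        if "rule" not in opts:
            findings.append((container, f"router {name} has no rule"))
        if "tls.certresolver" not in opts:
            findings.append((container, f"router {name} has no tls.certresolver, so no Let's Encrypt certificate is requested"))
        # Without an explicit service, assume the container's single declared service
        # (simplification; if it declares none, assume a service named like the router).
        target = opts.get("service")
        if target is None:
            declared = own_services[container]
            target = next(iter(declared)) if len(declared) == 1 else name
        if not target.endswith("@internal") and target not in lb_ports:
            findings.append((container, f"router {name} -> service {target} has no explicit loadbalancer.server.port; "
                                        "Traefik falls back to the image's exposed port, which fails if there are zero or several"))
        for mw in opts.get("middlewares", "").split(","):
            mw = mw.strip()
            if mw and mw.split("@")[0] not in middlewares:
                findings.append((container, f"router {name} references undefined middleware {mw}"))
    return findings


if __name__ == "__main__":
    for container, message in lint_stack(SERVICES):
        print(f"[{container}] {message}")
```

Run it against the label lists of your own compose files; the `traefik` and `webapp` entries produce no findings, while `broken` produces four, one per mistake.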
5. Middleware configuration
5.1 Basic Auth
# Generate the password hash (note: in a compose file every $ must be doubled to $$)
apt install apache2-utils -y
htpasswd -nb admin your_password
labels:
  - "traefik.http.middlewares.myauth.basicauth.users=admin:$$apr1$$xxxxx"
  - "traefik.http.routers.myapp.middlewares=myauth"
5.2 Rate limiting
labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
  - "traefik.http.routers.myapp.middlewares=ratelimit"
5.3 IP whitelist
labels:
  - "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=192.168.1.0/24,10.0.0.0/8"
  - "traefik.http.routers.myapp.middlewares=ipwhitelist"
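The question this middleware raises for a defender is which address it actually compares with `sourcerange`. By default Traefik uses the TCP peer address; only when the middleware's `ipStrategy.depth` option is set does it read `X-Forwarded-For`, taking the entry `depth` positions from the right, and a header with fewer entries than `depth` yields no address and a 403. The helper below is an added example (not Traefik code) that mirrors that documented selection logic for the value in the label above, so you can reason about what a CDN or upstream proxy in front of Traefik does to the rule. Whether Traefik accepts a client-supplied `X-Forwarded-For` at all depends on the entry point's `forwardedHeaders.trustedIPs` setting, which this helper does not model. Note also that Traefik v3 deprecated `ipwhitelist` in favor of `ipallowlist`; the selection semantics are the same. The two request tuples are constructed inputs.

```python
"""Which address does the ipwhitelist / ipallowlist middleware actually test? (added example)

By default Traefik compares the TCP peer address with sourceRange. Only when
ipStrategy.depth is set does it read X-Forwarded-For and pick the entry `depth`
positions from the right; fewer entries than `depth` means no IP, which is rejected.
"""
import ipaddress

SOURCE_RANGE = "192.168.1.0/24,10.0.0.0/8"  # the value from the label above


def parse_source_range(value):
    """Turn the comma-separated sourcerange value into network objects."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def select_client_ip(remote_addr, headers, depth=0):
    """Return the address the middleware evaluates, or None if it cannot determine one.

    remote_addr is the peer address without port (constructed simplification).
    """
    if depth <= 0:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < depth:
        return None
    return entries[-depth]


def is_allowed(remote_addr, headers, source_range=SOURCE_RANGE, depth=0):
    """True if the selected client address lies in one of the allowed ranges."""
    ip = select_client_ip(remote_addr, headers, depth)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or empty entry: deny
    return any(addr in net for net in parse_source_range(source_range))


# Constructed requests: a direct client, and the same client seen through an upstream proxy.
DIRECT = ("10.1.2.3", {})
VIA_PROXY = ("203.0.113.9", {"X-Forwarded-For": "10.1.2.3"})

if __name__ == "__main__":
    print("direct client, default strategy:", is_allowed(*DIRECT))          # True
    print("via proxy, default strategy:   ", is_allowed(*VIA_PROXY))       # False: peer is the proxy
    print("via proxy, depth=1:            ", is_allowed(*VIA_PROXY, depth=1))  # True
```

The second and third lines of output are the practical point: with the label exactly as written (no `ipStrategy`), a request arriving through another proxy is judged by the proxy's address, so an internal client is denied and, conversely, the whole proxy must be listed in `sourcerange` if its traffic should pass.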
5.4 HTTP headers
labels:
  - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
  - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.security-headers.headers.frameDeny=true"
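Two things are worth checking after applying these labels. First, unlike 5.1 to 5.3, the block above only defines the middleware; it still has to be attached with a `traefik.http.routers.<name>.middlewares=security-headers` label or nothing changes. Second, Traefik adds `Strict-Transport-Security` only to responses served over TLS unless the middleware's `forceSTSHeader` option is set, so test the https:// URL. The script below is an added example (not Traefik code) that audits a set of response headers against what the four labels configure: `max-age=31536000`, `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY` and `X-XSS-Protection: 1; mode=block`. The two header dictionaries are constructed responses; `audit_url` is a convenience wrapper that needs network access and takes a caller-supplied URL.

```python
"""Verify that the security-headers middleware is really applied (added example).

Pass a response's headers and get back the list of controls that are missing or weaker
than the labels above configure; an empty list means all four are present.
"""
import urllib.request


def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of problems found in the response headers (case-insensitive names)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []

    # stsSeconds=31536000 -> Strict-Transport-Security: max-age=31536000
    max_age = None
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if max_age is None:
        problems.append("Strict-Transport-Security missing or has no max-age")
    elif max_age < min_hsts_age:
        problems.append(f"Strict-Transport-Security max-age={max_age} is below {min_hsts_age}")

    # contentTypeNosniff=true -> X-Content-Type-Options: nosniff
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options is not 'nosniff'")
    # frameDeny=true -> X-Frame-Options: DENY
    if h.get("x-frame-options", "").upper() != "DENY":
        problems.append("X-Frame-Options is not 'DENY'")
    # browserXssFilter=true -> X-XSS-Protection: 1; mode=block
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        problems.append("X-XSS-Protection is not '1; mode=block'")
    return problems


def audit_url(url):
    """Fetch a caller-supplied URL and audit its response headers (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit_security_headers(dict(resp.headers.items()))


# Constructed responses: one from a router with the middleware attached, one without.
WITH_MIDDLEWARE = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html",
}
WITHOUT_MIDDLEWARE = {"Content-Type": "text/html", "Server": "nginx"}

if __name__ == "__main__":
    print("with middleware:   ", audit_security_headers(WITH_MIDDLEWARE))     # []
    print("without middleware:", audit_security_headers(WITHOUT_MIDDLEWARE))  # four problems
```

For a live check, call `audit_url("https://app.yourdomain.com/")` from a shell on the VPS; a non-empty list means the middleware is not attached to that router or the request did not reach Traefik over TLS.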
6. File-based configuration
For backends that are not Docker containers, use the file provider. Create config/services.yml:
http:
  routers:
    external-app:
      rule: "Host(`ext.yourdomain.com`)"
      service: external-app
      tls:
        certResolver: letsencrypt
  services:
    external-app:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:8080"
          - url: "http://192.168.1.101:8080"
        healthCheck:
          path: /health
          interval: 10s
7. Dashboard
Open https://traefik.yourdomain.com to view the Traefik Dashboard, which shows the live status of all routers, services and middlewares.
8. Common problems
Certificate request fails
Make sure the domain resolves to the VPS IP and that port 80 is reachable from the outside:
docker logs traefik | grep -i "acme\|certificate"
502 Bad Gateway
Check that the backend container is on the same Docker network and that the port is correct:
docker network inspect web
Routes not taking effect
Make sure traefik.enable=true is set in the container's labels, and that exposedByDefault is false.
Summary
Traefik is an excellent choice for reverse proxying in containerized environments; automatic service discovery and automatic HTTPS greatly simplify operations. Together with Docker, it lets you put a reverse proxy in front of multiple applications quickly. To buy a 搬瓦工 VPS, see 全部方案 (the full plan list) and use coupon code NODESEEK2026 for a 6.77% discount.