Using traefik 3 I want to route wg.my-domain.com to the wg-easy UI, which is listening on port 51821 of the wg-easy service. But I only want to allow this on the private network 10.0.0.0/24.

For now I point wg.my-domain.com to 10.0.0.4 in my /etc/hosts. I do control my-domain.com and the certificate is created and valid. There is no A record for wg.my-domain.com.
When I map the port onto the private IP using docker ports (see the comment in the config), I can reach the UI at http://10.0.0.4:51821, but I only want to allow access via the domain and with SSL (https://wg.my-domain.com).

My problem is that when I go to https://wg.my-domain.com I only see "404 page not found". I expected it to work after I set traefik.http.routers.wg_easy.loadbalancer.server.port=51821 to tell the traefik router to route the domain to that specific port of the container.

This is my docker-compose.yml:
services:
  traefik:
    image: traefik:3.0
    command:
      # - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--api.dashboard=false"
      - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32"
      # use DNS challenge because we issue certs for services not having A records in public DNS
      - "--certificatesresolvers.leresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.leresolver.acme.dnschallenge.provider=hetzner"
      - "--certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json"
    environment:
      - "HETZNER_API_KEY=${HETZNER_DNS_API_KEY}"
    ports:
      - ${PRIVATE_IPV4}:80:80 # traefik
      - 443:443
    volumes:
      - ./traefik/certs:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:13
    environment:
      # ⚠️ Required:
      - WG_HOST=<my-public-ip>
      # Optional:
      # - WEBUI_HOST=10.0.0.4
      - PORT=51821 # web ui port
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"
      # I don't want to expose the UI port, but only allow accessing it via the domain via traefik on 10.0.0.0/24
      # When mapping the port on the private ip, I can access the ui on http://<ip>:51821 but I want to only allow access via the domain and use ssl.
      # - "${PRIVATE_IPV4}:51821:51821/tcp"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg_easy.rule=Host(`wg.my-domain.com`)"
      - "traefik.http.routers.wg_easy.entrypoints=websecure"
      - "traefik.http.routers.wg_easy.loadbalancer.server.port=51821"
      - "traefik.http.routers.wg_easy.tls=true"
      - "traefik.http.routers.wg_easy.tls.certresolver=leresolver"
The load balancer is part of the service, not of the router, so the port has to be set like this:
-traefik.http.routers.wg_easy.loadbalancer.server.port=51821
+traefik.http.services.wg_easy.loadbalancer.server.port=51821
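As an added example (not part of the question or the answer above), here is the wg-easy service from the question with the port label moved to the service, plus an IPAllowList middleware that enforces the 10.0.0.0/24 restriction the question asks for. The middleware name wg_lan_only is my own choice; the traefik service stays exactly as in the question and is omitted here.

```yaml
# Added example: wg-easy service with the corrected service-port label and a
# LAN-only allowlist. Everything except the labels is copied from the question.
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:13
    environment:
      - WG_HOST=<my-public-ip>
      - PORT=51821 # web ui port, only reachable through traefik
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      # only the WireGuard tunnel port is published; the UI port is not
      - "51820:51820/udp"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg_easy.rule=Host(`wg.my-domain.com`)"
      - "traefik.http.routers.wg_easy.entrypoints=websecure"
      - "traefik.http.routers.wg_easy.tls=true"
      - "traefik.http.routers.wg_easy.tls.certresolver=leresolver"
      # the upstream port belongs to the service, not the router
      - "traefik.http.services.wg_easy.loadbalancer.server.port=51821"
      # middleware name wg_lan_only is an assumption (any name works);
      # clients outside 10.0.0.0/24 get 403 instead of the UI
      - "traefik.http.middlewares.wg_lan_only.ipallowlist.sourcerange=10.0.0.0/24"
      - "traefik.http.routers.wg_easy.middlewares=wg_lan_only@docker"
```

Because port 443 is published on all interfaces in the question's traefik service, the allowlist is what actually keeps non-LAN clients away from the UI once the 404 is fixed, so it is worth checking that it fires: enable Traefik's access log (--accesslog=true) and confirm that a request from a LAN host is logged with its 10.0.0.x address and is accepted, while a request from any other address gets a 403. If LAN requests are rejected, the address Traefik sees is being rewritten before it arrives (Docker NAT or a proxy in front), and the allowlist is then matching the wrong address. Router and service names live in separate namespaces, so using wg_easy for both is fine.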