Traefik behind the Firewall
Kevin Wittek
Software Developer @ GDATA Advanced Analytics
Freelancer @ Styracosoft GbR
http://groovy-coder.com/
@Kiview
https://github.com/kiview
Constraints in an Enterprise
- Certificates signed by company CA
- No wildcard certificates (not even subdomain)
- Secrets need to be secure (private key)
- Internal services not reachable via Internet
Infrastructure as Code
Text
source: https://oliverveits.wordpress.com/2015/11/09/it-automation-a-hello-world-example-using-ansible-on-docker/
Traefik compose
version: '2'
services:
traefik:
image: traefik:v1.0.3
restart: always
ports:
- "443:443"
- "8080:8080"
volumes:
- ./traefik.toml:/etc/traefik/traefik.toml
- ./certs:/etc/traefik/certs/
- /var/run/docker.sock:/var/run/docker.sock
Traefik role (tasks)
---
# tasks file for traefik
- name: create project directory
file: path=/docker/traefik state=directory
- name: copy docker-compose to host
copy: src=docker-compose.yml dest=/docker/traefik
- name: copy toml template
template: src=traefik.toml.j2 dest=/docker/traefik/traefik.toml
- name: create cert directory
file: path=/docker/traefik/certs state=directory
- name: Copy certs
copy: src={{ item }} dest=/docker/traefik/certs
with_fileglob:
- "{{ playbook_dir }}/*.crt"
- name: Write SSL keys
copy: content={{ item.ssl_key }} dest="/docker/traefik/certs/{{ item.name }}.key"
no_log: True
with_items: "{{ domains }}"
- name: start traefik
docker_service:
project_src: /docker/traefik
state: present
restarted: yes
Traefik config (SSL SNI)
# To redirect an http entrypoint to an https entrypoint (with SNI support):
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.com.cert"
KeyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.org.cert"
KeyFile = "integration/fixtures/https/snitest.org.key"
Traefik role (template)
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
{% for domain in domains %}
[[entryPoints.https.tls.certificates]]
certFile = "/etc/traefik/certs/{{domain.name}}.crt"
keyFile = "/etc/traefik/certs/{{domain.name}}.key"
{% endfor %}
Playbook
---
- hosts: ubuntu.hyperv.de
become: true
pre_tasks:
- include_vars: ssl_keys.yml
roles:
- role: traefik
domain_name: "{{ ansible_host }}"
tags:
- traefik
domains:
- {name: confluence.ubuntu.hyperv.de, ssl_key: "{{confluence_key}}"}
- {name: jira.ubuntu.hyperv.de, ssl_key: "{{jira_key}}"}
- role: jira
domain_name: "{{ ansible_host }}"
- role: confluence
domain_name: "{{ ansible_host }}"
tags:
- confluence
Secrets
- Ansible Vault
- Hashicorp Vault
- Square KeyWhiz
ansible-vault encrypt ssl_keys.yml
ansible-playbook site.yml --ask-vault-pass
Demo?
Traefik behind the Firewall
By Kevin Wittek
Traefik behind the Firewall
- 3,442