
Traefik with Service Fabric - failed to connect to Service Fabric server

  •  1
  • johni  · Tech Community  · 6 years ago

    I have deployed Traefik on an Azure Service Fabric cluster with the following configuration:

    # Enable Service Fabric configuration backend
    [servicefabric]
    
    # Service Fabric Management Endpoint
    clustermanagementurl = "https://localhost:19080"
    
    # Service Fabric Management Endpoint API Version
    apiversion = "3.0"
    
    insecureSkipVerify = true
    

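    However, when opening the Traefik dashboard, I get an empty screen, because it fails to map all of my fabric applications.

    Looking at the Traefik logs on one of my VMs, I repeatedly see this error: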

    level=error msg="failed to connect to Service Fabric server Get https://localhost:19080/Applications/?api-version=3.0: x509: certificate is valid for <hidden>.eastus.cloudapp.azure.com, not localhost on https://localhost:19080/Applications/?api-version=3.0"

    Service Fabric management portal

    How can I solve this?


    Edit 1:

    If it helps, this is the configuration loaded by Traefik (according to the logs):

    {
        "LifeCycle": {
            "RequestAcceptGraceTimeout": 0,
            "GraceTimeOut": 0
        },
        "GraceTimeOut": 0,
        "Debug": true,
        "CheckNewVersion": true,
        "AccessLogsFile": "",
        "AccessLog": null,
        "TraefikLogsFile": "",
        "TraefikLog": null,
        "LogLevel": "DEBUG",
        "EntryPoints": {
            "http": {
                "Network": "",
                "Address": ":80",
                "TLS": null,
                "Redirect": null,
                "Auth": null,
                "WhitelistSourceRange": null,
                "Compress": false,
                "ProxyProtocol": null,
                "ForwardedHeaders": {
                    "Insecure": true,
                    "TrustedIPs": null
                }
            }
        },
        "Cluster": null,
        "Constraints": [],
        "ACME": null,
        "DefaultEntryPoints": [
            "http"
        ],
        "ProvidersThrottleDuration": 2000000000,
        "MaxIdleConnsPerHost": 200,
        "IdleTimeout": 0,
        "InsecureSkipVerify": true,
        "RootCAs": null,
        "Retry": null,
        "HealthCheck": {
            "Interval": 30000000000
        },
        "RespondingTimeouts": null,
        "ForwardingTimeouts": null,
        "Docker": null,
        "File": null,
        "Web": {
            "Address": ":9000",
            "CertFile": "",
            "KeyFile": "",
            "ReadOnly": false,
            "Statistics": null,
            "Metrics": null,
            "Path": "/",
            "Auth": null,
            "Debug": false,
            "CurrentConfigurations": null,
            "Stats": null,
            "StatsRecorder": null
        },
        "Marathon": null,
        "Consul": null,
        "ConsulCatalog": null,
        "Etcd": null,
        "Zookeeper": null,
        "Boltdb": null,
        "Kubernetes": null,
        "Mesos": null,
        "Eureka": null,
        "ECS": null,
        "Rancher": null,
        "DynamoDB": null,
        "ServiceFabric": {
            "Watch": false,
            "Filename": "",
            "Constraints": null,
            "Trace": false,
            "DebugLogGeneratedTemplate": false,
            "ClusterManagementURL": "https://localhost:19080",
            "APIVersion": "3.0",
            "UseCertificateAuth": false,
            "ClientCertFilePath": "",
            "ClientCertKeyFilePath": "",
            "InsecureSkipVerify": true
        }
    }
    

    One of the suggestions was to use the cluster's remote address instead of localhost

    Provider connection error: failed to connect to Service Fabric server Get https://<hidden>.eastus.cloudapp.azure.com:19080/Applications/?api-version=3.0: stream error: stream ID 1; HTTP_1_1_REQUIRED on https://<hidden>.eastus.cloudapp.azure.com:19080/Applications/?api-version=3.0; retrying in 656.765021ms

    2 replies  |  until 6 years ago
        1
  •  2
  •   johni    6 years ago

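    Thanks to Diego's comment (under my question), I managed to solve this issue, and I am adding the following.

    What was the problem?

    1. My SF cluster is secure and requires a client certificate in order to log in -- this was not specified in the Traefik TOML file
    2. Looking at the Traefik logs, specifically the SF section (look for the line starting with Starting provider *servicefabric.Provider):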

      "Watch": false,
      "Filename": "",
      "Constraints": null,
      "Trace": false,
      "DebugLogGeneratedTemplate": false,
      "ClusterManagementURL": "https://localhost:19080",
      "APIVersion": "3.0",
      "UseCertificateAuth": false,      <-------- Important
      "ClientCertFilePath": "",         <-------- Important
      "ClientCertKeyFilePath": "",      <-------- Important
      "InsecureSkipVerify": false
      
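      • UseCertificateAuth -- indicates whether a client certificate is used when Traefik queries the cluster's management endpoint.
      • ClientCertFilePath -- path to the file containing the client certificate's public key.
      • ClientCertKeyFilePath -- path to the file containing the client certificate's private key.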

    traefik.exe


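    InsecureSkipVerify

    Traefik's SF config (above) contains a setting named InsecureSkipVerify

    • InsecureSkipVerify -- if set to false
    • If the certificate is signed for the remote address while Traefik uses https://localhost as the cluster's endpoint -- Traefik will print an error similar to the following:

    failed to connect to Service Fabric server Get https://localhost:19080/Applications/?api-version=3.0

    To overcome this, you can

    • Set InsecureSkipVerify = true and redeploy
    • Set the management endpoint to the remote address: clustermanagementurl = "https://<hidden>.eastus.cloudapp.azure.com:19080"

    Thanks again to Diego for the hint that led me to understand and share the explanation above.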
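
Added example (not part of the original answers and not Traefik's code): a Go program that runs the same hostname check that produces the x509 error quoted in the question, which is the check InsecureSkipVerify = true switches off. The certificate and the name sfcluster.example.test are constructed for the demo; newTestCert and checkEndpoint are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newTestCert builds a constructed self-signed certificate whose only SAN is dnsName.
func newTestCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkEndpoint verifies the host part of a management URL against the certificate's SANs.
func checkEndpoint(cert *x509.Certificate, endpointURL string) error {
	u, err := url.Parse(endpointURL)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	cert, err := newTestCert("sfcluster.example.test") // constructed cluster name
	if err != nil {
		panic(err)
	}
	fmt.Println("localhost:", checkEndpoint(cert, "https://localhost:19080"))
	fmt.Println("cluster:  ", checkEndpoint(cert, "https://sfcluster.example.test:19080"))
}
```

The localhost URL fails with a "certificate is valid for ..., not localhost" error, while the URL that uses the name in the certificate passes with verification left on.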

        2
  •  2
  •   Scott McCollough    5 years ago

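    I know this is an old post, but we just ran into this exact situation, and this is the only place where I have seen the client settings mentioned. This is the provider section that finally seemed to work for us: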

    ################################################################
    # Service Fabric provider
    ################################################################
    
    # Enable Service Fabric configuration backend
    [servicefabric]
    
    # Service Fabric Management Endpoint
    clustermanagementurl = "https://localhost:19080"
    # Note: use "https://localhost:19080" if you're using a secure cluster
    
    # Service Fabric Management Endpoint API Version
    apiversion = "3.0"
    
    # Enable TLS connection.
    #
    # Optional
    #
    [serviceFabric.tls]
      cert               = "certs/servicefabric.crt"
      key                = "certs/servicefabric.key"
      insecureskipverify = true
    
    UseCertificateAuth    =  true
    ClientCertFilePath    = "certs/traefik.crt"
    ClientCertKeyFilePath = "certs/traefik.key"
    InsecureSkipVerify    =  true
    
    
    
        3
  •  0
  •   Diego Mendes    6 years ago

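    To authenticate to the Service Fabric API, you must use a certificate; in your configuration, you are ignoring this detail.

    In your Traefik settings, you should have the following: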

    # [serviceFabric.tls]
    cert = "certs/servicefabric.crt"
    key = "certs/servicefabric.key"
    insecureskipverify = true
    

    The following post describes it step by step:

    https://blog.techfabric.io/using-traefik-reverse-proxy-for-securing-microservices-on-azure-service-fabric/