我的书签
添加书签
移除书签Tailscale
Provision TLS certificates for your internal Tailscale services.
To protect a service with TLS, a certificate from a public Certificate Authority is needed. In addition to its vpn role, Tailscale can also provide certificates for the machines in your Tailscale network.
Certificate resolvers
To obtain a TLS certificate from the Tailscale daemon, a Tailscale certificate resolver needs to be configured as below.
Referencing a certificate resolver
Defining a certificate resolver does not imply that routers are going to use it automatically. Each router or entrypoint that is meant to use the resolver must explicitly reference it.
File (YAML)
certificatesResolvers:myresolver:tailscale: {}
File (TOML)
[certificatesResolvers.myresolver.tailscale]
CLI
--certificatesresolvers.myresolver.tailscale=true
Domain Definition
A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
If the router has a tls.domains option set, then the certificate resolver derives this router domain name from the
mainoption oftls.domains.Otherwise, the certificate resolver derives the domain name from any
Host()orHostSNI()matchers in the router’s rule.
Tailscale Domain Format
The domain is only taken into account if it is a Tailscale-specific one, i.e. of the form machine-name.domains-alias.ts.net.
Configuration Example
Enabling Tailscale certificate resolution
File (YAML)
entryPoints:web:address: ":80"websecure:address: ":443"certificatesResolvers:myresolver:tailscale: {}
File (TOML)
[entryPoints][entryPoints.web]address = ":80"[entryPoints.websecure]address = ":443"[certificatesResolvers.myresolver.tailscale]
CLI
--entrypoints.web.address=:80--entrypoints.websecure.address=:443# ...--certificatesresolvers.myresolver.tailscale=true
Domain from Router’s Rule Example
Docker & Swarm
## Dynamic configurationlabels:- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver
Docker (Swarm)
## Dynamic configurationdeploy:labels:- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver
Kubernetes
apiVersion: traefik.io/v1alpha1kind: IngressRoutemetadata:name: blogtlsspec:entryPoints:- websecureroutes:- match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)kind: Ruleservices:- name: blogport: 8080tls:certResolver: myresolver
File (YAML)
## Dynamic configurationhttp:routers:blog:rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"tls:certResolver: myresolver
File (TOML)
## Dynamic configuration[http.routers][http.routers.blog]rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"[http.routers.blog.tls]certResolver = "myresolver"
Domain from Router’s tls.domain Example
Docker & Swarm
## Dynamic configurationlabels:- traefik.http.routers.blog.rule=Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
Docker (Swarm)
## Dynamic configurationdeploy:labels:- traefik.http.routers.blog.rule=Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
Kubernetes
apiVersion: traefik.io/v1alpha1kind: IngressRoutemetadata:name: blogtlsspec:entryPoints:- websecureroutes:- match: Path(`/metrics`)kind: Ruleservices:- name: blogport: 8080tls:certResolver: myresolverdomains:- main: monitoring.yak-bebop.ts.net
File (YAML)
## Dynamic configurationhttp:routers:blog:rule: "Path(`/metrics`)"tls:certResolver: myresolverdomains:- main: "monitoring.yak-bebop.ts.net"
File (TOML)
## Dynamic configuration[http.routers][http.routers.blog]rule = "Path(`/metrics`)"[http.routers.blog.tls]certResolver = "myresolver"[[http.routers.blog.tls.domains]]main = "monitoring.yak-bebop.ts.net"
Automatic Renewals
Traefik automatically tracks the expiry date of each Tailscale certificate it fetches, and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
