我的书签
添加书签
移除书签Tailscale
Provision TLS certificates for your internal Tailscale services.
To protect a service with TLS, a certificate from a public Certificate Authority is needed. In addition to its vpn role, Tailscale can also provide certificates for the machines in your Tailscale network.
Configuration Example
To obtain a TLS certificate from the Tailscale daemon, a Tailscale certificate resolver needs to be configured as below.
Enabling Tailscale certificate resolution
File (YAML)
entryPoints:web:address: ":80"websecure:address: ":443"certificatesResolvers:myresolver:tailscale: {}
File (TOML)
[entryPoints][entryPoints.web]address = ":80"[entryPoints.websecure]address = ":443"[certificatesResolvers.myresolver.tailscale]
CLI
--entrypoints.web.address=:80--entrypoints.websecure.address=:443# ...--certificatesresolvers.myresolver.tailscale=true
Domain from Router’s Rule Example
Docker & Swarm
labels:- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver
Docker (Swarm)
deploy:labels:- traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver
Kubernetes
apiVersion: traefik.io/v1alpha1kind: IngressRoutemetadata:name: blogtlsspec:entryPoints:- websecureroutes:- match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)kind: Ruleservices:- name: blogport: 8080tls:certResolver: myresolver
File (YAML)
## Dynamic configurationhttp:routers:blog:rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"tls:certResolver: myresolver
File (TOML)
## Dynamic configuration[http.routers][http.routers.blog]rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"[http.routers.blog.tls]certResolver = "myresolver"
Domain from Router’s tls.domain Example
Docker & Swarm
labels:- traefik.http.routers.blog.rule=Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
Docker (Swarm)
deploy:labels:- traefik.http.routers.blog.rule=Path(`/metrics`)- traefik.http.routers.blog.tls.certresolver=myresolver- traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
Kubernetes
apiVersion: traefik.io/v1alpha1kind: IngressRoutemetadata:name: blogtlsspec:entryPoints:- websecureroutes:- match: Path(`/metrics`)kind: Ruleservices:- name: blogport: 8080tls:certResolver: myresolverdomains:- main: monitoring.yak-bebop.ts.net
File (YAML)
http:routers:blog:rule: "Path(`/metrics`)"tls:certResolver: myresolverdomains:- main: "monitoring.yak-bebop.ts.net"
File (TOML)
## Dynamic configuration[http.routers][http.routers.blog]rule = "Path(`/metrics`)"[http.routers.blog.tls]certResolver = "myresolver"[[http.routers.blog.tls.domains]]main = "monitoring.yak-bebop.ts.net"
Referencing a certificate resolver
Defining a certificate resolver does not imply that routers are going to use it automatically. Each router or entrypoint that is meant to use the resolver must explicitly reference it.
Domain Definition
A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
If the router has a
tls.domainsoption set, then the certificate resolver derives this router domain name from the main option oftls.domains.Otherwise, the certificate resolver derives the domain name from any
Host()orHostSNI()matchers in the router’s rule.
Tailscale Domain Format
A domain is only considered if it is a Tailscale-specific one—that is, in the form machine-name.domains-alias.ts.net.
Tailscale Certificates Renewal
Traefik automatically tracks the expiry date of each Tailscale certificate it fetches and starts to renew a certificate 14 days before its expiry to match the Tailscale daemon renewal policy.
