Beginner's question
Traefik stores its certificates in the bind-mounted file letsencrypt/acme.json on the host.
I want to pass SSL connections through the TCP router to the RabbitMQ Docker service's AMQPS port.
The RabbitMQ docker image understands these environment variables:
# TLS-related environment variables accepted by the RabbitMQ image.
# NOTE(review): a bare `key:` parses as null in YAML; the names are listed
# here for reference only, the values are set in the stack file below.
# Certificate Authority bundle file path
RABBITMQ_SSL_CACERTFILE:
# Server certificate file path
RABBITMQ_SSL_CERTFILE:
# Server private key file path
RABBITMQ_SSL_KEYFILE:
# ? (meaning unknown to the author — presumably the maximum certificate
# chain depth accepted when verifying a peer; confirm in the RabbitMQ TLS docs)
# RABBITMQ_SSL_DEPTH:
# Quoted so it stays the string 'false' rather than a YAML boolean.
RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT: 'false'
# verify_none: the broker does not request or check a client certificate.
RABBITMQ_SSL_VERIFY: verify_none
Since Traefik manages all my certificates (great), I am looking for a way to hand the applicable one to RabbitMQ.
But I cannot see how to set those environment variables to achieve that.
Docker swarm Server Version: 19.03.5
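# some sections of sli-traefik.yml
# Deployed as a swarm stack with:
#   sudo docker stack deploy --with-registry-auth -c sli-traefik.yml sli
version: "3.7"

services:
  # the reverse proxy for all web apps
  traefik:
    image: "traefik:v2.0.2"
    command:
      # testing
      - "--log.level=DEBUG"
      # NOTE(review): api.insecure serves the dashboard/API without any
      # authentication on port 8080, which is published below; disable it or
      # route it through an authenticated router before leaving testing.
      - "--api.insecure=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      # NOTE(review): 5672 is the conventional plain-AMQP port and 5671 the
      # AMQPS port; confirm which port the broker's TLS listener actually uses.
      - "--entrypoints.rabbitmq.address=:5672"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      # testing: Letsencrypt would close us out for 24hrs if too many bad requests are made!
      #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mytlschallenge.acme.email=postmaster@email.com"
      # The ACME store holds every issued certificate together with its
      # private key; keep the host-side file readable by traefik only.
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
      - "--log=true"
      - "--log.filepath=/var/log/traefik.log"
    ports:
      - "443:443"
      # Traefik dashboard/API (see api.insecure above).
      - "8080:8080"
      - "5672:5672"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    # [ ... ] remaining traefik keys elided by the author

  mq:
    hostname: calm_mq
    image: rabbitmq:management-alpine
    environment:
      RABBITMQ_DEFAULT_VHOST: my_vhost
      RABBITMQ_DEFAULT_USER: my_user
      # NOTE(review): plain-text credential in the stack file; prefer a Docker
      # secret so the password is not committed alongside the deployment.
      RABBITMQ_DEFAULT_PASS: my_pw
      # https://www.rabbitmq.com/ssl.html
      # The values below are the author's placeholders. acme.json is Traefik's
      # JSON ACME store, not PEM files the broker can load directly, and it
      # contains every private key: export only this host's certificate and key
      # into PEM form and mount (or secret) those into this service rather than
      # sharing acme.json — TODO confirm the export mechanism.
      # Certificate Authority bundle file path
      RABBITMQ_SSL_CACERTFILE: "???"
      # Server certificate file path
      RABBITMQ_SSL_CERTFILE: "???"
      # Server private key file path
      RABBITMQ_SSL_KEYFILE: "???"
      # RABBITMQ_SSL_DEPTH: "???"
      # Quoted so it stays the string 'false' rather than a YAML boolean.
      RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT: 'false'
      # verify_none: the broker does not request or check a client certificate;
      # together with FAIL_IF_NO_PEER_CERT=false this is server-only TLS.
      RABBITMQ_SSL_VERIFY: verify_none
    deploy:
      labels:
        - "traefik.enable=true"
        # web browser access to RabbitMq management GUI
        - "traefik.http.routers.mq.rule=Host(`mq.mydomain`)"
        - "traefik.http.services.mq.loadbalancer.server.port=15672"
        - "traefik.http.routers.mq.entrypoints=websecure"
        - "traefik.http.routers.mq.tls.certresolver=mytlschallenge"
        - "traefik.http.routers.mq.service=mq"
        # AMQPS access to message broker, SSL terminated by broker
        - "traefik.tcp.routers.mq-connect.rule=HostSNI(`*`)"
        #- "traefik.tcp.routers.mq-connect.rule=HostSNI(`mq-connect.mydomain`)"
        # single domain: will need to enable TLS support in rabbitMQ so that traefik can filter these requests.
        - "traefik.tcp.routers.mq-connect.entrypoints=rabbitmq"
        - "traefik.tcp.routers.mq-connect.tls=true"
        # passthrough forwards the raw TLS stream: traefik never presents its
        # ACME certificate here, so the broker must terminate TLS with the
        # cert/key configured in the SSL_* variables above.
        - "traefik.tcp.routers.mq-connect.tls.passthrough=true"
        - "traefik.tcp.services.mq-connect.loadbalancer.server.port=5672"
    volumes:
      - rabbitmq:/var/lib/rabbitmq
      - ./rabbitmq_plugins:/etc/rabbitmq/enabled_plugins
    stop_grace_period: 5m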