From 8d2689a15a31a042d188abb5207f7352b4e4c971 Mon Sep 17 00:00:00 2001 From: lingyuzeng Date: Fri, 3 Oct 2025 17:30:18 +0800 Subject: [PATCH] feat(registrar): add TLS_MODE for Traefik TCP; fix tag newline; default ACME resolver - Add TLS_MODE env to control TCP TLS behavior: - terminating (default): Traefik terminates TLS (tls=true + tls.certresolver) - passthrough: end-to-end TLS passthrough (tls.passthrough=true) - plaintext: plain TCP for internal/Tailscale (HostSNI(`*`) + priority=1) - Introduce TRAEFIK_CERT_RESOLVER with default "alidns" for ACME issuance. (HTTP branch keeps optional tls.certresolver line commented for easy enablement.) - Fix tag concatenation: use a real newline for NL so that to_json_array() parses tags line-by-line into a proper JSON array (prevents single-line tag blob). - Improve TCP router/service tags and comments to make behavior explicit per mode, and keep HTTP branch consistent (middlewares + priority). BREAKING CHANGE: - TCP default changes from implicit plaintext to TLS-terminating via Traefik. If you relied on plaintext TCP previously, set `TLS_MODE=plaintext` (or use `TLS_MODE=passthrough` if your backend terminates TLS itself). Ensure Traefik has a working ACME resolver named in $TRAEFIK_CERT_RESOLVER (default "alidns") or override accordingly. --- registrar.sh | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/registrar.sh b/registrar.sh index 5f3918a..f0b7b1c 100755 --- a/registrar.sh +++ b/registrar.sh @@ -15,6 +15,8 @@ CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}" DEREG_AFTER="${DEREG_AFTER:-1m}" TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}" TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}" +TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-alidns}" +TLS_MODE="${TLS_MODE:-terminating}" # terminating | passthrough | plaintext # TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}" echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT" @@ -47,9 +49,35 @@ if [ "$SERVICE_PROTOCOL" = "http" ]; then # 如需 ACME 证书解析器可再加一行(取消注释) # TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}" elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then - TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" - TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" - TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + case "$TLS_MODE" in + # A:Traefik 终止 TLS(推荐公网) + terminating) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls=true" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + # A-备用:后端自己终止 TLS(需要给 woodpecker-server 配 cert/key) + passthrough) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.passthrough=true" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + # B:明文 TCP(仅内网/Tailscale,用 * 兜底) + plaintext) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`*\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.priority=1" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + *) + echo "unsupported TLS_MODE=$TLS_MODE" >&2; exit 2;; + esac else echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2 fi