diff --git a/docker/registrar.sh b/docker/registrar.sh index d43d8c4..f0b7b1c 100755 --- a/docker/registrar.sh +++ b/docker/registrar.sh @@ -15,6 +15,8 @@ CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}" DEREG_AFTER="${DEREG_AFTER:-1m}" TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}" TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}" +TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-alidns}" +TLS_MODE="${TLS_MODE:-terminating}" # terminating | passthrough | plaintext # TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}" echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT" @@ -29,27 +31,64 @@ done ID="${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}" -# 组装 Traefik tags(ConsulCatalog) +# 组装 Traefik tags(按“行”累加,避免值中逗号被拆) +NL=' +' TAGS="traefik.enable=true" + if [ "$SERVICE_PROTOCOL" = "http" ]; then - TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)" - TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}" - TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.tls=true" - TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http" - TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" - # 可选:应用云端 dynamic.yml 的中间件 - TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,security-headers@file" + TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)" + TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls=true" + TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http" + TAGS="$TAGS${NL}traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + # 抢占路由:给当前 Host 的 router 设置更高优先级 + TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.priority=10000" + # 可选中间件(注意:值里有逗号也安全) + TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,sec-headers@file" + # 如需 ACME 证书解析器可再加一行(取消注释) + # TAGS="$TAGS${NL}traefik.http.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}" elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then - TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" - TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" - TAGS="$TAGS,traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + case "$TLS_MODE" in + # A:Traefik 终止 TLS(推荐公网) + terminating) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls=true" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.certresolver=${TRAEFIK_CERT_RESOLVER}" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + # A-备用:后端自己终止 TLS(需要给 woodpecker-server 配 cert/key) + passthrough) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.tls.passthrough=true" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + # B:明文 TCP(仅内网/Tailscale,用 * 兜底) + plaintext) + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`*\`)" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}" + TAGS="$TAGS${NL}traefik.tcp.routers.${SERVICE_NAME}.priority=1" + TAGS="$TAGS${NL}traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}" + ;; + + *) + echo "unsupported TLS_MODE=$TLS_MODE" >&2; exit 2;; + esac else echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2 fi -# 转 JSON 数组(按逗号拆分) -to_json_array() { echo "$1" | awk -v RS=, 'NF{print "\""$0"\""}' | paste -sd, - | sed 's/^/[/' | sed 's/$/]/'; } -TAGS_JSON="$(to_json_array "$TAGS")" +# 转 JSON 数组(按“行”解析) +to_json_array() { + # 逐行 -> trim -> "..." -> [ ... ] + awk 'BEGIN{RS="\n"} NF {gsub(/^[ \t]+|[ \t]+$/,""); printf "\"%s\",\n",$0}' | + sed '1s/^/[/' | sed '$s/,\s*$/]/' +} +TAGS_JSON="$(printf "%s" "$TAGS" | to_json_array)" # 健康检查 JSON if [ "$CHECK_TYPE" = "http" ]; then @@ -64,12 +103,12 @@ EOF ) fi -# 写 service 定义并注册到"云端" Consul Server +# 写 service 定义并注册到云端 Consul cat > /tmp/svc.json < ${CONSUL}" consul services register -http-addr="$CONSUL" /tmp/svc.json term() { @@ -79,4 +118,4 @@ term() { } trap term TERM INT -tail -f /dev/null \ No newline at end of file +tail -f /dev/null