From 122dd57b8337101bca7598bad2c4761ed6d4de88 Mon Sep 17 00:00:00 2001
From: hpl
Date: Fri, 16 Aug 2024 23:51:23 +0200
Subject: [PATCH] supp version de chaque docker-compose et vire le proxy nginx
---
 dockers/apikaz/docker-compose.yml | 1 -
 dockers/cachet/docker-compose.yml | 2 -
 dockers/cloud/docker-compose.yml | 2 -
 dockers/collabora/docker-compose.yml | 2 -
 dockers/dokuwiki/docker-compose.yml | 2 -
 dockers/ethercalc/docker-compose.yml | 2 -
 dockers/etherpad/docker-compose.yml | 2 -
 dockers/framadate/docker-compose.yml | 2 -
 dockers/gitea/docker-compose.yml | 1 -
 dockers/grafana/docker-compose.yml | 2 -
 dockers/imapsync/docker-compose.yml | 2 -
 dockers/jirafeau/docker-compose.yml | 2 -
 dockers/ldap/docker-compose.yml | 1 -
 dockers/mattermost/docker-compose.yml | 2 -
 dockers/mobilizon/docker-compose.yml | 2 -
 dockers/paheko/docker-compose.yml.dist | 2 -
 dockers/postfix/docker-compose.yml | 2 -
 dockers/postfix2/docker-compose.yml | 2 -
 dockers/proxy/.env | 1 -
 dockers/proxy/Dockerfile | 22 -
 dockers/proxy/Readme.txt | 43 --
 dockers/proxy/build.sh | 11 -
 dockers/proxy/config/nginx.tmpl.conf | 734 --------------------
 dockers/proxy/docker-compose.tmpl.yml.dist | 242 -------
 dockers/proxy/proxy-gen.sh | 127 ----
 dockers/proxy/reload.sh | 3 -
 dockers/proxy/todo-ssl | 68 --
 dockers/quotas/docker-compose.yml | 2 -
 dockers/roundcube/docker-compose.yml | 1 -
 dockers/sympa/docker-compose.yml | 2 -
 dockers/vaultwarden/docker-compose.yml | 1 -
 dockers/web/docker-compose.yml | 1 -
 32 files changed, 1291 deletions(-)
 delete mode 120000 dockers/proxy/.env
 delete mode 100644 dockers/proxy/Dockerfile
 delete mode 100644 dockers/proxy/Readme.txt
 delete mode 100755 dockers/proxy/build.sh
 delete mode 100644 dockers/proxy/config/nginx.tmpl.conf
 delete mode 100644 dockers/proxy/docker-compose.tmpl.yml.dist
 delete mode 100755 dockers/proxy/proxy-gen.sh
 delete mode 100755 dockers/proxy/reload.sh
 delete mode 100644 dockers/proxy/todo-ssl
diff --git a/dockers/apikaz/docker-compose.yml b/dockers/apikaz/docker-compose.yml
index 7795600..c334831 100644
--- a/dockers/apikaz/docker-compose.yml
+++ b/dockers/apikaz/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.8'
 services:
 api-service:
 build: ./source/
diff --git a/dockers/cachet/docker-compose.yml b/dockers/cachet/docker-compose.yml
index 4a7213d..0a36657 100644
--- a/dockers/cachet/docker-compose.yml
+++ b/dockers/cachet/docker-compose.yml
@@ -1,5 +1,3 @@
-version: "3"
-
 services:
 cachet:
diff --git a/dockers/cloud/docker-compose.yml b/dockers/cloud/docker-compose.yml
index cc676c5..88e5df0 100644
--- a/dockers/cloud/docker-compose.yml
+++ b/dockers/cloud/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 cloud:
diff --git a/dockers/collabora/docker-compose.yml b/dockers/collabora/docker-compose.yml
index 824b347..f86f97e 100644
--- a/dockers/collabora/docker-compose.yml
+++ b/dockers/collabora/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 collabora:
diff --git a/dockers/dokuwiki/docker-compose.yml b/dockers/dokuwiki/docker-compose.yml
index e352e0d..1b33750 100644
--- a/dockers/dokuwiki/docker-compose.yml
+++ b/dockers/dokuwiki/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '2.1'
-
 services:
 dokuwiki:
diff --git a/dockers/ethercalc/docker-compose.yml b/dockers/ethercalc/docker-compose.yml
index 16efc5c..a9ed485 100644
--- a/dockers/ethercalc/docker-compose.yml
+++ b/dockers/ethercalc/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 calc:
diff --git a/dockers/etherpad/docker-compose.yml b/dockers/etherpad/docker-compose.yml
index 5bb221f..14c4060 100644
--- a/dockers/etherpad/docker-compose.yml
+++ b/dockers/etherpad/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 pad:
diff --git a/dockers/framadate/docker-compose.yml b/dockers/framadate/docker-compose.yml
index cefd2a3..a760200 100644
--- a/dockers/framadate/docker-compose.yml
+++ b/dockers/framadate/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 framadate:
diff --git a/dockers/gitea/docker-compose.yml b/dockers/gitea/docker-compose.yml
index 35717ca..55c3267 100644
--- a/dockers/gitea/docker-compose.yml
+++ b/dockers/gitea/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
 web:
 image: gitea/gitea
diff --git a/dockers/grafana/docker-compose.yml b/dockers/grafana/docker-compose.yml
index 156d100..e42753f 100644
--- a/dockers/grafana/docker-compose.yml
+++ b/dockers/grafana/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3'
-
 services:
 prometheus:
diff --git a/dockers/imapsync/docker-compose.yml b/dockers/imapsync/docker-compose.yml
index 2977a33..fb700a6 100644
--- a/dockers/imapsync/docker-compose.yml
+++ b/dockers/imapsync/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 imapsync:
diff --git a/dockers/jirafeau/docker-compose.yml b/dockers/jirafeau/docker-compose.yml
index cb8bd73..0aeabf1 100644
--- a/dockers/jirafeau/docker-compose.yml
+++ b/dockers/jirafeau/docker-compose.yml
@@ -1,8 +1,6 @@
 # jirafeauDir doit être déclaré dans .env qui pointe sur ../../config/docker.env
 # car les variables déclarées dans env_file: ne sont pas encore connues dans volumes:
-version: '3'
-
 services:
 jirafeau:
 image: filekaz
diff --git a/dockers/ldap/docker-compose.yml b/dockers/ldap/docker-compose.yml
index 5edbefd..e6679fa 100644
--- a/dockers/ldap/docker-compose.yml
+++ b/dockers/ldap/docker-compose.yml
@@ -6,7 +6,6 @@
 # apt install ldap-utils
 # ldapsearch -x -H ldaps://kaz.local -D "cn=admin,dc=kaz,dc=local" -W
-version: '2'
 services:
 web:
diff --git a/dockers/mattermost/docker-compose.yml b/dockers/mattermost/docker-compose.yml
index 6445d07..875093b 100644
--- a/dockers/mattermost/docker-compose.yml
+++ b/dockers/mattermost/docker-compose.yml
@@ -1,5 +1,3 @@
-version: "3"
-
 services:
 app:
diff --git a/dockers/mobilizon/docker-compose.yml b/dockers/mobilizon/docker-compose.yml
index d4fb128..2b69387 100644
--- a/dockers/mobilizon/docker-compose.yml
+++ b/dockers/mobilizon/docker-compose.yml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 services:
 mobilizon:
 image: framasoft/mobilizon:latest
diff --git a/dockers/paheko/docker-compose.yml.dist b/dockers/paheko/docker-compose.yml.dist
index 4f772d9..cdb2fe5 100644
--- a/dockers/paheko/docker-compose.yml.dist
+++ b/dockers/paheko/docker-compose.yml.dist
@@ -1,5 +1,3 @@
-version: '3.5'
-
 services:
 paheko:
diff --git a/dockers/postfix/docker-compose.yml b/dockers/postfix/docker-compose.yml
index ecbca49..0799efc 100644
--- a/dockers/postfix/docker-compose.yml
+++ b/dockers/postfix/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 mail:
 image: postfixkaz
diff --git a/dockers/postfix2/docker-compose.yml b/dockers/postfix2/docker-compose.yml
index 6e7cf0a..ad6ba16 100644
--- a/dockers/postfix2/docker-compose.yml
+++ b/dockers/postfix2/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.3'
-
 services:
 mail:
 image: docker.io/mailserver/docker-mailserver:latest
diff --git a/dockers/proxy/.env b/dockers/proxy/.env
deleted file mode 120000
index 406acd1..0000000
--- a/dockers/proxy/.env
+++ /dev/null
@@ -1 +0,0 @@
-../../config/dockers.env
\ No newline at end of file
diff --git a/dockers/proxy/Dockerfile b/dockers/proxy/Dockerfile
deleted file mode 100644
index 9b41398..0000000
--- a/dockers/proxy/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM nginx
-
-########################################
-# APT local cache
-# work around because COPY failed if no source file
-COPY .dummy .apt-mirror-confi[g] .proxy-confi[g] /
-RUN cp /.proxy-config /etc/profile.d/proxy.sh 2> /dev/null || true
-RUN if [ -f /.apt-mirror-config ] ; then . /.apt-mirror-config && sed -i \
- -e "s/deb.debian.org/${APT_MIRROR_DEBIAN}/g" \
- -e "s/security.debian.org/${APT_MIRROR_DEBIAN_SECURITY}/g" \
- -e "s/archive.ubuntu.com/${APT_MIRROR_UBUNTU}/g" \
- -e "s/security.ubuntu.com/${APT_MIRROR_UBUNTU_SECURITY}/g" \
- /etc/apt/sources.list; fi
-
-########################################
-RUN apt-get update --quiet && apt-get upgrade -y
-
-RUN apt install -y python3 python3-venv libaugeas0
-RUN python3 -m venv /opt/certbot/
-RUN /opt/certbot/bin/python -m pip install --upgrade pip
-RUN /opt/certbot/bin/python -m pip install certbot certbot-nginx
-RUN ln -s /opt/certbot/bin/certbot /usr/bin/certbot
diff --git a/dockers/proxy/Readme.txt b/dockers/proxy/Readme.txt
deleted file mode 100644
index 4e392ea..0000000
--- a/dockers/proxy/Readme.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-Pour l'installation d'un mandataire pour aiguiller les demandes web
-
-Contenu du répertoire :
-.
-├── conf Paramettrage du mandataire
-│   ├── allow_admin_ip Les adresses IP des administrateur pour les URI protégés
-│   ├── nginx.conf La config du mandataire produite automatiquement
-│   ├── nginx.conf.tmpl Modèle de config du mandataire
-│   ├── proxy_params Le paramétrage de transmetre des requêtes
-│   └── proxy-gen.sh Le script de production à partir du modèle
-├── docker-compose.yml Scénario de lancement
-└── Readme.txt Ce fichier
-
-# cd /dockers/proxy
-
-1) Lancement du mandataire
-Dans docker-compose.yml
- - il y a nommage du container
-
-# docker-compose up -d
-
-2) Verification
-Il y a un container reverse-proxy
-
-# docker ps | grep reverse
-
-3) Modification de config
-Il faut éditer
-
-# cd conf
-# emacs .env nginx.conf.tmpl
-# ./proxy-gen.sh
-
-4) Arrêt du mandataire
-
-# docker-compose down
-
-
-A faire:
-Impose le https dans le cache du navigateur
-7776000 (= 90jours)
-31536000 (= 365 jours)
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
diff --git a/dockers/proxy/build.sh b/dockers/proxy/build.sh
deleted file mode 100755
index 35f2d0a..0000000
--- a/dockers/proxy/build.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
-. "${KAZ_ROOT}/bin/.commonFunctions.sh"
-setKazVars
-
-printKazMsg "\n *** Création du Dockerfile proxy"
-
-cd "${KAZ_ROOT}"
-
-docker build -t proxykaz . -f dockers/proxy/Dockerfile
diff --git a/dockers/proxy/config/nginx.tmpl.conf b/dockers/proxy/config/nginx.tmpl.conf
deleted file mode 100644
index eed5199..0000000
--- a/dockers/proxy/config/nginx.tmpl.conf
+++ /dev/null
@@ -1,734 +0,0 @@ -# pour l'utilisation de certificats dynamique -user root; - -events { - worker_connections 1000000; -} -http { - - resolver 127.0.0.11 ipv6=off; - server_tokens off; - - ######################################## - #### autoriser des uploads de 50Mo max - #### pour tous les sites - ### sinon placer la variable dans chaque server{} - client_max_body_size 1024M; - add_header Set-Cookie lang="fr"; - - ######################################## - #### redirection http vers https - include includes/redirect; - - map $ssl_early_data $tls1_3_early_data { - "~." $ssl_early_data; - default ""; - } - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - map $ssl_server_name $ssl_local_cert { - volatile; - hostnames; - ~^(?.*\.)__DOMAIN__$ __DOMAIN__; - default $ssl_server_name; - } - - ######################################## - #### Default -{{web - -# ######################################## -# #### Autoconfig pour thunderbird -server { - server_name autoconfig.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - location /mail/config-v1.1.xml { - proxy_pass http://__DOMAIN__/mail/config-v1.1.xml; - } - } - -# merci de ne pas effacer -server { - server_name autoconfig.bodamcity.fr; - include includes/port; - ssl_certificate /etc/letsencrypt/live/autoconfig.bodamcity.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/autoconfig.bodamcity.fr/privkey.pem; - include includes/proxy_params; - include includes/allow_ip; - location / { - proxy_pass http://kaz.bzh; - } -} - -# merci de ne pas effacer -server { - server_name autoconfig.legrandmechantlude.org; - include includes/port; - ssl_certificate /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/privkey.pem; - include 
includes/proxy_params; - include includes/allow_ip; - location / { - proxy_pass http://kaz.bzh; - } -} - -# merci de ne pas effacer -server { - server_name autoconfig.lbrondel-psychotherapie.fr; - include includes/port; - ssl_certificate /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/privkey.pem; - include includes/proxy_params; - include includes/allow_ip; - location / { - proxy_pass http://kaz.bzh; - } -} - - - server { - server_name __DOMAIN__ www.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/www.__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/www.__DOMAIN__/privkey.pem; - include includes/proxy_params; - - include includes/allow_ip; - # XXX >>> - # A concerver jusqu'en juin 2021 - location /email.css { - proxy_pass http://__DOMAIN__/m/email.css; - } - location /kaz-50.png { - proxy_pass http://__DOMAIN__/m/logo.png; - } - location /kaz-du-libre-23.png { - proxy_pass http://__DOMAIN__/m/coche.png; - } - # <<< - location / { - proxy_pass http://__DOMAIN__; - } - } -}} - - ######################################## - #### Jirafeau (filesender) -{{jirafeau - server { - server_name __FILE_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location /admin.php { - include allow_admin_ip; - proxy_pass http://__FILE_HOST__.__DOMAIN__; - } - location / { - include includes/allow_ip; - proxy_pass http://__FILE_HOST__.__DOMAIN__; - } - } -}} - - ######################################## - #### CALC -{{ethercalc - server { - server_name __CALC_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - 
location / { - include includes/allow_ip; - proxy_pass http://__CALC_HOST__.__DOMAIN__:8000; - } - } -}} - - ######################################## - #### YAKFORMS -{{yakforms - server { - server_name __YAKFORMS_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__YAKFORMS_HOST__.__DOMAIN__; - } - } -}} - - ######################################## - #### PAD -{{etherpad - server { - server_name __PAD_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location /admin/ { - include allow_admin_ip; - proxy_pass http://__PAD_HOST__.__DOMAIN__:9001; - } - location / { - include includes/allow_ip; - proxy_pass http://__PAD_HOST__.__DOMAIN__:9001; - } - } -}} - - ######################################## - #### roundcube -{{roundcube - server { - server_name __WEBMAIL_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__WEBMAIL_HOST__.__DOMAIN__; - } - } -}} - - ######################################## - #### Framadate -{{framadate - server { - server_name __DATE_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location /admin/ { - include allow_admin_ip; - proxy_pass http://__DATE_HOST__.__DOMAIN__; - } - location / { - include includes/allow_ip; - proxy_pass http://__DATE_HOST__.__DOMAIN__; - } - } -}} 
- - ######################################## - #### LDAP -{{ldap - server { - server_name __LDAPUI_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__LDAPUI_HOST__.__DOMAIN__; - } - } -}} - -######################################## -#### Mobilizon -{{mobilizon -server { - server_name __MOBILIZON_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__MOBILIZON_HOST__.__DOMAIN__; - } -} -}} - - - ######################################## - #### paheko kaz -{{paheko - # map $http_host $paheko_kaz_map { - # hostnames; - # # déclaration des domaines extérieurs vers un paheko local - # include includes/paheko_kaz_map; - # } - - server { - # XXX dans __DOMAIN__ il faudrait remplacer le . par \. - # mais c'est pas grave pour nous. 
Il n'y a pas de domaine kazXbzh à la racine du NIC - server_name ~^(?.+)-__PAHEKO_HOST__\.__DOMAIN__$; - - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__PAHEKO_HOST__.__DOMAIN__; - } - } -}} - - ############################################# - # dokuwiki kaz -{{dokuwiki - server { - server_name __DOKUWIKI_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__DOKUWIKI_HOST__.__DOMAIN__; - } - } -}} - - ############################################# - # gitea kaz -{{gitea - server { - server_name __GIT_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__GIT_HOST__.__DOMAIN__:3000; - } - } -}} - - ############################################# - # vaultwarden - {{vaultwarden - server { - server_name __VAULTWARDEN_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__VAULTWARDEN_HOST__.__DOMAIN__:80; - } - } - }} - - ############################################# - # imapsync - {{imapsync - server { - server_name __IMAPSYNC_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key 
/etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__IMAPSYNC_HOST__.__DOMAIN__:8080; - } - } - }} - - ############################################# - # castopod - {{castopod - server { - server_name __CASTOPOD_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__CASTOPOD_HOST__.__DOMAIN__:8000; - } - } - }} - - - ######################################## - #### mattermost -{{mattermost - - server { - server_name __MATTER_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - include includes/allow_ip; - ssl_ecdh_curve prime256v1:secp384r1:secp521r1; - -# test add_header X-Early-Data $tls1_3_early_data; - location ~ /api/v[0-9]+/(users/)?websocket$ { - proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000; -# test proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; -#test proxy_set_header Connection $connection_upgrade; - client_body_timeout 60; - send_timeout 300; - lingering_timeout 5; - proxy_connect_timeout 90; - proxy_send_timeout 300; - proxy_read_timeout 90s; -# test proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# test proxy_set_header Proxy ""; - rewrite ^/(.+)$ /$1 break; - } - - location / { - proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_read_timeout 600s; - # proxy_cache mattermost_cache; # test - # proxy_cache_lock on; # test - # proxy_cache_min_uses 2; # test - # proxy_cache_revalidate on; # test - # 
proxy_cache_use_stale timeout; # test - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } -}} - - ######################################## - #### nextcloud / collabora -{{cloud - server { - server_name __CLOUD_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://__CLOUD_HOST__.__DOMAIN__; - } - } -}} -{{collabora - server { - server_name __OFFICE_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - proxy_set_header Host $http_host; - - # static files - location ^~ /loleaflet { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - location ^~ /browser { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - # WOPI discovery URL - location ^~ /hosting/discovery { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - # Capabilities - location ^~ /hosting/capabilities { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - # main websocket - location ~ ^/(.|l)ool/(.*)/ws$ { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_read_timeout 36000s; - } - # download, presentation and image upload - location ~ ^/(c|l)ool { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - # Admin Console websocket - location ^~ /(c|l)ool/adminws { - include allow_admin_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 
"Upgrade"; - proxy_read_timeout 36000s; - } - location / { - include includes/allow_ip; - proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980; - } - } -}} - - ######################################## - #### association -{{orga - map $http_host $cloud_kaz_map { - hostnames; - include includes/cloud_kaz_map; - } - map $http_host $agora_kaz_map { - hostnames; - include includes/agora_kaz_map; - } - map $http_host $wiki_kaz_map { - hostnames; - include includes/wiki_kaz_map; - } - map $http_host $wp_kaz_map { - hostnames; - include includes/wp_kaz_map; - } - map $http_host $pod_kaz_map { - hostnames; - include includes/pod_kaz_map; - } - - server { - server_name ~^(?.+)-__CASTOPOD_HOST__\.__DOMAIN__$; - include includes/pod_kaz_name; - if ($asso = '') { - set $asso $pod_kaz_map; - } - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://$asso-__CASTOPOD_HOST__.__DOMAIN__:8000; - } - } - - server { - server_name ~^(?.+)-__CLOUD_HOST__\.__DOMAIN__$; - include includes/cloud_kaz_name; - if ($asso = '') { - set $asso $cloud_kaz_map; - } - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://$asso-__CLOUD_HOST__.__DOMAIN__; - } - } - - server { - server_name ~^(?.+)-__OFFICE_HOST__\.__DOMAIN__$; - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - proxy_set_header Host $http_host; - - # static files - location ^~ /loleaflet { - include includes/allow_ip; - proxy_pass 
http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - location ^~ /browser { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - # WOPI discovery URL - location ^~ /hosting/discovery { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - # Capabilities - location ^~ /hosting/capabilities { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - # main websocket - location ~ ^/(c|l)ool/(.*)/ws$ { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_read_timeout 36000s; - } - # download, presentation and image upload - location ~ ^/(c|l)ool { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - # Admin Console websocket - location ^~ /(c|l)ool/adminws { - include allow_admin_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_read_timeout 36000s; - } - location / { - include includes/allow_ip; - proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980; - } - } - - server { - server_name ~^(?.+)-__MATTER_HOST__\.__DOMAIN__$; - include includes/agora_kaz_name; - if ($asso = '') { - set $asso $agora_kaz_map; - } - - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - include includes/allow_ip; - ssl_ecdh_curve prime256v1:secp384r1:secp521r1; - - add_header X-Early-Data $tls1_3_early_data; - location ~ /api/v[0-9]+/(users/)?websocket$ { - proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000; - proxy_set_header Connection "upgrade"; # test -# test proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; -# test proxy_set_header 
Connection $connection_upgrade; - client_body_timeout 60; - send_timeout 300; - lingering_timeout 5; - proxy_connect_timeout 90; - proxy_send_timeout 300; - proxy_read_timeout 90s; -# test proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# test proxy_set_header Proxy ""; - rewrite ^/(.+)$ /$1 break; - } - - location / { - proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_read_timeout 600s; - # proxy_cache mattermost_cache; # test - # proxy_cache_lock on; # test - # proxy_cache_min_uses 2; # test - # proxy_cache_revalidate on; # test - # proxy_cache_use_stale timeout; # test - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - } - - server { - server_name ~^(?.+)-__DOKUWIKI_HOST__\.__DOMAIN__$; - include includes/wiki_kaz_name; - if ($asso = '') { - set $asso $wiki_kaz_map; - } - - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://$asso-__DOKUWIKI_HOST__.__DOMAIN__; - } - } - - server { - server_name ~^(?.+)-__WORDPRESS_HOST__\.__DOMAIN__$; - include includes/wp_kaz_name; - if ($asso = '') { - set $asso $wp_kaz_map; - } - - include includes/port; - ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem; - include includes/proxy_params; - - location / { - include includes/allow_ip; - proxy_pass http://$asso-__WORDPRESS_HOST__.__DOMAIN__; - } - } -}} - - ######################################## - #### vigilo kaz -{{vigilo - server { - server_name __VIGILO_HOST__.__DOMAIN__; - include includes/port; - ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; - ssl_certificate_key 
/etc/letsencrypt/live/__DOMAIN__/privkey.pem; - include includes/proxy_params; - - proxy_set_header X-Real-IP $remote_addr; - - location / { - include includes/allow_ip; - proxy_pass http://__VIGILO_HOST__.__DOMAIN__; - - proxy_hide_header 'x-frame-options'; - #proxy_set_header x-frame-options allowall; - #add_header X-Frame-Options "ALLOW-FROM *"; - add_header X-Frame-Options "ALLOWALL"; - - if ($request_method = OPTIONS) { - add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE"; - add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept"; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - - } - } -}} - ######################################## -} diff --git a/dockers/proxy/docker-compose.tmpl.yml.dist b/dockers/proxy/docker-compose.tmpl.yml.dist deleted file mode 100644 index 5f3c25c..0000000 --- a/dockers/proxy/docker-compose.tmpl.yml.dist +++ /dev/null 
@@ -1,242 +0,0 @@ -# if faut définir les variables d'environnement avant -# ln -s ../dockers.env .env - -version: '3.3' - -services: - reverse-proxy: - image: proxykaz - container_name: ${proxyServName} - restart: ${restartPolicy} - ports: - - ${MAIN_IP}:80:80 - - ${MAIN_IP}:443:443 - # - 80:80 - # - 443:443 - external_links: - - ${proxyServName}:proxy.${domain} -{{web - - ${webServName}:${domain} -}} -{{jirafeau - - ${jirafeauServName}:${fileHost}.${domain} -}} -{{ethercalc - - ${ethercalcServName}:${calcHost}.${domain} -}} -{{etherpad - - ${etherpadServName}:${padHost}.${domain} -}} -{{framadate - - ${framadateServName}:${dateHost}.${domain} -}} -{{ldap - - ${ldapUIName}:${ldapUIHost}.${domain} -}} -{{mobilizon - - ${mobilizonServName}:${mobilizonHost}.${domain} -}} -{{cloud - - ${nextcloudServName}:${cloudHost}.${domain} -}} -{{collabora - - ${officeServName}:${site}-${officeHost}.${domain} -}} -{{paheko - - ${pahekoServName}:${pahekoHost}.${domain} -}} -{{mattermost - - ${mattermostServName}:${matterHost}.${domain} -}} -{{roundcube - - ${roundcubeServName}:${webmailHost}.${domain} -}} -{{gitea - - ${gitServName}:${gitHost}.${domain} -}} -{{dokuwiki - - ${dokuwikiServName}:${dokuwikiHost}.${domain} -}} -{{vigilo - - ${vigiloServName}:${vigiloHost}.${domain} -}} -{{postfix - - ${smtpServName}:${smtpHost}.${domain} -}} -{{vaultwarden - - ${vaultwardenServName}:${vaultwardenHost}.${domain} -}} -{{imapsync - - ${imapsyncServName}:${imapsyncHost}.${domain} -}} -{{castopod - - ${castopodServName}:${castopodHost}.${domain} -}} - -#### BEGIN ORGA HOST -#### END ORGA HOST - networks: - - proxyNet -{{web - - webNet -}} -{{jirafeau - - jirafeauNet -}} -{{ethercalc - - ethercalcNet -}} -{{etherpad - - etherpadNet -}} -{{framadate - - framadateNet -}} -{{ldap - - ldapNet -}} -{{mobilizon - - mobilizonNet -}} -{{cloud - - cloudNet -}} -{{collabora - - collaboraNet -}} -{{paheko - - pahekoNet -}} -{{mattermost - - mattermostNet -}} -{{roundcube - - roundcubeNet -}} -{{gitea - 
- giteaNet -}} -{{dokuwiki - - dokuwikiNet -}} -{{postfix - - postfixNet -}} -{{vaultwarden - - vaultwardenNet -}} -{{imapsync - - imapsyncNet -}} -{{castopod - - castopodNet -}} - -#### BEGIN ORGA USE_NET -#### END ORGA USE_NET - volumes: - - ../../config/proxy/:/etc/nginx/includes/:rw - - ../../secret/allow_admin_ip:/etc/nginx/allow_admin_ip:ro - - ./config/nginx.conf:/etc/nginx/nginx.conf:rw - - /etc/ssl:/etc/ssl:ro - - /etc/letsencrypt:/etc/letsencrypt:rw - - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro - - /root/mkcert:/root/mkcert:ro - -networks: - proxyNet: - external: true - name: proxyNet -{{web - webNet: - external: true - name: webNet -}} -{{jirafeau - jirafeauNet: - external: true - name: jirafeauNet -}} -{{ethercalc - ethercalcNet: - external: true - name: ethercalcNet -}} -{{etherpad - etherpadNet: - external: true - name: etherpadNet -}} -{{framadate - framadateNet: - external: true - name: framadateNet -}} -{{ldap - ldapNet: - external: true - name: ldapNet -}} -{{mobilizon - mobilizonNet: - external: true - name: mobilizonNet -}} -{{cloud - cloudNet: - external: true - name: cloudNet -}} -{{collabora - collaboraNet: - external: true - name: collaboraNet -}} -{{paheko - pahekoNet: - external: true - name: pahekoNet -}} -{{mattermost - mattermostNet: - external: true - name: mattermostNet -}} -{{roundcube - roundcubeNet: - external: true - name: roundcubeNet -}} -{{gitea - giteaNet: - external: true - name: giteaNet -}} -{{dokuwiki - dokuwikiNet: - external: true - name: dokuwikiNet -}} -{{postfix - postfixNet: - external: true - name: postfixNet -}} -{{vaultwarden - vaultwardenNet: - external: true - name: vaultwardenNet -}} -{{imapsync - imapsyncNet: - external: true - name: imapsyncNet -}} -{{castopod - castopodNet: - external: true - name: castopodNet -}} -#### BEGIN ORGA DEF_NET -#### END ORGA DEF_NET diff --git a/dockers/proxy/proxy-gen.sh b/dockers/proxy/proxy-gen.sh deleted file mode 100755 index a264d26..0000000 
--- a/dockers/proxy/proxy-gen.sh +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/bash - -KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd) -. "${KAZ_ROOT}/bin/.commonFunctions.sh" -setKazVars -. "${DOCKERS_ENV}" - -printKazMsg "\n *** Proxy update config" - -NGINX_TMPL=config/nginx.tmpl.conf -NGINX_CONF=config/nginx.conf -DOCKER_DIST=docker-compose.tmpl.yml.dist -DOCKER_TMPL=docker-compose.tmpl.yml -DOCKER_CONF=docker-compose.yml - -for service in agora cloud paheko wiki wp pod; do - touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map" - touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name" -done - -# update port -PROXY_ALLOW_CFG="${KAZ_CONF_PROXY_DIR}/allow_ip" -if [ ! -f "${PROXY_ALLOW_CFG}" ]; then - cat > "${PROXY_ALLOW_CFG}" < "${PROXY_PORT_CFG}" < "${PROXY_REDIRECT}" <