From f4b0bc5a6c87efed5b68bc835d9da0c776732001 Mon Sep 17 00:00:00 2001
From: Gael <gael.merbeth@kaz.bzh>
Date: Fri, 16 Aug 2024 16:15:24 +0200
Subject: [PATCH] traefik v3

---
 bin/container.sh                              |   2 +-
 dockers/traefik/conf/allow_ip.yml.sample      |  18 +++
 dockers/traefik/conf/{dynamic => }/conf.yml   |   0
 .../conf/dynamic/certificates.yml.tmpl        |  20 ---
 dockers/traefik/conf/traefik.yml.old          |  54 -------
 dockers/traefik/docker-compose.tmpl.yml.dist  |  35 ++--
 dockers/traefik/proxy-gen.sh                  | 152 +-----------------
 7 files changed, 38 insertions(+), 243 deletions(-)
 create mode 100644 dockers/traefik/conf/allow_ip.yml.sample
 rename dockers/traefik/conf/{dynamic => }/conf.yml (100%)
 delete mode 100644 dockers/traefik/conf/dynamic/certificates.yml.tmpl
 delete mode 100644 dockers/traefik/conf/traefik.yml.old

diff --git a/bin/container.sh b/bin/container.sh
index dac3d2c..0023233 100755
--- a/bin/container.sh
+++ b/bin/container.sh
@@ -135,7 +135,7 @@ startComposes () {
     updateProxy "on" ${enableComposesNoNeedMail[@]} ${enableComposesNeedMail[@]}
     doComposes "up -d" ${enableProxyComposes[@]}
 	for item in "${enableProxyComposes[@]}"; do
-    	${SIMU} ${KAZ_COMP_DIR}/${item}/reload.sh
+    	[[ -x "${KAZ_COMP_DIR}/${item}/reload.sh" ]] && ${SIMU} "${KAZ_COMP_DIR}/${item}/reload.sh"
 	done
     if grep -q  "^.s*proxy_web.s*=.s*on" "${DOCKERS_ENV}" 2> /dev/null ; then
 	${SIMU} ${KAZ_COMP_DIR}/web/web-gen.sh
diff --git a/dockers/traefik/conf/allow_ip.yml.sample b/dockers/traefik/conf/allow_ip.yml.sample
new file mode 100644
index 0000000..979126f
--- /dev/null
+++ b/dockers/traefik/conf/allow_ip.yml.sample
@@ -0,0 +1,18 @@
+http:
+  middlewares:
+    ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "192.168.0.0/16"
+          - "172.16.0.0/12"
+          - "127.0.0.0/8"
+          - "10.0.0.0/8"
+	      - "0.0.0.0/0"	
+    adminipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "192.168.0.0/16"
+          - "172.16.0.0/12"
+          - "127.0.0.0/8"
+          - "10.0.0.0/8"
+	      - "0.0.0.0/0"	
\ No newline at end of file
diff --git a/dockers/traefik/conf/dynamic/conf.yml b/dockers/traefik/conf/conf.yml
similarity index 100%
rename from dockers/traefik/conf/dynamic/conf.yml
rename to dockers/traefik/conf/conf.yml
diff --git a/dockers/traefik/conf/dynamic/certificates.yml.tmpl b/dockers/traefik/conf/dynamic/certificates.yml.tmpl
deleted file mode 100644
index 3676fd3..0000000
--- a/dockers/traefik/conf/dynamic/certificates.yml.tmpl
+++ /dev/null
@@ -1,20 +0,0 @@
-#tls:
-#  certificates:
-#    - certFile: __SSL_CERT__
-#      keyFile: __SSL_KEY__
-#
-#  stores:
-#    default:
-#      defaultCertificate:
-#        certFile: __SSL_CERT__
-#        keyFile: __SSL_KEY__
-#  options:
-#    default:
-#      minVersion: VersionTLS12
-#      cipherSuites:
-#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-#        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-#        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-#        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
diff --git a/dockers/traefik/conf/traefik.yml.old b/dockers/traefik/conf/traefik.yml.old
deleted file mode 100644
index 75e3c6e..0000000
--- a/dockers/traefik/conf/traefik.yml.old
+++ /dev/null
@@ -1,54 +0,0 @@
-providers:
-  file:
-     directory: "/etc/traefik/dynamic"
-     watch: true
-  docker: {}
-
-entryPoints:
-  web:
-    address: ":80"
-  websecure:
-    address: ":443"
-    http:
-      tls:
-        certResolver: letsencrypt
-  # Ajout d'un point d'entrée sur le port 8289
-  metrics:
-    address: ":8289"
-
-#serversTransport:
-#  rootCAs:
-#    - /etc/letsencrypt/local/rootCA.pem
-
-
-api:
-  dashboard: true
-
-accessLog:
-  filePath: "/var/log/traefik/access.log"
-  format: json
-
-certificatesresolvers:
-  letsencrypt:
-    acme:
-    #  email: sysadmins@kaz.bzh
-      storage: /letsencrypt/acme.json
-    #  caServer: "https://acme-staging.api.letsencrypt.org/directory"
-      httpChallenge:
-        entryPoint: web
-
-# Ajout de la partie métrique qui concerne Prometheus
-metrics:
-  prometheus:
-    # Nom du point d'entrée défini au dessus
-    entryPoint: metrics
-    # On configure la latence des métriques
-    buckets:
-      - 0.1
-      - 0.3
-      - 1.2
-      - 5.0
-    # Ajout des métriques sur les points d'entrée
-    addEntryPointsLabels: true
-    # Ajout des services
-    addServicesLabels: true
diff --git a/dockers/traefik/docker-compose.tmpl.yml.dist b/dockers/traefik/docker-compose.tmpl.yml.dist
index 2d3b8c2..6b13311 100644
--- a/dockers/traefik/docker-compose.tmpl.yml.dist
+++ b/dockers/traefik/docker-compose.tmpl.yml.dist
@@ -1,20 +1,13 @@
-version: '3'
-
 services:
   reverse-proxy:
-    # The official v2 Traefik docker image
-    image: traefik:v2.10.7
+    image: traefik:v3.1.2
     container_name: ${traefikServName}
     restart: ${restartPolicy}
     # Enables the web UI and tells Traefik to listen to docker
     ports:
-      # The HTTP port
       - ${MAIN_IP}:80:80
       - ${MAIN_IP}:443:443
-      # The Web UI (enabled by --api.insecure=true)
-      # - ${MAIN_IP}:8289:8289
     volumes:
-      # So that Traefik can listen to the Docker events
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./conf:/etc/traefik/
       - letsencrypt:/letsencrypt
@@ -22,33 +15,39 @@ services:
       - TRAEFIK_PROVIDERS_DOCKER=true
       - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
       - TRAEFIK_API=true
-      - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik/dynamic
+      - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik
       - TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80
       - TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure
       - TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443
       - TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt
-      #- TRAEFIK_ENTRYPOINTS_metrics_ADDRESS=:8289
-      #- TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics
+      - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file,test-ipwhitelist@file
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain}
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server}
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true
-      - TRAEFIK_LOG_LEVEL=DEBUG
-      - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file
-      #- LEGO_CA_CERTIFICATES=/etc/traefik/root_ca.crt
-      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE=true
-      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE_ENTRYPOINT=web
+      - TRAEFIK_LOG_LEVEL=INFO
       - TRAEFIK_API_DASHBOARD=true
+      #pour la migration vers traefik3
+      - TRAEFIK_CORE_DEFAULTRULESYNTAX=v3
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`) && PathPrefix(`/api`, `/dashboard`)"
       - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)"
       - "traefik.http.routers.traefik_https.entrypoints=websecure"
-      # - "traefik.http.routers.traefik_https.tls=true"
       - "traefik.http.routers.traefik_https.service=api@internal"
       - "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth"
-      # - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
       - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile"
+      # Middleware for redirection
+      - "traefik.http.middlewares.redirect-to-www.redirectregex.regex=^https?://${domain}(.*)"
+      - "traefik.http.middlewares.redirect-to-www.redirectregex.replacement=https://www.${domain}$${1}"
+      - "traefik.http.middlewares.redirect-to-www.redirectregex.permanent=true"
+      # Router for redirection
+      - "traefik.http.routers.redirection.rule=Host(`${domain}`)"
+      - "traefik.http.routers.redirection.entrypoints=websecure"
+      - "traefik.http.routers.redirection.middlewares=redirect-to-www"
+      - "traefik.http.routers.redirection.tls.certresolver=myresolver"
+
+
     networks:
       - traefikNet
 {{web
diff --git a/dockers/traefik/proxy-gen.sh b/dockers/traefik/proxy-gen.sh
index 109951b..920a01b 100755
--- a/dockers/traefik/proxy-gen.sh
+++ b/dockers/traefik/proxy-gen.sh
@@ -8,161 +8,13 @@ setKazVars
 
 printKazMsg "\n  *** Proxy update config"
 
-#NGINX_TMPL=config/nginx.tmpl.conf
-#NGINX_CONF=config/nginx.conf
-DOCKER_DIST=docker-compose.tmpl.yml.dist
 DOCKER_TMPL=docker-compose.tmpl.yml
+DOCKER_DIST=docker-compose.tmpl.yml.dist
 DOCKER_CONF=docker-compose.yml
 PASSFILE=conf/passfile
 
-ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
-ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
-
-# TODO
-# for service in agora cloud paheko wiki wp; do
-#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
-#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
-# done
-
-cd $(dirname $0)
-# update ip allowed
-TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
-if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
-    cat > "${TRAEFIK_ALLOW_IP_FILE}"  <<EOF
-http:
-  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
-        sourceRange:
-          # Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
-          #ALLOWEDIP
-          - "0.0.0.0/0"
-          #FINALLOWEDIP
-    test-adminipwhitelist:
-      ipWhiteList:
-        sourceRange:
-          # Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
-          #ADMINIP
-          - "0.0.0.0/0"
-          #FINADMINIP
-EOF
-fi
-
-# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
-if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
-    sed -i 's/#ADMINIP/#ADMINIP\n          #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
-    sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
-    grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
-fi
-if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
-    sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n          #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
-    sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
-    grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
-fi
-
-
-CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
-CERTFILE=conf/dynamic/certificates.yml
-if [ ! -f "${CERTFILE}" ]; then
-    cp "${CERTFILE_TMPL}" "${CERTFILE}"
-    case "${domain}" in
-     kaz.bzh)
-         SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
-         SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
-         ;;
-     kaz.local)
-         SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
-         SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
-         ;;
-     *)
-         SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
-         SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
-         ;;
-     esac
-
-    sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
-    sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
-fi
-
-#     cat > "${PROXY_PORT_CFG}"  <<EOF
-# listen 443 ssl http2;
-
-# ssl_certificate ${SSL_CERT};
-# ssl_certificate_key ${SSL_KEY};
-
-# ssl_session_timeout 1d;
-# ssl_protocols TLSv1.2 TLSv1.3;
-# ssl_early_data on;
-# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-# ssl_prefer_server_ciphers on;
-# ssl_session_cache shared:SSL:50m;
-# ssl_stapling on;
-# ssl_stapling_verify on;
-# EOF
-#fi
-
-# update redirect
-# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
-# if [ ! -f "${PROXY_REDIRECT}" ]; then
-#     cat > "${PROXY_REDIRECT}"  <<EOF
-# server {
-#   listen 80;
-#   return 301 https://\$host\$request_uri;
-# }
-
-# # file
-# server {
-#   listen 80;
-#   server_name file.${domain};
-#   return 301 https://depot.${domain}\$request_uri;
-# }
-
-# # cacl
-# server {
-#   listen 80;
-#   server_name calc.${domain};
-#   return 301 https://tableur.${domain}\$request_uri;
-# }
-
-# # date
-# server {
-#   listen 80;
-#   server_name date.${domain};
-#   return 301 https://sondage.${domain}\$request_uri;
-# }
-
-# # cloud
-# server {
-#   listen 80;
-#   server_name bureau.${domain};
-#   return 301 https://cloud.${domain}\$request_uri;
-# }
-
-# # mattermost
-# server {
-#   listen 80;
-#   server_name mattermost.${domain};
-#   return 301 https://agora.${domain}\$request_uri;
-# }
-
-# # dokuwiki
-# server {
-#   listen 80;
-#   server_name dokuwiki.${domain};
-#   return 301 https://wiki.${domain}\$request_uri;
-# }
-# EOF
-# fi
-
 cd $(dirname $0)
 
-
-[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
 [[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
-if [ -f "conf/root_ca.crt" ]; then
-    sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
-fi
+[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
 "${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
-# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
-
-#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &