From f4b0bc5a6c87efed5b68bc835d9da0c776732001 Mon Sep 17 00:00:00 2001 From: Gael Date: Fri, 16 Aug 2024 16:15:24 +0200 Subject: [PATCH] traefik v3 --- bin/container.sh | 2 +- dockers/traefik/conf/allow_ip.yml.sample | 18 +++ dockers/traefik/conf/{dynamic => }/conf.yml | 0 .../conf/dynamic/certificates.yml.tmpl | 20 --- dockers/traefik/conf/traefik.yml.old | 54 ------- dockers/traefik/docker-compose.tmpl.yml.dist | 35 ++-- dockers/traefik/proxy-gen.sh | 152 +----------------- 7 files changed, 38 insertions(+), 243 deletions(-) create mode 100644 dockers/traefik/conf/allow_ip.yml.sample rename dockers/traefik/conf/{dynamic => }/conf.yml (100%) delete mode 100644 dockers/traefik/conf/dynamic/certificates.yml.tmpl delete mode 100644 dockers/traefik/conf/traefik.yml.old diff --git a/bin/container.sh b/bin/container.sh index dac3d2c..0023233 100755 --- a/bin/container.sh +++ b/bin/container.sh @@ -135,7 +135,7 @@ startComposes () { updateProxy "on" ${enableComposesNoNeedMail[@]} ${enableComposesNeedMail[@]} doComposes "up -d" ${enableProxyComposes[@]} for item in "${enableProxyComposes[@]}"; do - ${SIMU} ${KAZ_COMP_DIR}/${item}/reload.sh + [[ -x "${KAZ_COMP_DIR}/${item}/reload.sh" ]] && ${SIMU} "${KAZ_COMP_DIR}/${item}/reload.sh" done if grep -q "^.s*proxy_web.s*=.s*on" "${DOCKERS_ENV}" 2> /dev/null ; then ${SIMU} ${KAZ_COMP_DIR}/web/web-gen.sh diff --git a/dockers/traefik/conf/allow_ip.yml.sample b/dockers/traefik/conf/allow_ip.yml.sample new file mode 100644 index 0000000..979126f --- /dev/null +++ b/dockers/traefik/conf/allow_ip.yml.sample @@ -0,0 +1,18 @@ +http: + middlewares: + ipwhitelist: + ipWhiteList: + sourceRange: + - "192.168.0.0/16" + - "172.16.0.0/12" + - "127.0.0.0/8" + - "10.0.0.0/8" + - "0.0.0.0/0" + adminipwhitelist: + ipWhiteList: + sourceRange: + - "192.168.0.0/16" + - "172.16.0.0/12" + - "127.0.0.0/8" + - "10.0.0.0/8" + - "0.0.0.0/0" \ No newline at end of file 
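Review bot: The new guard on the reload line skips silently when `reload.sh` is missing or not executable, so a compose whose proxy configuration is never reloaded leaves no trace in the run output; `startComposes` starts before and continues after this hunk. If `printKazMsg` is in scope here as it is in proxy-gen.sh, an explicit branch is clearer than the `&&` chain: `if [[ -x "${KAZ_COMP_DIR}/${item}/reload.sh" ]]; then ${SIMU} "${KAZ_COMP_DIR}/${item}/reload.sh"; else printKazMsg "no reload.sh for ${item}, skipped"; fi`. The unquoted `${SIMU}` is presumably intentional so an empty or multi-word simulation prefix word-splits, as the surrounding lines do.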
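Review bot: Both allow lists end with `- "0.0.0.0/0"`, which matches every source address and makes `ipwhitelist` and `adminipwhitelist` no-ops, so the dashboard's admin list no longer restricts by IP at all and basic auth becomes the only control; the previous proxy-gen.sh generated this file from `/kaz/secret/allow_admin_ip`, and nothing in this patch replaces that. At minimum drop the `0.0.0.0/0` entry from `adminipwhitelist`, and add a leading comment saying this is a sample to copy to `allow_ip.yml` (the file provider only loads `.yml`/`.yaml`/`.toml`, so the `.sample` is never read). The middleware names also do not match what docker-compose references (`test-ipwhitelist@file`, `test-adminipwhitelist@file`) unless the unshown `conf.yml` defines those. Finally, Traefik v3 deprecates `ipWhiteList` in favour of `ipAllowList`; v3.1 still accepts the old key with a warning, but a fresh sample should use `ipAllowList:` so it survives the next major.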
diff --git a/dockers/traefik/conf/dynamic/conf.yml b/dockers/traefik/conf/conf.yml similarity index 100% rename from dockers/traefik/conf/dynamic/conf.yml rename to dockers/traefik/conf/conf.yml diff --git a/dockers/traefik/conf/dynamic/certificates.yml.tmpl b/dockers/traefik/conf/dynamic/certificates.yml.tmpl deleted file mode 100644 index 3676fd3..0000000 --- a/dockers/traefik/conf/dynamic/certificates.yml.tmpl +++ /dev/null @@ -1,20 +0,0 @@ -#tls: -# certificates: -# - certFile: __SSL_CERT__ -# keyFile: __SSL_KEY__ -# -# stores: -# default: -# defaultCertificate: -# certFile: __SSL_CERT__ -# keyFile: __SSL_KEY__ -# options: -# default: -# minVersion: VersionTLS12 -# cipherSuites: -# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 -# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/dockers/traefik/conf/traefik.yml.old b/dockers/traefik/conf/traefik.yml.old deleted file mode 100644 index 75e3c6e..0000000 --- a/dockers/traefik/conf/traefik.yml.old +++ /dev/null 
@@ -1,54 +0,0 @@ -providers: - file: - directory: "/etc/traefik/dynamic" - watch: true - docker: {} - -entryPoints: - web: - address: ":80" - websecure: - address: ":443" - http: - tls: - certResolver: letsencrypt - # Ajout d'un point d'entrée sur le port 8289 - metrics: - address: ":8289" - -#serversTransport: -# rootCAs: -# - /etc/letsencrypt/local/rootCA.pem - - -api: - dashboard: true - -accessLog: - filePath: "/var/log/traefik/access.log" - format: json - -certificatesresolvers: - letsencrypt: - acme: - # email: sysadmins@kaz.bzh - storage: /letsencrypt/acme.json - # caServer: "https://acme-staging.api.letsencrypt.org/directory" - httpChallenge: - entryPoint: web - -# Ajout de la partie métrique qui concerne Prometheus -metrics: - prometheus: - # Nom du point d'entrée défini au dessus - entryPoint: metrics - # On configure la latence des métriques - buckets: - - 0.1 - - 0.3 - - 1.2 - - 5.0 - # Ajout des métriques sur les points d'entrée - addEntryPointsLabels: true - # Ajout des services - addServicesLabels: true diff --git a/dockers/traefik/docker-compose.tmpl.yml.dist b/dockers/traefik/docker-compose.tmpl.yml.dist index 2d3b8c2..6b13311 100644 --- a/dockers/traefik/docker-compose.tmpl.yml.dist +++ b/dockers/traefik/docker-compose.tmpl.yml.dist @@ -1,20 +1,13 @@ -version: '3' - services: reverse-proxy: - # The official v2 Traefik docker image - image: traefik:v2.10.7 + image: traefik:v3.1.2 container_name: ${traefikServName} restart: ${restartPolicy} # Enables the web UI and tells Traefik to listen to docker ports: - # The HTTP port - ${MAIN_IP}:80:80 - ${MAIN_IP}:443:443 - # The Web UI (enabled by --api.insecure=true) - # - ${MAIN_IP}:8289:8289 volumes: - # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock:ro - ./conf:/etc/traefik/ - letsencrypt:/letsencrypt 
@@ -22,33 +15,39 @@ services: - TRAEFIK_PROVIDERS_DOCKER=true - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false - TRAEFIK_API=true - - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik/dynamic + - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik - TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80 - TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure - TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443 - TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt - #- TRAEFIK_ENTRYPOINTS_metrics_ADDRESS=:8289 - #- TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics + - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file,test-ipwhitelist@file - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain} - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server} - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true - - TRAEFIK_LOG_LEVEL=DEBUG - - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file - #- LEGO_CA_CERTIFICATES=/etc/traefik/root_ca.crt - #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE=true - #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE_ENTRYPOINT=web + - TRAEFIK_LOG_LEVEL=INFO - TRAEFIK_API_DASHBOARD=true + #pour la migration vers traefik3 + - TRAEFIK_CORE_DEFAULTRULESYNTAX=v3 labels: - "traefik.enable=true" - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`) && PathPrefix(`/api`, `/dashboard`)" - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)" - "traefik.http.routers.traefik_https.entrypoints=websecure" - # - "traefik.http.routers.traefik_https.tls=true" - "traefik.http.routers.traefik_https.service=api@internal" - "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth" - # - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt" - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile" + # Middleware for 
redirection + - "traefik.http.middlewares.redirect-to-www.redirectregex.regex=^https?://${domain}(.*)" + - "traefik.http.middlewares.redirect-to-www.redirectregex.replacement=https://www.${domain}$${1}" + - "traefik.http.middlewares.redirect-to-www.redirectregex.permanent=true" + # Router for redirection + - "traefik.http.routers.redirection.rule=Host(`${domain}`)" + - "traefik.http.routers.redirection.entrypoints=websecure" + - "traefik.http.routers.redirection.middlewares=redirect-to-www" + - "traefik.http.routers.redirection.tls.certresolver=myresolver" + + networks: - traefikNet {{web diff --git a/dockers/traefik/proxy-gen.sh b/dockers/traefik/proxy-gen.sh index 109951b..920a01b 100755 --- a/dockers/traefik/proxy-gen.sh +++ b/dockers/traefik/proxy-gen.sh 
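Review bot: The new `redirection` router sets `tls.certresolver=myresolver`, but the only resolver configured in this file is `letsencrypt`, so Traefik should log the router as using a non-existent resolver and fall back to its default self-signed certificate on `https://${domain}`, giving browsers a TLS error before any redirect happens. Change it to `- "traefik.http.routers.redirection.tls.certresolver=letsencrypt"` or drop the label entirely, since `TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt` already applies to every router on that entrypoint. The entrypoint middleware chain now includes `test-ipwhitelist@file` on every websecure router; nothing in this patch defines a middleware of that name (the sample defines `ipwhitelist`), so routers will fail to load unless `conf.yml` provides it, and if it is defined like the sample with `0.0.0.0/0` it allows everyone anyway. With `TRAEFIK_CORE_DEFAULTRULESYNTAX=v3`, the retained rule PathPrefix(`/api`, `/dashboard`) is no longer valid because v3 matchers take a single argument; if that label is the one that wins over its duplicate, it needs PathPrefix(`/api`) || PathPrefix(`/dashboard`).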
@@ -8,161 +8,13 @@ setKazVars printKazMsg "\n *** Proxy update config" -#NGINX_TMPL=config/nginx.tmpl.conf -#NGINX_CONF=config/nginx.conf -DOCKER_DIST=docker-compose.tmpl.yml.dist DOCKER_TMPL=docker-compose.tmpl.yml +DOCKER_DIST=docker-compose.tmpl.yml.dist DOCKER_CONF=docker-compose.yml PASSFILE=conf/passfile -ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip" -ALLOW_IP_FILE="/kaz/config/proxy/allow_ip" - -# TODO -# for service in agora cloud paheko wiki wp; do -# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map" -# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name" -# done - -cd $(dirname $0) -# update ip allowed -TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml -if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then - cat > "${TRAEFIK_ALLOW_IP_FILE}" < "${PROXY_PORT_CFG}" < "${PROXY_REDIRECT}" <> ${PASSFILE} [[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}" -if [ -f "conf/root_ca.crt" ]; then - sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL} -fi +[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE} "${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}" -# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}" - -#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &
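Review bot: The new passfile line uses `${traefik_DASHBOARD_USER}` as the printf format string and feeds the password through an unquoted `echo ${traefik_DASHBOARD_PASSWORD}`, so a `%` in the user name, or a password containing spaces, glob characters or a leading `-n`/`-e`, silently yields a wrong or unusable hash; the file is also created with the default umask inside the bind-mounted `conf/` directory. Pass both values through `printf '%s'` and tighten the mode at creation, as below. `openssl passwd -apr1` is MD5-based; Traefik's basicAuth also accepts bcrypt, so `htpasswd -nbB` is the stronger choice where that tool is available. Note that the removed generation of `conf/dynamic/allow_ip.yml` from `/kaz/secret/allow_admin_ip` appears not to be replaced by anything that creates `allow_ip.yml`, even though docker-compose still references `test-adminipwhitelist@file`; the here-doc bodies of the removed code look truncated in this view and the hunk ends at the edge of what is shown.
```shell
# … unchanged: template copy …
if [[ ! -f "${PASSFILE}" ]]; then
  hash=$(printf '%s\n' "${traefik_DASHBOARD_PASSWORD}" | openssl passwd -apr1 -stdin)
  ( umask 077; printf '%s:%s\n' "${traefik_DASHBOARD_USER}" "${hash}" >> "${PASSFILE}" )
fi
# … unchanged: APPLY_TMPL call …
```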