traefik v3

This commit is contained in:
Gael 2024-08-16 16:15:24 +02:00
parent a2542d8fea
commit f4b0bc5a6c
7 changed files with 38 additions and 243 deletions

View File

@ -135,7 +135,7 @@ startComposes () {
updateProxy "on" ${enableComposesNoNeedMail[@]} ${enableComposesNeedMail[@]} updateProxy "on" ${enableComposesNoNeedMail[@]} ${enableComposesNeedMail[@]}
doComposes "up -d" ${enableProxyComposes[@]} doComposes "up -d" ${enableProxyComposes[@]}
for item in "${enableProxyComposes[@]}"; do for item in "${enableProxyComposes[@]}"; do
${SIMU} ${KAZ_COMP_DIR}/${item}/reload.sh [[ -x "${KAZ_COMP_DIR}/${item}/reload.sh" ]] && ${SIMU} "${KAZ_COMP_DIR}/${item}/reload.sh"
done done
if grep -q "^.s*proxy_web.s*=.s*on" "${DOCKERS_ENV}" 2> /dev/null ; then if grep -q "^.s*proxy_web.s*=.s*on" "${DOCKERS_ENV}" 2> /dev/null ; then
${SIMU} ${KAZ_COMP_DIR}/web/web-gen.sh ${SIMU} ${KAZ_COMP_DIR}/web/web-gen.sh

View File

@ -0,0 +1,18 @@
http:
middlewares:
ipwhitelist:
ipWhiteList:
sourceRange:
- "192.168.0.0/16"
- "172.16.0.0/12"
- "127.0.0.0/8"
- "10.0.0.0/8"
- "0.0.0.0/0"
adminipwhitelist:
ipWhiteList:
sourceRange:
- "192.168.0.0/16"
- "172.16.0.0/12"
- "127.0.0.0/8"
- "10.0.0.0/8"
- "0.0.0.0/0"

View File

@ -1,20 +0,0 @@
#tls:
# certificates:
# - certFile: __SSL_CERT__
# keyFile: __SSL_KEY__
#
# stores:
# default:
# defaultCertificate:
# certFile: __SSL_CERT__
# keyFile: __SSL_KEY__
# options:
# default:
# minVersion: VersionTLS12
# cipherSuites:
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

View File

@ -1,54 +0,0 @@
providers:
file:
directory: "/etc/traefik/dynamic"
watch: true
docker: {}
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls:
certResolver: letsencrypt
# Ajout d'un point d'entrée sur le port 8289
metrics:
address: ":8289"
#serversTransport:
# rootCAs:
# - /etc/letsencrypt/local/rootCA.pem
api:
dashboard: true
accessLog:
filePath: "/var/log/traefik/access.log"
format: json
certificatesresolvers:
letsencrypt:
acme:
# email: sysadmins@kaz.bzh
storage: /letsencrypt/acme.json
# caServer: "https://acme-staging.api.letsencrypt.org/directory"
httpChallenge:
entryPoint: web
# Ajout de la partie métrique qui concerne Prometheus
metrics:
prometheus:
# Nom du point d'entrée défini au dessus
entryPoint: metrics
# On configure la latence des métriques
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
# Ajout des métriques sur les points d'entrée
addEntryPointsLabels: true
# Ajout des services
addServicesLabels: true

View File

@ -1,20 +1,13 @@
version: '3'
services: services:
reverse-proxy: reverse-proxy:
# The official v2 Traefik docker image image: traefik:v3.1.2
image: traefik:v2.10.7
container_name: ${traefikServName} container_name: ${traefikServName}
restart: ${restartPolicy} restart: ${restartPolicy}
# Enables the web UI and tells Traefik to listen to docker # Enables the web UI and tells Traefik to listen to docker
ports: ports:
# The HTTP port
- ${MAIN_IP}:80:80 - ${MAIN_IP}:80:80
- ${MAIN_IP}:443:443 - ${MAIN_IP}:443:443
# The Web UI (enabled by --api.insecure=true)
# - ${MAIN_IP}:8289:8289
volumes: volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- ./conf:/etc/traefik/ - ./conf:/etc/traefik/
- letsencrypt:/letsencrypt - letsencrypt:/letsencrypt
@ -22,33 +15,39 @@ services:
- TRAEFIK_PROVIDERS_DOCKER=true - TRAEFIK_PROVIDERS_DOCKER=true
- TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
- TRAEFIK_API=true - TRAEFIK_API=true
- TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik/dynamic - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik
- TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80 - TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80
- TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure - TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure
- TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443 - TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443
- TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt - TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt
#- TRAEFIK_ENTRYPOINTS_metrics_ADDRESS=:8289 - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file,test-ipwhitelist@file
#- TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics
- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain} - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain}
- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server} - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server}
- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json
- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true
- TRAEFIK_LOG_LEVEL=DEBUG - TRAEFIK_LOG_LEVEL=INFO
- TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file
#- LEGO_CA_CERTIFICATES=/etc/traefik/root_ca.crt
#- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE=true
#- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE_ENTRYPOINT=web
- TRAEFIK_API_DASHBOARD=true - TRAEFIK_API_DASHBOARD=true
#pour la migration vers traefik3
- TRAEFIK_CORE_DEFAULTRULESYNTAX=v3
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`) && PathPrefix(`/api`, `/dashboard`)" - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`) && PathPrefix(`/api`, `/dashboard`)"
- "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)" - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)"
- "traefik.http.routers.traefik_https.entrypoints=websecure" - "traefik.http.routers.traefik_https.entrypoints=websecure"
# - "traefik.http.routers.traefik_https.tls=true"
- "traefik.http.routers.traefik_https.service=api@internal" - "traefik.http.routers.traefik_https.service=api@internal"
- "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth" - "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth"
# - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
- "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile" - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile"
# Middleware for redirection
- "traefik.http.middlewares.redirect-to-www.redirectregex.regex=^https?://${domain}(.*)"
- "traefik.http.middlewares.redirect-to-www.redirectregex.replacement=https://www.${domain}$${1}"
- "traefik.http.middlewares.redirect-to-www.redirectregex.permanent=true"
# Router for redirection
- "traefik.http.routers.redirection.rule=Host(`${domain}`)"
- "traefik.http.routers.redirection.entrypoints=websecure"
- "traefik.http.routers.redirection.middlewares=redirect-to-www"
- "traefik.http.routers.redirection.tls.certresolver=myresolver"
networks: networks:
- traefikNet - traefikNet
{{web {{web

View File

@ -8,161 +8,13 @@ setKazVars
printKazMsg "\n *** Proxy update config" printKazMsg "\n *** Proxy update config"
#NGINX_TMPL=config/nginx.tmpl.conf
#NGINX_CONF=config/nginx.conf
DOCKER_DIST=docker-compose.tmpl.yml.dist
DOCKER_TMPL=docker-compose.tmpl.yml DOCKER_TMPL=docker-compose.tmpl.yml
DOCKER_DIST=docker-compose.tmpl.yml.dist
DOCKER_CONF=docker-compose.yml DOCKER_CONF=docker-compose.yml
PASSFILE=conf/passfile PASSFILE=conf/passfile
ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
# TODO
# for service in agora cloud paheko wiki wp; do
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
# done
cd $(dirname $0)
# update ip allowed
TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
cat > "${TRAEFIK_ALLOW_IP_FILE}" <<EOF
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
# Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
#ALLOWEDIP
- "0.0.0.0/0"
#FINALLOWEDIP
test-adminipwhitelist:
ipWhiteList:
sourceRange:
# Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
#ADMINIP
- "0.0.0.0/0"
#FINADMINIP
EOF
fi
# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
sed -i 's/#ADMINIP/#ADMINIP\n #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
fi
if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
fi
CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
CERTFILE=conf/dynamic/certificates.yml
if [ ! -f "${CERTFILE}" ]; then
cp "${CERTFILE_TMPL}" "${CERTFILE}"
case "${domain}" in
kaz.bzh)
SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
;;
kaz.local)
SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
;;
*)
SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
;;
esac
sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
fi
# cat > "${PROXY_PORT_CFG}" <<EOF
# listen 443 ssl http2;
# ssl_certificate ${SSL_CERT};
# ssl_certificate_key ${SSL_KEY};
# ssl_session_timeout 1d;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_early_data on;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:50m;
# ssl_stapling on;
# ssl_stapling_verify on;
# EOF
#fi
# update redirect
# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
# if [ ! -f "${PROXY_REDIRECT}" ]; then
# cat > "${PROXY_REDIRECT}" <<EOF
# server {
# listen 80;
# return 301 https://\$host\$request_uri;
# }
# # file
# server {
# listen 80;
# server_name file.${domain};
# return 301 https://depot.${domain}\$request_uri;
# }
# # cacl
# server {
# listen 80;
# server_name calc.${domain};
# return 301 https://tableur.${domain}\$request_uri;
# }
# # date
# server {
# listen 80;
# server_name date.${domain};
# return 301 https://sondage.${domain}\$request_uri;
# }
# # cloud
# server {
# listen 80;
# server_name bureau.${domain};
# return 301 https://cloud.${domain}\$request_uri;
# }
# # mattermost
# server {
# listen 80;
# server_name mattermost.${domain};
# return 301 https://agora.${domain}\$request_uri;
# }
# # dokuwiki
# server {
# listen 80;
# server_name dokuwiki.${domain};
# return 301 https://wiki.${domain}\$request_uri;
# }
# EOF
# fi
cd $(dirname $0) cd $(dirname $0)
[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}" [[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
if [ -f "conf/root_ca.crt" ]; then [[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
fi
"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}" "${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &