From 80d25fac6f438e0c759d11cbb28abf60ebb246a5 Mon Sep 17 00:00:00 2001 From: Emilien Devos Date: Tue, 16 Jan 2024 11:55:20 +0100 Subject: [PATCH 01/14] switch to caddy webserver --- .gitignore | 3 +- docker-compose.override.yml | 142 +++++++++++------------------------- resources/caddy/README.md | 1 + resources/ssl/README.md | 6 -- 4 files changed, 46 insertions(+), 106 deletions(-) create mode 100644 resources/caddy/README.md delete mode 100644 resources/ssl/README.md diff --git a/.gitignore b/.gitignore index 6a336db..4783b97 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,5 @@ .env .envs-* # ignore the certs files automatically downloaded on docker-compose up -resources/ssl/traefik.me* +resources/caddy/* +!resources/caddy/README.md \ No newline at end of file diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 3d9ca20..7ca29de 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml 
@@ -8,119 +8,56 @@ volumes: smtp_maildir: services: - traefik-me-certificate-downloader: - image: alpine - depends_on: - envsubst: - condition: service_completed_successfully - command: sh -c "cd /etc/ssl/traefik - && wget traefik.me/fullchain.pem -O traefik.me.crt - && wget traefik.me/privkey.pem -O traefik.me-key.pem" - volumes: - - ./resources/ssl:/etc/ssl/traefik - - georchestra-127-0-1-1.traefik.me: - image: traefik:2.9 - depends_on: - traefik-me-certificate-downloader: - condition: service_completed_successfully - healthcheck: - test: traefik healthcheck --ping + caddy: + image: lucaslorentz/caddy-docker-proxy:2.8-alpine + networks: + - caddy ports: - "80:80" - "443:443" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ./resources/ssl:/etc/certs:ro - - ./resources/traefik.yml:/etc/traefik/traefik.yml:ro - - ./resources/traefik-config.yml:/etc/traefik/config.yml:ro + - ./resources/caddy:/data/caddy restart: always - labels: - - "traefik.enable=true" - - "traefik.http.routers.traefik.tls=true" - - "traefik.http.routers.traefik.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))" - - "traefik.http.routers.traefik.service=api@internal" - - "traefik.http.routers.traefik.middlewares=traefik-strip@docker" - - "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik" - static: image: nginx:stable restart: unless-stopped + networks: + - caddy volumes: - ./resources/static:/usr/share/nginx/html:ro - /etc/localtime:/etc/localtime:ro labels: - - "traefik.enable=true" - - "traefik.http.routers.static.tls=true" - - "traefik.http.routers.static.rule=Host(`georchestra-127-0-1-1.traefik.me`)" - - "traefik.http.routers.static.priority=1" + - "caddy=georchestra-127-0-1-1.traefik.me" + - "caddy.tls=internal" + - "caddy.handle=/public/*" + - "caddy.handle.0_reverse_proxy={{upstreams 80}}" - gateway: + proxy: + networks: + - caddy + - default labels: - - "traefik.enable=true" - - 
"traefik.http.routers.gateway.tls=true" - - "traefik.http.routers.gateway.priority=2" - - >- - traefik.http.routers.gateway.rule=Host(`georchestra-127-0-1-1.traefik.me`) && ( - PathPrefix(`/analytics`) - || PathPrefix(`/datafeeder`) - || PathPrefix(`/datahub`) - || PathPrefix(`/console`) - || PathPrefix(`/extractorapp`) - || PathPrefix(`/geonetwork`) - || PathPrefix(`/geoserver`) - || PathPrefix(`/header`) - || PathPrefix(`/import`) - || PathPrefix(`/login`) - || PathPrefix(`/logout`) - || PathPrefix(`/oauth2`) - || PathPrefix(`/mapstore`) - || PathPrefix(`/ogc-api-records`) - || PathPrefix(`/_static`) - || PathPrefix(`/whoami`) - || Query(`login=`) - ) - - "traefik.http.services.gateway.loadbalancer.server.port=8080" - # CORS related. Open everything to the world. - - "traefik.http.routers.gateway.middlewares=corsheader@docker" - - "traefik.http.middlewares.corsheader.headers.accesscontrolallowmethods=GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH" - - "traefik.http.middlewares.corsheader.headers.accesscontrolalloworiginlist=*" - - "traefik.http.middlewares.corsheader.headers.accesscontrolmaxage=1800" - - "traefik.http.middlewares.corsheader.headers.addvaryheader=true" - - "traefik.http.middlewares.corsheader.headers.accesscontrolallowcredentials=true" - - "traefik.http.routers.gateway.middlewares=corsheader@docker,static-errors-middleware@docker" - # handle downstream errors - - "traefik.http.middlewares.static-errors-middleware.errors.status=500-599" - - "traefik.http.middlewares.static-errors-middleware.errors.service=static-docker@docker" - - "traefik.http.middlewares.static-errors-middleware.errors.query=/errors/50x.html" - # Add trailing slash to well-known apps - - "traefik.http.routers.traefik-redirect.tls=true" - - >- - traefik.http.routers.traefik-redirect.rule=Host(`georchestra-127-0-1-1.traefik.me`) && ( - Path(`/analytics`) - || Path(`/datafeeder`) - || Path(`/datahub`) - || Path(`/console`) - || Path(`/geonetwork`) - || Path(`/geoserver`) - || 
Path(`/header`) - || Path(`/import`) - || Path(`/mapstore`) - || Path(`/ogc-api-records`) - ) - - "traefik.http.routers.traefik-redirect.priority=10" - - "traefik.http.routers.traefik-redirect.middlewares=add-trailing-slash@docker" - - "traefik.http.middlewares.add-trailing-slash.redirectregex.regex=^https?://(.+)/([^?]+)(\\?.*)?" - - "traefik.http.middlewares.add-trailing-slash.redirectregex.replacement=https://$${1}/$${2}/$${3}" - - "traefik.http.middlewares.add-trailing-slash.redirectregex.permanent=false" + - "caddy=georchestra-127-0-1-1.traefik.me" + - "caddy.tls=internal" + - "caddy.handle.reverse_proxy={{upstreams 8080}}" + - "caddy.handle.0_header=Access-Control-Allow-Origin *" + - "caddy.handle.1_header=Access-Control-Allow-Methods \"GET, POST, PUT, PATCH, DELETE, OPTIONS\"" + - "caddy.handle.2_header=Access-Control-Max-Age 1800" + - "caddy.handle.3_header=Access-Control-Allow-Credentials: true" + - "caddy.@trailingslash=path_regexp reg_static ^/(\\w+)$" + - "caddy.redir=@trailingslash /{http.regexp.reg_static.1}/" -# uncomment for oauth 2.0 -# cas: -# labels: -# - "traefik.enable=true" -# - "traefik.http.routers.cas.tls=true" -# - "traefik.http.routers.cas.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/cas`)" + cas: + networks: + - caddy + - default + labels: + - "caddy=georchestra-127-0-1-1.traefik.me" + - "caddy.tls=internal" + - "caddy.handle=/cas/*" + - "caddy.handle.0_reverse_proxy={{upstreams 8080}}" smtp: image: camptocamp/smtp-sink:latest 
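Review bot: The CORS labels on the new `proxy` service pair `Access-Control-Allow-Origin *` with `Access-Control-Allow-Credentials: true`, a combination browsers refuse for credentialed requests, so the credentials header is dead as written and would become a cross-origin exposure of the gateway's authenticated session if someone later echoes the request origin to make it work. The trailing colon in `caddy.handle.3_header=Access-Control-Allow-Credentials: true` also differs from the other three header labels, where the field name carries no colon; unless caddy-docker-proxy strips it, the colon ends up in the header name. Either drop the credentials header or add a comment above the labels stating the intended origin policy, e.g. `# CORS: wildcard origin, so credentials are deliberately not allowed`. The same two lines are carried into the Caddyfile added by PATCH 02/14, where the issue applies identically.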
@@ -139,12 +76,16 @@ services: environment: - IMAP_HOSTNAME=courier-imap - SMTP_HOSTNAME=smtp-sink + networks: + - caddy + - default volumes: - smtp_maildir:/home/smtp/Maildir/ labels: - - "traefik.enable=true" - - "traefik.http.routers.webmail.tls=true" - - "traefik.http.routers.webmail.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/webmail`)" + - "caddy=georchestra-127-0-1-1.traefik.me" + - "caddy.tls=internal" + - "caddy.handle=/webmail/*" + - "caddy.handle.0_reverse_proxy={{upstreams 80}}" restart: always ssh: @@ -154,3 +95,6 @@ services: volumes: - geoserver_geodata:/mnt/geoserver_geodata restart: always + +networks: + caddy: \ No newline at end of file diff --git a/resources/caddy/README.md b/resources/caddy/README.md new file mode 100644 index 0000000..dfa3e90 --- /dev/null +++ b/resources/caddy/README.md @@ -0,0 +1 @@ +This repository is for the storage of caddy webserver. diff --git a/resources/ssl/README.md b/resources/ssl/README.md deleted file mode 100644 index 7393e24..0000000 --- a/resources/ssl/README.md +++ /dev/null @@ -1,6 +0,0 @@ -This folder contains SSL material for the docker composition default FQDN. - -It is empty (except this readme) when you clone it: the certificate's files are automatically downloaded and stored here by the traefik-me-certificate-downloader container (see docker-compose.override.yml). - - -For a public service, you should use Traefik's ability to [generate its own certificates](https://doc.traefik.io/traefik/https/acme/) using [Let's Encrypt](https://letsencrypt.org/). From 099405010d59ea3e55591a29d27f4be35d926c96 Mon Sep 17 00:00:00 2001 
From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 24 May 2024 17:24:47 +0200 Subject: [PATCH 02/14] switching to classic caddy service --- .gitignore | 3 +- README.md | 37 +++++++++++++++--- docker-compose.override.yml | 70 ++++++++--------------------------- resources/caddy/README.md | 3 +- resources/caddy/etc/Caddyfile | 55 +++++++++++++++++++++++++++ 5 files changed, 105 insertions(+), 63 deletions(-) create mode 100644 resources/caddy/etc/Caddyfile diff --git a/.gitignore b/.gitignore index 4783b97..9d96559 100644 --- a/.gitignore +++ b/.gitignore @@ -10,5 +10,4 @@ .env .envs-* # ignore the certs files automatically downloaded on docker-compose up -resources/caddy/* -!resources/caddy/README.md \ No newline at end of file +resources/caddy/data/* diff --git a/README.md b/README.md index 9567ac8..e38e632 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,10 @@ docker compose down **4. Play** -Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. +Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. Then: + +* Accept the security warning. +* Or solve the security warning by [following this step](#locally-trust-the-tls-certificate-for-georchestra). To login, use these credentials: * `testuser` / `testuser` 
@@ -68,18 +71,42 @@ Emails sent by the SDI (eg when users request a new password) will not be relaye These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (with login `smtp` and password `smtp`). +## Locally trust the TLS certificate for geOrchestra +### On Linux + +1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64"` +2. Make it executable: `chmod +x caddy` +3. Trust the certificate using this command: `./caddy trust`. +4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. + If that doesn't work, try to restart your browser. + +### On Windows +1. Download Caddy binary: https://caddyserver.com/download + Click on Download button on the website. +2. Open the Downloads folder using your file explorer and rename the file downloaded to `caddy`. +3. Open the command prompt (cmd) and navigate to your Downloads folder. + `cd "C:\Users\%USERNAME%\Downloads"` +3. Trust the certificate using this command: `caddy trust`. +4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. + If that doesn't work, try to restart your browser. + ## About the domain name The current FQDN `georchestra-127-0-1-1.traefik.me` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address. To change it: - * Rename the traefik service in the `docker-compose.override.yml` file to match the new domain - * Modify the three `traefik.http.routers.*.rule` in the `docker-compose.override.yml` file - * Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`) - * Put a valid SSL certificate in the `resources/ssl` folder and declare it in the `resources/traefik-config.yml` file + +1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`) +2. 
Two options for the TLS/SSL certificate: + * If your web server exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`. + * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`. +3. Reload the docker composition: `docker compose up -d`. + May need to restart Caddy later if you are just modifying the Caddyfile or some file resources: `docker compose restart caddy`. ## Notes +Find the Caddy web server documentation here: https://caddyserver.com/docs/caddyfile/directives. + These docker-compose files describe: * which images / webapps will run, * how they are linked together, diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 7ca29de..8358f96 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml 
@@ -9,55 +9,26 @@ volumes: services: caddy: - image: lucaslorentz/caddy-docker-proxy:2.8-alpine - networks: - - caddy + image: caddy:2.8-alpine ports: - "80:80" - "443:443" + - "127.0.0.1:2019:2019" + environment: + - CADDY_ADMIN=0.0.0.0:2019 volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - ./resources/caddy:/data/caddy + - ./resources/ssl:/etc/certs:ro + - ./resources/caddy/etc:/etc/caddy:ro + - ./resources/caddy/data:/data/caddy + - ./resources/static:/usr/share/caddy/static:ro restart: always - - static: - image: nginx:stable - restart: unless-stopped - networks: - - caddy - volumes: - - ./resources/static:/usr/share/nginx/html:ro - - /etc/localtime:/etc/localtime:ro - labels: - - "caddy=georchestra-127-0-1-1.traefik.me" - - "caddy.tls=internal" - - "caddy.handle=/public/*" - - "caddy.handle.0_reverse_proxy={{upstreams 80}}" - - proxy: - networks: - - caddy - - default - labels: - - "caddy=georchestra-127-0-1-1.traefik.me" - - "caddy.tls=internal" - - "caddy.handle.reverse_proxy={{upstreams 8080}}" - - "caddy.handle.0_header=Access-Control-Allow-Origin *" - - "caddy.handle.1_header=Access-Control-Allow-Methods \"GET, POST, PUT, PATCH, DELETE, OPTIONS\"" - - "caddy.handle.2_header=Access-Control-Max-Age 1800" - - "caddy.handle.3_header=Access-Control-Allow-Credentials: true" - - "caddy.@trailingslash=path_regexp reg_static ^/(\\w+)$" - - "caddy.redir=@trailingslash /{http.regexp.reg_static.1}/" - - cas: - networks: - - caddy - - default - labels: - - "caddy=georchestra-127-0-1-1.traefik.me" - - "caddy.tls=internal" - - "caddy.handle=/cas/*" - - "caddy.handle.0_reverse_proxy={{upstreams 8080}}" + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:2019/reverse_proxy/upstreams >/dev/null || exit 1"] + interval: 30s + timeout: 10s + retries: 10 + env_file: + - .envs-common smtp: image: camptocamp/smtp-sink:latest 
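Review bot: `CADDY_ADMIN=0.0.0.0:2019` makes Caddy's unauthenticated admin API reachable from every container that shares a network with the `caddy` service, not only from the host loopback that the `"127.0.0.1:2019:2019"` mapping suggests, and anything that can reach it can replace the running configuration. The healthcheck added in the same hunk queries `http://localhost:2019/reverse_proxy/upstreams` from inside the container, which Caddy's default admin address (`localhost:2019`) already serves, so the override exists only to support the host port mapping. If host-side access is not needed, drop both the `environment` entry and the `"127.0.0.1:2019:2019"` port; if it is, add a comment above `CADDY_ADMIN` saying why the admin API is published and that it carries no authentication.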
@@ -76,16 +47,8 @@ services: environment: - IMAP_HOSTNAME=courier-imap - SMTP_HOSTNAME=smtp-sink - networks: - - caddy - - default volumes: - smtp_maildir:/home/smtp/Maildir/ - labels: - - "caddy=georchestra-127-0-1-1.traefik.me" - - "caddy.tls=internal" - - "caddy.handle=/webmail/*" - - "caddy.handle.0_reverse_proxy={{upstreams 80}}" restart: always ssh: @@ -95,6 +58,3 @@ services: volumes: - geoserver_geodata:/mnt/geoserver_geodata restart: always - -networks: - caddy: \ No newline at end of file diff --git a/resources/caddy/README.md b/resources/caddy/README.md index dfa3e90..abcf5d6 100644 --- a/resources/caddy/README.md +++ b/resources/caddy/README.md @@ -1 +1,2 @@ -This repository is for the storage of caddy webserver. +* `etc`: Configuration folder for Caddy web server. You will find the Caddyfile there. +* `data`: This repository is for the storage of Caddy web server. diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile new file mode 100644 index 0000000..13bde51 --- /dev/null +++ b/resources/caddy/etc/Caddyfile 
@@ -0,0 +1,55 @@ +(static_fileserver) { + root * /usr/share/caddy/static + file_server +} + +{$FQDN} { + tls internal + # For using a custom certificate: + # tls /etc/certs/ca.pem /etc/certs/key.pem + + @trailing-slash { + path_regexp reg_static ^/(\w+)$ + } + + @static-resources { + path /favicon.ico + path /crossdomain.xml + path /robots.txt + } + + handle_errors { + @5xx `{err.status_code} >= 500 && {err.status_code} < 600` + handle @5xx { + import static_fileserver + rewrite * /errors/50x.html + } + } + + handle @static-resources { + import static_fileserver + } + + handle_path /public/* { + import static_fileserver + } + + handle /cas/* { + reverse_proxy cas:8080 + } + + handle /webmail/* { + reverse_proxy webmail:80 + } + + handle { + reverse_proxy proxy:8080 + header { + Access-Control-Allow-Origin * + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Max-Age 1800 + Access-Control-Allow-Credentials: true + } + redir @trailing-slash /{http.regexp.reg_static.1}/ + } +} \ No newline at end of file From e545a67aba53f84d8e5461135fc210f4286fd855 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 24 May 2024 21:37:50 +0200 Subject: [PATCH 03/14] adapt .gitignore --- .gitignore | 3 ++- resources/ssl/.gitkeep | 0 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 resources/ssl/.gitkeep diff --git a/.gitignore b/.gitignore index 9d96559..4c3f0e2 100644 --- a/.gitignore +++ b/.gitignore @@ -9,5 +9,6 @@ # not pushed to github .env .envs-* -# ignore the certs files automatically downloaded on docker-compose up +# ignore the certs files and Caddy data directory +resources/ssl/* resources/caddy/data/* diff --git a/resources/ssl/.gitkeep b/resources/ssl/.gitkeep new file mode 100644 index 0000000..e69de29 From 7e7af9a2fcdcea614709fc4af6d37e43d74fcbcc Mon Sep 17 00:00:00 2001 
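Review bot: The commented example `# tls /etc/certs/ca.pem /etc/certs/key.pem` names the first argument `ca.pem`, which reads as a CA certificate, whereas the `tls` directive takes the site's leaf certificate (with chain) followed by its key; the README step in this commit only says to put "a valid TLS certificate and a private key" in `resources/ssl`, so a reader has no file names to follow. Suggest `# tls /etc/certs/cert.pem /etc/certs/key.pem` with a comment line above it noting that the files are expected in `resources/ssl`, mounted read-only at `/etc/certs` by the compose override, and naming the same two files in the README.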
From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 24 May 2024 21:42:23 +0200 Subject: [PATCH 04/14] add return line end of file Caddyfile --- resources/caddy/etc/Caddyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile index 13bde51..4380057 100644 --- a/resources/caddy/etc/Caddyfile +++ b/resources/caddy/etc/Caddyfile @@ -52,4 +52,4 @@ } redir @trailing-slash /{http.regexp.reg_static.1}/ } -} \ No newline at end of file +} From b301ccc1f14f892124f02de5fc6e9ce8944cd6cb Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Mon, 27 May 2024 09:44:45 +0200 Subject: [PATCH 05/14] fix wording in README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e38e632..9a90c51 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,7 @@ These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (w ## Locally trust the TLS certificate for geOrchestra ### On Linux -1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64"` +1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O caddy` 2. Make it executable: `chmod +x caddy` 3. Trust the certificate using this command: `./caddy trust`. 4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. 
@@ -98,7 +98,7 @@ To change it: 1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`) 2. Two options for the TLS/SSL certificate: - * If your web server exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`. + * If your web server is exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`. * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`. 3. Reload the docker composition: `docker compose up -d`. May need to restart Caddy later if you are just modifying the Caddyfile or some file resources: `docker compose restart caddy`. From d859da56ce1be3c68c4f422cec1a4be8166ffb0a Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Wed, 5 Jun 2024 17:47:29 +0200 Subject: [PATCH 06/14] remove traefik.yml ressources --- resources/traefik-config.yml | 4 ---- resources/traefik.yml | 33 --------------------------------- 2 files changed, 37 deletions(-) delete mode 100644 resources/traefik-config.yml delete mode 100644 resources/traefik.yml diff --git a/resources/traefik-config.yml b/resources/traefik-config.yml deleted file mode 100644 index 2c46340..0000000 --- a/resources/traefik-config.yml +++ /dev/null @@ -1,4 +0,0 @@ -tls: - certificates: - - certFile: "/etc/certs/traefik.me.crt" - keyFile: "/etc/certs/traefik.me-key.pem" \ No newline at end of file diff --git a/resources/traefik.yml b/resources/traefik.yml deleted file mode 100644 index f11d210..0000000 --- a/resources/traefik.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -global: - sendAnonymousUsage: false - checkNewVersion: false - -entryPoints: - web: - address: ":80" - http: - redirections: - entryPoint: - to: websecure - scheme: https - - websecure: - address: ":443" - -providers: - docker: - watch: true - exposedByDefault: false - endpoint: unix:///var/run/docker.sock - - file: - filename: /etc/traefik/config.yml - watch: true - -api: - dashboard: true - -log: - level: INFO - -ping: {} \ No newline at end of file From faead6bc546174d19f828484bff059611e220db1 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:06:23 +0200 Subject: [PATCH 07/14] switch to gateway + add caddy binary to gitignore --- .gitignore | 1 + resources/caddy/etc/Caddyfile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 4c3f0e2..4cb3d73 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ # ignore the certs files and Caddy data directory resources/ssl/* resources/caddy/data/* +caddy diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile index 4380057..ab393b6 100644 --- a/resources/caddy/etc/Caddyfile +++ b/resources/caddy/etc/Caddyfile @@ -43,7 +43,7 @@ } handle { - reverse_proxy proxy:8080 + reverse_proxy gateway:8080 header { Access-Control-Allow-Origin * Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" From 47662ac7a8f7f49652a79d10ed8655bd77a8a8ad Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:32:24 +0200 Subject: [PATCH 08/14] remove redirection because now handled in gateway + redirect just import --- .gitignore | 2 +- resources/caddy/etc/Caddyfile | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 4cb3d73..afa3240 100644 --- a/.gitignore +++ b/.gitignore 
@@ -12,4 +12,4 @@ # ignore the certs files and Caddy data directory resources/ssl/* resources/caddy/data/* -caddy +/caddy diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile index ab393b6..9e3d04d 100644 --- a/resources/caddy/etc/Caddyfile +++ b/resources/caddy/etc/Caddyfile @@ -8,10 +8,6 @@ # For using a custom certificate: # tls /etc/certs/ca.pem /etc/certs/key.pem - @trailing-slash { - path_regexp reg_static ^/(\w+)$ - } - @static-resources { path /favicon.ico path /crossdomain.xml @@ -34,14 +30,19 @@ import static_fileserver } - handle /cas/* { - reverse_proxy cas:8080 - } + # Uncomment if using CAS + # handle /cas/* { + # reverse_proxy cas:8080 + # } handle /webmail/* { reverse_proxy webmail:80 } + handle /import { + redir /import /import/ + } + handle { reverse_proxy gateway:8080 header { @@ -50,6 +51,5 @@ Access-Control-Max-Age 1800 Access-Control-Allow-Credentials: true } - redir @trailing-slash /{http.regexp.reg_static.1}/ } } From c40ff8f96f7d4058faa35d5968902b341a5f9f57 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:34:42 +0200 Subject: [PATCH 09/14] add more comments --- .gitignore | 1 + resources/caddy/etc/Caddyfile | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index afa3240..fd5c05e 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,5 @@ # ignore the certs files and Caddy data directory resources/ssl/* resources/caddy/data/* +# remove possible caddy binary downloaded /caddy diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile index 9e3d04d..c211f3e 100644 --- a/resources/caddy/etc/Caddyfile +++ b/resources/caddy/etc/Caddyfile @@ -39,6 +39,7 @@ reverse_proxy webmail:80 } + # To be removed once import container support automatic redirection. handle /import { redir /import /import/ } From efbaf4221ad07b329a79798c0103ce8b0ee27f75 Mon Sep 17 00:00:00 2001 
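Review bot: In the `@@ -34,14 +30,19 @@` hunk the path matcher inside `redir /import /import/` repeats the condition the enclosing `handle /import` already enforces, so the block reads as if two different paths were involved; `redir /import/` inside the handle says the same thing more plainly. The redirect also relies on the default status code; if the intent is the temporary fix the follow-up comment describes, stating it explicitly as `redir /import/ 302` keeps that intent visible without reading the commit history.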
From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:35:07 +0200 Subject: [PATCH 10/14] remove -> ignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index fd5c05e..f7fd38c 100644 --- a/.gitignore +++ b/.gitignore @@ -12,5 +12,5 @@ # ignore the certs files and Caddy data directory resources/ssl/* resources/caddy/data/* -# remove possible caddy binary downloaded +# ignore possible caddy binary downloaded /caddy From 58c2e7dbf14beff9f84c38d1bbdcf8a1035d8af7 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:43:58 +0200 Subject: [PATCH 11/14] can keep cas path uncommented since it doesn't hurt anything --- resources/caddy/etc/Caddyfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile index c211f3e..41404ed 100644 --- a/resources/caddy/etc/Caddyfile +++ b/resources/caddy/etc/Caddyfile @@ -30,10 +30,9 @@ import static_fileserver } - # Uncomment if using CAS - # handle /cas/* { - # reverse_proxy cas:8080 - # } + handle /cas/* { + reverse_proxy cas:8080 + } handle /webmail/* { reverse_proxy webmail:80 From 3e8712ef60667b93eb7be57494b8ceaf2c2ec9b4 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Mon, 4 Nov 2024 09:53:35 +0100 Subject: [PATCH 12/14] migrate from traefik.me to nip.io --- .envs-common | 2 +- README.md | 16 ++++++++-------- docker-compose.sendmail.yml | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.envs-common b/.envs-common index 8c59834..8351395 100644 --- a/.envs-common +++ b/.envs-common @@ -1,4 +1,4 @@ # envs-common -FQDN=georchestra-127-0-1-1.traefik.me +FQDN=georchestra-127-0-0-1.nip.io SMTPHOST=smtp SMTPPORT=25 \ No newline at end of file diff --git a/README.md b/README.md index 9a90c51..b59be68 100644 --- a/README.md 
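Review bot: The new default `FQDN=georchestra-127-0-0-1.nip.io` resolves to 127.0.0.1, but the README paragraph updated in this same commit still reads "resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/)", so the explanation no longer matches the value it explains. Suggest `The current FQDN \`georchestra-127-0-0-1.nip.io\` resolves to 127.0.0.1, thanks to [nip.io](https://nip.io/) which provides wildcard DNS for any IP address.` The hostname is also repeated verbatim in `docker-compose.sendmail.yml` in this commit, so the README hint to grep for the old name remains the only safeguard against the two drifting apart.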
+++ b/README.md @@ -50,7 +50,7 @@ docker compose down **4. Play** -Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. Then: +Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. Then: * Accept the security warning. * Or solve the security warning by [following this step](#locally-trust-the-tls-certificate-for-georchestra). @@ -61,14 +61,14 @@ To login, use these credentials: To upload data into the GeoServer data volume (`geoserver_geodata`), use `rsync`: ``` -rsync -arv -e 'ssh -p 2222' /path/to/geodata/ geoserver@georchestra-127-0-1-1.traefik.me:/mnt/geoserver_geodata/ +rsync -arv -e 'ssh -p 2222' /path/to/geodata/ geoserver@georchestra-127-0-0-1.nip.io:/mnt/geoserver_geodata/ ``` (password is: `geoserver`) Files uploaded into this volume will also be available to the geoserver instance in `/mnt/geoserver_geodata/`. Emails sent by the SDI (eg when users request a new password) will not be relayed on the internet but trapped by a local SMTP service. -These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (with login `smtp` and password `smtp`). +These emails can be read on https://georchestra-127-0-0-1.nip.io/webmail/ (with login `smtp` and password `smtp`). ## Locally trust the TLS certificate for geOrchestra @@ -77,7 +77,7 @@ These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (w 1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O caddy` 2. Make it executable: `chmod +x caddy` 3. Trust the certificate using this command: `./caddy trust`. -4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. +4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. If that doesn't work, try to restart your browser. ### On Windows 
@@ -87,16 +87,16 @@ These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (w 3. Open the command prompt (cmd) and navigate to your Downloads folder. `cd "C:\Users\%USERNAME%\Downloads"` 3. Trust the certificate using this command: `caddy trust`. -4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. +4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. If that doesn't work, try to restart your browser. ## About the domain name -The current FQDN `georchestra-127-0-1-1.traefik.me` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address. +The current FQDN `georchestra-127-0-0-1.nip.io` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address. To change it: -1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`) +1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-0-1.nip.io`) 2. Two options for the TLS/SSL certificate: * If your web server is exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`. * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`. @@ -238,7 +238,7 @@ In /docker : `docker compose up -d` -You can now test modifications locally with the current FQDN (by default `georchestra-127-0-1-1.traefik.me`). +You can now test modifications locally with the current FQDN (by default `georchestra-127-0-0-1.nip.io`). **3. Debug** diff --git a/docker-compose.sendmail.yml b/docker-compose.sendmail.yml index 829d5a6..82ec0ae 100644 --- a/docker-compose.sendmail.yml +++ b/docker-compose.sendmail.yml 
@@ -20,5 +20,5 @@ services: sendmail: image: pigeosolutions/sendmail:20210906-1657-6e05771 environment: - HOSTNAME: georchestra-127-0-1-1.traefik.me + HOSTNAME: georchestra-127-0-0-1.nip.io restart: always From 09f96fea44d79622be55b3c0804cf2fe9db4f061 Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Mon, 4 Nov 2024 15:48:59 +0100 Subject: [PATCH 13/14] add note about snap and security caddy trust --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b59be68..d804b8b 100644 --- a/README.md +++ b/README.md @@ -72,13 +72,16 @@ These emails can be read on https://georchestra-127-0-0-1.nip.io/webmail/ (with ## Locally trust the TLS certificate for geOrchestra + +Note: If you don't use the docker composition for geOrchestra for a few days, we recommend to "untrust" the certificate due to security because the certificate installed will work on all the domains. + ### On Linux 1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O caddy` 2. Make it executable: `chmod +x caddy` 3. Trust the certificate using this command: `./caddy trust`. 4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. - If that doesn't work, try to restart your browser. + If that doesn't work, try to restart your browser. Make sure to be running a browser not installed through snap. ### On Windows 1. Download Caddy binary: https://caddyserver.com/download From a2dad2fedcbab17ba05e2e90220f4127a64c3e2f Mon Sep 17 00:00:00 2001 From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com> Date: Mon, 4 Nov 2024 17:24:42 +0100 Subject: [PATCH 14/14] add warning icon for fnecas --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d804b8b..241a508 100644 --- a/README.md +++ b/README.md 
@@ -81,7 +81,7 @@ Note: If you don't use the docker composition for geOrchestra for a few days, we 2. Make it executable: `chmod +x caddy` 3. Trust the certificate using this command: `./caddy trust`. 4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. - If that doesn't work, try to restart your browser. Make sure to be running a browser not installed through snap. + If that doesn't work, try to restart your browser. ⚠ Make sure to be running a browser not installed through snap. ### On Windows 1. Download Caddy binary: https://caddyserver.com/download