georchestra · edevosc2c · Jan 16, 2024 · May 24, 2024 · May 24, 2024 · May 24, 2024
diff --git a/.gitignore b/.gitignore
@@ -9,5 +9,6 @@
 # not pushed to github
 .env
 .envs-*
-# ignore the certs files automatically downloaded on docker-compose up
-resources/ssl/traefik.me*
+# ignore the certs files and Caddy data directory
+resources/ssl/*
+resources/caddy/data/*
diff --git a/README.md b/README.md
@@ -50,7 +50,10 @@ docker compose down
 
 **4. Play**
 
-Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.
+Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. Then:
+
+* Accept the security warning.
+* Or solve the security warning by [following this step](#locally-trust-the-tls-certificate-for-georchestra).
 
 To login, use these credentials:
  * `testuser` / `testuser`
@@ -68,18 +71,42 @@ Emails sent by the SDI (eg when users request a new password) will not be relaye
 These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (with login `smtp` and password `smtp`).
 
 
+## Locally trust the TLS certificate for geOrchestra
+### On Linux
+
+1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O caddy`
+2. Make it executable: `chmod +x caddy`
+3. Trust the certificate using this command: `./caddy trust`.
+4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.  
+   If that doesn't work, try to restart your browser.
+
+### On Windows
+1. Download Caddy binary: https://caddyserver.com/download  
+   Click on Download button on the website.
+2. Open the Downloads folder using your file explorer and rename the file downloaded to `caddy`.
+3. Open the command prompt (cmd) and navigate to your Downloads folder.
+   `cd "C:\Users\%USERNAME%\Downloads"`
+3. Trust the certificate using this command: `caddy trust`.
+4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.  
+   If that doesn't work, try to restart your browser.
+
 ## About the domain name
 
 The current FQDN `georchestra-127-0-1-1.traefik.me` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address.
 
 To change it:
- * Rename the traefik service in the `docker-compose.override.yml` file to match the new domain
- * Modify the three `traefik.http.routers.*.rule` in the `docker-compose.override.yml` file
- * Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`)
- * Put a valid SSL certificate in the `resources/ssl` folder and declare it in the `resources/traefik-config.yml` file
+
+1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`)
+2. Two options for the TLS/SSL certificate:
+    * If your web server is exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`.
+    * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`.
+3. Reload the docker composition: `docker compose up -d`.  
+   May need to restart Caddy later if you are just modifying the Caddyfile or some file resources: `docker compose restart caddy`.
 
 ## Notes
 
+Find the Caddy web server documentation here: https://caddyserver.com/docs/caddyfile/directives.
+
 These docker-compose files describe:
  * which images / webapps will run,
  * how they are linked together,

diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -8,117 +8,27 @@ volumes:
   smtp_maildir:
 
 services:
-  traefik-me-certificate-downloader:
-    image: alpine
-    depends_on:
-      envsubst:
-        condition: service_completed_successfully
-    command: sh -c "cd /etc/ssl/traefik
-      && wget traefik.me/fullchain.pem -O traefik.me.crt
-      && wget traefik.me/privkey.pem -O traefik.me-key.pem"
-    volumes:
-      - ./resources/ssl:/etc/ssl/traefik
-
-  georchestra-127-0-1-1.traefik.me:
-    image: traefik:2.9
-    depends_on:
-      traefik-me-certificate-downloader:
-        condition: service_completed_successfully
-    healthcheck:
-      test: traefik healthcheck --ping
+  caddy:
+    image: caddy:2.8-alpine
     ports:
       - "80:80"
       - "443:443"
+      - "127.0.0.1:2019:2019"
+    environment:
+      - CADDY_ADMIN=0.0.0.0:2019
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./resources/ssl:/etc/certs:ro
-      - ./resources/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./resources/traefik-config.yml:/etc/traefik/config.yml:ro
+      - ./resources/caddy/etc:/etc/caddy:ro
+      - ./resources/caddy/data:/data/caddy
+      - ./resources/static:/usr/share/caddy/static:ro
     restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.tls=true"
-      - "traefik.http.routers.traefik.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.middlewares=traefik-strip@docker"
-      - "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik"
-
-
-  static:
-    image: nginx:stable
-    restart: unless-stopped
-    volumes:
-      - ./resources/static:/usr/share/nginx/html:ro
-      - /etc/localtime:/etc/localtime:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.static.tls=true"
-      - "traefik.http.routers.static.rule=Host(`georchestra-127-0-1-1.traefik.me`)"
-      - "traefik.http.routers.static.priority=1"
-
-  proxy:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.proxy.tls=true"
-      - "traefik.http.routers.proxy.priority=2"
-      - >-
-        traefik.http.routers.proxy.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (
-        PathPrefix(`/analytics`)
-        || PathPrefix(`/datafeeder`)
-        || PathPrefix(`/datahub`)
-        || PathPrefix(`/console`)
-        || PathPrefix(`/extractorapp`)
-        || PathPrefix(`/geonetwork`)
-        || PathPrefix(`/geoserver`)
-        || PathPrefix(`/header`)
-        || PathPrefix(`/import`)
-        || PathPrefix(`/login`)
-        || PathPrefix(`/logout`)
-        || PathPrefix(`/mapstore`)
-        || PathPrefix(`/ogc-api-records`)
-        || PathPrefix(`/_static`)
-        || PathPrefix(`/whoami`)
-        || Query(`login=`)
-        )
-      - "traefik.http.services.proxy.loadbalancer.server.port=8080"
-      # CORS related. Open everything to the world.
-      - "traefik.http.routers.proxy.middlewares=corsheader@docker"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolallowmethods=GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolalloworiginlist=*"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolmaxage=1800"
-      - "traefik.http.middlewares.corsheader.headers.addvaryheader=true"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolallowcredentials=true"
-      - "traefik.http.routers.proxy.middlewares=corsheader@docker,static-errors-middleware@docker"
-      # handle downstream errors
-      - "traefik.http.middlewares.static-errors-middleware.errors.status=500-599"
-      - "traefik.http.middlewares.static-errors-middleware.errors.service=static-docker@docker"
-      - "traefik.http.middlewares.static-errors-middleware.errors.query=/errors/50x.html"
-      # Add trailing slash to well-known apps
-      - "traefik.http.routers.traefik-redirect.tls=true"
-      - >-
-        traefik.http.routers.traefik-redirect.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (
-        Path(`/analytics`)
-        || Path(`/datafeeder`)
-        || Path(`/datahub`)
-        || Path(`/console`)
-        || Path(`/geonetwork`)
-        || Path(`/geoserver`)
-        || Path(`/header`)
-        || Path(`/import`)
-        || Path(`/mapstore`)
-        || Path(`/ogc-api-records`)
-        )
-      - "traefik.http.routers.traefik-redirect.priority=10"
-      - "traefik.http.routers.traefik-redirect.middlewares=add-trailing-slash@docker"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.regex=^https?://(.*)/(.+)"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.replacement=https://$${1}/$${2}/"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.permanent=false"
-
-  cas:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.cas.tls=true"
-      - "traefik.http.routers.cas.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/cas`)"
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:2019/reverse_proxy/upstreams >/dev/null || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+    env_file:
+      - .envs-common
 
   smtp:
     image: camptocamp/smtp-sink:latest
@@ -139,10 +49,6 @@ services:
       - SMTP_HOSTNAME=smtp-sink
     volumes:
       - smtp_maildir:/home/smtp/Maildir/
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.webmail.tls=true"
-      - "traefik.http.routers.webmail.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/webmail`)"
     restart: always
 
   ssh:

diff --git a/resources/caddy/README.md b/resources/caddy/README.md
@@ -0,0 +1,2 @@
+* `etc`: Configuration folder for Caddy web server. You will find the Caddyfile there.
+* `data`: This repository is for the storage of Caddy web server.
diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile
@@ -0,0 +1,55 @@
+(static_fileserver) {
+    root * /usr/share/caddy/static
+    file_server
+}
+
+{$FQDN} {
+    tls internal
+    # For using a custom certificate:
+    # tls /etc/certs/ca.pem /etc/certs/key.pem
+
+    @trailing-slash {
+        path_regexp reg_static ^/(\w+)$
+    }
+
+    @static-resources {
+        path /favicon.ico
+        path /crossdomain.xml
+        path /robots.txt
+    }
+
+    handle_errors {
+        @5xx `{err.status_code} >= 500 && {err.status_code} < 600`
+        handle @5xx {
+            import static_fileserver
+            rewrite * /errors/50x.html
+        }
+    }
+
+    handle @static-resources {
+        import static_fileserver
+    }
+
+    handle_path /public/* {
+        import static_fileserver
+    }
+
+    handle /cas/* {
+        reverse_proxy cas:8080
+    }
+
+    handle /webmail/* {
+        reverse_proxy webmail:80
+    }
+
+    handle {
+        reverse_proxy proxy:8080
+        header {
+            Access-Control-Allow-Origin *
+            Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+            Access-Control-Max-Age 1800
+            Access-Control-Allow-Credentials: true
+        }
+        redir @trailing-slash /{http.regexp.reg_static.1}/
+    }
+}
diff --git a/resources/ssl/.gitkeep b/resources/ssl/.gitkeep
diff --git a/resources/ssl/README.md b/resources/ssl/README.md
diff --git a/resources/traefik-config.yml b/resources/traefik-config.yml
diff --git a/resources/traefik.yml b/resources/traefik.yml