|
43 | 43 | [tls.options.default] |
44 | 44 | minVersion = "VersionTLS12" |
45 | 45 |
|
46 | | -[tls.stores] |
47 | | - # these self-signed certs will be used by default if let's encrypt |
48 | | - # fails due to e.g. the domain not being publicly reachable. |
49 | | - # you might need --insecure flag in curl; and to manually bypass |
50 | | - # the browser's security warning if this is the case. |
51 | | - [tls.stores.default] |
52 | | - [tls.stores.default.defaultCertificate] |
53 | | - certFile = "/etc/traefik/certs/public_key.crt" |
54 | | - keyFile = "/etc/traefik/certs/private_key.pem" |
| 46 | + [tls.stores] |
| 47 | + # these self-signed certs will be used by default if let's encrypt |
| 48 | + # fails due to e.g. the domain not being publicly reachable. |
| 49 | + # you might need --insecure flag in curl; and to manually bypass |
| 50 | + # the browser's security warning if this is the case. |
| 51 | + [tls.stores.default] |
| 52 | + [tls.stores.default.defaultCertificate] |
| 53 | + certFile = "/etc/traefik/certs/public_key.crt" |
| 54 | + keyFile = "/etc/traefik/certs/private_key.pem" |
55 | 55 |
|
56 | 56 | [entryPoints] |
57 | 57 |
|
|
63 | 63 | # redirect all HTTP traffic to HTTPS |
64 | 64 | to = "web-secure" |
65 | 65 |
|
66 | | -[entryPoints.web-secure] |
67 | | - address = ":443" |
68 | | - asDefault = true |
69 | | - [entryPoints.web-secure.http2] |
70 | | - maxConcurrentStreams = 250 |
71 | | - [entryPoints.web-secure.http3] |
| 66 | + [entryPoints.web-secure] |
| 67 | + address = ":443" |
| 68 | + asDefault = true |
| 69 | + [entryPoints.web-secure.http2] |
| 70 | + maxConcurrentStreams = 250 |
| 71 | + [entryPoints.web-secure.http3] |
72 | 72 |
|
73 | 73 | [certificatesResolvers] |
74 | 74 | [certificatesResolvers.letsencrypt] |
|
90 | 90 | [http.routers.traefik-api.tls] |
91 | 91 | certResolver = "letsencrypt" |
92 | 92 |
|
93 | | -# LOCAL router |
94 | | -[http.routers.sds-gateway-local-app] |
95 | | - entryPoints = ["web", "web-secure"] |
96 | | - middlewares = ["csrf"] |
97 | | - rule = "Host(`sds-dev.crc.nd.edu`)" |
98 | | - service = "sds-gateway-local-app" |
99 | | - [http.routers.sds-gateway-local-app.tls] |
100 | | - certResolver = "letsencrypt" |
101 | | - |
102 | | -# ⚠️ PROD router |
103 | | -[http.routers.sds-gateway-prod-app] |
104 | | - entryPoints = ["web", "web-secure"] |
105 | | - middlewares = ["csrf"] |
106 | | - rule = "Host(`sds.crc.nd.edu`)" |
107 | | - service = "sds-gateway-prod-app" |
108 | | - [http.routers.sds-gateway-prod-app.tls] |
109 | | - certResolver = "letsencrypt" |
110 | | - |
111 | | -# LOCAL router for static files |
112 | | -[http.routers.sds-gateway-local-nginx] |
113 | | - entryPoints = ["web", "web-secure"] |
114 | | - rule = "Host(`sds-dev.crc.nd.edu`) && PathPrefix(`/static/`)" |
115 | | - service = "sds-gateway-local-nginx" |
116 | | - [http.routers.sds-gateway-local-nginx.tls] |
117 | | - certResolver = "letsencrypt" |
118 | | - |
119 | | -# ⚠️ PROD router for static files |
120 | | -[http.routers.sds-gateway-prod-nginx] |
121 | | - entryPoints = ["web", "web-secure"] |
122 | | - rule = "Host(`sds.crc.nd.edu`) && PathPrefix(`/static/`)" |
123 | | - service = "sds-gateway-prod-nginx" |
124 | | - [http.routers.sds-gateway-prod-nginx.tls] |
125 | | - certResolver = "letsencrypt" |
126 | | - |
127 | | - # "whoami" service to debug Traefik |
128 | | - # [http.routers.whoami] |
129 | | - # entryPoints = ["web", "web-secure"] |
130 | | - # rule = "Host(`sds-dev.crc.nd.edu`)" |
131 | | - # service = "whoami" |
132 | | - # [http.routers.whoami.tls] |
133 | | - # certResolver = "letsencrypt" |
| 93 | + # LOCAL router |
| 94 | + [http.routers.sds-gateway-local-app] |
| 95 | + entryPoints = ["web", "web-secure"] |
| 96 | + middlewares = ["csrf"] |
| 97 | + rule = "Host(`sds-dev.crc.nd.edu`)" |
| 98 | + service = "sds-gateway-local-app" |
| 99 | + [http.routers.sds-gateway-local-app.tls] |
| 100 | + certResolver = "letsencrypt" |
| 101 | + |
| 102 | + # ⚠️ PROD router - SVI endpoints /users/get-svi-api-key/ |
| 103 | + [http.routers.sds-gateway-prod-app-secure] |
| 104 | + entryPoints = ["web", "web-secure"] |
| 105 | + middlewares = ["csrf", "whitelist-svi-domains"] |
| 106 | + rule = "Host(`sds.crc.nd.edu`) && Path(`/users/get-svi-api-key/`)" |
| 107 | + service = "sds-gateway-prod-app" |
| 108 | + |
| 109 | + [http.routers.sds-gateway-prod-app-secure.tls] |
| 110 | + certResolver = "letsencrypt" |
| 111 | + |
| 112 | + # ⚠️ PROD router - public-facing |
| 113 | + [http.routers.sds-gateway-prod-app] |
| 114 | + entryPoints = ["web", "web-secure"] |
| 115 | + middlewares = ["csrf"] |
| 116 | + rule = "Host(`sds.crc.nd.edu`)" |
| 117 | + service = "sds-gateway-prod-app" |
| 118 | + [http.routers.sds-gateway-prod-app.tls] |
| 119 | + certResolver = "letsencrypt" |
| 120 | + |
| 121 | + # LOCAL router for static files |
| 122 | + [http.routers.sds-gateway-local-nginx] |
| 123 | + entryPoints = ["web", "web-secure"] |
| 124 | + rule = "Host(`sds-dev.crc.nd.edu`) && PathPrefix(`/static/`)" |
| 125 | + service = "sds-gateway-local-nginx" |
| 126 | + [http.routers.sds-gateway-local-nginx.tls] |
| 127 | + certResolver = "letsencrypt" |
| 128 | + |
| 129 | + # ⚠️ PROD router for static files |
| 130 | + [http.routers.sds-gateway-prod-nginx] |
| 131 | + entryPoints = ["web", "web-secure"] |
| 132 | + rule = "Host(`sds.crc.nd.edu`) && PathPrefix(`/static/`)" |
| 133 | + service = "sds-gateway-prod-nginx" |
| 134 | + [http.routers.sds-gateway-prod-nginx.tls] |
| 135 | + certResolver = "letsencrypt" |
| 136 | + |
| 137 | + # "whoami" service to debug Traefik |
| 138 | + # [http.routers.whoami] |
| 139 | + # entryPoints = ["web", "web-secure"] |
| 140 | + # rule = "Host(`sds-dev.crc.nd.edu`)" |
| 141 | + # service = "whoami" |
| 142 | + # [http.routers.whoami.tls] |
| 143 | + # certResolver = "letsencrypt" |
134 | 144 |
|
135 | 145 | [http.middlewares] |
136 | 146 |
|
|
139 | 149 | [http.middlewares.csrf.headers] |
140 | 150 | hostsProxyHeaders = ["X-CSRFToken"] |
141 | 151 |
|
142 | | -[http.middlewares.auth] |
| 152 | + [http.middlewares.whitelist-svi-domains] |
| 153 | + |
| 154 | + [http.middlewares.whitelist-svi-domains.ipWhiteList] |
| 155 | + sourceRange = [ |
| 156 | + "127.0.0.1/32", # localhost |
| 157 | + "129.74.246.5/32", # svi server |
| 158 | + "10.32.8.29/32", # svi qa |
| 159 | + ] |
| 160 | + |
| 161 | + [http.middlewares.auth] |
143 | 162 |
|
144 | | - # This is a basic auth for the Traefik dashboard |
| 163 | + # This is a basic auth for the Traefik dashboard |
145 | 164 |
|
146 | | - [http.middlewares.auth.basicAuth] |
147 | | - # Generate the credentials file with bcrypt hashes for the users: |
148 | | - # $ htpasswd -nB your-user-name >> traefik/credentials.htpasswd |
149 | | - # Try it out: |
150 | | - # $ e.g. curl -u your-user-name:your-password http://your-sds-hostname/dashboard/ |
151 | | - # https://doc.traefik.io/traefik/middlewares/http/basicauth/#usersfile |
152 | | - usersFile = "/etc/traefik/dashboard/credentials.htpasswd" |
| 165 | + [http.middlewares.auth.basicAuth] |
| 166 | + # Generate the credentials file with bcrypt hashes for the users: |
| 167 | + # $ htpasswd -nB your-user-name >> traefik/credentials.htpasswd |
| 168 | + # Try it out: |
| 169 | + # $ e.g. curl -u your-user-name:your-password http://your-sds-hostname/dashboard/ |
| 170 | + # https://doc.traefik.io/traefik/middlewares/http/basicauth/#usersfile |
| 171 | + usersFile = "/etc/traefik/dashboard/credentials.htpasswd" |
153 | 172 |
|
154 | 173 | [http.services] |
155 | 174 |
|
|
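Review bot: The allow list added at new lines 152–159 (`whitelist-svi-domains.ipWhiteList.sourceRange`) is only as good as the client address Traefik sees, and no `ipStrategy` is set, so the check is made against the TCP peer address; if Traefik sits behind another proxy or load balancer, every request arrives with that proxy's address and the list either blocks all SVI callers or, once the proxy IP is added, admits everyone. Only if that is the deployment, add `[http.middlewares.whitelist-svi-domains.ipWhiteList.ipStrategy]` with `depth = 1` (or `excludedIPs` for the proxy) — on a directly exposed `:443` entry point, as the config suggests, trusting `X-Forwarded-For` would let a client choose its own source address, so leave the default there. Separately, the guarded router at new lines 103–110 uses an exact `Path` rule for `/users/get-svi-api-key/`, so `/users/get-svi-api-key` without the trailing slash falls through to the unrestricted `sds-gateway-prod-app` router on the same service; whether that reaches the view depends on the application's slash handling, so consider matching both forms. The `ipWhiteList` middleware name is deprecated in favour of `ipAllowList` on Traefik v3, if that is the version in use.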