traefik: combine all allowlist into fileprovider (#235)

Reviewed-on: #235 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-11-10 18:07:12 +01:00 · 2024-11-10 18:07:12 +01:00 · b4860abb6a
commit b4860abb6a
parent 977b66495a
6 changed files with 17 additions and 27 deletions
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@ -62,5 +62,3 @@ volumes:
  gramps_db:
  gramps_media:
  gramps_tmp:
-
-# checkliste
--- a/docker-compose/minio/docker-compose.yml.j2
+++ b/docker-compose/minio/docker-compose.yml.j2
@ -1,11 +1,11 @@
 services:
  minio:
-    image: minio/minio:latest # add to renovate; https://github.com/renovatebot/renovate/issues/2438
+    image: minio/minio:latest # TODO: add to renovate; https://github.com/renovatebot/renovate/issues/2438
    container_name: minio
    restart: unless-stopped
    pull_policy: missing
    ports:
-      # - '9000:9000' # S3
+      # - '9000:9000' # S3, nur über traefik
      - '9001:9001' # WebUI
    networks:
      - traefik
@ -30,17 +30,6 @@ services:
      traefik.http.routers.minio-s3.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.minio-s3.entrypoints: entry_https
      traefik.http.services.minio-s3.loadbalancer.server.port: 9000
-      # WebUI
-      # traefik.http.routers.minio-ui.service: minio-ui
-      # traefik.http.routers.minio-ui.priority: "20"
-      # traefik.http.routers.minio-ui.rule: Host(`ui-s3.mgrote.net`)
-      # traefik.http.routers.minio-ui.tls: true
-      # traefik.http.routers.minio-ui.tls.certresolver: resolver_letsencrypt
-      # traefik.http.routers.minio-ui.entrypoints: entry_https
-      # traefik.http.services.minio-ui.loadbalancer.server.port: 9001
-      # traefik.http.routers.minio-ui.middlewares: minio-ui-ipallowlist # also entferne den Prefix danach wieder
-      # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24
-      # traefik.http.middlewares.minio-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth

 ######## Networks ########
 networks:
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@ -38,10 +38,7 @@ services:
      traefik.http.routers.registry.entrypoints: entry_https
      traefik.http.services.registry.loadbalancer.server.port: 5000

-      traefik.http.routers.registry.middlewares: registry-ipallowlist
-
-      traefik.http.middlewares.registry-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
-      traefik.http.middlewares.registry-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
+      traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file

    # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml

@ -92,16 +89,13 @@ services:
      retries: 3
    labels:
      traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
-      traefik.http.routers.registry-ui.middlewares: authelia,registry-ui-ipallowlist # also entferne den Prefix danach wieder
+      traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
      traefik.enable: true
      traefik.http.routers.registry-ui.tls: true
      traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry-ui.entrypoints: entry_https
      traefik.http.services.registry-ui.loadbalancer.server.port: 80

-      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
-      traefik.http.middlewares.registry-ui-ipallowlist.ipallowlist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
-
 ######## Networks ########
 networks:
  traefik:
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@ -6,7 +6,7 @@ http:
      rule: "Host(`git.mgrote.net`)"
      service: "service_forgejo"
      middlewares:
-        - "ratelimit"
+        - "ratelimit40@file"
      entrypoints:
        - entry_https
      tls:
@ -19,10 +19,19 @@ http:
          - url: "http://forgejo.mgrote.net:3000/"
 ###### middlewares #####
  middlewares:
-    ratelimit:
+    ratelimit40:
      rateLimit:
        average: 40
        burst: 80
        sourceCriterion:
          ipStrategy:
            depth: 2
+    allowlist_localnet:
+      ipallowlist:
+        sourcerange:
+          - 192.168.2.0/24
+          - 10.25.25.0/24
+          - 192.168.48.0/24 # docker
+          #- 172.18.0.0/16  # ???
+        ipstrategy:
+          depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipallowlist/#ipstrategydepth
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@ -31,7 +31,7 @@ certificatesResolvers:
      tlsChallenge: true

 log:
-  level: INFO
+  level: INFO # TRACE , DEBUG , INFO , WARN , ERROR , FATAL , PANIC

 accessLog: {}

--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@ -26,7 +26,7 @@ services:
      traefik.http.routers.wiki.entrypoints: entry_https
      traefik.http.services.wiki.loadbalancer.server.port: 80

-      traefik.http.routers.wiki.middlewares: authelia
+      traefik.http.routers.wiki.middlewares: authelia@docker

 ######## Networks ########
 networks: