traefik: nforwardauth (#518)
Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #518
This commit is contained in:
parent
371067a8bb
commit
caf87e2c3f
17 changed files with 123 additions and 35 deletions
|
@ -1,15 +0,0 @@
|
|||
{
|
||||
"uploadOnSave": true,
|
||||
"useAtomicWrites": true,
|
||||
"deleteLocal": false,
|
||||
"hostname": "ansible2.grote.lan",
|
||||
"port": "22",
|
||||
"target": "/home/mg/ansible",
|
||||
"ignore": [
|
||||
".git/**"
|
||||
],
|
||||
"username": "mg",
|
||||
"keyfile": "C:\\Users\\mg\\Desktop\\NextCloud\\Rest\\ssh-keys\\ssh_key_heimserver_mg2.ppk",
|
||||
"transport": "scp",
|
||||
"watch": []
|
||||
}
|
|
@ -7,7 +7,7 @@ services:
|
|||
ports:
|
||||
- "9999:9999"
|
||||
volumes:
|
||||
- cache:/var/cache/apt-cacher-ng
|
||||
- /mnt/acng_cache:/var/cache/apt-cacher-ng
|
||||
environment:
|
||||
USER: acng-admin
|
||||
PASS: {{ lookup('keepass', 'acng_webinterface', 'password') }}
|
||||
|
@ -15,6 +15,3 @@ services:
|
|||
THRESHOLD: 60 # package housekeeping threshold
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
volumes:
|
||||
cache:
|
||||
|
|
|
@ -39,6 +39,10 @@ blocking:
|
|||
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
|
||||
- https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
|
||||
- https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
|
||||
- https://v.firebog.net/hosts/AdguardDNS.txt
|
||||
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
|
||||
- https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt
|
||||
- https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileSpyware.txt
|
||||
# - |
|
||||
# # inline definition with YAML literal block scalar style
|
||||
# someadsdomain.com
|
||||
|
|
|
@ -14,5 +14,21 @@ services:
|
|||
- ./assets/:/www/assets
|
||||
ports:
|
||||
- 333:8080
|
||||
networks:
|
||||
- traefik
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
traefik.http.routers.homer.rule: Host(`www.mgrote.net`,`mgrote.net`)
|
||||
traefik.enable: true
|
||||
traefik.http.routers.homer.tls: true
|
||||
traefik.http.routers.homer.tls.certresolver: resolver_letsencrypt
|
||||
traefik.http.routers.homer.entrypoints: entry_https
|
||||
traefik.http.services.homer.loadbalancer.server.port: 8080
|
||||
|
||||
traefik.http.routers.homer.middlewares: nforwardauth
|
||||
|
||||
######## Networks ########
|
||||
networks:
|
||||
traefik:
|
||||
external: true
|
||||
|
|
|
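Review bot: The `nforwardauth` middleware added to the homer router does not protect the service as long as `ports: - 333:8080` still publishes the container directly on the host, because that path never passes through Traefik; the munin `http_response` check elsewhere in this commit polls `http://docker10.grote.lan:333`, which suggests the direct port is in active use. If the forward auth is meant to gate the dashboard, drop the `ports:` entry (or bind it to a LAN-only address and firewall it) and point the monitoring at the authenticated hostname instead. The homer service definition begins above this hunk.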
@ -26,6 +26,7 @@ services:
|
|||
MAX_CONTENT_LENGTH: 50
|
||||
UPLOAD_DIRECTORY: /uploads
|
||||
AUTH_TOKEN: {{ lookup('keepass', 'httpd-api-server-token', 'password') }}
|
||||
ENABLE_WEBSERVER: false
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
|
|
|
@ -2,4 +2,4 @@ MYSQL_ROOT_PASSWORD={{ lookup('keepass', 'nextcloud_mysql_root_password', 'passw
|
|||
MYSQL_PASSWORD={{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}
|
||||
REDIS_HOST_PASSWORD={{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}
|
||||
SMTP_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
||||
NC_MAJOR_VERSION=25
|
||||
NC_MAJOR_VERSION=26
|
||||
|
|
|
@ -76,7 +76,7 @@ services:
|
|||
PHP_MEMORY_LIMIT: 1024M
|
||||
PHP_UPLOAD_LIMIT: 10G
|
||||
APACHE_DISABLE_REWRITE_IP: 1
|
||||
TRUSTED_PROXIES: "192.168.2.43" # docker10.grote.lan/traefik
|
||||
TRUSTED_PROXIES: "192.168.48.0/24" # Subnetz in dem sich traefik befindet
|
||||
volumes:
|
||||
- app:/var/www/html
|
||||
- data:/var/www/html/data
|
||||
|
|
|
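Review bot: `TRUSTED_PROXIES: "192.168.48.0/24"` trusts every container on the Docker network rather than only the Traefik instance, so any container on that subnet can send a forged `X-Forwarded-For` and Nextcloud will log, rate-limit and brute-force-protect on the spoofed client address. If the Traefik container's address is not stable enough to keep the old single-IP form, give it a fixed `ipv4_address` on the `traefik` network and trust only that /32; the comment should then say why the address is fixed. The nextcloud service definition starts above this hunk.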
@ -27,18 +27,19 @@ services:
|
|||
traefik.http.routers.registry.entrypoints: entry_https
|
||||
traefik.http.services.registry.loadbalancer.server.port: 5000
|
||||
|
||||
traefik.http.routers.registry.middlewares: registry-ipwhitelist
|
||||
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.0.0/16
|
||||
traefik.http.routers.registry.middlewares: error-pages-middleware,registry-ipwhitelist
|
||||
|
||||
traefik.http.routers.registry.middlewares: error-pages-middleware
|
||||
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24 # .48. ist Docker
|
||||
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
|
||||
|
||||
com.centurylinklabs.watchtower.depends-on: oci-registry-redis
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
# registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect [--dry-run] --delete-untagged=true /etc/docker/registry/config.yml
|
||||
|
||||
# testen mit:
|
||||
# docker pull ubuntu
|
||||
# docker image tag ubuntu registry.mgrote.net/myfirstimage
|
||||
# docker login --username regadmin --password <password> registry.mgrote.net
|
||||
# docker push registry.mgrote.net/myfirstimage
|
||||
# docker pull registry.mgrote.net/myfirstimage
|
||||
|
||||
|
@ -63,12 +64,13 @@ services:
|
|||
DELETE_IMAGES: true
|
||||
SINGLE_REGISTRY: true
|
||||
NGINX_PROXY_PASS_URL: http://oci-registry:5000
|
||||
SHOW_CONTENT_DIGEST: true # https://github.com/Joxit/docker-registry-ui/issues/297
|
||||
networks:
|
||||
- traefik
|
||||
- intern
|
||||
labels:
|
||||
traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
|
||||
traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-auth,error-pages-middleware # also entferne den Prefix danach wieder
|
||||
traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,error-pages-middleware,nforwardauth # also entferne den Prefix danach wieder
|
||||
traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
|
||||
traefik.enable: true
|
||||
traefik.http.routers.registry-ui.tls: true
|
||||
|
@ -79,7 +81,6 @@ services:
|
|||
com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
traefik.http.middlewares.registry-ui-auth.basicauth.users: ui-user:$$2y$$05$$6NLaW1ewe/t4M/qnaPHCx.bmsIKR5MOukwJFrvhyFUcqueRcm9i8K # echo $(htpasswd -nB ui-user password) | sed -e s/\\$/\\$\\$/g
|
||||
|
||||
######## Networks ########
|
||||
networks:
|
||||
|
|
|
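Review bot: Adding `192.168.48.0/24` to `registry-ipwhitelist.ipwhitelist.sourcerange` together with `ipstrategy.depth: 0` makes the check run against the connecting peer's address, so every container on the Docker network now passes the whitelist for the registry router, not only hosts on the two LAN ranges. The registry UI appears to reach the registry directly via `NGINX_PROXY_PASS_URL: http://oci-registry:5000` over the `intern` network, so unless some other container must push through `registry.mgrote.net` the Docker range can be dropped; if one is needed, narrow the entry to that container's address. Separately, the basic-auth hash removed from the UI labels remains in git history, so the `ui-user` credential should be considered retired rather than reused elsewhere. Both service definitions start above these hunks.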
@ -3,7 +3,7 @@ services:
|
|||
######## traefik ########
|
||||
traefik:
|
||||
container_name: "traefik"
|
||||
image: traefik:latest
|
||||
image: traefik:2.9
|
||||
restart: always
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
|
@ -21,7 +21,19 @@ services:
|
|||
TZ: Europe/Berlin
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
######## traefik ########
|
||||
# hier sind gemeinsame middlewares defniert und zu einer chain zusammengefasst
|
||||
# CAVE: die Reihenfolge innerhalb von Chains/von Middlewares ist wichtig
|
||||
# Aufbau: traefik.http.middlewares.<NAME>.chain.middlewares: middleware1,middleware2,middleware3
|
||||
# diese kann dann direkt eingebunden werden:
|
||||
# Beispiel: XXXXX
|
||||
# beim Einsatz von nforwardauth:
|
||||
# Beispiel: YYYYY
|
||||
|
||||
# Middleware default
|
||||
# enthält Rate-Limiting, Error-Pages und ZZZ?
|
||||
|
||||
|
||||
######## error-pages ########
|
||||
# https://github.com/tarampampam/error-pages/wiki/Traefik-(docker-compose)
|
||||
error-pages:
|
||||
container_name: "traefik-error-pages"
|
||||
|
@ -29,6 +41,7 @@ services:
|
|||
environment:
|
||||
TEMPLATE_NAME: ghost
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.depends-on: traefik
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
traefik.enable: true
|
||||
|
@ -49,6 +62,39 @@ services:
|
|||
networks:
|
||||
- traefik
|
||||
|
||||
######## nforwardauth ########
|
||||
# https://github.com/NOSDuco/nforwardauth
|
||||
nforwardauth:
|
||||
container_name: "traefik-nforwardauth"
|
||||
image: nosduco/nforwardauth:v1
|
||||
depends_on:
|
||||
- traefik
|
||||
networks:
|
||||
- traefik
|
||||
volumes:
|
||||
- ./passwd:/passwd:ro # Mount local passwd file at /passwd as ready only
|
||||
environment:
|
||||
TOKEN_SECRET: {{ lookup('keepass', 'traefik-nforwardauth-token-secret', 'password') }} # Secret to use when signing auth token
|
||||
AUTH_HOST: auth.mgrote.net
|
||||
#COOKIE_DOMAIN: mgrote.net # Set domain for the cookies. This value will allow cookie and auth on *.yourdomain.com (including base domain)
|
||||
PORT: 3000 # Set specific port to listen on
|
||||
labels:
|
||||
com.centurylinklabs.watchtower.depends-on: traefik
|
||||
com.centurylinklabs.watchtower.enable: true
|
||||
|
||||
traefik.enable: true
|
||||
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
|
||||
|
||||
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
|
||||
|
||||
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
|
||||
traefik.http.routers.nforwardauth.tls: true
|
||||
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
|
||||
traefik.http.routers.nforwardauth.entrypoints: entry_https
|
||||
|
||||
# traefik.http.routers.nforwardauth.middlewares: error-pages-middleware
|
||||
|
||||
|
||||
######## Networks ########
|
||||
networks:
|
||||
traefik:
|
||||
|
|
|
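Review bot: `image: nosduco/nforwardauth:v1` combined with `com.centurylinklabs.watchtower.enable: true` means the component that now gates every protected router is auto-updated from a mutable major tag, so any push to `v1` upstream is deployed unreviewed; pin an exact version (or a digest) and update it deliberately, as this hunk already does for `traefik:2.9`. The new comment block also ships placeholders (`# Beispiel: XXXXX`, `# Beispiel: YYYYY`, `# enthält Rate-Limiting, Error-Pages und ZZZ?`) that should be filled in with the actual chain label or removed before merge. The traefik service definition starts above these hunks.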
@ -19,7 +19,7 @@ http:
|
|||
###### router #####
|
||||
routers:
|
||||
router_dokuwiki:
|
||||
rule: "Host(`dokuwiki.mgrote.net`,`mgrote.net`,`www.mgrote.net`,`wiki.mgrote.net`)"
|
||||
rule: "Host(`dokuwiki.mgrote.net`,`wiki.mgrote.net`)"
|
||||
service: "service_dokuwiki"
|
||||
entrypoints:
|
||||
- entry_https
|
||||
|
|
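--- a/docker-compose/traefik/passwd
+++ b/docker-compose/traefik/passwd
@@ -0,0 +1,2 @@
+echo "michaelgrote:$(mkpasswd -m sha-512 CTRqDgqth1lwgefS0-YXDKadZLqo8N)"
+michaelgrote:$6$L1HOdqYIBBZol0D5$Qcj.1NcF1Mk7iZjBU2/uuvUEYuRbl6w0XfQyBTTlmClhx1yoJjwTOGwSdueKjq5MPyD9R5xCixVUQ/qfvRJb30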
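Review bot: The first line of the new passwd file commits the cleartext password `CTRqDgqth1lwgefS0-YXDKadZLqo8N` inside the `echo "michaelgrote:$(mkpasswd …)"` helper command, and that line is not a `user:hash` entry, so depending on how nforwardauth parses the file it is either silently ignored or breaks login. The password is now in git history and should be rotated; remove the helper line, generate the hash with `mkpasswd -m sha-512` entering the password at the prompt rather than as an argument (which also lands in shell history and the process list), and keep the hash out of the repository by rendering the file as a `.j2` template whose hash comes from a `lookup('keepass', …)` like `TOKEN_SECRET` does in the compose file.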
@ -31,7 +31,7 @@ certificatesResolvers:
|
|||
tlsChallenge: true
|
||||
|
||||
log:
|
||||
level: INFO
|
||||
level: DEBUG
|
||||
|
||||
api:
|
||||
insecure: true
|
||||
|
|
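Review bot: Raising `log: level` to `DEBUG` on the proxy that now fronts the forward-auth flow will record per-request detail for every protected hostname, and Traefik's debug output may include headers and cookies exchanged with the auth service; keep `level: INFO` and only raise it for a troubleshooting session. The unchanged `api: insecure: true` below means the dashboard and API are still served without any authentication, which is a natural candidate to put behind the `nforwardauth` middleware now that it exists.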
21
docker-compose/whoami/docker-compose.yml.j2
Normal file
21
docker-compose/whoami/docker-compose.yml.j2
Normal file
|
@ -0,0 +1,21 @@
|
|||
version: '3'
|
||||
services:
|
||||
# here it works as expected
|
||||
whoami:
|
||||
image: traefik/whoami
|
||||
container_name: whoami
|
||||
restart: always
|
||||
networks:
|
||||
- traefik
|
||||
labels:
|
||||
traefik.http.routers.whoami.rule: Host(`whoami.mgrote.net`)
|
||||
traefik.http.routers.whoami.middlewares: nforwardauth
|
||||
traefik.enable: true
|
||||
traefik.http.routers.whoami.tls: true
|
||||
traefik.http.routers.whoami.tls.certresolver: resolver_letsencrypt
|
||||
traefik.http.routers.whoami.entrypoints: entry_https
|
||||
traefik.http.services.whoami.loadbalancer.server.port: 80
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
external: true
|
|
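Review bot: `image: traefik/whoami` carries no tag while the same commit pins `traefik:2.9`, and the service has no `com.centurylinklabs.watchtower.enable` label, so it floats on whatever `latest` resolves to at deploy time and is then never updated; pin an explicit tag for consistency with the other services. The leading `# here it works as expected` reads like a debugging note; if the service is kept as a permanent check of the middleware, say so, e.g. `# smoke test: should require nforwardauth login`.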
@ -114,7 +114,7 @@
|
|||
postfix_smtp_server_port: 587
|
||||
postfix_smtp_use_tls: "yes"
|
||||
### mgrote.apt_manage_sources
|
||||
manage_sources_apt_proxy: "docker10.grote.lan:9999"
|
||||
manage_sources_apt_proxy: "192.168.2.43:9999" # als IP da apt warum auch immer >10s braucht den Namen aufzulösen
|
||||
### mgrote.tmux
|
||||
tmux_conf_destination: "/home/mg/.tmux.conf"
|
||||
tmux_bashrc_destination: "/home/mg/.bashrc"
|
||||
|
|
|
@ -18,11 +18,17 @@
|
|||
create: true
|
||||
lvnames:
|
||||
- lvname: ociregistry
|
||||
size: +100%FREE
|
||||
size: 10G
|
||||
create: true
|
||||
filesystem: xfs
|
||||
mount: true
|
||||
mntp: /mnt/oci-registry
|
||||
- lvname: acng_cache
|
||||
size: 10G
|
||||
create: true
|
||||
filesystem: xfs
|
||||
mount: true
|
||||
mntp: /mnt/acng_cache
|
||||
manage_lvm: true
|
||||
pvresize_to_max: true
|
||||
### mgrote.restic
|
||||
|
@ -69,6 +75,9 @@
|
|||
- name: registry
|
||||
state: present
|
||||
network: traefik
|
||||
- name: whoami
|
||||
state: present
|
||||
network: traefik
|
||||
### oefenweb.ufw
|
||||
ufw_rules:
|
||||
- rule: allow
|
||||
|
@ -146,7 +155,7 @@
|
|||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/http/http_response
|
||||
config: |
|
||||
[http_response]
|
||||
env.sites http://docker10.grote.lan:333 http://docker10.grote.lan:8888/nodes http://docker10.grote.lan:1234 https://nextcloud.mgrote.net http://docker10.grote.lan:3344 http://docker10.grote.lan:5000 https://miniflux.mgrote.net/ http://docker10.grote.lan:3001 http://docker10.grote.lan:8081 http://docker10.grote.lan:9999/acng-report.html
|
||||
env.sites http://docker10.grote.lan:333 http://docker10.grote.lan:8888/nodes http://docker10.grote.lan:1234 https://nextcloud.mgrote.net http://docker10.grote.lan:3344 http://docker10.grote.lan:5000 https://miniflux.mgrote.net/ http://docker10.grote.lan:3001 http://docker10.grote.lan:8081 http://docker10.grote.lan:9999/acng-report.html https://auth.mgrote.net
|
||||
env.max_time 20
|
||||
env.short_label true
|
||||
env.follow_redirect true
|
||||
|
@ -302,6 +311,6 @@
|
|||
env.repo oxidized-configs
|
||||
env.user mg
|
||||
env.git_ref HEAD
|
||||
env.warning 720
|
||||
env.warning 1000
|
||||
env.critical 2880
|
||||
env.token {{ lookup('keepass', 'gitea_commit_time_diff_oxidized_token', 'password') }}
|
||||
|
|
|
@ -298,5 +298,11 @@
|
|||
env.max_time 20
|
||||
env.short_label true
|
||||
env.follow_redirect true
|
||||
- name: lxc_guests
|
||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/lxc/lxc_guests
|
||||
config: |
|
||||
[lxc_guests]
|
||||
user root
|
||||
group root
|
||||
munin_node_disabled_plugins:
|
||||
- name: lvm_
|
||||
|
|
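Review bot: The `lxc_guests` plugin is configured with `user root` / `group root` while its `src:` fetches the script from the mutable `raw/branch/master` of the mirror, so any change to that branch (or a compromise of git.mgrote.net) executes as root on the host at the next deploy. Pin `src:` to a commit hash or tag of the mirror instead of `branch/master`, and check whether the plugin truly needs root or would work with a group that can read the lxc state. The plugin list this entry belongs to starts above the hunk.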
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.