Switch to caddy webserver (#268)

* switch to caddy webserver * switching to classic caddy service * adapt .gitignore * add return line end of file Caddyfile * fix wording in README.md * remove traefik.yml ressources * switch to gateway + add caddy binary to gitignore * remove redirection because now handled in gateway + redirect just import * add more comments * remove -> ignore * can keep cas path uncommented since it doesn't hurt anything * migrate from traefik.me to nip.io * add note about snap and security caddy trust * add warning icon for fnecas
georchestra · Nov 4, 2024 · 254e7f4 · 254e7f4
1 parent 2efff63
commit 254e7f4
Show file tree

Hide file tree

Showing 11 changed files with 118 additions and 167 deletions.
diff --git a/.envs-common b/.envs-common
@@ -1,4 +1,4 @@
 # envs-common
-FQDN=georchestra-127-0-1-1.traefik.me
+FQDN=georchestra-127-0-0-1.nip.io
 SMTPHOST=smtp
 SMTPPORT=25
diff --git a/.gitignore b/.gitignore
@@ -9,5 +9,8 @@
 # not pushed to github
 .env
 .envs-*
-# ignore the certs files automatically downloaded on docker-compose up
-resources/ssl/traefik.me*
+# ignore the certs files and Caddy data directory
+resources/ssl/*
+resources/caddy/data/*
+# ignore possible caddy binary downloaded
+/caddy
diff --git a/README.md b/README.md
@@ -50,36 +50,66 @@ docker compose down
 
 **4. Play**
 
-Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.
+Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser. Then:
+
+* Accept the security warning.
+* Or solve the security warning by [following this step](#locally-trust-the-tls-certificate-for-georchestra).
 
 To login, use these credentials:
  * `testuser` / `testuser`
  * `testadmin` / `testadmin`
 
 To upload data into the GeoServer data volume (`geoserver_geodata`), use `rsync`:
 ```
-rsync -arv -e 'ssh -p 2222' /path/to/geodata/ geoserver@georchestra-127-0-1-1.traefik.me:/mnt/geoserver_geodata/
+rsync -arv -e 'ssh -p 2222' /path/to/geodata/ geoserver@georchestra-127-0-0-1.nip.io:/mnt/geoserver_geodata/
 ```
 (password is: `geoserver`)
 
 Files uploaded into this volume will also be available to the geoserver instance in `/mnt/geoserver_geodata/`.
 
 Emails sent by the SDI (eg when users request a new password) will not be relayed on the internet but trapped by a local SMTP service.  
-These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (with login `smtp` and password `smtp`).
+These emails can be read on https://georchestra-127-0-0-1.nip.io/webmail/ (with login `smtp` and password `smtp`).
+
+
+## Locally trust the TLS certificate for geOrchestra
+
+Note: If you don't use the docker composition for geOrchestra for a few days, we recommend to "untrust" the certificate due to security because the certificate installed will work on all the domains.
 
+### On Linux
+
+1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O caddy`
+2. Make it executable: `chmod +x caddy`
+3. Trust the certificate using this command: `./caddy trust`.
+4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser.  
+   If that doesn't work, try to restart your browser. ⚠ Make sure to be running a browser not installed through snap.
+
+### On Windows
+1. Download Caddy binary: https://caddyserver.com/download  
+   Click on Download button on the website.
+2. Open the Downloads folder using your file explorer and rename the file downloaded to `caddy`.
+3. Open the command prompt (cmd) and navigate to your Downloads folder.
+   `cd "C:\Users\%USERNAME%\Downloads"`
+3. Trust the certificate using this command: `caddy trust`.
+4. Open [https://georchestra-127-0-0-1.nip.io/](https://georchestra-127-0-0-1.nip.io/) in your browser.  
+   If that doesn't work, try to restart your browser.
 
 ## About the domain name
 
-The current FQDN `georchestra-127-0-1-1.traefik.me` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address.
+The current FQDN `georchestra-127-0-0-1.nip.io` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address.
 
 To change it:
- * Rename the traefik service in the `docker-compose.override.yml` file to match the new domain
- * Modify the three `traefik.http.routers.*.rule` in the `docker-compose.override.yml` file
- * Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`)
- * Put a valid SSL certificate in the `resources/ssl` folder and declare it in the `resources/traefik-config.yml` file
+
+1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-0-1.nip.io`)
+2. Two options for the TLS/SSL certificate:
+    * If your web server is exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`.
+    * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`.
+3. Reload the docker composition: `docker compose up -d`.  
+   May need to restart Caddy later if you are just modifying the Caddyfile or some file resources: `docker compose restart caddy`.
 
 ## Notes
 
+Find the Caddy web server documentation here: https://caddyserver.com/docs/caddyfile/directives.
+
 These docker-compose files describe:
  * which images / webapps will run,
  * how they are linked together,
@@ -211,7 +241,7 @@ In /docker :
 
 `docker compose up -d`
 
-You can now test modifications locally with the current FQDN (by default `georchestra-127-0-1-1.traefik.me`).
+You can now test modifications locally with the current FQDN (by default `georchestra-127-0-0-1.nip.io`).
 
 **3. Debug**
 

diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -8,119 +8,27 @@ volumes:
   smtp_maildir:
 
 services:
-  traefik-me-certificate-downloader:
-    image: alpine
-    depends_on:
-      envsubst:
-        condition: service_completed_successfully
-    command: sh -c "cd /etc/ssl/traefik
-      && wget traefik.me/fullchain.pem -O traefik.me.crt
-      && wget traefik.me/privkey.pem -O traefik.me-key.pem"
-    volumes:
-      - ./resources/ssl:/etc/ssl/traefik
-
-  georchestra-127-0-1-1.traefik.me:
-    image: traefik:2.9
-    depends_on:
-      traefik-me-certificate-downloader:
-        condition: service_completed_successfully
-    healthcheck:
-      test: traefik healthcheck --ping
+  caddy:
+    image: caddy:2.8-alpine
     ports:
       - "80:80"
       - "443:443"
+      - "127.0.0.1:2019:2019"
+    environment:
+      - CADDY_ADMIN=0.0.0.0:2019
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./resources/ssl:/etc/certs:ro
-      - ./resources/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./resources/traefik-config.yml:/etc/traefik/config.yml:ro
+      - ./resources/caddy/etc:/etc/caddy:ro
+      - ./resources/caddy/data:/data/caddy
+      - ./resources/static:/usr/share/caddy/static:ro
     restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.tls=true"
-      - "traefik.http.routers.traefik.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.middlewares=traefik-strip@docker"
-      - "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik"
-
-
-  static:
-    image: nginx:stable
-    restart: unless-stopped
-    volumes:
-      - ./resources/static:/usr/share/nginx/html:ro
-      - /etc/localtime:/etc/localtime:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.static.tls=true"
-      - "traefik.http.routers.static.rule=Host(`georchestra-127-0-1-1.traefik.me`)"
-      - "traefik.http.routers.static.priority=1"
-
-  gateway:
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.gateway.tls=true"
-      - "traefik.http.routers.gateway.priority=2"
-      - >-
-        traefik.http.routers.gateway.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (
-        PathPrefix(`/analytics`)
-        || PathPrefix(`/datafeeder`)
-        || PathPrefix(`/datahub`)
-        || PathPrefix(`/console`)
-        || PathPrefix(`/extractorapp`)
-        || PathPrefix(`/geonetwork`)
-        || PathPrefix(`/geoserver`)
-        || PathPrefix(`/header`)
-        || PathPrefix(`/import`)
-        || PathPrefix(`/login`)
-        || PathPrefix(`/logout`)
-        || PathPrefix(`/oauth2`)
-        || PathPrefix(`/mapstore`)
-        || PathPrefix(`/ogc-api-records`)
-        || PathPrefix(`/_static`)
-        || PathPrefix(`/whoami`)
-        || Query(`login=`)
-        )
-      - "traefik.http.services.gateway.loadbalancer.server.port=8080"
-      # CORS related. Open everything to the world.
-      - "traefik.http.routers.gateway.middlewares=corsheader@docker"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolallowmethods=GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolalloworiginlist=*"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolmaxage=1800"
-      - "traefik.http.middlewares.corsheader.headers.addvaryheader=true"
-      - "traefik.http.middlewares.corsheader.headers.accesscontrolallowcredentials=true"
-      - "traefik.http.routers.gateway.middlewares=corsheader@docker,static-errors-middleware@docker"
-      # handle downstream errors
-      - "traefik.http.middlewares.static-errors-middleware.errors.status=500-599"
-      - "traefik.http.middlewares.static-errors-middleware.errors.service=static-docker@docker"
-      - "traefik.http.middlewares.static-errors-middleware.errors.query=/errors/50x.html"
-      # Add trailing slash to well-known apps
-      - "traefik.http.routers.traefik-redirect.tls=true"
-      - >-
-        traefik.http.routers.traefik-redirect.rule=Host(`georchestra-127-0-1-1.traefik.me`) && (
-        Path(`/analytics`)
-        || Path(`/datafeeder`)
-        || Path(`/datahub`)
-        || Path(`/console`)
-        || Path(`/geonetwork`)
-        || Path(`/geoserver`)
-        || Path(`/header`)
-        || Path(`/import`)
-        || Path(`/mapstore`)
-        || Path(`/ogc-api-records`)
-        )
-      - "traefik.http.routers.traefik-redirect.priority=10"
-      - "traefik.http.routers.traefik-redirect.middlewares=add-trailing-slash@docker"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.regex=^https?://(.+)/([^?]+)(\\?.*)?"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.replacement=https://$${1}/$${2}/$${3}"
-      - "traefik.http.middlewares.add-trailing-slash.redirectregex.permanent=false"
-
-# uncomment for oauth 2.0
-#  cas:
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.cas.tls=true"
-#      - "traefik.http.routers.cas.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/cas`)"
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:2019/reverse_proxy/upstreams >/dev/null || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+    env_file:
+      - .envs-common
 
   smtp:
     image: camptocamp/smtp-sink:latest
@@ -141,10 +49,6 @@ services:
       - SMTP_HOSTNAME=smtp-sink
     volumes:
       - smtp_maildir:/home/smtp/Maildir/
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.webmail.tls=true"
-      - "traefik.http.routers.webmail.rule=Host(`georchestra-127-0-1-1.traefik.me`) && PathPrefix(`/webmail`)"
     restart: always
 
   ssh:

diff --git a/docker-compose.sendmail.yml b/docker-compose.sendmail.yml
@@ -20,5 +20,5 @@ services:
   sendmail:
     image: pigeosolutions/sendmail:20210906-1657-6e05771
     environment:
-      HOSTNAME: georchestra-127-0-1-1.traefik.me
+      HOSTNAME: georchestra-127-0-0-1.nip.io
     restart: always
diff --git a/resources/caddy/README.md b/resources/caddy/README.md
@@ -0,0 +1,2 @@
+* `etc`: Configuration folder for Caddy web server. You will find the Caddyfile there.
+* `data`: This repository is for the storage of Caddy web server.
diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile
@@ -0,0 +1,55 @@
+(static_fileserver) {
+    root * /usr/share/caddy/static
+    file_server
+}
+
+{$FQDN} {
+    tls internal
+    # For using a custom certificate:
+    # tls /etc/certs/ca.pem /etc/certs/key.pem
+
+    @static-resources {
+        path /favicon.ico
+        path /crossdomain.xml
+        path /robots.txt
+    }
+
+    handle_errors {
+        @5xx `{err.status_code} >= 500 && {err.status_code} < 600`
+        handle @5xx {
+            import static_fileserver
+            rewrite * /errors/50x.html
+        }
+    }
+
+    handle @static-resources {
+        import static_fileserver
+    }
+
+    handle_path /public/* {
+        import static_fileserver
+    }
+
+    handle /cas/* {
+        reverse_proxy cas:8080
+    }
+
+    handle /webmail/* {
+        reverse_proxy webmail:80
+    }
+
+    # To be removed once import container support automatic redirection.
+    handle /import {
+        redir /import /import/
+    }
+
+    handle {
+        reverse_proxy gateway:8080
+        header {
+            Access-Control-Allow-Origin *
+            Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+            Access-Control-Max-Age 1800
+            Access-Control-Allow-Credentials: true
+        }
+    }
+}
diff --git a/resources/ssl/.gitkeep b/resources/ssl/.gitkeep
diff --git a/resources/ssl/README.md b/resources/ssl/README.md
diff --git a/resources/traefik-config.yml b/resources/traefik-config.yml
diff --git a/resources/traefik.yml b/resources/traefik.yml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		* `etc`: Configuration folder for Caddy web server. You will find the Caddyfile there.
		* `data`: This repository is for the storage of Caddy web server.