switching to classic caddy service

georchestra · May 24, 2024 · f141c1f · f141c1f
1 parent 0b83585
commit f141c1f
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 63 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,5 +10,4 @@
 .env
 .envs-*
 # ignore the certs files automatically downloaded on docker-compose up
-resources/caddy/*
-!resources/caddy/README.md
+resources/caddy/data/*
diff --git a/README.md b/README.md
@@ -50,7 +50,10 @@ docker compose down
 
 **4. Play**
 
-Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.
+Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser. Then:
+
+* Accept the security warning.
+* Or solve the security warning by [following this step](#locally-trust-the-tls-certificate-for-georchestra).
 
 To login, use these credentials:
  * `testuser` / `testuser`
@@ -68,18 +71,42 @@ Emails sent by the SDI (eg when users request a new password) will not be relaye
 These emails can be read on https://georchestra-127-0-1-1.traefik.me/webmail/ (with login `smtp` and password `smtp`).
 
 
+## Locally trust the TLS certificate for geOrchestra
+### On Linux
+
+1. Download Caddy binary: `wget "https://caddyserver.com/api/download?os=linux&arch=amd64"`
+2. Make it executable: `chmod +x caddy`
+3. Trust the certificate using this command: `./caddy trust`.
+4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.  
+   If that doesn't work, try to restart your browser.
+
+### On Windows
+1. Download Caddy binary: https://caddyserver.com/download  
+   Click on Download button on the website.
+2. Open the Downloads folder using your file explorer and rename the file downloaded to `caddy`.
+3. Open the command prompt (cmd) and navigate to your Downloads folder.
+   `cd "C:\Users\%USERNAME%\Downloads"`
+3. Trust the certificate using this command: `caddy trust`.
+4. Open [https://georchestra-127-0-1-1.traefik.me/](https://georchestra-127-0-1-1.traefik.me/) in your browser.  
+   If that doesn't work, try to restart your browser.
+
 ## About the domain name
 
 The current FQDN `georchestra-127-0-1-1.traefik.me` resolves to 127.0.1.1, thanks to [traefik.me](https://traefik.me/) which provides wildcard DNS for any IP address.
 
 To change it:
- * Rename the traefik service in the `docker-compose.override.yml` file to match the new domain
- * Modify the three `traefik.http.routers.*.rule` in the `docker-compose.override.yml` file
- * Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`)
- * Put a valid SSL certificate in the `resources/ssl` folder and declare it in the `resources/traefik-config.yml` file
+
+1. Update the FQDN variable in [.envs-common](.envs-common) file (hint: grep for `georchestra-127-0-1-1.traefik.me`)
+2. Two options for the TLS/SSL certificate:
+    * If your web server exposed to the internet (most likely it is), remove `tls internal` line in the file `resources/caddy/etc/Caddyfile`.
+    * If it is not, put a valid TLS certificate and a private key in the `resources/ssl` folder and declare it in the file `resources/caddy/etc/Caddyfile`.
+3. Reload the docker composition: `docker compose up -d`.  
+   May need to restart Caddy later if you are just modifying the Caddyfile or some file resources: `docker compose restart caddy`.
 
 ## Notes
 
+Find the Caddy web server documentation here: https://caddyserver.com/docs/caddyfile/directives.
+
 These docker-compose files describe:
  * which images / webapps will run,
  * how they are linked together,

diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -9,55 +9,26 @@ volumes:
 
 services:
   caddy:
-    image: lucaslorentz/caddy-docker-proxy:2.8-alpine
-    networks:
-      - caddy
+    image: caddy:2.8-alpine
     ports:
       - "80:80"
       - "443:443"
+      - "127.0.0.1:2019:2019"
+    environment:
+      - CADDY_ADMIN=0.0.0.0:2019
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./resources/caddy:/data/caddy
+      - ./resources/ssl:/etc/certs:ro
+      - ./resources/caddy/etc:/etc/caddy:ro
+      - ./resources/caddy/data:/data/caddy
+      - ./resources/static:/usr/share/caddy/static:ro
     restart: always
-
-  static:
-    image: nginx:stable
-    restart: unless-stopped
-    networks:
-      - caddy
-    volumes:
-      - ./resources/static:/usr/share/nginx/html:ro
-      - /etc/localtime:/etc/localtime:ro
-    labels:
-      - "caddy=georchestra-127-0-1-1.traefik.me"
-      - "caddy.tls=internal"
-      - "caddy.handle=/public/*"
-      - "caddy.handle.0_reverse_proxy={{upstreams 80}}"
-
-  proxy:
-    networks:
-      - caddy
-      - default
-    labels:
-      - "caddy=georchestra-127-0-1-1.traefik.me"
-      - "caddy.tls=internal"
-      - "caddy.handle.reverse_proxy={{upstreams 8080}}"
-      - "caddy.handle.0_header=Access-Control-Allow-Origin *"
-      - "caddy.handle.1_header=Access-Control-Allow-Methods \"GET, POST, PUT, PATCH, DELETE, OPTIONS\""
-      - "caddy.handle.2_header=Access-Control-Max-Age 1800"
-      - "caddy.handle.3_header=Access-Control-Allow-Credentials: true"
-      - "caddy.@trailingslash=path_regexp reg_static ^/(\\w+)$"
-      - "caddy.redir=@trailingslash /{http.regexp.reg_static.1}/"
-
-  cas:
-    networks:
-      - caddy
-      - default
-    labels:
-      - "caddy=georchestra-127-0-1-1.traefik.me"
-      - "caddy.tls=internal"
-      - "caddy.handle=/cas/*"
-      - "caddy.handle.0_reverse_proxy={{upstreams 8080}}"
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:2019/reverse_proxy/upstreams >/dev/null || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+    env_file:
+      - .envs-common
 
   smtp:
     image: camptocamp/smtp-sink:latest
@@ -76,16 +47,8 @@ services:
     environment:
       - IMAP_HOSTNAME=courier-imap
       - SMTP_HOSTNAME=smtp-sink
-    networks:
-      - caddy
-      - default
     volumes:
       - smtp_maildir:/home/smtp/Maildir/
-    labels:
-      - "caddy=georchestra-127-0-1-1.traefik.me"
-      - "caddy.tls=internal"
-      - "caddy.handle=/webmail/*"
-      - "caddy.handle.0_reverse_proxy={{upstreams 80}}"
     restart: always
 
   ssh:
@@ -95,6 +58,3 @@ services:
     volumes:
       - geoserver_geodata:/mnt/geoserver_geodata
     restart: always
-
-networks:
-  caddy:
diff --git a/resources/caddy/README.md b/resources/caddy/README.md
@@ -1 +1,2 @@
-This repository is for the storage of caddy webserver.
+* `etc`: Configuration folder for Caddy web server. You will find the Caddyfile there.
+* `data`: This repository is for the storage of Caddy web server.
diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile
@@ -0,0 +1,55 @@
+(static_fileserver) {
+    root * /usr/share/caddy/static
+    file_server
+}
+
+{$FQDN} {
+    tls internal
+    # For using a custom certificate:
+    # tls /etc/certs/ca.pem /etc/certs/key.pem
+
+    @trailing-slash {
+        path_regexp reg_static ^/(\w+)$
+    }
+
+    @static-resources {
+        path /favicon.ico
+        path /crossdomain.xml
+        path /robots.txt
+    }
+
+    handle_errors {
+        @5xx `{err.status_code} >= 500 && {err.status_code} < 600`
+        handle @5xx {
+            import static_fileserver
+            rewrite * /errors/50x.html
+        }
+    }
+
+    handle @static-resources {
+        import static_fileserver
+    }
+
+    handle_path /public/* {
+        import static_fileserver
+    }
+
+    handle /cas/* {
+        reverse_proxy cas:8080
+    }
+
+    handle /webmail/* {
+        reverse_proxy webmail:80
+    }
+
+    handle {
+        reverse_proxy proxy:8080
+        header {
+            Access-Control-Allow-Origin *
+            Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+            Access-Control-Max-Age 1800
+            Access-Control-Allow-Credentials: true
+        }
+        redir @trailing-slash /{http.regexp.reg_static.1}/
+    }
+}