dnpm: Secure endpoints for ETL and p2p communications

ccp/modules/dnpm-node-compose.yml

@@ -51,10 +51,29 @@ services:
       - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
       - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
     labels:
+      labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
-      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-frontend.tls=true"
+      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=dnpm-backend-etl"
+      # create this with "echo $(htpasswd -nB USER) | sed -e s/\\\$/\\\$\\\$/g"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.middlewares.dnpm-backend-etl.basicauth.users=${ETL_PASSWD}"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 
   dnpm-backend:
     container_name: bridgehead-dnpm-backend

minimal/modules/dnpm-node-compose.yml

@@ -74,9 +74,27 @@ services:
         condition: service_healthy
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
       - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=dnpm-backend-etl"
+      # create this with "echo $(htpasswd -nB USER) | sed -e s/\\\$/\\\$\\\$/g"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.middlewares.dnpm-backend-etl.basicauth.users=${ETL_PASSWD}"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 
   landing:
     labels: