diff --git a/ccp/modules/dnpm-node-compose.yml b/ccp/modules/dnpm-node-compose.yml
index 6f85ca54..4c9c7176 100644
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -51,10 +51,29 @@ services:
 - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
 - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
 labels:
+ labels:
 - "traefik.enable=true"
- - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
- - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
- - "traefik.http.routers.dnpm-frontend.tls=true"
+ - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+ # expose everything
+ - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+ - "traefik.http.routers.dnpm-backend.tls=true"
+ - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+ # except ETL
+ - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+ - "traefik.http.routers.dnpm-backend-etl.tls=true"
+ - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+ - "traefik.http.routers.dnpm-backend-etl.middlewares=dnpm-backend-etl"
+ # create this with "echo $(htpasswd -nB USER) | sed -e s/\\\$/\\\$\\\$/g"
+ # this needs an ETL processor with support for basic auth
+ - "traefik.http.middlewares.dnpm-backend-etl.basicauth.users=${ETL_PASSWD}"
+ # except peer-to-peer
+ - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+ - "traefik.http.routers.dnpm-backend-peer.tls=true"
+ - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+ - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+ # this effectively denies all requests
+ # this is okay, because requests from peers don't go through Traefik
+ - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 dnpm-backend:
 container_name: bridgehead-dnpm-backend
diff --git a/minimal/modules/dnpm-node-compose.yml b/minimal/modules/dnpm-node-compose.yml
index 6f85ca54..cc391ae1 100644
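Review bot: The added `labels:` sits directly under the existing `labels:` context line, and the `dnpm-backend` routers replace the `dnpm-frontend` labels on what appears to be the frontend service (the `NUXT_*` variables are just above), whereas the minimal file adds the same labels under the backend's label list. If both keys are at the same indentation this is a duplicate mapping key, which YAML parsers either reject or resolve last-wins. As written the frontend loses its own router, and the ETL and peer2peer middlewares are declared on a container whose removed label pointed at port 3000, not 9000. It is worth confirming the hunk was meant for the `dnpm-backend:` service that begins at the end of the hunk. The service header is above the hunk and indentation is lost here, so this is inferred from the surrounding context.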
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -74,9 +74,27 @@ services:
 condition: service_healthy
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
 - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+ # expose everything
+ - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
 - "traefik.http.routers.dnpm-backend.tls=true"
+ - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+ # except ETL
+ - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+ - "traefik.http.routers.dnpm-backend-etl.tls=true"
+ - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+ - "traefik.http.routers.dnpm-backend-etl.middlewares=dnpm-backend-etl"
+ # create this with "echo $(htpasswd -nB USER) | sed -e s/\\\$/\\\$\\\$/g"
+ # this needs an ETL processor with support for basic auth
+ - "traefik.http.middlewares.dnpm-backend-etl.basicauth.users=${ETL_PASSWD}"
+ # except peer-to-peer
+ - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+ - "traefik.http.routers.dnpm-backend-peer.tls=true"
+ - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+ - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+ # this effectively denies all requests
+ # this is okay, because requests from peers don't go through Traefik
+ - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
 landing:
 labels:
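Review bot: The unrestricted `dnpm-backend` router on the `/api` prefix stays the fallback for both protected paths, so the ETL and peer2peer restrictions hold only while their own routers and middlewares load; the ccp hunk adds the same lines. `PathRegexp` is Traefik v3 rule syntax, while v3 names the IP filter `ipAllowList`, so confirm that `ipWhiteList.sourceRange` is still accepted by the deployed version and that a rejected middleware does not leave the peer2peer paths served by the open router. `${ETL_PASSWD}` substitutes to an empty string when the variable is unset; writing `${ETL_PASSWD:?ETL_PASSWD must be set}` makes compose refuse to start instead of bringing up a router whose auth list is empty. An explicit `priority` label on the two restricted routers would make their precedence over the `/api` router independent of rule length. The service these labels belong to starts above the hunk.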