Error pages

Re coop-cloud/organising#115

.drone.yml

@@ -16,9 +16,9 @@ steps:
       STACK_NAME: traefik
       LETS_ENCRYPT_ENV: production
       LETS_ENCRYPT_EMAIL: helo@autonomic.zone
-      TRAEFIK_YML_VERSION: v21
-      FILE_PROVIDER_YML_VERSION: v10
-      ENTRYPOINT_VERSION: v4
+      TRAEFIK_YML_VERSION: v4
+      FILE_PROVIDER_YML_VERSION: v3
+      ENTRYPOINT_VERSION: v1
 trigger:
   branch:
     - master

.env.sample

@@ -1,7 +1,6 @@
 TYPE=traefik
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true
 
 DOMAIN=traefik.example.com
 LETS_ENCRYPT_ENV=production
@@ -43,29 +42,18 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
-#GANDI_API_KEY_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
+#GANDI_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
-## Gandi, https://gandi.net
-## note: uses GandiV5 Personal Access Token
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
-#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
-#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
-
-## DigitalOcean, https://digitalocean.com
-#COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
-#DIGITALOCEAN_ENABLED=1
-#SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION=v1
-
 #####################################################################
 # Manual wildcard certificate insertion                             #
 #####################################################################
 
 # Set wildcards = 1, and uncomment compose_file to enable.
 # Create your certs elsewhere and add them like:
-# abra app secret insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
-# abra app secret insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
 #WILDCARDS_ENABLED=1
 #SECRET_WILDCARD_CERT_VERSION=v1
 #SECRET_WILDCARD_KEY_VERSION=v1

README.md

@@ -40,10 +40,8 @@ Letsencrypt DNS challenges.
    `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
-   `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
+   `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
    `gandiv5_api_key` and `SECRETVALUE` is the API key.
-   - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
-     Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v21
+export TRAEFIK_YML_VERSION=v20
 export FILE_PROVIDER_YML_VERSION=v10
-export ENTRYPOINT_VERSION=v4
+export ENTRYPOINT_VERSION=v2

alaconnect.yml

@@ -1,4 +0,0 @@
-matrix-synapse:
-    uncomment:
-        - compose.matrix.yml
-        - MATRIX_FEDERATION_ENABLED

compose.digitalocean.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - DO_AUTH_TOKEN_FILE=/run/secrets/digitalocean_auth_token
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - digitalocean_auth_token
-
-secrets:
-  digitalocean_auth_token:
-    name: ${STACK_NAME}_digitalocean_auth_token_${SECRET_DIGITALOCEAN_AUTH_TOKEN_VERSION}
-    external: true

compose.errors.yml

@@ -0,0 +1,29 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - "CUSTOM_ERRORS=1"
+    volumes:
+      - "traefik-plugins:/plugins-local/"
+  errors:
+    image: "tarampampam/error-pages:2.27.0"
+    networks:
+      - proxy
+    deploy:
+      labels:
+          - "traefik.enable=true"
+          # use as "fallback" for any non-registered services (with priority below normal)
+          - "traefik.http.routers.${STACK_NAME}-error.rule=HostRegexp(`{host:.+}`)"
+          - "traefik.http.routers.${STACK_NAME}-error.priority=10"
+          - "traefik.http.routers.${STACK_NAME}-error.entrypoints=web-secure"
+          - "traefik.http.routers.${STACK_NAME}-error.tls.certresolver=${LETS_ENCRYPT_ENV}"
+          - "traefik.http.services.${STACK_NAME}-error.loadbalancer.server.port=8080"
+          # "errors" middleware settings
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.status=400-599"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.service=${STACK_NAME}-error"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.query=/{status}.html"
+
+volumes:
+  traefik-plugins:

compose.gandi-personal-access-token.yml

@@ -1,15 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_pat
-      - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
-      - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
-    secrets:
-      - gandiv5_pat
-
-secrets:
-  gandiv5_pat:
-    name: ${STACK_NAME}_gandiv5_pat_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
-    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "traefik:v2.11.14"
+    image: "traefik:v2.11.0"
     # Note(decentral1se): *please do not* add any additional ports here.
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
@@ -11,6 +11,7 @@ services:
       - "80:80"
       - "443:443"
     volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
     configs:
@@ -23,7 +24,6 @@ services:
         mode: 0555
     networks:
       - proxy
-      - internal
     environment:
       - DASHBOARD_ENABLED
       - LOG_LEVEL
@@ -47,49 +47,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.service=api@internal"
         - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.9.0+v2.11.14"
+        - "coop-cloud.${STACK_NAME}.version=2.6.0+v2.11.0"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-
-  socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:1.26.2-r0-ls30
-    environment:
-      - ALLOW_START=0
-      - ALLOW_STOP=0
-      - ALLOW_RESTARTS=0
-      - AUTH=0
-      - BUILD=0
-      - COMMIT=0
-      - CONFIGS=0
-      - CONTAINERS=1 # Needs access
-      - DISABLE_IPV6=0
-      - DISTRIBUTION=0
-      - EVENTS=1 # Needs access
-      - EXEC=0
-      - IMAGES=0
-      - INFO=0
-      - NETWORKS=1 # Needs access
-      - NODES=0
-      - PING=0
-      - POST=0
-      - PLUGINS=0
-      - SECRETS=0
-      - SERVICES=1 # Needs access
-      - SESSION=0
-      - SWARM=0
-      - SYSTEM=0
-      - TASKS=1 # Needs access
-      - VERSION=1 # Needs access
-      - VOLUMES=0
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - internal
 
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   traefik_yml:

entrypoint.sh.tmpl

@@ -7,8 +7,8 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
-export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
+{{ if eq (env "GANDI_ENABLED") "1" }}
+export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
 {{ end }}
 
 /entrypoint.sh "$@"

file-provider.yml.tmpl

@@ -1,6 +1,19 @@
 ---
+
 http:
   middlewares:
+    {{ if eq (env "CUSTOM_ERRORS") "1" }}
+    error:
+      plugin:
+        traefik-error-page:
+          debug: "true"
+          contentsOnly: "false"
+          contentsOnlyMatch: "Bad Gateway"
+          query: /{status}.html
+          service: http://{{ env "STACK_NAME" }}_errors:8080
+          status:
+            - 502
+    {{ end }}
     {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
     keycloak:
       forwardAuth:
@@ -48,4 +61,4 @@ tls:
   certificates:
     - certFile: /run/secrets/ssl_cert
       keyFile: /run/secrets/ssl_key
-  {{ end }}
+  {{ end }}

release/2.8.0+v2.11.10

@@ -1 +0,0 @@
-Important Security Update! https://nvd.nist.gov/vuln/detail/CVE-2024-45410

release/2.9.0+v2.11.14

@@ -1 +0,0 @@
-Closes Security Issue https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg

traefik.yml.tmpl

@@ -4,7 +4,7 @@ log:
 
 providers:
   docker:
-    endpoint: "tcp://socket-proxy:2375"
+    endpoint: "unix:///var/run/docker.sock"
     exposedByDefault: false
     network: proxy
     swarmMode: true
@@ -24,10 +24,6 @@ api:
 entrypoints:
   web:
     address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: web-secure
   web-secure:
     address: ":443"
   {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
@@ -119,3 +115,10 @@ certificatesResolvers:
           - "1.1.1.1:53"
           - "9.9.9.9:53"
       {{ end }}
+
+{{ if eq (env "CUSTOM_ERRORS") "1" }}
+experimental:
+  localplugins:
+    traefik-error-page:
+      moduleName: "github.com/3-w-c/traefik-error-page"
+{{ end }}