Add support for externally-sourced wildcard certificates #45
.env.sample (13)
@ -46,6 +46,19 @@ COMPOSE_FILE="compose.yml"
#GANDI_ENABLED=1
#SECRET_GANDIV5_API_KEY_VERSION=v1
#####################################################################
# Manual wildcard certificate insertion #
#####################################################################
# Set wildcards = 1, and uncomment compose_file to enable.
# Create your certs elsewhere and add them like:
# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
#WILDCARDS_ENABLED=1
#SECRET_WILDCARD_CERT_VERSION=v1
#SECRET_WILDCARD_KEY_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
#####################################################################
# Keycloak log-in #
#####################################################################
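Review bot: the instructions in this block do not match the variables they introduce. "Set wildcards = 1" should name the actual variable, WILDCARDS_ENABLED=1, and both `abra app secrets insert` examples hard-code `v1` even though the block defines two separate variables, SECRET_WILDCARD_CERT_VERSION and SECRET_WILDCARD_KEY_VERSION; state explicitly that the version passed to `abra app secrets insert` must equal the corresponding *_VERSION value, because the compose file derives the secret name from it and a mismatch only shows up as a failed deploy. Two smaller points: `{myapp.example.coop}` reads like shell brace syntax, `<myapp.example.coop>` is the clearer placeholder; and passing `"$(cat /path/to/privkey.pem)"` as a command argument exposes the private key in the process list and the shell history, so the comment should recommend a file- or stdin-based way of feeding the secret if abra offers one.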
abra.sh (4)
@ -1,3 +1,3 @@
export TRAEFIK_YML_VERSION=v17
export FILE_PROVIDER_YML_VERSION=v8
export TRAEFIK_YML_VERSION=v18
export FILE_PROVIDER_YML_VERSION=v9
export ENTRYPOINT_VERSION=v2
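Review bot: bumping TRAEFIK_YML_VERSION and FILE_PROVIDER_YML_VERSION is the right mechanism, since swarm configs are immutable and changed template content needs a new config name, but this page does not show which template each of the `http:` and `tls:` hunks belongs to. Confirm that both traefik.yml.tmpl and file-provider.yml.tmpl actually changed; bumping a version for an unchanged template only forces a needless config recreation and restart on the next deploy.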
@ -0,0 +1,16 @@
---
version: "3.8"
services:
app:
secrets:
- ssl_cert
- ssl_key
secrets:
ssl_cert:
name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
external: true
ssl_key:
name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
decentral1se
commented
I think you need to make a specific env var for this in the `name: ${STACK_NAME}_ssl_key_${SECRET_SSL_KEY_VERSION}`
I think you need to make a specific env var for this in the `.env.sample` also?
external: true
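Review bot: the `ssl_key` secret is attached with Docker's defaults (mounted at /run/secrets/ssl_key, mode 0444), which does match the keyFile path used in the `tls:` hunk, but the private key should not be world-readable inside the container; use the long form under `services.app.secrets`, i.e. `- source: ssl_key`, `target: ssl_key`, `mode: 0400`, so only the container's root user can read it. Also worth documenting next to `external: true`: a deploy fails until both secrets exist under exactly the names built here, and because swarm secrets are immutable a certificate renewal means inserting a new version and bumping the matching SECRET_WILDCARD_*_VERSION rather than replacing the existing secret in place.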
@ -3,7 +3,7 @@ version: "3.8"
services:
app:
image: "traefik:v2.10.5"
image: "traefik:v2.10.7"
# Note(decentral1se): *please do not* add any additional ports here.
# Doing so could break new installs with port conflicts. Please use
# the usual `compose.$app.yml` approach for any additional ports
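Review bot: the image bump from traefik:v2.10.5 to traefik:v2.10.7 is unrelated to the wildcard-certificate feature named in the title; put it in its own commit so it can be reverted independently, and mention in the description what in the 2.10.6/2.10.7 releases motivates it. Pinning to a full patch version rather than a floating tag is good and should stay.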
@ -25,7 +25,6 @@ http:
security:
headers:
frameDeny: true
sslRedirect: true
decentral1se
commented
Does this break some expectations?
wolcen
commented
```yaml
web:
  address: ":80"
  http:
    redirections:
      entryPoint:
        to: web-secure
```
is the correct method to use/all that is needed. I'm pretty new to traefik still however, so ...🧂
wolcen
commented
For reference, this is the message I was getting:
`level=warning msg="SSLRedirect is deprecated, please use entrypoint redirection instead."`
decentral1se
commented
Great stuff, let's drop that and hope 🏄♀️
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
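Review bot: dropping `sslRedirect: true` from the security headers middleware is correct (Traefik logs it as deprecated, per the warning quoted in the thread), but it moves the HTTP to HTTPS redirect entirely onto the `web` entrypoint's `http.redirections` block, which is not part of this diff; verify the entrypoint definition is present in the deployed traefik.yml, otherwise plain-HTTP requests are served without a redirect. One check on the surviving lines: `stsIncludeSubdomains: true` only has an effect when `stsSeconds` is non-zero, and `stsSeconds` is outside the visible context, so confirm it is set.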
@ -45,3 +44,8 @@ tls:
- CurveP521
- CurveP384
sniStrict: true
{{ if eq (env "WILDCARDS_ENABLED") "1" }}
certificates:
- certFile: /run/secrets/ssl_cert
keyFile: /run/secrets/ssl_key
{{ end }}
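Review bot: this rendering has lost the indentation, so double-check that the templated `certificates:` list sits directly under `tls:` as a sibling of the options block, not nested under the same level as `sniStrict: true`; in the wrong place Traefik will not load the pair into its default certificate store and will silently keep serving its self-signed default. The `{{ if eq (env "WILDCARDS_ENABLED") "1" }}` guard is fine, and `/run/secrets/ssl_cert` / `/run/secrets/ssl_key` match the compose defaults as long as nobody later sets a different `target` on the secrets; a one-line comment above the block pointing at the .env.sample section would make that three-file coupling visible to the next editor.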
> ${STACK_NAME}_ssl_cert_${SECRET_SSL_CERT_VERSION}
> I think you need to make a specific env var for this in the `.env.sample` also?

If I understand you correctly, you are asking to have two version vars? I already included SECRET_WILDCARD_CERT_VERSION, used for both as typically both change for me at the same time.
I guess in theory you could reuse the pwd/key, is that correct, or is it just "best practice" to allow a version var per variable, regardless of anything else?

Generally it's env var per secret, yep. So more convention at this point. But if you feel strongly against, please then document and sure just move on 👍