Error pages

Re coop-cloud/organising#115
chore: publish 2.6.0+v2.11.0 release
2024-04-01 22:56:45 -03:00 · 2024-04-01 22:56:20 -03:00 · 2024-04-01 22:53:56 -03:00 · 2024-04-01 19:49:23 -03:00 · 2024-03-30 17:59:48 -03:00 · 2024-02-16 16:41:57 +01:00
9 changed files with 124 additions and 15 deletions
--- a/.env.sample
+++ b/.env.sample
@ -47,7 +47,20 @@ COMPOSE_FILE="compose.yml"
 #SECRET_GANDIV5_API_KEY_VERSION=v1

 #####################################################################
-# Keycloak log-in                                                   #
+# Manual wildcard certificate insertion                             #
+#####################################################################
+
+# Set wildcards = 1, and uncomment compose_file to enable.
+# Create your certs elsewhere and add them like:
+# abra app secrets insert {myapp.example.coop} ssl_cert v1 "$(cat /path/to/fullchain.pem)"
+# abra app secrets insert {myapp.example.coop} ssl_key v1 "$(cat /path/to/privkey.pem)"
+#WILDCARDS_ENABLED=1
+#SECRET_WILDCARD_CERT_VERSION=v1
+#SECRET_WILDCARD_KEY_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.wildcard.yml"
+
+#####################################################################
+# Authentication                                                    #
 #####################################################################

 ## Enable Keycloak
@ -57,12 +70,19 @@ COMPOSE_FILE="compose.yml"
 #KEYCLOAK_MIDDLEWARE_2_ENABLED=1
 #KEYCLOAK_TFA_SERVICE_2=traefik-forward-auth_app

+## BASIC_AUTH
+## Use httpasswd to generate the secret
+#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
+#BASIC_AUTH=1
+#SECRET_USERSFILE_VERSION=v1
+
 #####################################################################
 # Prometheus metrics                                                #
 #####################################################################

 ## Enable prometheus metrics collection
 ## used used by the coop-cloud monitoring stack
+#COMPOSE_FILE="$COMPOSE_FILE:compose.metrics.yml"
 #METRICS_ENABLED=1

 #####################################################################
@ -111,8 +131,7 @@ COMPOSE_FILE="compose.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_FEDERATION_ENABLED=1

-## BASIC_AUTH
-## Use httpasswd to generate the secret
-#COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
-#BASIC_AUTH=1
-#SECRET_USERSFILE_VERSION=v1
+## "Web alt", an alternative web port
+# NOTE(3wc): as of 2024-04-01 only the `icecast` recipe uses this
+#COMPOSE_FILE="$COMPOSE_FILE:compose.web-alt.yml"
+#WEB_ALT_ENABLED=1
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,3 @@
-export TRAEFIK_YML_VERSION=v16
-export FILE_PROVIDER_YML_VERSION=v8
+export TRAEFIK_YML_VERSION=v20
+export FILE_PROVIDER_YML_VERSION=v10
 export ENTRYPOINT_VERSION=v2
--- a/compose.errors.yml
+++ b/compose.errors.yml
@ -0,0 +1,29 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - "CUSTOM_ERRORS=1"
+    volumes:
+      - "traefik-plugins:/plugins-local/"
+  errors:
+    image: "tarampampam/error-pages:2.27.0"
+    networks:
+      - proxy
+    deploy:
+      labels:
+          - "traefik.enable=true"
+          # use as "fallback" for any non-registered services (with priority below normal)
+          - "traefik.http.routers.${STACK_NAME}-error.rule=HostRegexp(`{host:.+}`)"
+          - "traefik.http.routers.${STACK_NAME}-error.priority=10"
+          - "traefik.http.routers.${STACK_NAME}-error.entrypoints=web-secure"
+          - "traefik.http.routers.${STACK_NAME}-error.tls.certresolver=${LETS_ENCRYPT_ENV}"
+          - "traefik.http.services.${STACK_NAME}-error.loadbalancer.server.port=8080"
+          # "errors" middleware settings
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.status=400-599"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.service=${STACK_NAME}-error"
+          - "traefik.http.middlewares.${STACK_NAME}-error.errors.query=/{status}.html"
+
+volumes:
+  traefik-plugins:
--- a/compose.metrics.yml
+++ b/compose.metrics.yml
@ -0,0 +1,9 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - METRICS_ENABLED
+    ports:
+      - target: 8082
+        published: 8082
+        mode: host
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@ -0,0 +1,7 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - WEB_ALT_ENABLED
+    ports:
+      - "8000:8000"
--- a/compose.wildcard.yml
+++ b/compose.wildcard.yml
@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - ssl_cert
+      - ssl_key
+
+secrets:
+  ssl_cert:
+    name: ${STACK_NAME}_ssl_cert_${SECRET_WILDCARD_CERT_VERSION}
+    external: true
+  ssl_key:
+    name: ${STACK_NAME}_ssl_key_${SECRET_WILDCARD_KEY_VERSION}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: "traefik:v2.10.1"
+    image: "traefik:v2.11.0"
    # Note(decentral1se): *please do not* add any additional ports here.
    # Doing so could break new installs with port conflicts. Please use
    # the usual `compose.$app.yml` approach for any additional ports
@ -47,7 +47,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.service=api@internal"
        - "traefik.http.routers.${STACK_NAME}.middlewares=security@file"
-        - "coop-cloud.${STACK_NAME}.version=2.3.1+v2.10.2"
+        - "coop-cloud.${STACK_NAME}.version=2.6.0+v2.11.0"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"

 networks:
--- a/file-provider.yml.tmpl
+++ b/file-provider.yml.tmpl
@ -1,6 +1,19 @@
 ---
+
 http:
  middlewares:
+    {{ if eq (env "CUSTOM_ERRORS") "1" }}
+    error:
+      plugin:
+        traefik-error-page:
+          debug: "true"
+          contentsOnly: "false"
+          contentsOnlyMatch: "Bad Gateway"
+          query: /{status}.html
+          service: http://{{ env "STACK_NAME" }}_errors:8080
+          status:
+            - 502
+    {{ end }}
    {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
    keycloak:
      forwardAuth:
@ -25,7 +38,6 @@ http:
    security:
      headers:
        frameDeny: true
-        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
@ -45,3 +57,8 @@ tls:
        - CurveP521
        - CurveP384
      sniStrict: true
+  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
+  certificates:
+    - certFile: /run/secrets/ssl_cert
+      keyFile: /run/secrets/ssl_key
+  {{ end }}
--- a/traefik.yml.tmpl
+++ b/traefik.yml.tmpl
@ -24,10 +24,6 @@ api:
 entrypoints:
  web:
    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: web-secure
  web-secure:
    address: ":443"
  {{ if eq (env "GITEA_SSH_ENABLED") "1" }}
@ -46,6 +42,10 @@ entrypoints:
  peertube-rtmp:
    address: ":1935"
  {{ end }}
+  {{ if eq (env "WEB_ALT_ENABLED") "1" }}
+  web-alt:
+    address: ":8000"
+  {{ end }}
  {{ if eq (env "SSB_MUXRPC_ENABLED") "1" }}
  ssb-muxrpc:
    address: ":8008"
@ -67,6 +67,9 @@ entrypoints:
  {{ if eq (env "METRICS_ENABLED") "1" }}
  metrics:
    address: ":8082"
+    http:
+      middlewares:
+        - basicauth@file
  {{ end }}
  {{ if eq (env "MATRIX_FEDERATION_ENABLED") "1" }}
  matrix-federation:
@ -80,6 +83,8 @@ ping:
 metrics:
  prometheus:
    entryPoint: metrics
+    addRoutersLabels: true
+    addServicesLabels: true
 {{ end }}

 certificatesResolvers:
@ -110,3 +115,10 @@ certificatesResolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
      {{ end }}
+
+{{ if eq (env "CUSTOM_ERRORS") "1" }}
+experimental:
+  localplugins:
+    traefik-error-page:
+      moduleName: "github.com/3-w-c/traefik-error-page"
+{{ end }}
Author	SHA1	Message	Date
3wc	c5fd144ff0	Error pages Re coop-cloud/organising#115	2024-04-01 22:56:45 -03:00
3wc	2db2f71a80	chore: publish 2.6.0+v2.11.0 release	2024-04-01 22:56:20 -03:00
3wc	c558e1dbdb	Ditch DISABLE_HTTPS_REDIRECT	2024-04-01 22:53:56 -03:00
3wc	edc29f9594	Add "web-alt" entrypoint (mostly for Icecast)	2024-04-01 19:49:23 -03:00
3wc	f7f77dc942	Add support for unencrypted HTTP apps (please don't use this 😢)	2024-03-30 17:59:48 -03:00
p4u1	ecc12b2b68	chore: publish 2.5.0+v2.11.0 release	2024-02-16 16:41:57 +01:00
decentral1se	a0e70f33be	Merge pull request 'Add support for externally-sourced wildcard certificates' (#45 ) from wolcen/traefik:master into master Reviewed-on: coop-cloud/traefik#45 Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>	2024-01-12 20:48:03 +00:00
Chris (wolcen) Thompson	e3c1df83fa	chore(security): update traefik to 2.10.7 Addresses two CVE fixes from 2.10.6	2024-01-11 21:47:59 -05:00
Chris (wolcen) Thompson	998190f684	feat: add distinct version for wildcard key secret	2024-01-11 21:47:50 -05:00
Chris (wolcen) Thompson	cd92c909ba	docs: correct secret insertion examples	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	64351c27d1	fix: deprecation warning - handled by redirect under web already	2024-01-11 21:47:04 -05:00
Chris (wolcen) Thompson	f4b05fd87f	Bump file revisions for wildcard support	2024-01-11 21:45:32 -05:00
Chris (wolcen) Thompson	3c5333ba71	feat: add support for wildcard certs via secrets	2024-01-11 21:45:05 -05:00
3wc	5f2fd0bf37	chore: publish 2.4.3+v2.10.5 release	2023-10-16 13:16:09 +01:00
3wc	ac3a47fe8c	chore: publish 2.4.2+v2.10.4 release	2023-07-25 17:19:22 +01:00
Philipp Rothmann	1e02f358ed	chore: publish 2.4.1+v2.10.3 release	2023-07-10 09:51:42 +02:00
Philipp Rothmann	6cdcc25384	chore: publish 2.4.0+v2.10.1 release	2023-05-25 13:40:08 +02:00
Philipp Rothmann	d2b7b671f5	feat: use host mode port networking	2023-05-25 13:34:35 +02:00
Philipp Rothmann	c9d80df34d	feat: enable public facing metrics	2023-05-25 13:34:34 +02:00