Verified Commit 0ce0d64f authored by Gabriel Zachmann's avatar Gabriel Zachmann

adapt docker swarm proxy setup

parent 7c94835d
......@@ -8,7 +8,6 @@ services:
- source: mytoken_config
target: /etc/mytoken/config.yaml
volumes:
- ${MYTOKEN_CERTCHAIN}:/mytoken/certchain.pem:ro
- ${MYTOKEN_GEOIPDB}:/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN:ro
- ${MYTOKEN_LOGS_DIR}:/mytoken/logs
secrets:
......@@ -17,25 +16,13 @@ services:
- ssh_host_ed25519_key
- ssh_host_rsa_key
- db_password
- cert
networks:
- frontend
- backend
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
- target: 2222
published: 2222
mode: host
# environment:
# - WAIT_FOR_NODES=db:3306
- proxy
deploy:
mode: replicated
# replicas: 3
replicas: 2
placement:
max_replicas_per_node: 1
restart_policy:
......@@ -111,7 +98,7 @@ services:
- db_replication_password
deploy:
mode: replicated
# replicas: 3
replicas: 2
placement:
max_replicas_per_node: 1
restart_policy:
......@@ -128,7 +115,43 @@ services:
interval: 15s
timeout: 5s
retries: 6
command: ["/opt/bitnami/scripts/mariadb-galera/entrypoint.sh", "/opt/bitnami/scripts/mariadb-galera/run.sh"]
command: [ "/opt/bitnami/scripts/mariadb-galera/entrypoint.sh", "/opt/bitnami/scripts/mariadb-galera/run.sh" ]
proxy:
image: haproxy
sysctls:
- net.ipv4.ip_unprivileged_port_start=0
configs:
- source: haproxy_config
target: /usr/local/etc/haproxy/haproxy.cfg
secrets:
- cert_full
networks:
- proxy
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
deploy:
mode: replicated
replicas: 2
placement:
max_replicas_per_node: 1
restart_policy:
condition: any
delay: 10s
window: 60s
rollback_config:
parallelism: 1
delay: 15s
update_config:
parallelism: 1
delay: 30s
monitor: 15s
failure_action: rollback
migrate:
image: oidcmytoken/mytoken-migratedb
......@@ -166,14 +189,21 @@ services:
networks:
frontend:
backend:
proxy:
configs:
mytoken_config:
file: ${MYTOKEN_CONFIG_FILE}
haproxy_config:
file: ${HAPROXY_CONFIG_FILE}
secrets:
cert:
file: ${SECRET_CERT}
cert_key:
file: ${SECRET_CERT_KEY}
cert_chain:
file: ${CERT_CHAIN}
cert_full:
file: ${SECRET_CERT_FULL}
mytoken_signing_key:
file: ${SECRET_MYTOKEN_SIGNING_KEY}
db_password:
......
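Review bot: The new `proxy` network is declared bare (`proxy:` with no driver options), yet it now carries the proxy→mytoken hop in plaintext — this same commit comments out mytoken's own `cert`/`key` — and with `max_replicas_per_node: 1` on both the `proxy` and `mytoken` services that hop routinely crosses hosts; a swarm overlay network is not encrypted unless it is created with the `encrypted` option, so bearer tokens on `mytoken:80` and the SSH stream on `:2222` would travel between nodes in the clear. Declare the network with encryption enabled, e.g. `proxy: {driver: overlay, driver_opts: {encrypted: ""}}` (the presence of the key turns on IPsec), or keep TLS on the mytoken listener for the internal hop. Separately, `image: haproxy` is unpinned, so a redeploy may silently pull a different HAProxy release; pin a tag or digest as the other images presumably are. The `secrets:` stanza at the end of the file runs past the last hunk, so I may not be seeing all of its entries.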
......@@ -6,9 +6,10 @@ DB_DATA_DIR=/home/mytoken/mytoken/db
MYTOKEN_CONFIG_FILE=/home/mytoken/mytoken/config.yaml
MYTOKEN_GEOIPDB=/home/mytoken/mytoken/IP2LOCATION-LITE-DB1.IPV6.BIN
MYTOKEN_LOGS_DIR=/home/mytoken/mytoken/logs
MYTOKEN_CERTCHAIN=/home/mytoken/mytoken/certchain.pem
SECRET_CERT=/home/mytoken/mytoken/cert.key.pem
CERT_CHAIN=/home/mytoken/mytoken/certchain.pem
SECRET_CERT_KEY=/home/mytoken/mytoken/cert.key.pem
SECRET_CERT_FULL=/home/mytoken/mytoken/cert.full.pem
SECRET_MYTOKEN_SIGNING_KEY=/home/mytoken/mytoken/mytoken.signing.key
SECRET_SSH_HOST_ECDSA_KEY=/home/mytoken/mytoken/ssh_host_ecdsa_key
SECRET_SSH_HOST_ED25519_KEY=/home/mytoken/mytoken/ssh_host_ed25519_key
......
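Review bot: `SECRET_CERT_FULL` points at `cert.full.pem`, which HAProxy's `crt` option normally expects to contain the private key together with the certificate and chain, so this introduces a second copy of the key material next to `cert.key.pem` and it needs the same ownership, mode and rotation handling. A comment would make that explicit, e.g. `# cert.full.pem: cert + chain + private key for HAProxy crt — protect like cert.key.pem`. `SECRET_CERT` and `SECRET_CERT_KEY` both resolve to the same `cert.key.pem`; if `SECRET_CERT` has no consumer left after this change, dropping it avoids two names for one key.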
......@@ -21,11 +21,11 @@ server:
# Unless false port 80 is redirected to 443
redirect_http: true
# The TLS certificate file
cert: /mytoken/certchain.pem
#cert: /mytoken/certchain.pem
# The TLS certificate key file
key: /run/secrets/cert
#key: /run/secrets/cert
# If behind a load balancer or reverse proxy, set this option. Mytoken will read the client's ip address from this header.
# proxy_header: "X-FORWARDED-FOR"
proxy_header: "X-FORWARDED-FOR"
# Configure the request limits (these are per IP)
request_limits:
# Unless false request limits are enabled
......@@ -177,7 +177,7 @@ features:
enabled: true
# If true the haproxy proxy protocl (https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt) is used to
# receive client information, i.e. the client's ip from the proxy; the proxy must support this
use_proxy_protocol: false
use_proxy_protocol: true
# The ssh private key files of the server
keys:
- /run/secrets/ssh_host_ecdsa_key
......
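Review bot: With `cert` and `key` commented out mytoken now serves plain HTTP to the proxy, but `redirect_http: true` is left enabled two lines above; please confirm that the redirect is suppressed when no TLS listener is configured, otherwise every request HAProxy forwards to `mytoken:80` would be answered with a 301 to https and loop back through the proxy. A comment on the server block would document the new topology for the next reader: `# TLS is terminated by the haproxy service; this listener is plain HTTP on the internal proxy network`. Note that enabling `proxy_header` makes the client IP — and therefore the per-IP `request_limits` right below — depend entirely on a request header, so port 80 of mytoken must remain reachable only from the proxy (no published port, shared overlay network only); the config shows no trusted-proxy list that would otherwise bound this. Both the `server:` and `features:` blocks extend beyond the hunks shown.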
......@@ -34,7 +34,7 @@ defaults
frontend fe_mytoken
mode http
bind :443 ssl crt /run/secrets/cert alpn h2,http/1.1
bind :443 ssl crt /run/secrets/cert_full alpn h2,http/1.1
bind :80
redirect scheme https code 301 if !{ ssl_fc }
http-response set-header Strict-Transport-Security max-age=63072000
......@@ -52,18 +52,12 @@ frontend fe_mytoken_ssh
tcp-request content accept if { req_ssl_hello_type 1 }
backend be_mytoken
balance roundrobin
option forwardfor
server mytoken_1 mytoken_1:80 check resolvers docker init-addr libc,none
server mytoken_2 mytoken_2:80 check resolvers docker init-addr libc,none
server mytoken_3 mytoken_3:80 check resolvers docker init-addr libc,none
server mytoken mytoken:80 check resolvers docker init-addr libc,none
backend be_mytoken_ssh
mode tcp
balance roundrobin
server mytoken_ssh_1 mytoken_1:2222 check resolvers docker init-addr libc,none send-proxy
server mytoken_ssh_2 mytoken_2:2222 check resolvers docker init-addr libc,none send-proxy
server mytoken_ssh_3 mytoken_3:2222 check resolvers docker init-addr libc,none send-proxy
server mytoken_ssh mytoken:2222 check resolvers docker init-addr libc,none send-proxy
frontend stat
bind :8888
......
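Review bot: `option forwardfor` in `be_mytoken` adds HAProxy's own X-Forwarded-For header but does not remove one supplied by the client, so a request carrying a forged `X-Forwarded-For` reaches mytoken with two such headers; since mytoken now takes the client IP from this header and keys its per-IP request limits on it, a backend that reads the first header value would let the client choose its own "IP". Strip or overwrite the client-supplied header before forwarding, e.g. `http-request del-header X-Forwarded-For` in `fe_mytoken`, or replace `option forwardfor` with `http-request set-header X-Forwarded-For %[src]` in the backend. Which value mytoken picks when several headers are present is not visible here, so treat this as a must-verify rather than a confirmed bypass. The `:2222` backend's `send-proxy` matches `use_proxy_protocol: true` on the mytoken side, so that path is consistent.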