Add permanent redirect to https

.env.traefik.remote

@@ -26,35 +26,35 @@ JS_REPORT_PACKAGE_PATH=
 # KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
 KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
 
-OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_CORE_MEDIATOR_HOSTNAME=domain
 OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
 
 # Reverse Proxy - Nginx
 REVERSE_PROXY_INSTANCES=1
-DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
-SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
+DOMAIN_NAME=domain
+SUBDOMAINS=openhimcomms.domain,openhimcore.domain,openhimconsole.domain,kibana.domain,reports.domain,santewww.domain,santempi.domain,superset.domain,keycloak.domain,grafana.domain,minio.domain,jempi-web.domain,jempi-api.domain
 STAGING=false
 INSECURE=false
 
 # Identity Access Manager - Keycloak
-KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
-KC_GRAFANA_ROOT_URL=https://grafana.<domain>
-KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
-KC_SUPERSET_ROOT_URL=https://superset.<domain>
-KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
-GF_SERVER_DOMAIN=grafana.<domain>
-
-REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
+KC_FRONTEND_URL=https://keycloak.domain
+KC_GRAFANA_ROOT_URL=https://grafana.domain
+KC_JEMPI_ROOT_URL=https://jempi-web.domain
+KC_SUPERSET_ROOT_URL=https://superset.domain
+KC_OPENHIM_ROOT_URL=https://domain
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.domain
 REACT_APP_JEMPI_BASE_API_PORT=443
-OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
-OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_CONSOLE_BASE_URL=https://domain
+OPENHIM_API_HOST=https://domain/openhimcomms
 OPENHIM_API_PORT=443/openhimcomms
-OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_HOST_NAME=domain
 CERT_RESOLVER=le
 CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
 OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
 OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
-GF_SERVER_ROOT_URL=https://<domain>/grafana
-GF_SERVER_DOMAIN=<domain>
-MINIO_BROWSER_REDIRECT_URL=https://<domain>/minio
-DOMAIN_NAME_HOST_TRAEFIK=<domain>
+GF_SERVER_ROOT_URL=https://domain/grafana
+GF_SERVER_DOMAIN=domain
+MINIO_BROWSER_REDIRECT_URL=https://domain/minio
+DOMAIN_NAME_HOST_TRAEFIK=domain
+GF_SERVER_SERVE_FROM_SUB_PATH=true

client-registry-jempi/docker-compose.api.yml

@@ -30,6 +30,13 @@ services:
         - traefik.http.routers.jempi-api.service=jempi-api
         - traefik.http.services.jempi-api.loadbalancer.server.port=50000
         - traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.jempi-api.entrypoints=websecure
+        - traefik.http.routers.jempi-api.tls=true
+        - traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.services.jempi-api.loadbalancer.server.scheme=http
+        - traefik.http.middlewares.jempi-api-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.jempi-api-redirect.redirectscheme.permanent=true
+
       resources:
         limits:
           memory: ${JEMPI_API_MEMORY_LIMIT}
@@ -43,6 +50,7 @@ services:
       jempi:
       postgres:
 
+
   jempi-api-kc:
     image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG}
     environment:
@@ -89,9 +97,11 @@ services:
       jempi:
       postgres:
 
+
 volumes:
   jempi-shared-data:
 
+
 networks:
   reverse-proxy:
     name: reverse-proxy_public

client-registry-jempi/docker-compose.web.yml

@@ -21,6 +21,13 @@ services:
         - traefik.http.routers.jempi-web.service=jempi-web
         - traefik.http.services.jempi-web.loadbalancer.server.port=3000
         - traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.jempi-web.entrypoints=websecure
+        - traefik.http.routers.jempi-web.tls=true
+        - traefik.http.routers.jempi-web.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.services.jempi-web.loadbalancer.server.scheme=http
+        - traefik.http.middlewares.jempi-web-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.jempi-web-redirect.redirectscheme.permanent=true
+
       placement:
         max_replicas_per_node: 1
       resources:
@@ -34,6 +41,7 @@ services:
       keycloak:
       default:
 
+
 networks:
   reverse-proxy:
     name: reverse-proxy_public

dashboard-visualiser-superset/docker-compose.yml

@@ -9,6 +9,13 @@ services:
         - traefik.docker.network=reverse-proxy-traefik_public
         - traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
         - traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.port=8088
+        - traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.scheme=http
+        - traefik.http.routers.dashboard-visualiser-superset.entrypoints=websecure
+        - traefik.http.routers.dashboard-visualiser-superset.tls=true
+        - traefik.http.routers.dashboard-visualiser-superset.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.routers.dashboard-visualiser-superset.middlewares=dashboard-visualiser-superset-redirect
+        - traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.permanent=true
     environment:
       KC_SUPERSET_SSO_ENABLED: ${KC_SUPERSET_SSO_ENABLED}
       KC_SUPERSET_CLIENT_ID: ${KC_SUPERSET_CLIENT_ID}
@@ -46,6 +53,7 @@ services:
       postgres:
       default:
 
+
 configs:
   superset_config.py:
     file: ./config/superset_config.py
@@ -71,6 +79,7 @@ configs:
 volumes:
   superset_home:
 
+
 networks:
   clickhouse:
     name: clickhouse_public

identity-access-manager-keycloak/docker-compose.yml

@@ -55,6 +55,9 @@ services:
         - traefik.http.routers.identity-access-manager-keycloak.tls=true
         - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
         - traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
+        - traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.permanent=true
+
     networks:
       reverse-proxy:
       public:

interoperability-layer-openhim/docker-compose.yml

@@ -52,7 +52,7 @@ services:
         - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
         - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
         - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
-        - traefik.http.routers.openhimcomms.tls.certresolver=le
+        - traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER-le}
         - traefik.http.routers.openhimcore.service=openhimcore
         - traefik.http.services.openhimcore.loadbalancer.server.port=5000
         - traefik.http.services.openhimcore.loadbalancer.server.scheme=https
@@ -61,10 +61,7 @@ services:
         - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
         - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
         - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
-        - traefik.http.routers.openhimcore.tls.certresolver=le
-
-
-
+        - traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER-le}
 
   openhim-console:
     image: ${OPENHIM_CONSOLE_IMAGE}
@@ -97,6 +94,9 @@ services:
         - traefik.http.routers.openhim-console.tls=true
         - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
         - traefik.http.services.openhim-console.loadbalancer.server.port=80
+        - traefik.http.middlewares.openhim-console-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.openhim-console-redirect.redirectscheme.permanent=true
+
       placement:
         max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}
       resources:

monitoring/docker-compose.yml

@@ -10,13 +10,17 @@ services:
         - traefik.enable=true
         - traefik.docker.network=reverse-proxy-traefik_public
         - traefik.http.routers.grafana.service=grafana
+        - traefik.http.services.grafana.loadbalancer.server.port=3000
         - traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
         - traefik.http.routers.grafana.tls=true
         - traefik.http.services.grafana.loadbalancer.server.scheme=http
         - traefik.http.routers.grafana.entrypoints=websecure
-        - traefik.http.routers.grafana.tls.certresolver=le
+        - traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER-le}
         - traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
         - traefik.http.routers.grafana.middlewares=grafana-stripprefix
+        - traefik.http.middlewares.grafana-redirect.redirectscheme.scheme=https
+        - traefik.http.middlewares.grafana-redirect.redirectscheme.permanent=true
+
     environment:
       GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
       GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
@@ -42,8 +46,8 @@ services:
       GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
       GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
-      GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
-      GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
+      GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
+      GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}
       GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
       GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
     configs:

reverse-proxy-traefik/docker-compose.yml

@@ -46,6 +46,7 @@ services:
         - traefik.http.services.openhim-console.loadbalancer.server.port=8080
 
         - traefik.http.middlewares.to-https.redirectscheme.scheme=https
+        - traefik.http.middlewares.to-https.redirectscheme.permanent=true
         - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}
 
       placement: