From b210382ea6944a155d21e70006cfb1f811ced609 Mon Sep 17 00:00:00 2001
From: drono
Date: Wed, 14 Aug 2024 09:52:31 +0300
Subject: [PATCH] Add permanent redirect to https
---
.env.traefik.remote | 36 +++++++++----------
client-registry-jempi/docker-compose.api.yml | 10 ++++++
client-registry-jempi/docker-compose.web.yml | 8 +++++
.../docker-compose.yml | 9 +++++
.../docker-compose.yml | 3 ++
.../docker-compose.yml | 10 +++---
monitoring/docker-compose.yml | 10 ++++--
reverse-proxy-traefik/docker-compose.yml | 1 +
8 files changed, 61 insertions(+), 26 deletions(-)
diff --git a/.env.traefik.remote b/.env.traefik.remote
index c5902e65..bac2e328 100644
--- a/.env.traefik.remote
+++ b/.env.traefik.remote
@@ -26,35 +26,35 @@ JS_REPORT_PACKAGE_PATH=
# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
-OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_CORE_MEDIATOR_HOSTNAME=domain
OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
# Reverse Proxy - Nginx
REVERSE_PROXY_INSTANCES=1
-DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
-SUBDOMAINS=openhimcomms.,openhimcore.,openhimconsole.,kibana.,reports.,santewww.,santempi.,superset.,keycloak.,grafana.,minio.,jempi-web.,jempi-api.
+DOMAIN_NAME=domain
+SUBDOMAINS=openhimcomms.domain,openhimcore.domain,openhimconsole.domain,kibana.domain,reports.domain,santewww.domain,santempi.domain,superset.domain,keycloak.domain,grafana.domain,minio.domain,jempi-web.domain,jempi-api.domain
STAGING=false
INSECURE=false
# Identity Access Manager - Keycloak
-KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
-KC_GRAFANA_ROOT_URL=https://grafana.
-KC_JEMPI_ROOT_URL=https://jempi-web.
-KC_SUPERSET_ROOT_URL=https://superset.
-KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
-GF_SERVER_DOMAIN=grafana.
-
-REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.
+KC_FRONTEND_URL=https://keycloak.domain
+KC_GRAFANA_ROOT_URL=https://grafana.domain
+KC_JEMPI_ROOT_URL=https://jempi-web.domain
+KC_SUPERSET_ROOT_URL=https://superset.domain
+KC_OPENHIM_ROOT_URL=https://domain
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.domain
REACT_APP_JEMPI_BASE_API_PORT=443
-OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
-OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_CONSOLE_BASE_URL=https://domain
+OPENHIM_API_HOST=https://domain/openhimcomms
OPENHIM_API_PORT=443/openhimcomms
-OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_HOST_NAME=domain
CERT_RESOLVER=le
CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
-GF_SERVER_ROOT_URL=https:///grafana
-GF_SERVER_DOMAIN=
-MINIO_BROWSER_REDIRECT_URL=https:///minio
-DOMAIN_NAME_HOST_TRAEFIK=
+GF_SERVER_ROOT_URL=https://domain/grafana
+GF_SERVER_DOMAIN=domain
+MINIO_BROWSER_REDIRECT_URL=https://domain/minio
+DOMAIN_NAME_HOST_TRAEFIK=domain
+GF_SERVER_SERVE_FROM_SUB_PATH=true
diff --git a/client-registry-jempi/docker-compose.api.yml b/client-registry-jempi/docker-compose.api.yml
index e216624a..928f2a9c 100644
--- a/client-registry-jempi/docker-compose.api.yml
+++ b/client-registry-jempi/docker-compose.api.yml
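Review bot: `KC_GRAFANA_ROOT_URL=https://grafana.domain` and `GF_SERVER_ROOT_URL=https://domain/grafana` now disagree about where Grafana lives: Keycloak is told the Grafana client sits on a `grafana.` subdomain, while Grafana itself (and the Traefik router in monitoring/docker-compose.yml in this same patch, Host(DOMAIN) && PathPrefix(/grafana)) serves under a path on the apex host. Any redirect_uri or post-logout URI that Keycloak checks against `KC_GRAFANA_ROOT_URL` will point at a host no router answers, so the OIDC round-trip either dead-ends or is rejected; `KC_GRAFANA_ROOT_URL=https://domain/grafana` is the value consistent with `GF_SERVER_ROOT_URL`, and `grafana.domain` (likewise `minio.domain`, given `MINIO_BROWSER_REDIRECT_URL=https://domain/minio`) should then drop out of `SUBDOMAINS` unless a subdomain router actually exists. Separately, `CA_SERVER` stays on Let's Encrypt production while every hostname is the literal placeholder `domain`; a deployment that forgets to substitute it will fail ACME issuance and, as far as I know, Traefik then silently serves its self-signed default certificate, so a comment such as `# replace "domain" with the real FQDN before deploying; CA_SERVER is the production ACME endpoint` above `DOMAIN_NAME` would save someone a confusing afternoon.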
@@ -30,6 +30,13 @@ services:
- traefik.http.routers.jempi-api.service=jempi-api
- traefik.http.services.jempi-api.loadbalancer.server.port=50000
- traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+ - traefik.http.routers.jempi-api.entrypoints=websecure
+ - traefik.http.routers.jempi-api.tls=true
+ - traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER}
+ - traefik.http.services.jempi-api.loadbalancer.server.scheme=http
+ - traefik.http.middlewares.jempi-api-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.jempi-api-redirect.redirectscheme.permanent=true
+
resources:
limits:
memory: ${JEMPI_API_MEMORY_LIMIT}
@@ -43,6 +50,7 @@ services:
jempi:
postgres:
+
jempi-api-kc:
image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG}
environment:
@@ -89,9 +97,11 @@ services:
jempi:
postgres:
+
volumes:
jempi-shared-data:
+
networks:
reverse-proxy:
name: reverse-proxy_public
diff --git a/client-registry-jempi/docker-compose.web.yml b/client-registry-jempi/docker-compose.web.yml
index 130d57ef..685da0e1 100644
--- a/client-registry-jempi/docker-compose.web.yml
+++ b/client-registry-jempi/docker-compose.web.yml
@@ -21,6 +21,13 @@ services:
- traefik.http.routers.jempi-web.service=jempi-web
- traefik.http.services.jempi-web.loadbalancer.server.port=3000
- traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+ - traefik.http.routers.jempi-web.entrypoints=websecure
+ - traefik.http.routers.jempi-web.tls=true
+ - traefik.http.routers.jempi-web.tls.certresolver=${CERT_RESOLVER}
+ - traefik.http.services.jempi-web.loadbalancer.server.scheme=http
+ - traefik.http.middlewares.jempi-web-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.jempi-web-redirect.redirectscheme.permanent=true
+
placement:
max_replicas_per_node: 1
resources:
@@ -34,6 +41,7 @@ services:
keycloak:
default:
+
networks:
reverse-proxy:
name: reverse-proxy_public
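Review bot: The `jempi-api-redirect` middleware added in the first hunk is declared but never attached — there is no `traefik.http.routers.jempi-api.middlewares=jempi-api-redirect` label — so Traefik registers it and no request ever passes through it. Attaching it to this router would not help either, because the router is pinned to `entrypoints=websecure` and therefore never sees the plaintext requests a redirectscheme middleware exists to catch. The redirect the commit message promises has to live on the plaintext side: either an entrypoint-level redirection in the Traefik static config (`entrypoints.web.http.redirections.entrypoint.to=websecure`, not visible in this diff), or a second router on `web` carrying this middleware, e.g. `- traefik.http.routers.jempi-api-http.rule=Host(...)` with the same Host expression, `- traefik.http.routers.jempi-api-http.entrypoints=web` and `- traefik.http.routers.jempi-api-http.middlewares=jempi-api-redirect`. Until one of those exists these labels are dead configuration and give a false impression that the API is redirect-protected, so I would either wire them up or drop them.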
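Review bot: `tls.certresolver=${CERT_RESOLVER}` on the jempi-web router has no fallback, whereas the openhim and monitoring hunks of this same patch use `${CERT_RESOLVER-le}`; if `CERT_RESOLVER` is unset the label collapses to `certresolver=` and, with `tls=true`, Traefik silently serves its self-signed default certificate for jempi-web instead of failing loudly. Pick one form for the whole commit — `${CERT_RESOLVER:-le}` also covers the empty-string case — and apply it to the jempi-api, superset and keycloak routers too. The `jempi-web-redirect` middleware has the same problem as jempi-api's: it is never listed in a `routers.jempi-web.middlewares=` label and the router is websecure-only, so it redirects nothing.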
diff --git a/dashboard-visualiser-superset/docker-compose.yml b/dashboard-visualiser-superset/docker-compose.yml
index 36c35097..833dcd41 100644
--- a/dashboard-visualiser-superset/docker-compose.yml
+++ b/dashboard-visualiser-superset/docker-compose.yml
@@ -9,6 +9,13 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.port=8088
+ - traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.scheme=http
+ - traefik.http.routers.dashboard-visualiser-superset.entrypoints=websecure
+ - traefik.http.routers.dashboard-visualiser-superset.tls=true
+ - traefik.http.routers.dashboard-visualiser-superset.tls.certresolver=${CERT_RESOLVER}
+ - traefik.http.routers.dashboard-visualiser-superset.middlewares=dashboard-visualiser-superset-redirect
+ - traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.permanent=true
environment:
KC_SUPERSET_SSO_ENABLED: ${KC_SUPERSET_SSO_ENABLED}
KC_SUPERSET_CLIENT_ID: ${KC_SUPERSET_CLIENT_ID}
@@ -46,6 +53,7 @@ services:
postgres:
default:
+
configs:
superset_config.py:
file: ./config/superset_config.py
@@ -71,6 +79,1 @@ configs:
volumes:
superset_home:
+
networks:
clickhouse:
name: clickhouse_public
diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml
index b3d99f88..c81b2884 100644
--- a/identity-access-manager-keycloak/docker-compose.yml
+++ b/identity-access-manager-keycloak/docker-compose.yml
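Review bot: `routers.dashboard-visualiser-superset.middlewares=dashboard-visualiser-superset-redirect` attaches the redirectscheme middleware to a router restricted to `entrypoints=websecure`, so every request it handles already arrived over TLS and the middleware has nothing to redirect; the plaintext-to-HTTPS redirect needs a router on the `web` entrypoint, or an entrypoint-level redirection in Traefik's static config, neither of which is visible in this diff. With `server.scheme=http` Traefik speaks plain HTTP to Superset on 8088, so Superset only learns it is behind TLS from `X-Forwarded-Proto`; unless `superset_config.py` enables Flask's proxy fix the OAuth redirect_uri it hands to Keycloak may be built with `http://`, which is worth confirming now that HTTPS is meant to be the only way in. Minor style point: the label order here (scheme, entrypoints, tls, certresolver, middlewares) differs from the jempi hunks (entrypoints, tls, certresolver, scheme), and one order across services keeps these blocks greppable.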
@@ -55,6 +55,9 @@ services:
- traefik.http.routers.identity-access-manager-keycloak.tls=true
- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
+ - traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.permanent=true
+
networks:
reverse-proxy:
public:
diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml
index 59a1d95e..86b5b88c 100644
--- a/interoperability-layer-openhim/docker-compose.yml
+++ b/interoperability-layer-openhim/docker-compose.yml
@@ -52,7 +52,7 @@ services:
- traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
- traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
- traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
- - traefik.http.routers.openhimcomms.tls.certresolver=le
+ - traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER-le}
- traefik.http.routers.openhimcore.service=openhimcore
- traefik.http.services.openhimcore.loadbalancer.server.port=5000
- traefik.http.services.openhimcore.loadbalancer.server.scheme=https
@@ -61,10 +61,7 @@ services:
- traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
- traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
- traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
- - traefik.http.routers.openhimcore.tls.certresolver=le
-
-
-
+ - traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER-le}
openhim-console:
image: ${OPENHIM_CONSOLE_IMAGE}
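Review bot: The `identity-access-manager-keycloak-redirect` middleware is declared but no `routers.identity-access-manager-keycloak.middlewares=` label references it, and the router two lines above is `entrypoints=websecure` only, so the two new labels change nothing: a plain `http://` request for the Keycloak host is not redirected, it simply matches no router. For the identity provider that is worth fixing rather than leaving, since a user or client that lands on the plaintext URL gets a Traefik 404 instead of being steered to HTTPS. Either remove the labels or add the plaintext-side router that would use them — a `...-keycloak-http` router with the same Host rule as the websecure router (that rule is outside this hunk), `.entrypoints=web` and `.middlewares=identity-access-manager-keycloak-redirect` — or, simpler and uniform across all services, an entrypoint-level redirection in the Traefik static config.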
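Review bot: `${CERT_RESOLVER-le}` on the openhimcore router only substitutes `le` when `CERT_RESOLVER` is unset; an empty value (`CERT_RESOLVER=` in an env file) passes through as `certresolver=` and the router quietly falls back to Traefik's default self-signed certificate. `${CERT_RESOLVER:-le}` covers both cases, and the same form belongs in the openhimcomms hunk above and on the jempi, superset and keycloak routers, which this patch leaves as bare `${CERT_RESOLVER}` with no default at all. Note also that openhimcomms and openhimcore receive no redirect middleware in this commit while every other service does; as path-prefix routers on the apex host they would be covered by an entrypoint-level redirect, which is the one mechanism that would deliver the commit message's promise for all services at once.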
@@ -97,6 +94,9 @@ services:
- traefik.http.routers.openhim-console.tls=true
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
- traefik.http.services.openhim-console.loadbalancer.server.port=80
+ - traefik.http.middlewares.openhim-console-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.openhim-console-redirect.redirectscheme.permanent=true
+
placement:
max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}
resources:
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 904e4886..38f0ee42 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -10,13 +10,17 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.grafana.service=grafana
+ - traefik.http.services.grafana.loadbalancer.server.port=3000
- traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.tls=true
- traefik.http.services.grafana.loadbalancer.server.scheme=http
- traefik.http.routers.grafana.entrypoints=websecure
- - traefik.http.routers.grafana.tls.certresolver=le
+ - traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER-le}
- traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
- traefik.http.routers.grafana.middlewares=grafana-stripprefix
+ - traefik.http.middlewares.grafana-redirect.redirectscheme.scheme=https
+ - traefik.http.middlewares.grafana-redirect.redirectscheme.permanent=true
+
environment:
GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
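Review bot: `openhim-console-redirect` is declared but not attached (there is no `routers.openhim-console.middlewares=` label), so it is inert. Unlike the jempi, superset and keycloak routers, this router's `entrypoints` setting is not in the hunk; if openhim-console is not pinned to `websecure` it listens on every entrypoint and adding `- traefik.http.routers.openhim-console.middlewares=openhim-console-redirect` would actually redirect plaintext requests (Traefik only redirects when the scheme differs, so HTTPS requests pass through) — please confirm the entrypoint setting before relying on that. Also, this rule uses `Host(${DOMAIN_NAME})` while every other router in this patch uses `${DOMAIN_NAME_HOST_TRAEFIK}`; both are `domain` in .env.traefik.remote today, but two variables for one host is how Host rules drift apart.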
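Review bot: This hunk keeps `routers.grafana.middlewares=grafana-stripprefix` while the .env hunk in the same patch turns on `GF_SERVER_SERVE_FROM_SUB_PATH=true` with `GF_SERVER_ROOT_URL=https://domain/grafana`; with serve_from_sub_path enabled Grafana expects the `/grafana` prefix to reach it intact, so stripping it at Traefik produces, in my experience, a redirect loop or 404s on the login page — keep exactly one of the two (drop the stripprefix middleware, or leave the setting false). The new `grafana-redirect` middleware is also not in the router's middleware list — a router carries one such label, so it would have to read `middlewares=grafana-stripprefix,grafana-redirect` — and the router is websecure-only, so it redirects nothing either way. Adding `server.port=3000` explicitly is a good change: it removes the dependency on whatever port the image happens to expose.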
@@ -42,8 +46,8 @@ services:
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
- GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
- GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
+ GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
+ GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}
GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
configs:
diff --git a/reverse-proxy-traefik/docker-compose.yml b/reverse-proxy-traefik/docker-compose.yml
index 6fae1279..0aefed3d 100644
--- a/reverse-proxy-traefik/docker-compose.yml
+++ b/reverse-proxy-traefik/docker-compose.yml
@@ -46,6 +46,7 @@ services:
- traefik.http.services.openhim-console.loadbalancer.server.port=8080
- traefik.http.middlewares.to-https.redirectscheme.scheme=https
+ - traefik.http.middlewares.to-https.redirectscheme.permanent=true
- traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}
placement:
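Review bot: `GF_AUTH_SIGNOUT_REDIRECT_URL` still builds `post_logout_redirect_uri` from `${KC_GRAFANA_ROOT_URL}/login`, which after this patch expands to `https://grafana.domain/login`, while Grafana's own root URL becomes `${GF_SERVER_ROOT_URL}` = `https://domain/grafana`; logout will send the browser to a host no router serves, and Keycloak may refuse the URI outright if the client's allowed post-logout redirects are derived from the root URL. Build it from the same variable Grafana uses, `post_logout_redirect_uri=${GF_SERVER_ROOT_URL}/login`, or fix `KC_GRAFANA_ROOT_URL` in .env.traefik.remote so the two agree. As a style point, `GF_SERVER_ROOT_URL` and `GF_SERVER_DOMAIN` are now unquoted `${...}` expansions next to quoted neighbours; harmless for a plain hostname, but quoting them keeps the environment block consistent and guards against a value with a space or `#` in it.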
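Review bot: Making `to-https` permanent (308) only protects the first request of a session; once clients are always redirected, emitting HSTS so browsers stop attempting plaintext at all is the natural companion, e.g. `- traefik.http.middlewares.hsts.headers.stsSeconds=31536000` chained on the HTTPS-side routers (no headers middleware is visible in this diff, so it may already exist elsewhere). Because a 308 is cached by browsers, double-check that `to-https` is only referenced by routers on the plaintext entrypoint before merging; where it is attached is outside this hunk. Separately, `traefik.http.services.openhim-console.loadbalancer.server.port=8080` on this container and `...services.openhim-console.loadbalancer.server.port=80` in interoperability-layer-openhim/docker-compose.yml earlier in this patch declare the same Traefik service name with different ports; as far as I know the Docker provider rejects a service defined twice with conflicting settings, which is pre-existing but worth resolving while these labels are being touched.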