Adapt to new middleware model
parent
6986b74c98
commit
9d8cff3214
|
@ -16,31 +16,10 @@ job [[ .instance | toJSON ]] {
|
|||
[[ template "common/connect.tpl" $c ]]
|
||||
|
||||
tags = [
|
||||
"[[ $c.traefik.instance ]].enable=[[ if $c.traefik.enabled ]]true[[ else ]]false[[ end ]]",
|
||||
|
||||
[[- if $c.public.traefik.enabled ]]
|
||||
[[ $p := merge .bounca.public . ]]
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]/public/`)",
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].priority=200",
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].entrypoints=[[ join $p.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]]
|
||||
"[[ $p.traefik.instance ]].http.middlewares.[[ .instance ]]-public[[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]",
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ .instance ]]-public[[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $p.traefik ]]",
|
||||
[[- else ]]
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $p.traefik ]]",
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`)
|
||||
[[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]] && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]`)[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]]
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]][[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
|
||||
[[- else ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
|
||||
[[- end ]]
|
||||
[[ $p := merge .bounca.public . ]]
|
||||
[[ template "common/traefik_tags" $p ]]
|
||||
"[[ $p.traefik.instance ]].http.routers.[[ $p.traefik.router ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/public`)",
|
||||
[[ template "common/traefik_tags" $c ]]
|
||||
]
|
||||
|
||||
|
||||
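Review bot: The rule now written for `$p.traefik.router` ends its PathPrefix in `/public`, where the removed rule used `/public/`. Traefik's PathPrefix is a plain prefix match, so sibling paths that merely start with those characters (for example `/publicX`) are now handled by the public router and its middleware chain as well. I would keep the trailing slash, `/public/`, and accept that a bare `/public` request then falls through to the main router. The same rule shows up in the rendered example job as `traefik.http.routers.bounca-public.rule`. The explicit `priority=200` and `priority=100` tags are also no longer written in this file, so whether the public router still outranks the main one depends on `common/traefik_tags`, which is not visible here and is worth confirming.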
|
|
|
@ -23,6 +23,18 @@ job "bounca" {
|
|||
}
|
||||
}
|
||||
sidecar_task {
|
||||
config {
|
||||
args = [
|
||||
"-c",
|
||||
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||
"-l",
|
||||
"${meta.connect.log_level}",
|
||||
"--concurrency",
|
||||
"${meta.connect.proxy_concurrency}",
|
||||
"--disable-hot-restart"
|
||||
]
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
memory = 64
|
||||
|
@ -33,17 +45,23 @@ job "bounca" {
|
|||
|
||||
|
||||
tags = [
|
||||
|
||||
|
||||
"traefik.enable=true",
|
||||
|
||||
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public/`)",
|
||||
"traefik.http.routers.bounca-public.priority=200",
|
||||
"traefik.http.routers.bounca-public.entrypoints=https",
|
||||
"traefik.http.routers.bounca-public.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
|
||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
||||
|
||||
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
|
||||
"traefik.http.routers.bounca.priority=100",
|
||||
"traefik.http.routers.bounca.entrypoints=https",
|
||||
"traefik.http.routers.bounca.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
|
||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
||||
|
||||
]
|
||||
|
||||
|
||||
|
@ -180,6 +198,7 @@ _EOT
|
|||
destination = "secrets/.db.env"
|
||||
}
|
||||
|
||||
|
||||
resources {
|
||||
cpu = 200
|
||||
memory = 192
|
||||
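Review bot: The inline `bounca-csp` middleware carries `script-src 'self' 'unsafe-inline' 'unsafe-eval'` and is attached to both the `bounca` and `bounca-public` routers, so the policy gives little protection against injected script on either path. If the application UI really needs those two keywords, that is worth a comment in the variables that produce this tag. The `/public` router appears to serve only certificate and CRL downloads, so it could probably take a much stricter policy of its own, such as `default-src 'none'`, instead of sharing the relaxed one. The `bounca-csp` and `bounca-proxy` definitions are also written twice in the tag list; they are identical today, but defining them once would avoid the two copies drifting apart.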
|
|
|
@ -41,14 +41,14 @@ bounca:
|
|||
local_bind_port: 5432
|
||||
|
||||
# Traefik settings
|
||||
traefik:
|
||||
enabled: true
|
||||
traefik: {}
|
||||
|
||||
# Settings for /public, which can be different from the main interface
|
||||
# /public expose certificates and CRL so it should usually be publicly accessible
|
||||
public:
|
||||
traefik:
|
||||
enabled: true
|
||||
auto_rule: false
|
||||
router: '[[ .instance ]]-public[[ .consul.suffix ]]'
|
||||
|
||||
# Resource allocation for the main bounca task
|
||||
resources:
|
||||
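Review bot: The new `auto_rule: false` and `router:` keys under `public.traefik` have no comment, although the rest of this section documents its settings. Suggested comments are `# The job template writes the Host && PathPrefix rule for /public itself, so no rule is generated automatically` above `auto_rule`, and `# Router name for /public; must differ from the main router` above `router` (the first is presumably the intent; confirm against `common/traefik_tags`). The hunk counts also suggest that `enabled: true` was dropped both at the top level (now `traefik: {}`) and under `public.traefik`. A one-line comment saying where the effective `enabled` default comes from would help, because it decides whether the PKI interface is exposed at all.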
|
|