Adapt to new middleware model

bounca.nomad.hcl

@@ -16,31 +16,10 @@ job [[ .instance | toJSON ]] {
 [[ template "common/connect.tpl" $c ]]
 
       tags = [
-        "[[ $c.traefik.instance ]].enable=[[ if $c.traefik.enabled ]]true[[ else ]]false[[ end ]]",
-
-[[- if $c.public.traefik.enabled ]]
-  [[ $p := merge .bounca.public . ]]
-        "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]/public/`)",
-        "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].priority=200",
-        "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].entrypoints=[[ join $p.traefik.entrypoints "," ]]",
-  [[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]]
-        "[[ $p.traefik.instance ]].http.middlewares.[[ .instance ]]-public[[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]",
-        "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ .instance ]]-public[[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $p.traefik ]]",
-  [[- else ]]
-        "[[ $p.traefik.instance ]].http.routers.[[ .instance ]]-public[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $p.traefik ]]",
-  [[- end ]]
-[[- end ]]
-
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .bounca.public_url).Hostname ]]`)
-  [[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]] && PathPrefix(`[[ (urlParse .bounca.public_url).Path ]]`)[[ end ]]",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].priority=100",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
-[[- if not (regexp.Match "^/?$" (urlParse .bounca.public_url).Path) ]]
-        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]][[ .consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse .bounca.public_url).Path ]]",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]][[ .consul.suffix ]]-prefix,[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
-[[- else ]]
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
-[[- end ]]
+[[ $p := merge .bounca.public . ]]
+[[ template "common/traefik_tags" $p ]]
+        "[[ $p.traefik.instance ]].http.routers.[[ $p.traefik.router ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/public`)",
+[[ template "common/traefik_tags" $c ]]
       ]
 
 

example/bounca.nomad.hcl

@@ -23,6 +23,18 @@ job "bounca" {
           }
         }
         sidecar_task {
+          config {
+            args = [
+              "-c",
+              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
+              "-l",
+              "${meta.connect.log_level}",
+              "--concurrency",
+              "${meta.connect.proxy_concurrency}",
+              "--disable-hot-restart"
+            ]
+          }
+
           resources {
             cpu    = 50
             memory = 64
@@ -33,17 +45,23 @@ job "bounca" {
 
 
       tags = [
+
+
         "traefik.enable=true",
-
-        "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public/`)",
-        "traefik.http.routers.bounca-public.priority=200",
         "traefik.http.routers.bounca-public.entrypoints=https",
-        "traefik.http.routers.bounca-public.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
+        "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+        "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
+        "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
 
+        "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
+
+        "traefik.enable=true",
         "traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
-        "traefik.http.routers.bounca.priority=100",
         "traefik.http.routers.bounca.entrypoints=https",
-        "traefik.http.routers.bounca.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,csp-relaxed@file",
+        "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
+        "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
+        "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
+
       ]
 
 
@@ -180,6 +198,7 @@ _EOT
         destination = "secrets/.db.env"
       }
 
+
       resources {
         cpu    = 200
         memory = 192

variables.yml

@@ -41,14 +41,14 @@ bounca:
           local_bind_port: 5432
 
   # Traefik settings
-  traefik:
-    enabled: true
+  traefik: {}
 
   # Settings for /public, which can be different from the main interface
   # /public expose certificates and CRL so it should usually be publicly accessible
   public:
     traefik:
-      enabled: true
+      auto_rule: false
+      router: '[[ .instance ]]-public[[ .consul.suffix ]]'
 
   # Resource allocation for the main bounca task
   resources: