Use traefik_tags template
parent
1a61c3ec65
commit
c76e76970d
|
@ -39,6 +39,17 @@ job "immich" {
|
|||
}
|
||||
}
|
||||
sidecar_task {
|
||||
config {
|
||||
args = [
|
||||
"-c",
|
||||
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||
"-l",
|
||||
"${meta.connect.log_level}",
|
||||
"--concurrency",
|
||||
"${meta.connect.proxy_concurrency}",
|
||||
"--disable-hot-restart"
|
||||
]
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
|
@ -62,20 +73,20 @@ job "immich" {
|
|||
}
|
||||
|
||||
tags = [
|
||||
|
||||
"traefik.enable=true",
|
||||
|
||||
# Define a middleware to set custom CSP headers
|
||||
"traefik.http.middlewares.immich-headers.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data: blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
|
||||
"traefik.http.middlewares.immich-headers.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
|
||||
"traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)`)",
|
||||
"traefik.http.routers.immich-share.entrypoints=https",
|
||||
"traefik.http.routers.immich-share.middlewares=immich-headers,security-headers@file,hsts@file,compression@file",
|
||||
|
||||
# Main app router
|
||||
"traefik.http.routers.immich.rule=Host(`immich.example.org`)",
|
||||
"traefik.http.routers.immich.entrypoints=https",
|
||||
"traefik.http.routers.immich.middlewares=immich-headers,security-headers@file,hsts@file,compression@file",
|
||||
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
|
||||
|
||||
"traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.immich-share.entrypoints=https",
|
||||
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
|
||||
|
||||
]
|
||||
}
|
||||
|
||||
|
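Review bot: The share router rule on the new side is unterminated: the tag `"traefik.http.routers.immich-share.rule=Host(...) && PathRegexp(...` ends with `server-info)/)",` and is missing the closing backtick and `)` of `PathRegexp(` that the removed form of the same rule still has. Traefik will fail to parse that rule and drop the `immich-share` router, so requests to /share fall through to the main `immich` router and its middlewares — fail-closed if the main app is restricted, but public sharing silently stops working. The `immich-csp` middleware is also declared twice with identical content, once under each router; one definition is enough since both routers reference it by name. The rendered CSP here lacks the `worker-src 'self' blob:` and `img-src ... blob:` entries present in the values file in this same commit, which suggests this example was not regenerated from the template — worth confirming.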
@ -300,6 +311,17 @@ _EOT
|
|||
sidecar_service {
|
||||
}
|
||||
sidecar_task {
|
||||
config {
|
||||
args = [
|
||||
"-c",
|
||||
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||
"-l",
|
||||
"${meta.connect.log_level}",
|
||||
"--concurrency",
|
||||
"${meta.connect.proxy_concurrency}",
|
||||
"--disable-hot-restart"
|
||||
]
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 50
|
||||
|
|
|
@ -33,36 +33,10 @@ job "[[ .instance ]]" {
|
|||
}
|
||||
|
||||
tags = [
|
||||
"[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",
|
||||
|
||||
# Define a middleware to set custom CSP headers
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
# Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
|
||||
[[- end ]]
|
||||
|
||||
[[- $s := merge .immich.server.share .immich.server .immich . ]]
|
||||
# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $c.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)`)",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s ]]",
|
||||
[[- else ]]
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s ]]",
|
||||
[[- end ]]
|
||||
|
||||
# Main app router
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
|
||||
[[- else ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
|
||||
[[- end ]]
|
||||
[[ template "common/traefik_tags" $c ]]
|
||||
[[- $s := merge $c.share $c ]]
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
|
||||
[[ template "common/traefik_tags" merge $s ]]
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
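Review bot: The hand-written share rule `[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=...` is unterminated — the string ends with `server-info)/)",` without the closing backtick and `)` of `PathRegexp(`, which the removed version of the same line had; Traefik will reject the rule and disable the share router, so /share is then served by the main router with the main app's middlewares (fail-closed when the main app is IP-restricted, but public sharing breaks without any obvious error in the job). `[[ template "common/traefik_tags" merge $s ]]` passes `merge` a single argument, which looks like a leftover of `merge $c.share $c`; plain `$s`, as on the main-router line, is presumably what was intended. The removed `customrequestheaders.X-Forwarded-Proto=https` and `stripprefix` middlewares are no longer emitted here, so unless `common/traefik_tags` (not part of this diff) produces equivalents, a sub-path `public_url` and HTTPS detection behind the proxy regress — worth confirming against that template.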
@ -52,33 +52,19 @@ immich:
|
|||
|
||||
# Controls how Traefik will expose the service
|
||||
traefik:
|
||||
enabled: true
|
||||
|
||||
# Immich needs a specific CSP
|
||||
csp:
|
||||
default-src: "'self'"
|
||||
img-src: "'self' data: blob:"
|
||||
script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
|
||||
style-src: "'self' 'unsafe-inline'"
|
||||
font-src: "'self' data:"
|
||||
worker-src: "'self' blob:"
|
||||
connect-src: "'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org"
|
||||
|
||||
# Override the list of base middlewares as we need to remove rate-limits
|
||||
base_middlewares:
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
- compression@file
|
||||
middlewares: []
|
||||
middlewares:
|
||||
rate-limit: false
|
||||
|
||||
# Use distinct Traefik settings for /share. This can be used for example to restrict the main app to trusted IP but allow /share from anywhere
|
||||
share:
|
||||
traefik:
|
||||
base_middlewares:
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
- compression@file
|
||||
middlewares: []
|
||||
auto_rule: false
|
||||
router: '[[ .instance ]]-share[[ .consul.suffix ]]'
|
||||
|
||||
# Volumes used for data storage
|
||||
volumes:
|
||||
|
|
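Review bot: The `csp` block should say why `script-src` carries `'unsafe-inline' 'unsafe-eval'`: those two keywords remove most of CSP's protection against injected scripts, so a reader needs to know whether they are an upstream Immich requirement or a leftover, e.g. `# 'unsafe-inline'/'unsafe-eval' are required by the Immich web UI (verify against upstream); they largely neutralise CSP as an XSS mitigation`. `auto_rule: false` under `share.traefik` also deserves a comment tying it to the hand-written router rule in the job template, e.g. `# Rule is written in the job template: only the public /share paths must match`. Since the template builds the share settings with `merge $c.share $c`, everything not overridden here (including `csp`) is inherited from the main `traefik` block; stating that next to `share:` would save the next maintainer a trip into the template.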