Adapt to new middleware model
This commit is contained in:
parent
6099d860a4
commit
32455660c7
|
|
@ -55,19 +55,23 @@ job "unifi" {
|
|||
tags = [
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.unifi.rule=Host(`unifi.example.org`)",
|
||||
"traefik.http.routers.unifi.entrypoints=https",
|
||||
"traefik.http.routers.unifi.middlewares=rate-limit-std@file,security-headers@file,compression@file,csp-relaxed@file",
|
||||
"traefik.http.routers.unifi.rule=Host(`unifi.example.org`)",
|
||||
"traefik.http.middlewares.csp-unifi.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.unifi.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-unifi",
|
||||
|
||||
|
||||
# Note : no Host as inform requests are sent without. But it's binded to the dedicated entrypoint anyway
|
||||
"traefik.http.routers.unifi-inform.rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.unifi-inform.entrypoints=unifi-inform",
|
||||
"traefik.http.routers.unifi-inform.rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
|
||||
"traefik.http.routers.unifi-inform.middlewares=rate-limit-std@file,inflight-std@file",
|
||||
"traefik.http.routers.unifi-portal.rule=Host(`unifi-portal.example.org`) && PathPrefix(`/guest`)",
|
||||
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.unifi-portal.entrypoints=unifi-portal",
|
||||
"traefik.http.routers.unifi-portal.tls=true",
|
||||
"traefik.http.routers.unifi-portal.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file"
|
||||
"traefik.http.routers.unifi-portal.rule=Host(`unifi-portal.example.org`) && PathPrefix(`/guest`)",
|
||||
"traefik.http.middlewares.csp-unifi-portal.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.unifi-portal.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-unifi-portal",
|
||||
|
||||
]
|
||||
}
|
||||
|
|
@ -77,9 +81,11 @@ job "unifi" {
|
|||
port = "stun"
|
||||
|
||||
tags = [
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.consulcatalog.connect=false",
|
||||
"traefik.udp.routers.unifi-stun.entrypoints=unifi-stun",
|
||||
"traefik.consulcatalog.connect=false"
|
||||
|
||||
]
|
||||
}
|
||||
service {
|
||||
|
|
|
|||
|
|
@ -33,21 +33,8 @@ job "[[ .instance ]]" {
|
|||
|
||||
tags = [
|
||||
[[ template "common/traefik_tags" $c ]]
|
||||
|
||||
# Note : no Host as inform requests are sent without. But it's binded to the dedicated entrypoint anyway
|
||||
[[- $i := merge .unifi.inform . ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-inform[[ .consul.suffix ]].rule=(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-inform[[ .consul.suffix ]].entrypoints=[[ join $i.traefik.entrypoints "," ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-inform[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $i ]]",
|
||||
|
||||
[[- $p := merge .unifi.guest_portal . ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].rule=Host(`
|
||||
[[- (urlParse .unifi.guest_portal.public_url).Hostname -]]
|
||||
`) && PathPrefix(`/guest`)",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].entrypoints=[[ join $p.traefik.entrypoints "," ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].tls=true",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-portal[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $p ]]"
|
||||
|
||||
[[ template "common/traefik_tags" merge .unifi.inform . ]]
|
||||
[[ template "common/traefik_tags" merge .unifi.guest_portal . ]]
|
||||
]
|
||||
}
|
||||
|
||||
|
|
@ -56,9 +43,7 @@ job "[[ .instance ]]" {
|
|||
port = "stun"
|
||||
|
||||
tags = [
|
||||
"[[ $c.traefik.instance ]].enable=true",
|
||||
"[[ $c.traefik.instance ]].udp.routers.[[ .instance ]]-stun[[ .consul.suffix ]].entrypoints=[[ join .unifi.stun.traefik.entrypoints "," ]]",
|
||||
"[[ $c.traefik.instance ]].consulcatalog.connect=false"
|
||||
[[ template "common/traefik_tags" merge .unifi.stun . ]]
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -63,16 +63,13 @@ unifi:
|
|||
#entrypoints:
|
||||
# - https
|
||||
|
||||
# Override the default base_middleware to remove the inflight-std@file middleware
|
||||
base_middlewares:
|
||||
- rate-limit-std@file
|
||||
- security-headers@file
|
||||
- compression@file
|
||||
- csp-relaxed@file
|
||||
|
||||
# List of additional middlewares to load
|
||||
#middlewares:
|
||||
# - ip-trusted@file
|
||||
middlewares:
|
||||
# Tune inflight and rate-limit as the controller can require a high number of requests
|
||||
inflight:
|
||||
- inflightreq.amount=300
|
||||
rate-limit:
|
||||
- ratelimit.average=100
|
||||
- ratelimit.burst=200
|
||||
|
||||
# Volumes
|
||||
volumes:
|
||||
|
|
@ -89,35 +86,54 @@ unifi:
|
|||
# Traefik settings
|
||||
traefik:
|
||||
|
||||
# Traefik router name
|
||||
router: inform
|
||||
|
||||
# Use a custom rule for the inform service
|
||||
rule: '(Path(`/inform`) && Method(`POST`)) || (PathPrefix(`/dl/firmware-cached`) && (Method(`GET`) || Method(`HEAD`)))'
|
||||
|
||||
# We do not want Traefik to strip the /inform prefix
|
||||
strip_prefix: false
|
||||
|
||||
# List of entrypoints where the inform endpoint will be exposed.
|
||||
# Note : this should be a list of dedicated entrypoint, as there's no Host header sent with the requests
|
||||
# This entrypoint must also listen on port 8080
|
||||
entrypoints:
|
||||
- unifi-inform
|
||||
|
||||
# Override the base middlewares list to remove hsts@file as we're on http
|
||||
# Also remove security headers and csp as they have no meaning here
|
||||
base_middlewares:
|
||||
- rate-limit-std@file
|
||||
- inflight-std@file
|
||||
# There's no need to add CSP headers here
|
||||
csp: false
|
||||
|
||||
# List of additional middleware to load
|
||||
middlewares: []
|
||||
# Also, as the inform endpoint is using plain http, remove useless middlewares
|
||||
# We also disable compression until Traefik stops compressing when no Accept-Encoding is sent
|
||||
middlewares:
|
||||
hsts: false
|
||||
security: false
|
||||
proto: false
|
||||
compression: false
|
||||
|
||||
# The guest portal
|
||||
guest_portal:
|
||||
|
||||
# Public URL where the guest portal will be reachable
|
||||
public_url: https://unifi-portal.example.org:8843/
|
||||
public_url: https://unifi-portal.example.org:8843/guest
|
||||
|
||||
# Traefik settings
|
||||
traefik:
|
||||
|
||||
# Name of the router
|
||||
router: portal
|
||||
|
||||
# Do not strip prefix in the auto generated rule
|
||||
strip_prefix: false
|
||||
|
||||
# List of entrypoints on which the service will be exposed
|
||||
# Note: UniFi doesn't allow custommisation of the port, this entrypoint must be listening on port 8843
|
||||
entrypoints:
|
||||
- unifi-portal
|
||||
|
||||
# List of middlewares to load
|
||||
middlewares: []
|
||||
middlewares: {}
|
||||
|
||||
# The STUN service
|
||||
stun:
|
||||
|
|
@ -125,6 +141,12 @@ unifi:
|
|||
# Traefik settings
|
||||
traefik:
|
||||
|
||||
# Stun is an UDP service
|
||||
proto: udp
|
||||
|
||||
# Name of the router
|
||||
router: stun
|
||||
|
||||
# List of entrypoints the STUN service wil be exposed on
|
||||
# Note: This must be UDP entrypoints !
|
||||
entrypoints:
|
||||
|
|
|
|||
Loading…
Reference in New Issue