From 0ae02ba73be634b55fed7075309060d3aff84c25 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Fri, 6 Feb 2026 23:16:52 +0100
Subject: [PATCH] fix(analytics): bypass gatekeeper and middleware for tracking endpoints
---
docker-compose.yml | 23 ++++++++++++++++-------
middleware.ts | 2 +-
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 6f74545c..3cfc4657 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,19 +28,24 @@ services: - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/.well-known/acme-challenge/`)" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.entrypoints=web" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.middlewares=redirect-https" - # HTTPS router - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=Host(`${TRAEFIK_HOST}`)" + # HTTPS router (Protected) + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/stats`, `/errors`)" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.entrypoints=websecure" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls.certresolver=le" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls=true" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.service=${PROJECT_NAME:-klz-cables}" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-compress}" + + # HTTPS router (Unprotected - for Analytics & Errors) + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/stats`, `/errors`)" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.entrypoints=websecure" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls.certresolver=le" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls=true" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.service=${PROJECT_NAME:-klz-cables}" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,compress" + - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.port=80" - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.scheme=http" - # Forwarded Headers - - 
"traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Proto=https" - - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on" - # Middlewares - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-compress}" - "traefik.docker.network=infra" # Gatekeeper Router (to show the login page) @@ -50,6 +55,10 @@ services: - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true" - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.service=${PROJECT_NAME:-klz-cables}-gatekeeper" + # Forwarded Headers + - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Proto=https" + - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on" + # Middleware Definitions - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-ratelimit.ratelimit.average=100" - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-ratelimit.ratelimit.burst=50" diff --git a/middleware.ts b/middleware.ts index 3ea8cb5e..2e6df81b 100644 --- a/middleware.ts +++ b/middleware.ts @@ -62,5 +62,5 @@ export default function middleware(request: NextRequest) { export const config = { // Match only internationalized pathnames - matcher: ['/((?!api|_next|_vercel|health|.*\\..*).*)', '/', '/(de|en)/:path*'], + matcher: ['/((?!api|_next|_vercel|stats|errors|health|.*\\..*).*)', '/', '/(de|en)/:path*'], };
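Review bot: The `-unprotected` router added in the first docker-compose.yml hunk drops `${AUTH_MIDDLEWARE}` for everything matched by `PathPrefix(`/stats`, `/errors`)`, and Traefik's `PathPrefix` compares plain string prefixes, so `/statistics` or `/errors-anything` would skip the gatekeeper along with the tracking endpoints. If the collectors are served below those directories, narrowing the rule on both routers to `PathPrefix(`/stats/`) || PathPrefix(`/errors/`)` (negated on the protected router), or to exact `Path(...)` matches, keeps the bypass to what the commit title describes. The one-value-per-matcher form is also what Traefik v3 rule syntax expects; the Traefik version in use is not visible here, so that part is worth checking. The `stats|errors` alternatives added to the `matcher` lookahead in the middleware.ts hunk are prefix-matched the same way, so the same narrowing question applies there. A comment beside the router such as `# Unauthenticated by design: only the analytics and error-report proxies may live under these paths` would record the constraint for whoever adds routes later.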