deploy

docker-compose.yml

@@ -1,4 +1,50 @@
 services:
+  # Varnish sits between Traefik and the application.
+  #
+  # Flow:
+  #   Client -> Traefik -> Varnish -> app
+  #
+  # Traefik keeps TLS + compression; Varnish adds HTTP caching for static assets.
+  varnish:
+    image: varnish:7
+    restart: always
+    networks:
+      - infra
+    depends_on:
+      - app
+    command: >-
+      varnishd
+      -F
+      -f /etc/varnish/default.vcl
+      -s malloc,${VARNISH_CACHE_SIZE:-256m}
+    volumes:
+      - ./varnish/default.vcl:/etc/varnish/default.vcl:ro
+    healthcheck:
+      test: ["CMD-SHELL", "wget --quiet --tries=1 --spider http://localhost:80/health || wget --quiet --tries=1 --spider http://localhost:80/ || true"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+    labels:
+      - "traefik.enable=true"
+      # HTTP → HTTPS redirect (Challenge-Schutz für ALLE)
+      - "traefik.http.routers.klz-cables-web.rule=(Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)) && !PathPrefix(`/.well-known/acme-challenge/`)"
+      - "traefik.http.routers.klz-cables-web.entrypoints=web"
+      - "traefik.http.routers.klz-cables-web.middlewares=redirect-https"
+      # HTTPS router (für ALLE drei Domains)
+      - "traefik.http.routers.klz-cables.rule=Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)"
+      - "traefik.http.routers.klz-cables.entrypoints=websecure"
+      - "traefik.http.routers.klz-cables.tls.certresolver=le"
+      - "traefik.http.routers.klz-cables.tls=true"
+      - "traefik.http.routers.klz-cables.service=klz-cables"
+      - "traefik.http.services.klz-cables.loadbalancer.server.port=80"
+      - "traefik.http.services.klz-cables.loadbalancer.server.scheme=http"
+      # Forwarded Headers (für Apps, die HTTPS erwarten)
+      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
+      # Middlewares anhängen
+      - "traefik.http.routers.klz-cables.middlewares=klz-forward,compress"
+
   app:
     image: registry.infra.mintel.me/mintel/klz-cables.com:latest
     restart: always
@@ -20,26 +66,7 @@ services:
       # Redis (app-spezifischer DB-Index)
       - REDIS_URL=${REDIS_URL:-redis://redis:6379/2}
       - REDIS_KEY_PREFIX=${REDIS_KEY_PREFIX:-klz:}
-    labels:
-      - "traefik.enable=true"
-      # HTTP → HTTPS redirect (Challenge-Schutz für ALLE)
-      - "traefik.http.routers.klz-cables-web.rule=(Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)) && !PathPrefix(`/.well-known/acme-challenge/`)"
-      - "traefik.http.routers.klz-cables-web.entrypoints=web"
-      - "traefik.http.routers.klz-cables-web.middlewares=redirect-https"
-      # HTTPS router (für ALLE drei Domains)
-      - "traefik.http.routers.klz-cables.rule=Host(`klz-cables.com`) || Host(`www.klz-cables.com`) || Host(`staging.klz-cables.com`)"
-      - "traefik.http.routers.klz-cables.entrypoints=websecure"
-      - "traefik.http.routers.klz-cables.tls.certresolver=le"
-      - "traefik.http.routers.klz-cables.tls=true"
-      - "traefik.http.routers.klz-cables.service=klz-cables"
-      - "traefik.http.services.klz-cables.loadbalancer.server.port=3000"
-      - "traefik.http.services.klz-cables.loadbalancer.server.scheme=http"
-      # Forwarded Headers (für Apps, die HTTPS erwarten)
-      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.middlewares.klz-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
-      # Middlewares anhängen
-      - "traefik.http.routers.klz-cables.middlewares=klz-forward,compress"
 
 networks:
   infra:
-    external: true
+    external: true