fix: traefik routing rules and define missing compress middleware

.gitea/workflows/deploy.yml

@@ -29,6 +29,8 @@ jobs:
       image_tag:        ${{ steps.determine.outputs.image_tag }}
       env_file:         ${{ steps.determine.outputs.env_file }}
       traefik_host:     ${{ steps.determine.outputs.traefik_host }}
+      traefik_host_rule: ${{ steps.determine.outputs.traefik_host_rule }}
+      primary_host:     ${{ steps.determine.outputs.primary_host }}
       next_public_base_url: ${{ steps.determine.outputs.next_public_base_url }}
       directus_url:     ${{ steps.determine.outputs.directus_url }}
       directus_host:    ${{ steps.determine.outputs.directus_host }}
@@ -115,11 +117,22 @@ jobs:
             TARGET="skip"
           fi
 
+          if [[ "$TRAEFIK_HOST" == *","* ]]; then
+            # Convert "a.com, b.com" to "Host(`a.com`) || Host(`b.com`)"
+            TRAEFIK_HOST_RULE=$(echo "$TRAEFIK_HOST" | sed "s/, / /g" | sed "s/,/ /g" | awk '{for(i=1;i<=NF;i++) printf "Host(`%s`)%s", $i, (i==NF?"":" || ")}')
+            PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | xargs)
+          else
+            TRAEFIK_HOST_RULE="Host(\`$TRAEFIK_HOST\`)"
+            PRIMARY_HOST="$TRAEFIK_HOST"
+          fi
+
           {
             echo "target=$TARGET"
             echo "image_tag=$IMAGE_TAG"
             echo "env_file=$ENV_FILE"
             echo "traefik_host=$TRAEFIK_HOST"
+            echo "traefik_host_rule=$TRAEFIK_HOST_RULE"
+            echo "primary_host=$PRIMARY_HOST"
             echo "next_public_base_url=$NEXT_PUBLIC_BASE_URL"
             echo "directus_url=$DIRECTUS_URL"
             echo "directus_host=$DIRECTUS_HOST"
@@ -229,7 +242,7 @@ jobs:
       TARGET:               ${{ needs.prepare.outputs.target }}
       IMAGE_TAG:            ${{ needs.prepare.outputs.image_tag }}
       ENV_FILE:             ${{ needs.prepare.outputs.env_file }}
-      TRAEFIK_HOST:         ${{ needs.prepare.outputs.traefik_host }}
+      TRAEFIK_HOST:         ${{ needs.prepare.outputs.primary_host }}
       NEXT_PUBLIC_BASE_URL:          ${{ needs.prepare.outputs.next_public_base_url }}
       NEXT_PUBLIC_UMAMI_WEBSITE_ID:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.TESTING_NEXT_PUBLIC_UMAMI_WEBSITE_ID  || secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID) }}
       UMAMI_API_ENDPOINT:  ${{ needs.prepare.outputs.target == 'production' && secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL  || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.TESTING_NEXT_PUBLIC_UMAMI_SCRIPT_URL  || secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL) }}
@@ -300,12 +313,11 @@ jobs:
 
           TARGET=$TARGET
           SENTRY_ENVIRONMENT=$TARGET
-          IMAGE_TAG=$IMAGE_TAG
-          TRAEFIK_HOST=$TRAEFIK_HOST
-          ENV_FILE=$ENV_FILE
-          AUTH_MIDDLEWARE=$( [[ "$TARGET" == "production" ]] && echo "compress" || echo "${PROJECT_NAME}-auth,compress" )
+          AUTH_MIDDLEWARE=$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-compress" )
           PROJECT_NAME=$PROJECT_NAME
           COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+          TRAEFIK_HOST=$TRAEFIK_HOST
+          TRAEFIK_HOST_RULE='${{ needs.prepare.outputs.traefik_host_rule }}'
           EOF
 
           # 1. Cleanup and Create Directories on server BEFORE SCP

docker-compose.yml

@@ -25,31 +25,34 @@ services:
     labels:
       - "traefik.enable=true"
       # HTTP ⇒ HTTPS redirect
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/.well-known/acme-challenge/`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)}"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.entrypoints=web"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-web.middlewares=redirect-https"
       # HTTPS router (Protected)
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/stats`, `/errors`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)}"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.entrypoints=websecure"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls.certresolver=le"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.tls=true"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.service=${PROJECT_NAME:-klz-cables}"
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-compress}"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${AUTH_MIDDLEWARE:-${PROJECT_NAME:-klz-cables}-compress}"
 
       # HTTPS router (Unprotected - for Analytics & Errors)
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/stats`, `/errors`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.rule=${TRAEFIK_HOST_RULE:-Host(`klz-cables.com`)} && PathPrefix(`/stats`, `/errors`)"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.entrypoints=websecure"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls.certresolver=le"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.tls=true"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.service=${PROJECT_NAME:-klz-cables}"
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,compress"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-unprotected.middlewares=${PROJECT_NAME:-klz-cables}-ratelimit,${PROJECT_NAME:-klz-cables}-forward,${PROJECT_NAME:-klz-cables}-compress"
 
       - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.port=80"
       - "traefik.http.services.${PROJECT_NAME:-klz-cables}.loadbalancer.server.scheme=http"
       - "traefik.docker.network=infra"
 
+      # Middleware Definitions
+      - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-compress.compress=true"
+
       # Gatekeeper Router (to show the login page)
-      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST:-klz-cables.com}`)"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.entrypoints=websecure"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls.certresolver=le"
       - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true"
@@ -79,7 +82,7 @@ services:
       PORT: 3000
       COOKIE_DOMAIN: ${COOKIE_DOMAIN}
       AUTH_COOKIE_NAME: klz_gatekeeper_session
-      NEXT_PUBLIC_BASE_URL: https://gatekeeper.${TRAEFIK_HOST}
+      NEXT_PUBLIC_BASE_URL: https://gatekeeper.${TRAEFIK_HOST:-klz-cables.com}
       GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:-klz2026}
     labels:
       - "traefik.enable=true"