Marc Mintel
e0fae20835
This ensures that the image proxy correctly maps public domains to internal Docker hostnames across different environments (testing, staging, production) without manual configuration of the docker-compose.yml file.
193 lines
8.9 KiB
YAML
193 lines
8.9 KiB
YAML
services:
|
|
klz-app:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
args:
|
|
NEXT_PUBLIC_BASE_URL: ${NEXT_PUBLIC_BASE_URL}
|
|
NEXT_PUBLIC_IMGPROXY_URL: ${NEXT_PUBLIC_IMGPROXY_URL}
|
|
DIRECTUS_URL: ${DIRECTUS_URL}
|
|
image: registry.infra.mintel.me/mintel/klz-cables.com:${IMAGE_TAG:-latest}
|
|
restart: unless-stopped
|
|
networks:
|
|
default:
|
|
infra:
|
|
aliases:
|
|
- klz.localhost
|
|
env_file:
|
|
- ${ENV_FILE:-.env}
|
|
labels:
|
|
- "traefik.enable=true"
|
|
# HTTP ⇒ HTTPS redirect
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.entrypoints=web"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.middlewares=redirect-https"
|
|
# HTTPS router (Standard)
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.tls=${TRAEFIK_TLS:-false}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.service=${PROJECT_NAME:-klz}-app-svc"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}.middlewares=${AUTH_MIDDLEWARE:-klz-ratelimit,klz-forward,klz-compress}"
|
|
|
|
# Public Router (Whitelist for OG Images, Sitemaps, Health)
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && (PathPrefix(`/health`) || PathPrefix(`/sitemap.xml`) || PathPrefix(`/robots.txt`) || PathPrefix(`/manifest.webmanifest`) || PathRegexp(`^/([a-z]{2}/)?api/og`) || PathRegexp(`^/([a-z]{2}/)?opengraph-image$`) || PathRegexp(`^/([a-z]{2}/)?blog/opengraph-image$`) || PathRegexp(`^/sitemap(-[0-9]+)?\\.xml$`))"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls=${TRAEFIK_TLS:-false}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.service=${PROJECT_NAME:-klz}-app-svc"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.middlewares=${AUTH_MIDDLEWARE_UNPROTECTED:-klz-ratelimit,klz-forward,klz-compress}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.priority=2000"
|
|
|
|
- "traefik.http.services.${PROJECT_NAME:-klz}-app-svc.loadbalancer.server.scheme=http"
|
|
- "traefik.http.services.${PROJECT_NAME:-klz}-app-svc.loadbalancer.server.port=3000"
|
|
- "traefik.docker.network=infra"
|
|
- "caddy=http://${TRAEFIK_HOST:-klz.localhost}"
|
|
- "caddy.reverse_proxy={{upstreams 3000}}"
|
|
|
|
# Middleware Definitions
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-compress.compress=true"
|
|
|
|
# Forwarded Headers
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
|
|
|
|
# Authentication Middleware (ForwardAuth)
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.address=http://${PROJECT_NAME:-klz}-gatekeeper:3000/gatekeeper/api/verify"
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For,Cookie"
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.authResponseHeaders=X-Auth-User"
|
|
|
|
# Rate Limit Middleware
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.average=100"
|
|
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.burst=50"
|
|
healthcheck:
|
|
test: [ "CMD", "curl", "-f", "http://127.0.0.1:3000/health" ]
|
|
interval: 15s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 45s
|
|
|
|
klz-gatekeeper:
|
|
profiles: [ "gatekeeper" ]
|
|
image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.12
|
|
restart: unless-stopped
|
|
networks:
|
|
infra:
|
|
aliases:
|
|
- ${PROJECT_NAME:-klz}-gatekeeper
|
|
env_file:
|
|
- ${ENV_FILE:-.env}
|
|
environment:
|
|
PORT: 3000
|
|
PROJECT_NAME: ${PROJECT_NAME:-KLZ Cables}
|
|
PROJECT_COLOR: "#82ed20"
|
|
COOKIE_DOMAIN: ${COOKIE_DOMAIN}
|
|
AUTH_COOKIE_NAME: ${AUTH_COOKIE_NAME:-klz_gatekeeper_session}
|
|
GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD}
|
|
NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=infra"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.rule=(Host(`${TRAEFIK_HOST:-testing.klz-cables.com}`) && PathPrefix(`/gatekeeper`))"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls=${TRAEFIK_TLS:-false}"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.service=${PROJECT_NAME:-klz}-gatekeeper-svc"
|
|
- "traefik.http.services.${PROJECT_NAME:-klz}-gatekeeper-svc.loadbalancer.server.port=3000"
|
|
- "traefik.docker.network=infra"
|
|
|
|
klz-cms:
|
|
image: registry.infra.mintel.me/mintel/directus:latest
|
|
restart: unless-stopped
|
|
command: [ "node", "cli.js", "start" ]
|
|
env_file:
|
|
- ${ENV_FILE:-.env}
|
|
environment:
|
|
KEY: ${DIRECTUS_KEY}
|
|
SECRET: ${DIRECTUS_SECRET}
|
|
ADMIN_EMAIL: ${DIRECTUS_ADMIN_EMAIL}
|
|
ADMIN_PASSWORD: ${DIRECTUS_ADMIN_PASSWORD}
|
|
DB_CLIENT: 'pg'
|
|
DB_HOST: 'klz-db'
|
|
DB_PORT: '5432'
|
|
DB_DATABASE: ${DIRECTUS_DB_NAME:-directus}
|
|
DB_USER: ${DIRECTUS_DB_USER:-directus}
|
|
DB_PASSWORD: ${DIRECTUS_DB_PASSWORD:-120in09oenaoinsd9iaidon}
|
|
WEBSOCKETS_ENABLED: 'true'
|
|
PUBLIC_URL: ${DIRECTUS_URL:-https://cms.klz-cables.com}
|
|
HOST: '0.0.0.0'
|
|
networks:
|
|
- default
|
|
- infra
|
|
volumes:
|
|
- ./directus/uploads:/directus/uploads
|
|
- ./directus/extensions:/directus/extensions
|
|
- ./directus/schema:/directus/schema
|
|
- ./directus/migrations:/directus/migrations
|
|
healthcheck:
|
|
disable: true
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.rule=Host(`${DIRECTUS_HOST:-cms.klz-cables.com}`)"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.entrypoints=websecure"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.priority=5000"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.tls=true"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.tls.certresolver=le"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-cms.service=${PROJECT_NAME:-klz}-cms-svc"
|
|
- "traefik.http.services.${PROJECT_NAME:-klz}-cms-svc.loadbalancer.server.port=8055"
|
|
- "traefik.docker.network=infra"
|
|
- "caddy=http://${DIRECTUS_HOST:-cms.klz-cables.com}"
|
|
- "caddy.reverse_proxy={{upstreams 8055}}"
|
|
klz-db:
|
|
image: postgres:15-alpine
|
|
restart: unless-stopped
|
|
env_file:
|
|
- ${ENV_FILE:-.env}
|
|
environment:
|
|
POSTGRES_DB: ${DIRECTUS_DB_NAME:-directus}
|
|
POSTGRES_USER: ${DIRECTUS_DB_USER:-directus}
|
|
POSTGRES_PASSWORD: ${DIRECTUS_DB_PASSWORD:-120in09oenaoinsd9iaidon}
|
|
volumes:
|
|
- directus-db-data:/var/lib/postgresql/data
|
|
networks:
|
|
- default
|
|
|
|
klz-imgproxy:
|
|
image: darthsim/imgproxy:latest
|
|
restart: unless-stopped
|
|
networks:
|
|
- default
|
|
- infra
|
|
extra_hosts:
|
|
- "klz.localhost:host-gateway"
|
|
- "cms.klz.localhost:host-gateway"
|
|
- "host.docker.internal:host-gateway"
|
|
environment:
|
|
IMGPROXY_URL_MAPPING: "${IMGPROXY_URL_MAPPING:-http://klz.localhost/:http://klz-app:3000/,http://cms.klz.localhost/:http://klz-cms:8055/}"
|
|
IMGPROXY_USE_ETAG: "true"
|
|
IMGPROXY_MAX_SRC_RESOLUTION: 20
|
|
IMGPROXY_ALLOWED_NETWORKS: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
|
|
IMGPROXY_IGNORE_SSL_ERRORS: "true"
|
|
IMGPROXY_DEBUG: "true"
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-imgproxy.rule=Host(`img.${TRAEFIK_HOST:-klz.localhost}`)"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-imgproxy.entrypoints=web"
|
|
- "traefik.http.routers.${PROJECT_NAME:-klz}-imgproxy.service=${PROJECT_NAME:-klz}-imgproxy-svc"
|
|
- "traefik.http.services.${PROJECT_NAME:-klz}-imgproxy-svc.loadbalancer.server.port=8080"
|
|
- "traefik.docker.network=infra"
|
|
- "caddy=http://img.${TRAEFIK_HOST:-klz.localhost}"
|
|
- "caddy.reverse_proxy={{upstreams 8080}}"
|
|
|
|
networks:
|
|
default:
|
|
name: ${PROJECT_NAME:-klz-cables}-internal
|
|
infra:
|
|
external: true
|
|
|
|
volumes:
|
|
directus-db-data:
|
|
external: true
|
|
name: klz-cablescom_directus-db-data
|