Add traefik

.gitignore

@@ -1,2 +1,9 @@
 ### Deploy ###
 .env
+
+# traefik specific
+certificates.yml
+*.pem
+*.cert
+.vscode
+traefik/config/tls-cert/*

docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3'
 services:
   pisces-db:
     image: postgres:14.4
@@ -127,6 +126,7 @@ services:
     depends_on:
       - pisces-web
     restart: "always"
+
   scorpio-db:
     image: postgres:14.4
     volumes:
@@ -136,6 +136,7 @@ services:
     restart: "always"
     environment:
       - POSTGRES_PASSWORD=${SCORPIO_DB_PASS}
+
   scorpio-web:
     build: 
       context: ./scorpio
@@ -205,6 +206,7 @@ services:
     depends_on:
       - scorpio-web
     restart: "always"
+
   argo-db:
     image: postgres:14.4
     volumes:
@@ -214,6 +216,7 @@ services:
     restart: "always"
     environment:
       - POSTGRES_PASSWORD=${ARGO_DB_PASS}
+
   argo-web:
     environment:
       - DJANGO_PORT=${ARGO_PORT}
@@ -244,6 +247,16 @@ services:
     hostname: argo.library.pitt.edu
     volumes:
       - ./argo:/code
+    labels:
+      - traefik.port=8001  
+      - traefik.enable=true
+      # Entry Point for https
+      - traefik.http.routers.argo-web-https.rule=Host(`${ARGO_DNS}`)
+      - traefik.http.routers.argo-web-https.entrypoints=web,websecure
+      - traefik.http.routers.argo-web-https.tls=true
+      - traefik.http.routers.argo-web-https.service=argo-web-https
+      - traefik.http.services.argo-web-https.loadbalancer.server.port=8001
+
     networks:
       - astraeus-interop
     ports:
@@ -260,6 +273,7 @@ services:
       - astraeus-interop
     environment:
       - POSTGRES_PASSWORD=${RB_DB_PASS}
+
   request-broker-web:
     environment:
       - DJANGO_DEBUG=${DJANGO_DEBUG}
@@ -276,7 +290,8 @@ services:
       - AS_USERNAME=${AS_USERNAME}
       - AS_PASSWORD=${AS_PASSWORD}
       - AS_REPO_ID=${AS_REPO_ID}
-      - AEON_API_KEY=${RB_AEON_API_KEY}
+      - AEON_APIKEY=${RB_AEON_API_KEY}
+      - AEON_BASEURL=${RB_AEON_BASEURL}
       - EMAIL_HOST=${EMAIL_HOST}
       - EMAIL_PORT=${EMAIL_PORT}
       - EMAIL_HOST_USER=${EMAIL_HOST_USER}
@@ -302,13 +317,22 @@ services:
     hostname: requestbroker.library.pitt.edu
     volumes:
       - ./request_broker:/code
+    labels:
+      - traefik.port=8000
+      - traefik.enable=true
+      ## expose available RB Api end entries
+      - "traefik.http.routers.request-broker-web.rule=(Host(`${RB_DNS}`) && PathRegexp(`^/api/(.*)$`))"
+      - traefik.http.routers.request-broker-web.entrypoints=web,websecure
+      - traefik.http.routers.request-broker-web.tls=true
+      - traefik.http.services.request-broker-web.loadbalancer.server.port=8000
     networks:
       - astraeus-interop
     ports:
       - "${RB_PORT:-8000}:${RB_PORT:-8000}"
     depends_on:
       - request-broker-db
     restart: "always"
+
   dimes-web:
     build: 
       context: ./dimes
@@ -320,10 +344,17 @@ services:
         - REACT_APP_MINIMAP_KEY=${REACT_APP_MINIMAP_KEY}
         - REACT_APP_S3_BASEURL=${REACT_APP_S3_BASEURL}
         - REACT_APP_EMAIL=${REACT_APP_EMAIL}
-        - REACT_APP_RECAPCHA_SITE_KEY=${REACT_APP_RECAPCHA_SITE_KEY}
+        - REACT_APP_CAPTCHA_SITE_KEY=${REACT_APP_CAPTCHA_SITE_KEY}
         - REACT_APP_AEON_URL=${REACT_APP_AEON_URL}
     networks:
       - astraeus-interop
+    labels:
+      - traefik.port=80
+      - traefik.enable=true
+      - traefik.http.routers.dimes-web-https.rule=Host(`${RM_DNS}`)
+      - traefik.http.routers.dimes-web-https.entrypoints=web,websecure
+      - traefik.http.routers.dimes-web-https.tls=true
+      - traefik.http.services.dimes-web-https.loadbalancer.server.port=80
     ports:
       - 3000:80
     stdin_open: true
@@ -357,6 +388,49 @@ services:
       - 9200:9200
     restart: "always"
 
+  traefik:
+    image: traefik:v3.1
+    container_name: traefik
+    hostname: "traefik"
+    command:
+      ##- --log.level=DEBUG
+      - --log.level=INFO
+      - --providers.docker
+      - --api
+      - --api.insecure   # only for testing environment
+      - --providers.docker.exposedbydefault=false
+      #entrypoints
+      - --entryPoints.web.address=:80
+      - --entryPoints.websecure.address=:443  
+      #cert
+      - --providers.file.directory=/etc/traefik/config #dynamic config
+      - --providers.file.watch=true   ## reload any changes
+      #just apply a generic redirect non-secure instead of configuring every container
+      - --entrypoints.web.http.redirections.entryPoint.to=websecure
+      - --entrypoints.web.http.redirections.entryPoint.scheme=https
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
+    networks:
+      - astraeus-interop
+    ports:
+      - "80:80"  #encrypt uses this port 
+      - "443:443"  
+      - "8080:8080" 
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro 
+      - ${CONFIG_PATH}/config/certificates.yml:/etc/traefik/config/certificates.yml:ro
+      - ${CONFIG_PATH}/config/tls-cert/:/etc/tls-cert/
+
+    labels:
+      - "traefik.port=8080"
+      - "traefik.enable=true"
+      # dashboard 
+      - traefik.http.routers.api.entrypoints=websecure
+      - traefik.http.routers.api.rule=Host(`${DASHBOARD_HOST}`)
+      - traefik.http.routers.api.tls=true 
+      - traefik.http.routers.api.service=api@internal  #forward requests to api service
+      - traefik.http.services.dashboard.loadbalancer.server.port=8080
+    restart: always #always restart traefik
+
 volumes:
   piscesdbvolume:
   scorpiodbvolume:

env.template

@@ -6,4 +6,10 @@ PISCES_DB_PASS=piscespasswordhere # database password used in postgres container
 SCORPIO_DB_PASS=scorpiopasswordhere # database password used in postgres container, fed to scorpio and scorpio cron
 ARGO_DB_PASS=piscespasswordhere # database password used in postgres container, fed to argo and argo cron
 REQUEST_BROKER_DB_PASS=rbpasswordhere # database password used in postgres container, fed to request broker
+RB_DJANGO_ALLOWED_HOSTS = ['request-broker-web','localhost','requestbroker.library.pitt.edu']
+REACT_APP_CAPTCHA_SITE_KEY = captchasitekeyvalue # the correct name from old env varible REACT_APP_RECAPTCHA_SITE_KEY 
 
+#Traefik variables
+CONFIG_PATH=./traefik
+DASHBOARD_HOST=dashboard.docker.localhost
+RM_DNS = 'myreadingroom.library.pitt.edu'

traefik/config/certificates.yml

@@ -0,0 +1,17 @@
+#Dynamic configuration
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+  certificates:
+    - certFile: /etc/tls-cert/cert.pem
+      keyFile: /etc/tls-cert/privkey.pem
+
+

traefik/config/tls-cert/sample-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC3jCCAcYCAQAwgYAxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJwYTETMBEGA1UE
+BwwKcGl0dHNidXJnaDENMAsGA1UECgwEcGl0dDEMMAoGA1UECwwDdWxzMREwDwYD
+VQQDDAh0ZXN0aGVyZTEfMB0GCSqGSIb3DQEJARYQdGVzdDQ1NkBwaXR0LmVkdTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpYqZxKG7UrEKzNzZcRrgzC
+BgDc7roOGMwK7dY9kAOr1aZxXyTlSO1sgdXrzqK5n6IUjFyAsegkYjNzxpP7kkLd
+6rhDy8eZF6VSQt5ERuYzg6WE3eHwlNS+rhTVbI7JXnjxpFVcLChFnuEt0d6nTNby
+5pJfDjG5bxtaOXI1F2sxS/wW9nyqn5ApNBgzEYxDyrPbEtym305ioFun1exY/9AY
+HJNYjJi5YlPVS8+S1+u2emr/2QcwVixD+rikgDXETHBlUzO9ncOV0eUVUhH0i0yt
+QNIrM6wcNF8me9+y4i6WL/Pb8SWNG8Cr/5usFCCmlzbwBzW6HqFTYak5qO2OJX0C
+AwEAAaAYMBYGCSqGSIb3DQEJBzEJDAd0ZXN0YWJjMA0GCSqGSIb3DQEBCwUAA4IB
+AQBQtmJcd8ZQ6Tw6vesoLR3IrnWPlN6l9eoqhBJr7wxe549ufg4d4loIYN+VLZaK
+hbOPQ+neBa1XT5p4X/mtnNdzeRc1zBO+YwfcsDnON30PSKjUYvjnmckS6857mNLt
+zvD2tOlmvWTvfmYSZManSydyYAr595hCBglVGytyNazVcFpWLMNAJT27RsyUw5cs
+KOX8X+nlxjkwnGLmxeBmCFDb+5W8fG70CxRs/J7OPD+xhXcU3J9RLkdQ+ty7n/qV
+4QTKv/sADx67MBZ9e0La+yx4wvUoAVvUuDPuSnlaOa9HV2bm1R3ra7w1j8GmNYWQ
+x8Hf38vGnJUCfpNKwfDfb3XX
+-----END CERTIFICATE REQUEST-----

traefik/config/tls-cert/sample-private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAulipnEobtSsQrM3NlxGuDMIGANzuug4YzArt1j2QA6vVpnFf
+JOVI7WyB1evOormfohSMXICx6CRiM3PGk/uSQt3quEPLx5kXpVJC3kRG5jODpYTd
+4fCU1L6uFNVsjsleePGkVVwsKEWe4S3R3qdM1vLmkl8OMblvG1o5cjUXazFL/Bb2
+fKqfkCk0GDMRjEPKs9sS3KbfTmKgW6fV7Fj/0Bgck1iMmLliU9VLz5LX67Z6av/Z
+BzBWLEP6uKSANcRMcGVTM72dw5XR5RVSEfSLTK1A0iszrBw0XyZ737LiLpYv89vx
+JY0bwKv/m6wUIKaXNvAHNboeoVNhqTmo7Y4lfQIDAQABAoIBAAwjbGD23tktRffL
+rCG0EB9aoCN8QLyz4F+iMp3rAq+KiO8/oU/484grskVqB9rHtqNLLV11MKGLhS4O
+05eeIofihsCcAfEtgsHNGvf5gJjMMD4e6okmL7uv9Az9XgXrDhFYxDifOW0iI9hN
+MMeNJE84IVbVhEou5xLkDKvo026y+cutViODRERyfUvtaA4DCN9PXqkHSzpEW9Co
+WYb6teeFjmQDffx4wb7uoi+6AL9ruzqsM8Pf4bJ9OuRXZCdufkB7gMeOzB8OeBYS
+HOEgVDQ/39s/g8lEbXDd7CWcN+YMxFVZrzpLKUd3v35scz+JZpuNa6zUvwH31HAY
+mTTS/+ECgYEA7ss68KDmReSVuPr2816/+Q0xyI5lvnhoZPkTVuUd10WtAE/OfTQl
+bkLhTwTcWasbls8EUrA0OeyuESl0iZXOBUZaftXIDqcGTowh3xzzipE1H4fXDRuD
+fqBkGLmF+96ogl1Uwdvg8SHHkSFxGimzDCOw1QHQvgmT20e9IDOgsFkCgYEAx8X9
+b4eb01xfvpy+MBU5C/p7HgaoBEIA0s0hxJIKeNKmuRqWtpVoGrQpOzI0dLEx2PiL
+x5RaOX154oJHBWMtKr3BmAlPlsvPMI9zAJXSzuzB8X039si2h/j3N7NvrDAbHDhw
+Phna925RNuCoYFRXYUfleLWJFGQ+/aj3FsNj2cUCgYBkbSAqluCBQHMfSpyVGaIO
+8degCxMLGcR9wqq5fr4gDPOHEAk9arLbPlFXVCn/pBCESif9RpGQUtOZ8B9Mxa3R
+Vhc1BF+QmfnzCsgr9xcNjagTzKNKpemVVYsDQvLwTGH+AZZluT1O6+/sP247nJHq
+ZxA1ZQAPDCQcsnz9j/jicQKBgHPNm5nZPEULWRz/c2ggBU+iRVgkd6TwNdX8v0RZ
+e+SKB8dpWFBCz3QbV4NPGQVD6idh/HUW1C5bRBo/drfyw63xDZX6X76EKnh1zy5Z
+qzf0GoDIG3bc5qJvea86PtPLlwuG09nL1xhzRHTRSgl9GqHzsVuFsA64BaO5HHJ/
+lRQZAoGBAK7s2s3upUB9ooL805OhrKdK30wm4ieu7i6kPvwt1dedj+Nx96q+U4vN
+JByokqIaCsaUiuOYV0jOJnefbZyklcBq2TNLmMlgg2dYuFDDeKYKTP5XSeHyG+ly
+fz8GZDIqpKXS5oUF/mMr5NrTYVBGuK4fR3+AYHJ4G+ld0MwURigk
+-----END RSA PRIVATE KEY-----