-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to caddy webserver #268
Conversation
Could it be possible to use http and not https with it ? Is it configurable ? |
It will be nice to have a solution to the SSL certificate issue, nice proposal. I'll try it ASAP (can't today). I'm wondering if this one would justify a communication on the mailing list. A priori, this shouldn't matter a great deal to change the reverse-proxy technology. But maybe some people have the docker compo in production and would have some unforeseen impact. |
Thanks for the proposal Emilien. "Caddy shines in its simplicity, automatic HTTPS, and intuitive configuration syntax, making it great for beginners and small to medium-sized projects. On the other hand, Traefik excels in its dynamic configuration capabilities, extensive plugin ecosystem, and strong community support, making it more suitable for larger and complex containerized environments." from https://stackshare.io/stackups/caddy-vs-traefik Also saw a YT video showing Traefik outperformed Caddy in a test. Apart from that, I'm a bit sad to see traefik go away. |
I'm not sure we care about performance, for the docker-compose. It's not the advised production setup anyway
Will you really be missing the configuration ? I quite like Traefik, once configured, but hate the config part. More seriously, I had gotten used to it and I'm rather bothered by having to learn yet another similar tool. But if it can help solve the SSL certificate issue for local deployments, I'm in. |
But... I'm thinking, if the aim is to generate self-signed certificate on startup, it should be fairly easy to replace the traefik-me-certificate-downloader service by a service that would auto-generate the certificates. And keep traefik. What do you think ? I also believe it should be possible to simplify our configuration for traefik. It should be possible to get something simpler for the routing at least, I don't like the way we list all possible services, it doesn't match with Traefik phylosophy) |
I want to remind everyone that I'm using a project built on top of caddy called https://github.com/lucaslorentz/caddy-docker-proxy. This project has existed for almost 6 years now and is here to stay: lucaslorentz/caddy-docker-proxy/releases?page=4. But this is because I have wanted to keep the same ability to configure the web server from docker labels. It may not be what we really want, maybe a simple file would be much better. We would just use the containers names for configuring where to send the requests to, that would work too. I'm wondering about that because docker labels are not necessary the ideal way to configure a web server and can make the configuration more difficult to work with.
Sure, but "one off" containers in docker has always been the source of confusion or problems, it's not supported by Docker. You need to hack a logic to check that everything went well, otherwise the container will keep repeating the same actions once the full docker composition is restarted. Sometimes this hack doesn't work well, so the container keep doing the same actions over and over anyway.
You can't really change how traefik was made, in my opinion the configuration is awful to work with. |
Indeed. In the end, how many services are configured behind the proxy ? Only security-proxy and static ? We are not really using the dynamic service discovery thing, actually, are we ? Static config could probably do the job |
c135b6f
to
f141c1f
Compare
I had some time to tackle this PR again! I have taken into account the feedback. What's new?
Additional finding about Caddy
SummaryPlease give me some feedback about these new changes. I'm confident that it's these were the remaining changes to greatly improve the docker composition of geOrchestra. I was wondering if I should write a migration guide? A basic one for people that already have the docker composition for geOrchestra 23 with Traefik. Or if we don't care because we consider that this docker composition is for development only. |
Thanks for this great contribution Emilien. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, thanks Emilien. The config is indeed much leaner.
CAn you please also remove the 2 traefik*.yml files in resources/ ?
Second test : FF + Gateway : Some config needs to be updated, still can't login by now Git diffSorry for whitespaces Subject: [PATCH] feat: add data api to docker
---
Index: config/console/console.properties
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>ISO-8859-1
===================================================================
diff --git a/config/console/console.properties b/config/console/console.properties
--- a/config/console/console.properties (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/console/console.properties (date 1717771250977)
@@ -311,7 +311,7 @@
#saslEnabled=false
# Activates extractor data
-# if set to true, enable layer extraction in analytics part
+# if set to true, enable layer extraction in analytics part
# default: false
# extractorappEnabled=false
@@ -330,4 +330,4 @@
# Activates area of competence
# if set to true, enable competence area in the account form and in organization page
# default: false
-# competenceAreaEnabled=false
\ No newline at end of file
+# competenceAreaEnabled=false
Index: config/gateway/application.yaml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/config/gateway/application.yaml b/config/gateway/application.yaml
--- a/config/gateway/application.yaml (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/gateway/application.yaml (date 1717773358202)
@@ -24,4 +24,4 @@
- PreserveHostHeader
filter:
secure-headers:
- referrer-policy: strict-origin
\ No newline at end of file
+ referrer-policy: strict-origin
Index: config/gateway/gateway.yaml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/config/gateway/gateway.yaml b/config/gateway/gateway.yaml
--- a/config/gateway/gateway.yaml (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/gateway/gateway.yaml (date 1717773212110)
@@ -7,7 +7,7 @@
georchestra:
gateway:
# Redirection URL after a successful logout : Defaults to /?logout
- # logoutUrl : "/?logout"
+ # logoutUrl : "/?logout"
default-headers:
# Default security headers to append to proxied requests
proxy: true
@@ -24,11 +24,6 @@
- "/proxy/?url=*"
anonymous: true
services:
- header:
- target: ${georchestra.gateway.services.header.target}
- access-rules:
- - intercept-url: /header/**
- anonymous: true
datafeeder:
target: ${georchestra.gateway.services.datafeeder.target}
headers:
@@ -37,13 +32,13 @@
access-rules:
- intercept-url: /datafeeder/**
anonymous: false
- allowed-roles: SUPERUSER,DATAFEEDER
+ allowed-roles: SUPERUSER,IMPORT
import:
target: ${georchestra.gateway.services.import.target}
access-rules:
- intercept-url: /import/**
anonymous: false
- allowed-roles: SUPERUSER,DATAFEEDER
+ allowed-roles: SUPERUSER,IMPORT
console:
target: ${georchestra.gateway.services.console.target}
access-rules:
Index: config/gateway/routes.yaml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/config/gateway/routes.yaml b/config/gateway/routes.yaml
--- a/config/gateway/routes.yaml (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/gateway/routes.yaml (date 1717771625812)
@@ -10,7 +10,7 @@
predicates:
- Path=/
filters:
- - RedirectTo=308, /header
+ - RedirectTo=308, /datahub
- id: header
uri: ${georchestra.gateway.services.header.target}
predicates:
Index: config/gateway/security.yaml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/config/gateway/security.yaml b/config/gateway/security.yaml
--- a/config/gateway/security.yaml (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/gateway/security.yaml (date 1717773059943)
@@ -24,6 +24,12 @@
orgs:
rdn: ${ldapOrgsRdn:ou=orgs}
protectedRoles: ADMINISTRATOR, GN_.*, ORGADMIN, REFERENT, USER, SUPERUSER
+
+spring:
+ webflux:
+ static-path-pattern: /login/**
+
+
# uncomment for oauth 2.0
#spring:
# security:
Index: resources/caddy/etc/Caddyfile
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/resources/caddy/etc/Caddyfile b/resources/caddy/etc/Caddyfile
--- a/resources/caddy/etc/Caddyfile (revision f11be9ea2edd1cf06c6d2760e912b0035cd5c96a)
+++ b/resources/caddy/etc/Caddyfile (date 1717770377133)
@@ -43,7 +43,7 @@
}
handle {
- reverse_proxy proxy:8080
+ reverse_proxy gateway:8080
header {
Access-Control-Allow-Origin *
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Index: config/datahub/conf/default.toml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/config/datahub/conf/default.toml b/config/datahub/conf/default.toml
--- a/config/datahub/conf/default.toml (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/datahub/conf/default.toml (date 1717771250989)
@@ -69,7 +69,7 @@
# Optional; specify a GeoJSON object to be used as filter: all records contained inside the geometry will be boosted on top,
# all records which do not intersect with the geometry will be shown with lower priority; can be specified as URL or inline
# Note: if the GeoJSON object contains multiple features, only the geometry of the first one will be kept!
-filter_geometry_url = "/console/account/areaofcompetence"
+# filter_geometry_url = "/console/account/areaofcompetence"
# filter_geometry_data = '{ "coordinates": [...], "type": "Polygon" }'
# The advanced search filters available to the user can be customized with this setting.
Index: docker-compose.yml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/docker-compose.yml b/docker-compose.yml
--- a/docker-compose.yml (revision f11be9ea2edd1cf06c6d2760e912b0035cd5c96a)
+++ b/docker-compose.yml (date 1717770101546)
@@ -14,6 +14,7 @@
datafeeder_postgis_data:
esdata:
georchestra_datadir:
+ rabbitmq_data:
secrets:
slapd_password:
@@ -79,30 +80,19 @@
- ldap_config:/etc/ldap
restart: always
- proxy:
- image: georchestra/security-proxy:latest
- healthcheck:
- test: ["CMD-SHELL", "curl -s -f http://localhost:8080/_static/bootstrap_3.0.0/css/bootstrap-theme.min.css >/dev/null || exit 1"]
- interval: 30s
- timeout: 10s
- retries: 10
+ gateway:
+ image: georchestra/gateway:latest
depends_on:
- ldap:
- condition: service_healthy
- database:
- condition: service_healthy
+ - database
volumes:
- georchestra_datadir:/etc/georchestra
environment:
- - JAVA_OPTIONS=-Dorg.eclipse.jetty.annotations.AnnotationParser.LEVEL=OFF
- - XMS=256M
- - XMX=1G
+ - JAVA_TOOL_OPTIONS=-Dgeorchestra.datadir=/etc/georchestra
env_file:
- .envs-common
- .envs-ldap
- .envs-hosts
- .envs-database-georchestra
- restart: always
cas:
image: georchestra/cas:latest
@@ -186,6 +176,8 @@
condition: service_healthy
database:
condition: service_healthy
+ rabbitmq:
+ condition: service_healthy
volumes:
- georchestra_datadir:/etc/georchestra
environment:
@@ -195,6 +187,7 @@
env_file:
- .envs-common
- .envs-ldap
+ - .envs-rabbitmq
- .envs-database-georchestra
- .envs-hosts
restart: always
@@ -401,5 +394,20 @@
volumes:
- georchestra_datadir:/etc/georchestra
restart: always
+
+ rabbitmq:
+ image: docker.io/bitnami/rabbitmq:3.12
+ healthcheck:
+ test: rabbitmq-diagnostics -q ping && rabbitmq-diagnostics -q check_local_alarms
+ interval: 60s
+ timeout: 30s
+ retries: 3
+ env_file:
+ - .envs-rabbitmq
+ environment:
+ - RABBITMQ_LOGS=-
+ volumes:
+ - 'rabbitmq_data:/bitnami/rabbitmq/mnesia'
+ restart: always
-
+
Index: config/cas/config/cas.properties
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>ISO-8859-1
===================================================================
diff --git a/config/cas/config/cas.properties b/config/cas/config/cas.properties
--- a/config/cas/config/cas.properties (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/cas/config/cas.properties (date 1717769175467)
@@ -6,7 +6,7 @@
cas.theme.param-name=georchestra
cas.theme.default-theme-name=georchestra
-cas.service-registry.initFromJson=false
+cas.service-registry.core.init-from-json=false
cas.service-registry.json.location=file:/etc/georchestra/cas/services
#uncomment if getting 302 redirects on cas.{css,js} behind nginx/apache
#server.forward-headers-strategy=FRAMEWORK
@@ -47,7 +47,7 @@
cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org
-cas.authn.oidc.jwks.jwks-file=file:///tmp/keystore.jwksdown
+cas.authn.oidc.jwks.file-system.jwks-file=file:///tmp/keystore.jwksdown
cas.authn.saml-idp.core.entity-id=https://${FQDN}/idp
-cas.authn.saml-idp.metadata.location=file:///tmp/
+cas.authn.saml-idp.metadata.file-system.location=file:///tmp/
Index: config/default.properties
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>ISO-8859-1
===================================================================
diff --git a/config/default.properties b/config/default.properties
--- a/config/default.properties (revision 05119872450ec875ccfc6f58fcd8da65c1d3e37d)
+++ b/config/default.properties (date 1717770607745)
@@ -83,13 +83,13 @@
# rabbitmq server domain name
rabbitmqHost=${RABBITMQ_HOST}
-# rabbitmq user
+# rabbitmq user
rabbitmqUser=${RABBITMQ_USERNAME}
-# rabbitmq password
+# rabbitmq password
rabbitmqPassword=${RABBITMQ_PASSWORD}
-# rabbitmq port
+# rabbitmq port
rabbitmqPort=${RABBITMQ_PORT}
### LDAP properties
@@ -144,10 +144,10 @@
# Listening port of the SMTP server
smtpPort=${SMTPPORT}
-# Activates analytics
+# Activates analytics
# WARNING : When using the geOrchestra gateway, analytics should be disabled
-# if set to true, the analytics app will be enabled (https://github.com/georchestra/georchestra/tree/master/analytics)
+# if set to true, the analytics app will be enabled (https://github.com/georchestra/georchestra/tree/master/analytics)
# console will add all links to analytics and also execute XHR requests
# header will diplay analytics app
# default: true
-# analyticsEnabled=true
+analyticsEnabled=false
Login response from gateway
|
Hi, any news on this one ? Switching off traefik seems quite desirable. I believe the main issue is Chrome support for caddy's self-signed certificate ? |
I tested it again. Didn't have any issue with the certificate generated by caddy, looks like Chrome had no issue with it. But apparently needs a fix, in the config: https://georchestra-127-0-1-1.traefik.me/ is giving me a 503 error and so are any path to the apps (e.g. https://georchestra-127-0-1-1.traefik.me/console/) |
Hello jean, I haven't had the time to look into improving or at least checking if it fully works. I expect to do so before 2025. |
Hi Emilien, |
OK I have wanted to spend a little time on this PR in this Friday afternoon. So I have just validated that I have fixed the logging feature by removing the final slash "redirect" because this is now handled in the gateway since georchestra/georchestra-gateway#109 There is just "import" container (datafeeder) that doesn't seem to redirect correctly. Well need to fix that into the docker image, for now there is a single workaround for that. This PR is now ready to be merged! I didn't see any other issues. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested and working except for browsers installed through snap which have their own certificate trust store.
Could create security risk if the root cert is leaked.
traefik.me seems down. maybe we should switch to https://nip.io? |
* switch to caddy webserver * switching to classic caddy service * adapt .gitignore * add return line end of file Caddyfile * fix wording in README.md * remove traefik.yml ressources * switch to gateway + add caddy binary to gitignore * remove redirection because now handled in gateway + redirect just import * add more comments * remove -> ignore * can keep cas path uncommented since it doesn't hurt anything * migrate from traefik.me to nip.io * add note about snap and security caddy trust * add warning icon for fnecas
Introduction
Traefik has been the source of multiple problems, #214 in particular, and is not a friendly web server to work with.
This pull request propose to switch from Traefik to Caddy webserver: https://caddyserver.com/
Caddy by itself is mature and has existed since 2015, the same year when Traefik launched.
Also, Caddy is so much simpler to work with, take a look at the documentation: https://caddyserver.com/docs/quick-starts/caddyfile
Benefits of this pull request
Overall: Way simpler docker-compose.yml and fewer services to run!
From 160 lines to 60 lines in the
docker-compose.override.yml
file, overall easier maintainability.Caddy is so much simpler to configure than Traefik, take a look at their tutorial: https://caddyserver.com/docs/quick-starts/caddyfile
This drops the automatic traefik.me certificate component and uses a self-signed TLS certificate.
Fixes Directory name needs to be named "docker" #214
caddy trust
. It is documented through this PR.Fixes Migrate away from georchestra-127-0-1-1.traefik.me in the traefik docker compose file #219
file_server
./favicon.ico
,/crossdomain.xml
and/robots.txt
works out of the box!.envs-common
and this gets propagated to every service including the web server.On ssllabs.com you get an
A
grade!What this pull request does not change
And there is no need to add complicated stuff in the Traefik for Let's Encrypt to be activated, Caddy will try Let's Encrypt out of the box.
(potential) downsides of this pull request
But the user can easily trust the self-signed TLS certificate using
caddy trust
! It is documented in this PR.TODO (missing)
Fixes