diff --git a/README.md b/README.md index 21dfae33c..a6c241833 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,11 @@ This project contains the code for running Alfresco Content Services (ACS) with Compose](https://docs.docker.com/compose) or on [Kubernetes](https://kubernetes.io) using [Helm Charts](https://helm.sh). +:warning: The [Docker Compose](./docker-compose/docker-compose.yml) deployment +has moved from a custom NGINX based proxy to Traefik based proxy. +Please read the [documentation](./docs/docker-compose#alfresco-proxy-proxy) for +more details. + User docs available at: [https://alfresco.github.io/acs-deployment/](https://alfresco.github.io/acs-deployment/) ## License diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index 3b12cd455..8d8557180 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml @@ -59,6 +59,16 @@ services: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 -XX:MaxRAM=1900m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 
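Review bot: In the `alfresco` labels of 7.1.N-docker-compose.yml, the `solrapideny` and `alfrescomicrometer` deny routers win over the catch-all `alfresco` router only through Traefik's default rule-length priority, which the labels never state. Because these routers are the access control for the Solr API and the metrics endpoint, pin the ordering with an explicit label such as `- "traefik.http.routers.solrapideny.priority=100"` (value constructed for illustration), and the same for `alfrescomicrometer`. The `basicauth.users=fake:` entry also deserves a comment above it, e.g. `# deny-all: "fake" has no usable password hash, so every request is answered 401`, because it otherwise reads like a leftover credential; that it can never authenticate is presumed from the empty hash and worth confirming. Likewise, `sourcerange=127.0.0.0/8` presumably acts as a deny-all for traffic arriving through the proxy and should say so in a comment. The same labels recur in the `alfresco` hunks of the 7.2.N, 7.3.N, 7.4.N, community and docker-compose.yml files.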
@@ -108,6 +118,8 @@ services: image: quay.io/alfresco/alfresco-share:7.1.1.10 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -118,6 +130,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/.*$`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:13.3 mem_limit: 512m 
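Review bot: `CSRF_FILTER_ORIGIN` and `CSRF_FILTER_REFERER` in the `share` environment are fixed to `http://localhost:8080`, so a deployment reached under any other host name, port or scheme will presumably have its requests rejected by Share's CSRF filter, and the tempting workaround is to switch the filter off. A comment above the two keys would prevent that, e.g. `# must match the public URL served by the proxy`. If the referer value is used as a regular expression, as the trailing `.*` suggests, the dots of a real domain name should be escaped when the value is adapted. These are also the only unquoted strings in this mapping, next to `REPO_HOST: "alfresco"`. The same two lines are added in the `share` hunks of the other five compose files.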
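Review bot: The `proxiedsolrapideny` rule in the `share` labels matches the request path as Traefik receives it, while Share and the repository decide later which API is actually reached; this hunk does not show whether both sides normalise a path the same way. The Postman collection updated in this commit checks literal URLs only, so it is worth adding cases for equivalent spellings of the same path (case, encoding, extra separators) and asserting they are denied too. This file's pattern ends in `/api/solr/.*$` while the 7.2.N and later files end in `/api/solr/`; the two are presumably equivalent for matching, but using one form everywhere makes the deny rules easier to audit.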
@@ -159,18 +178,30 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.2.0 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g @@ -189,6 +220,13 @@ services: -XX:MaxRAM=1g ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index c3dfc56f8..eb318c20a 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml 
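Review bot: The new `proxy` service in 7.1.N-docker-compose.yml starts Traefik with `--api.insecure=true` and publishes that entrypoint as `- "8888:8888"`, which puts the unauthenticated dashboard and API on every host interface; binding it to loopback with `- "127.0.0.1:8888:8888"` keeps it available for local debugging without exposing the routing table to the network. `privileged: true` has no visible consumer in this hunk, and together with the read-write mount of `/var/run/docker.sock` it makes a compromise of the front-facing proxy effectively a compromise of the host; drop it unless a specific need is documented in a comment. For the socket, note that a `:ro` mount does not limit Docker API calls, so the usual mitigation is a socket proxy that permits only the read-only container endpoints Traefik needs. The identical `proxy` block is added in the 7.2.N, 7.3.N, 7.4.N, community and docker-compose.yml hunks.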
@@ -60,6 +60,16 @@ services: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 -XX:MaxRAM=1900m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 @@ -109,6 +119,8 @@ services: image: quay.io/alfresco/alfresco-share:7.2.2.4 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -119,6 +131,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:13.3 mem_limit: 512m 
@@ -163,6 +182,15 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 mem_limit: 128m @@ -170,20 +198,30 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.3.0 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g 
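Review bot: The `digital-workspace` labels in 7.2.N-docker-compose.yml define a middleware `adfroot` (`traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace`) that nothing references. The chain is `adwforceslash,adwroot`, and `adwroot` is defined with the same prefix a few lines later. It looks like a typo left behind, since the other compose files in this commit carry only `adwroot`. Remove the `adfroot` line so this label set matches the other versions.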
@@ -202,6 +240,13 @@ services: -XX:MaxRAM=1g ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml index 125e4b8f5..6cf240822 100644 --- a/docker-compose/7.3.N-docker-compose.yml +++ b/docker-compose/7.3.N-docker-compose.yml @@ -56,6 +56,16 @@ services: -Ddsync.service.uris=http://localhost:9090/alfresco -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 @@ -69,7 +79,7 @@ services: http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file ports: - "8095:8095" - links: + depends_on: - activemq transform-core-aio: image: alfresco/alfresco-transform-core-aio:3.1.2 
@@ -83,7 +93,7 @@ services: http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file ports: - "8090:8090" - links: + depends_on: - activemq shared-file-store: image: quay.io/alfresco/alfresco-shared-file-store:2.1.2 @@ -102,6 +112,8 @@ services: image: quay.io/alfresco/alfresco-share:7.3.2.1 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -111,6 +123,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m @@ -155,6 +174,14 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 mem_limit: 128m 
@@ -162,20 +189,30 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g @@ -193,6 +230,13 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml index 79edba35b..f4a3cd99b 100644 --- a/docker-compose/7.4.N-docker-compose.yml +++ b/docker-compose/7.4.N-docker-compose.yml 
@@ -56,6 +56,16 @@ services: -Ddsync.service.uris=http://localhost:9090/alfresco -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 @@ -102,6 +112,8 @@ services: image: quay.io/alfresco/alfresco-share:7.4.2.1 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -111,6 +123,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m 
@@ -156,6 +175,14 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:8.3.0 mem_limit: 128m @@ -163,20 +190,30 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g 
@@ -194,6 +231,13 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/community-docker-compose.yml b/docker-compose/community-docker-compose.yml index 399ba502c..96949de08 100644 --- a/docker-compose/community-docker-compose.yml +++ b/docker-compose/community-docker-compose.yml @@ -47,6 +47,14 @@ services: -DlocalTransform.core-aio.url=http://transform-core-aio:8090/ -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + transform-core-aio: image: alfresco/alfresco-transform-core-aio:5.1.4 mem_limit: 1536m @@ -60,6 +68,8 @@ services: image: docker.io/alfresco/alfresco-share:23.3.0 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- 
@@ -69,6 +79,14 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" + postgres: image: postgres:14.4 mem_limit: 512m @@ -111,6 +129,15 @@ services: mem_limit: 128m environment: APP_BASE_SHARE_URL: "http://localhost:8080/aca/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.aca.rule=PathPrefix(`/content-app`)" + - "traefik.http.middlewares.acaroot.stripprefix.prefixes=/content-app" + - "traefik.http.middlewares.acaforceslash.redirectregex.regex=^(.*/content-app)$$" + - "traefik.http.middlewares.acaforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.acachain.chain.middlewares=acaforceslash,acaroot" + - "traefik.http.routers.aca.middlewares=acachain@docker" + control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 mem_limit: 128m 
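Review bot: In the `content-app` hunk of community-docker-compose.yml the router is registered for the `/content-app` prefix, but the unchanged `APP_BASE_SHARE_URL` just above it still points at `http://localhost:8080/aca/#/preview/s`. No router in this file claims `/aca`, so such a link would presumably fall through to the catch-all `alfresco` router rather than reach the Content App. If that is not intended, change the value to `"http://localhost:8080/content-app/#/preview/s"`. The mismatch may predate this commit, since the environment line is context.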
@@ -118,22 +145,28 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" + proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - environment: - DISABLE_PROMETHEUS: "true" - DISABLE_SYNCSERVICE: "true" - DISABLE_ADW: "true" - ENABLE_CONTENT_APP: "true" - depends_on: - - alfresco - - content-app - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - content-app - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index c5f4e9299..979e4b2f7 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
@@ -64,6 +64,16 @@ services: timeout: 3s retries: 3 start_period: 1m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 @@ -110,6 +120,8 @@ services: image: quay.io/alfresco/alfresco-share:23.3.0 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -119,6 +131,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m 
@@ -198,6 +217,14 @@ services: APP_CONFIG_PLUGIN_PROCESS_SERVICE: "false" APP_CONFIG_PLUGIN_MICROSOFT_ONLINE: "false" APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 mem_limit: 128m @@ -205,16 +232,30 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - depends_on: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:4.0.1 mem_limit: 1g 
@@ -232,6 +273,13 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docs/docker-compose/README.md b/docs/docker-compose/README.md index de14b167f..2a62f7d79 100644 --- a/docs/docker-compose/README.md +++ b/docs/docker-compose/README.md @@ -16,7 +16,7 @@ graph TB subgraph "Docker Compose (enterprise)" direction TB Client("👥 Clients") - proxy("nginx reverse proxy") + proxy("Traefik reverse proxy") acs("Alfresco Content Services") sync("Alfresco Sync Service") @@ -81,7 +81,7 @@ graph TB subgraph "Docker Compose (community)" direction TB Client("👥 Users") - proxy("nginx reverse proxy") + proxy("Traefik reverse proxy") acs("Alfresco Content Services") ass("Alfresco Search Services") pg[("PostgreSQL")] @@ -178,14 +178,6 @@ others. If Docker is running on your local machine, the IP address will be just _localhost_. -If you're using the [Docker -Toolbox](https://docs.docker.com/toolbox/toolbox_install_windows), run the -following command to find the IP address: - -```bash -docker-machine ip -``` - ## Configure The provided Docker compose file provides some default configuration, the 
@@ -395,38 +387,20 @@ share: ### Alfresco Proxy (proxy) -| Property | Description | Default value | -|--------------------|------------------------------------------------------------------|------------------------------------| -| ADW_URL | Digital Workspace URL inside network. | `http://digital-workspace` | -| CONTROL_CENTER_URL | Control Center URL inside network. | `http://control-center` | -| REPO_URL | Repository URL inside network. | `http://alfresco:8080` | -| SHARE_URL | Share URL inside network. | `http://share:8080` | -| SYNCSERVICE_URL | Sync service URL inside network. | `http://sync-service:9090` | -| ACCESS_LOG | Sets the `access_log` value. Set to `off` to switch off logging. | | -| USE_SSL | `false` | Enables ssl use if set to `"true"` | -| DOMAIN | Set domain value for ssl certificate | n/a | +We used to maintain and ship a ustom nginx image for Alfresco docker compose +deployments. This image is now deprecated and replaced by Traefik. Traefik is a +modern HTTP reverse proxy and load balancer that makes deploying microservices +easy. In particular it makes dynamic configuration easy and integrates with +docker compose using +[labels](https://docs.docker.com/reference/compose-file/deploy/#labels). 
-If USE_SSL set to true provide ssl cert in ssl/cert.crt and ssl/cert.key +Please refer to Traefik documentation for more information on how to configure +it: -```yml -alfresco-proxy: - image: alfresco/alfresco-acs-nginx:3.2.0 - depends_on: - - alfresco - - digital-workspace - ports: - - "443:443" # when USE_SSL="true" -# - "8080:8080" # default - links: - - digital-workspace - - alfresco - - share - volumes: - - ${PWD}/ssl/:/etc/nginx/ssl/ # when USE_SSL="true" - environment: - USE_SSL: "true" - DOMAIN: "domain.com" # when USE_SSL="true" -``` +* [Traefik routers](https://doc.traefik.io/traefik/routing/routers/) +* [Traefik services](https://doc.traefik.io/traefik/routing/services/) +* [Traefik middlewares](https://doc.traefik.io/traefik/middlewares/overview/) +* [Traefik TLS](https://doc.traefik.io/traefik/https/tls/) ## Customise @@ -470,4 +444,3 @@ The list below shows the location of the publicly available `Dockerfile` for the * [solr6](https://github.com/Alfresco/SearchServices/blob/master/search-services/packaging/src/docker/Dockerfile) * [transform-core-aio](https://github.com/Alfresco/alfresco-transform-core/blob/master/engines/aio/Dockerfile) * [activemq](https://github.com/Alfresco/alfresco-docker-activemq/blob/master/Dockerfile) -* [proxy](https://github.com/Alfresco/acs-ingress/blob/master/Dockerfile) diff --git a/docs/helm/autoscaling.md b/docs/helm/autoscaling.md index c159cc23e..7cc1f2f9e 100644 --- a/docs/helm/autoscaling.md +++ b/docs/helm/autoscaling.md 
@@ -205,7 +205,7 @@ broker the jolokia restAPI which ActiveMQ normally provides is not available. In order to use the KEDA and scale based on message queues size you will need to use the [Cloudwatch scaler](https://keda.sh/docs/latest/scalers/aws-cloudwatch/) , create your own -[scaledobject](https://keda.sh/docs/latest/concepts/scaling-deployments/#scaledobject-spec) +[scaledobject](https://keda.sh/docs/2.14/concepts/scaling-deployments/#scaledobject-spec) using [Cloudwatch scaler](https://keda.sh/docs/latest/scalers/aws-cloudwatch/) as a `trigger` leveraging one of the [AWS authentication provider](https://keda.sh/docs/2.14/authentication-providers/) and disable the diff --git a/test/postman/docker-compose/acs-test-docker-compose-collection.json b/test/postman/docker-compose/acs-test-docker-compose-collection.json index 3cabbe492..461e1d099 100644 --- a/test/postman/docker-compose/acs-test-docker-compose-collection.json +++ b/test/postman/docker-compose/acs-test-docker-compose-collection.json @@ -695,7 +695,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ], @@ -769,7 +769,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoNoauthProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ], @@ -842,7 +842,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoFeedProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ],