From 14428cdb61622b6646efd611b18e0dc367ce53de Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 15:35:14 +0200 Subject: [PATCH 01/27] replace nginx image by traefik --- docker-compose/docker-compose.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index c5f4e9299..9e68f8c4d 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -206,15 +206,18 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" ports: - "8080:8080" - depends_on: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true sync-service: image: quay.io/alfresco/service-sync:4.0.1 mem_limit: 1g From dbdfa8e7d4945e05c81bdc698413c72c0a9478be Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 15:46:52 +0200 Subject: [PATCH 02/27] add alfresco router --- docker-compose/docker-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 9e68f8c4d..000d65760 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -64,6 +64,11 @@ services: timeout: 3s retries: 3 start_period: 1m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 From 87fc792a0caccf2cb20fddafe3a6482eb03b1153 Mon Sep 17 00:00:00 2001 
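Review bot: In the `proxy` service of patch 01, `--api.insecure=true` combined with the published `"8888:8888"` port serves the Traefik API and dashboard without authentication on every host interface. Binding it to loopback with `- "127.0.0.1:8888:8888"` keeps it available for local debugging only. `privileged: true` is not needed to listen on 8080/8888 and should be dropped. Because the later patches label every routed service with `traefik.enable=true`, adding `- "--providers.docker.exposedbydefault=false"` would keep unlabelled containers such as `postgres` out of the routing table. The same block is copied into the 7.4, 7.3, 7.2 and 7.1 compose files in patches 10–13.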
From: Alexandre Chapellon Date: Thu, 19 Sep 2024 17:14:50 +0200 Subject: [PATCH 03/27] add share router --- docker-compose/docker-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 000d65760..3ab126d88 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -124,6 +124,11 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + postgres: image: postgres:14.4 mem_limit: 512m From 8253b7091809dce2b5a430234d39a3f1c16fb7df Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 17:17:26 +0200 Subject: [PATCH 04/27] add share CSRF config --- docker-compose/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 3ab126d88..bd10c165d 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -115,6 +115,8 @@ services: image: quay.io/alfresco/alfresco-share:23.3.0 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- From 8f8482dc28bc217a8c5f02c5f624bf229c365dac Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 17:19:39 +0200 Subject: [PATCH 05/27] add adf apps routers --- docker-compose/docker-compose.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index bd10c165d..48d4b48bd 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
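Review bot: In the `share` environment hunk of patch 04, `CSRF_FILTER_ORIGIN` and `CSRF_FILTER_REFERER` are pinned to `http://localhost:8080` with no comment, so nothing tells an operator that they must change together with the address the proxy is published on. The referer value ends in `.*`, which suggests it is read as a regular expression; if so, the unescaped dots of a real host name would match any character. Suggest a comment above the two keys such as `# must equal the externally visible Share URL; the referer value is a regex, escape dots in the host name`, and quoting both values like the neighbouring `REPO_HOST: "alfresco"`. The `environment` mapping continues outside the hunk.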
@@ -210,6 +210,10 @@ services: APP_CONFIG_PLUGIN_PROCESS_SERVICE: "false" APP_CONFIG_PLUGIN_MICROSOFT_ONLINE: "false" APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 mem_limit: 128m @@ -217,6 +221,10 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.acc.middlewares=adfroot@docker" proxy: image: traefik:v3.1.3 mem_limit: 128m @@ -230,6 +238,8 @@ services: - "8080:8080" - "8888:8888" privileged: true + labels: + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" sync-service: image: quay.io/alfresco/service-sync:4.0.1 mem_limit: 1g From abc78b5478763ec19dfe01af4113e091ca6659c8 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 17:26:48 +0200 Subject: [PATCH 06/27] add docker socket to traefik container --- docker-compose/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 48d4b48bd..c62295198 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -240,6 +240,8 @@ services: privileged: true labels: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:4.0.1 mem_limit: 1g From bb7bb54bd0fd5fdf34197e33d67131d545b3ecce Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 19 Sep 2024 17:36:21 +0200 Subject: [PATCH 07/27] fix acc router --- docker-compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
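Review bot: The `volumes` entry added to `proxy` in patch 06 mounts `/var/run/docker.sock` read-write into a container that patch 01 runs with `privileged: true` and an unauthenticated API on 8888, so a compromise of the proxy amounts to control of the Docker daemon on the host. Traefik only needs to read container metadata, so `- /var/run/docker.sock:/var/run/docker.sock:ro` is the minimal change. Note that `:ro` does not restrict which Docker API calls can be made over the socket, so fronting it with a socket proxy limited to read-only endpoints is the stronger option. The same mount is copied into the 7.1–7.4 compose files in patches 10–13.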
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index c62295198..4e70602dd 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -223,7 +223,7 @@ services: BASE_PATH: ./ labels: - "traefik.enable=true" - - "traefik.http.routers.acc.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" - "traefik.http.routers.acc.middlewares=adfroot@docker" proxy: image: traefik:v3.1.3 From 4f7d807246919b586bfd0fbc03d682f96323c42f Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 20 Sep 2024 09:27:24 +0200 Subject: [PATCH 08/27] secure solr api (older acs) --- docker-compose/docker-compose.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 4e70602dd..b1023f41e 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -67,8 +67,9 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 @@ -130,7 +131,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m 
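Review bot: The `solrapideny` router in the first hunk of patch 08, and `proxiedsolrapideny` in the second, take precedence over the `alfresco` and `share` routers only because Traefik's default priority is the rule length; nothing in the labels states that. Setting it explicitly, e.g. `- "traefik.http.routers.solrapideny.priority=100"` (value constructed) and the same for `proxiedsolrapideny`, keeps the deny rules effective if any of the rules is edited later. A short comment above the two labels saying that they block the Solr API at the proxy would also help. The deny is a match on the request path at the proxy layer, so any protection the repository itself offers for this API should presumably stay enabled rather than be replaced by it.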
@@ -240,6 +242,7 @@ services: privileged: true labels: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: From f0cbcf61f63449a7f93a8ac6a48a3937a7330c5f Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 20 Sep 2024 09:37:08 +0200 Subject: [PATCH 09/27] filter prometheus by client IP (default localhost only) --- docker-compose/docker-compose.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index b1023f41e..5e2df0dcd 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -67,9 +67,11 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" - - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 @@ -243,6 +245,7 @@ services: labels: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: From b98e998bf73467b7644be83b0e4babc25a6d292a Mon Sep 17 00:00:00 2001 
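Review bot: `traefik.http.middlewares.fakeauth.basicauth.users=test:` in the third hunk of patch 08 denies access by declaring a user with an empty password hash, which holds only as long as the basic-auth middleware never accepts an empty hash. It also answers with a 401 credential prompt rather than a 403. The intent is not readable from the label, so add a comment such as `# deny-all: user "test" has no valid hash, every request to the solr API routers gets 401`. An `ipallowlist` middleware with a range no client can come from would express the deny explicitly and return 403, which is what the Postman tests expected before patch 17.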
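Review bot: `ipallowlist.sourcerange=127.0.0.0/8` in the second hunk of patch 09 is evaluated inside the Traefik container, where a request arriving through the published `8080` port normally carries the Docker bridge address rather than a loopback address. The filter therefore likely rejects every client, including the host's own localhost. That fails closed, but it does not match the "default localhost only" wording of the commit. Suggest a comment on the label such as `# 127.0.0.0/8 only matches traffic originating inside the proxy container; replace with the Prometheus scraper's CIDR to enable scraping`.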
From: Alexandre Chapellon Date: Mon, 23 Sep 2024 15:49:36 +0200 Subject: [PATCH 10/27] replicate traefik changes to 7.4 docker compose file --- docker-compose/7.4.N-docker-compose.yml | 50 ++++++++++++++++++++----- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml index 79edba35b..c7dc47c66 100644 --- a/docker-compose/7.4.N-docker-compose.yml +++ b/docker-compose/7.4.N-docker-compose.yml @@ -56,6 +56,14 @@ services: -Ddsync.service.uris=http://localhost:9090/alfresco -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:4.1.4 @@ -102,6 +110,8 @@ services: image: quay.io/alfresco/alfresco-share:7.4.2.1 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -111,6 +121,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" + postgres: image: postgres:14.4 mem_limit: 512m 
@@ -156,6 +173,10 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:8.3.0 mem_limit: 128m @@ -163,20 +184,29 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.routers.acc.middlewares=adfroot@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + labels: + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g From ec6015dbeb8524f36b1620d3d4bbab40dae3c5e0 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 15:53:23 +0200 Subject: [PATCH 11/27] replicate traefik changes to 7.3 docker compose file --- docker-compose/7.3.N-docker-compose.yml | 49 ++++++++++++++++++++----- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml index 125e4b8f5..fa17162bb 100644 --- a/docker-compose/7.3.N-docker-compose.yml 
+++ b/docker-compose/7.3.N-docker-compose.yml @@ -56,6 +56,14 @@ services: -Ddsync.service.uris=http://localhost:9090/alfresco -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 @@ -102,6 +110,8 @@ services: image: quay.io/alfresco/alfresco-share:7.3.2.1 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -111,6 +121,12 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m @@ -155,6 +171,10 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 mem_limit: 128m 
@@ -162,20 +182,29 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.routers.acc.middlewares=adfroot@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + labels: + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g From 008fc6e4a3527ba100fc3c38e4b6c1f0a5c10660 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 16:04:46 +0200 Subject: [PATCH 12/27] replicate traefik changes to 7.2 docker compose file --- docker-compose/7.2.N-docker-compose.yml | 49 ++++++++++++++++++++----- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index c3dfc56f8..85453c90f 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml 
@@ -60,6 +60,14 @@ services: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 -XX:MaxRAM=1900m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 @@ -109,6 +117,8 @@ services: image: quay.io/alfresco/alfresco-share:7.2.2.4 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -119,6 +129,12 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:13.3 mem_limit: 512m @@ -163,6 +179,10 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 mem_limit: 128m 
@@ -170,20 +190,29 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.routers.acc.middlewares=adfroot@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.3.0 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + labels: + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g From 834a2f8fcba5f22e5119821f41feeb05c99e0237 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 16:07:05 +0200 Subject: [PATCH 13/27] replicate traefik changes to 7.1 docker compose file --- docker-compose/7.1.N-docker-compose.yml | 43 ++++++++++++++++++++----- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index 3b12cd455..d7dc08ab2 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml 
@@ -59,6 +59,14 @@ services: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 -XX:MaxRAM=1900m + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m image: quay.io/alfresco/alfresco-transform-router:2.1.2 @@ -108,6 +116,8 @@ services: image: quay.io/alfresco/alfresco-share:7.1.1.10 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- @@ -118,6 +128,12 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:13.3 mem_limit: 512m 
@@ -159,18 +175,29 @@ services: APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.routers.adw.middlewares=adfroot@docker" proxy: - image: alfresco/alfresco-acs-nginx:3.2.0 + image: traefik:v3.1.3 mem_limit: 128m - depends_on: - - alfresco - - digital-workspace + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" ports: - "8080:8080" - links: - - digital-workspace - - alfresco - - share + - "8888:8888" + privileged: true + labels: + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + volumes: + - /var/run/docker.sock:/var/run/docker.sock sync-service: image: quay.io/alfresco/service-sync:3.11.3 mem_limit: 1g From 38912d0f531866669fb3991669b253c4e39201b9 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 17:44:26 +0200 Subject: [PATCH 14/27] fix function name in in prometheus router --- docker-compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 5e2df0dcd..8dcbde4a6 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
@@ -70,7 +70,7 @@ services: - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m From 74470b4c90daae713675068bdf1097e9f41974c1 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 17:45:21 +0200 Subject: [PATCH 15/27] fix AOS requests routing --- docker-compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 8dcbde4a6..6fb45c2a1 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -66,7 +66,7 @@ services: start_period: 1m labels: - "traefik.enable=true" - - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" From 35adab122650001e162c1f1a91240014d39c9d75 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 17:46:39 +0200 Subject: [PATCH 16/27] fix share proxied url regex --- docker-compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 6fb45c2a1..e388f09d5 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
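Review bot: Changing the `alfresco` rule to ``PathPrefix(`/`)`` in patch 15 makes the repository container the catch-all backend for every path that no longer rule matches, so anything its web server serves outside `/alfresco` becomes reachable through the proxy. If only the AOS endpoints are needed, list them explicitly, e.g. ``PathPrefix(`/alfresco`) || PathPrefix(`<AOS_PATH>`)`` where `<AOS_PATH>` is a placeholder for the prefixes AOS actually uses. A comment naming AOS as the reason for the wider rule would also help. The labels list continues outside the hunk, and the same rule is propagated to the 7.1–7.4 files in patch 18.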
@@ -133,7 +133,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:14.4 From 6c76ef5e9b5592ede1beed1bcf8cf7b7d7d89a4d Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 17:47:19 +0200 Subject: [PATCH 17/27] update postman tests to accept traefik behaviour (no 403) --- .../docker-compose/acs-test-docker-compose-collection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/postman/docker-compose/acs-test-docker-compose-collection.json b/test/postman/docker-compose/acs-test-docker-compose-collection.json index 3cabbe492..7fcd61fd7 100644 --- a/test/postman/docker-compose/acs-test-docker-compose-collection.json +++ b/test/postman/docker-compose/acs-test-docker-compose-collection.json @@ -695,7 +695,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);;", "});", "" ], From f90745e678d51e2ed467fc5dc1ce883caddbcb69 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 18:02:04 +0200 Subject: [PATCH 18/27] propagate fixes (prometheus,proxied urls & aos routing) to other compose files --- docker-compose/7.1.N-docker-compose.yml | 8 ++++---- docker-compose/7.2.N-docker-compose.yml | 8 ++++---- docker-compose/7.3.N-docker-compose.yml | 8 ++++---- docker-compose/7.4.N-docker-compose.yml | 9 ++++----- 4 files changed, 16 insertions(+), 17 deletions(-) 
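Review bot: The new `proxiedsolrapideny` pattern in patch 16 enumerates the Share endpoint ids (`alfresco` plus the `-noauth`, `-feed` and `-api` suffixes), so a proxy endpoint added to Share later would not be covered by the deny rule. Matching any endpoint segment, ``PathRegexp(`^/share/proxy/[^/]+/api/solr/`)``, would deny by path shape instead of by list. If the enumeration is deliberate, a comment listing where the endpoint ids come from would keep the two in step.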
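Review bot: Accepting 401 in `searchAlfrescoProxyStatusCodeTest` (patch 17) weakens what the test proves, because a 401 can come from the Traefik `fakeauth` middleware or, if the request carries no valid credentials, possibly from the backend itself. The test may then pass even when the deny router is not in effect. When the status is 401, also assert that the challenge comes from the proxy, e.g. `pm.expect(pm.response.headers.get("WWW-Authenticate")).to.include("traefik");` (Traefik's default basic-auth realm). Patch 19 applies the same relaxation to the noauth and feed tests, where the same check would apply.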
diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index d7dc08ab2..36f4d24b6 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml @@ -61,11 +61,11 @@ services: -XX:MaxRAM=1900m labels: - "traefik.enable=true" - - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -132,7 +132,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/.*$`)" - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:13.3 diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index 85453c90f..5995a731c 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml 
@@ -62,11 +62,11 @@ services: -XX:MaxRAM=1900m labels: - "traefik.enable=true" - - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -133,7 +133,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:13.3 diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml index fa17162bb..f7121e4a9 100644 --- a/docker-compose/7.3.N-docker-compose.yml +++ b/docker-compose/7.3.N-docker-compose.yml 
@@ -58,11 +58,11 @@ services: -XX:MaxRAMPercentage=80 labels: - "traefik.enable=true" - - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -125,7 +125,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" postgres: image: postgres:14.4 diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml index c7dc47c66..7307ab2b8 100644 --- a/docker-compose/7.4.N-docker-compose.yml +++ b/docker-compose/7.4.N-docker-compose.yml 
@@ -58,11 +58,11 @@ services: -XX:MaxRAMPercentage=80 labels: - "traefik.enable=true" - - "traefik.http.routers.alfresco.rule=PathPrefix(`/alfresco`)" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - - "traefik.http.routers.alfrescomicrometer.rule=PathRegex(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -125,9 +125,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" - postgres: image: postgres:14.4 mem_limit: 512m From 6868311143e10785bdc7e8ad2e4935be2a7b669e Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 18:47:34 +0200 Subject: [PATCH 19/27] fixup --- .../docker-compose/acs-test-docker-compose-collection.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/postman/docker-compose/acs-test-docker-compose-collection.json b/test/postman/docker-compose/acs-test-docker-compose-collection.json index 7fcd61fd7..461e1d099 100644 --- a/test/postman/docker-compose/acs-test-docker-compose-collection.json 
+++ b/test/postman/docker-compose/acs-test-docker-compose-collection.json @@ -695,7 +695,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoProxyStatusCodeTest\", function () {", - " pm.expect(pm.response.code).to.be.oneOf([401,403]);;", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ], @@ -769,7 +769,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoNoauthProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ], @@ -842,7 +842,7 @@ "pm.globals.get(\"url\");", "", "pm.test(\"searchAlfrescoFeedProxyStatusCodeTest\", function () {", - " pm.response.to.have.status(403);", + " pm.expect(pm.response.code).to.be.oneOf([401,403]);", "});", "" ], From 05571024fc965b3ea2b407ffba9e92ec1b5d23ad Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 19:26:34 +0200 Subject: [PATCH 20/27] add syncservice configuration --- docker-compose/7.1.N-docker-compose.yml | 7 +++++++ docker-compose/7.2.N-docker-compose.yml | 8 ++++++++ docker-compose/7.3.N-docker-compose.yml | 11 +++++++++-- docker-compose/7.4.N-docker-compose.yml | 7 +++++++ docker-compose/docker-compose.yml | 7 +++++++ 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index 36f4d24b6..452b87593 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml @@ -196,6 +196,8 @@ services: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: 
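Review bot: Accepting 401 as well as 403 in `searchAlfrescoNoauthProxyStatusCodeTest` and `searchAlfrescoFeedProxyStatusCodeTest` means these tests no longer show that the proxy rule is what refused the request, since a 401 could equally be the backend's own authentication challenge if the request carries no credentials (the request definitions are outside the hunks, so this is inferred). When the code is 401 the test could also check that the challenge comes from the proxy, for example `pm.expect(pm.response.headers.get("WWW-Authenticate")).to.include("traefik");`, assuming the `basicauth` middleware keeps Traefik's default realm.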
@@ -216,6 +218,11 @@ services: -XX:MaxRAM=1g ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index 5995a731c..b2fd960c4 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml @@ -211,6 +211,9 @@ services: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" + volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: @@ -231,6 +234,11 @@ services: -XX:MaxRAM=1g ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml index f7121e4a9..dd381eeea 100644 --- a/docker-compose/7.3.N-docker-compose.yml +++ b/docker-compose/7.3.N-docker-compose.yml @@ -77,7 +77,7 @@ services: http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file ports: - "8095:8095" - links: + depends_on: - activemq transform-core-aio: image: alfresco/alfresco-transform-core-aio:3.1.2 
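Review bot: `ports: - "9090:9090"` directly above the new labels still publishes the sync service on every host interface, so the `syncservice` router added here is not the only way in, and requests sent to 9090 skip the proxy's access log and middlewares. If the direct port is only needed locally, `- "127.0.0.1:9090:9090"` keeps it off the network; if it is not needed at all, the `ports:` entry can go now that Traefik reaches the container over the compose network. The service label is named `sync-service` while the router is `syncservice`; that presumably works because the container defines a single service, but one name for both would be easier to follow. The same block is added in the 7.2.N, 7.3.N, 7.4.N and docker-compose.yml hunks, and the `sync-service` definition starts above the hunk.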
@@ -91,7 +91,7 @@ services: http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file ports: - "8090:8090" - links: + depends_on: - activemq shared-file-store: image: quay.io/alfresco/alfresco-shared-file-store:2.1.2 @@ -203,6 +203,8 @@ services: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: @@ -222,6 +224,11 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml index 7307ab2b8..afd055cfd 100644 --- a/docker-compose/7.4.N-docker-compose.yml +++ b/docker-compose/7.4.N-docker-compose.yml @@ -204,6 +204,8 @@ services: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: 
@@ -223,6 +225,11 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index e388f09d5..ed4d1cd66 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -246,6 +246,8 @@ services: - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: @@ -265,6 +267,11 @@ services: -XX:MaxRAMPercentage=80 ports: - "9090:9090" + labels: + - "traefik.enable=true" + - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" + - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: driver_opts: From 8a102888f8fde1fc792048d4dac70d85f928da6a Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 23 Sep 2024 19:51:42 +0200 Subject: [PATCH 21/27] reorder labels top allow disabling exposing containers by default --- docker-compose/7.1.N-docker-compose.yml | 12 ++++++------ docker-compose/7.2.N-docker-compose.yml | 13 ++++++------- docker-compose/7.3.N-docker-compose.yml | 12 ++++++------ docker-compose/7.4.N-docker-compose.yml | 12 ++++++------ docker-compose/docker-compose.yml | 12 ++++++------ 5 files changed, 30 insertions(+), 31 deletions(-) 
diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index 452b87593..60d8dab69 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml @@ -64,8 +64,10 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -178,6 +180,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace" - "traefik.http.routers.adw.middlewares=adfroot@docker" proxy: image: traefik:v3.1.3 @@ -188,16 +191,11 @@ services: - "--entrypoints.web.address=:8080" - "--entryPoints.traefik.address=:8888" - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - "8888:8888" privileged: true - labels: - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" - - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: 
@@ -222,6 +220,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index b2fd960c4..82d7bf024 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml @@ -65,8 +65,10 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -182,6 +184,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 
@@ -203,17 +206,11 @@ services: - "--entrypoints.web.address=:8080" - "--entryPoints.traefik.address=:8888" - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - "8888:8888" privileged: true - labels: - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" - - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: @@ -238,6 +235,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml index dd381eeea..c4d817df2 100644 --- a/docker-compose/7.3.N-docker-compose.yml +++ b/docker-compose/7.3.N-docker-compose.yml 
@@ -61,8 +61,10 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -174,6 +176,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:7.9.0 @@ -195,16 +198,11 @@ services: - "--entrypoints.web.address=:8080" - "--entryPoints.traefik.address=:8888" - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - "8888:8888" privileged: true - labels: - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" - - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: 
@@ -228,6 +226,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml index afd055cfd..8c8007065 100644 --- a/docker-compose/7.4.N-docker-compose.yml +++ b/docker-compose/7.4.N-docker-compose.yml @@ -61,7 +61,9 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: @@ -175,6 +177,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:8.3.0 
@@ -196,16 +199,11 @@ services: - "--entrypoints.web.address=:8080" - "--entryPoints.traefik.address=:8888" - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - "8888:8888" privileged: true - labels: - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" - - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: @@ -229,6 +227,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index ed4d1cd66..c06cfa563 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml 
@@ -69,8 +69,10 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" + - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" transform-router: mem_limit: 512m @@ -217,6 +219,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - "traefik.http.routers.adw.middlewares=adfroot@docker" control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 @@ -238,16 +241,11 @@ services: - "--entrypoints.web.address=:8080" - "--entryPoints.traefik.address=:8888" - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - "8888:8888" privileged: true - labels: - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" - - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" volumes: - /var/run/docker.sock:/var/run/docker.sock sync-service: 
@@ -271,6 +269,8 @@ services: - "traefik.enable=true" - "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)" - "traefik.http.services.sync-service.loadbalancer.server.port=9090" + - "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)" + - "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1" - "traefik.http.routers.syncservice.middlewares=syncservice@docker" volumes: shared-file-store-volume: From 865b8955f57e437e4e62b373e32e01c61186d0cf Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 25 Sep 2024 10:22:47 +0200 Subject: [PATCH 22/27] apply traefik config to community compose --- docker-compose/community-docker-compose.yml | 55 +++++++++++++++------ 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/docker-compose/community-docker-compose.yml b/docker-compose/community-docker-compose.yml index 399ba502c..191ef96c6 100644 --- a/docker-compose/community-docker-compose.yml +++ b/docker-compose/community-docker-compose.yml @@ -47,6 +47,14 @@ services: -DlocalTransform.core-aio.url=http://transform-core-aio:8090/ -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + labels: + - "traefik.enable=true" + - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" + - "traefik.http.services.alfresco.loadbalancer.server.port=8080" + - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" + - "traefik.http.middlewares.fakeauth.basicauth.users=test:" + - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + transform-core-aio: image: alfresco/alfresco-transform-core-aio:5.1.4 mem_limit: 1536m @@ -60,6 +68,8 @@ services: image: docker.io/alfresco/alfresco-share:23.3.0 mem_limit: 1g environment: + CSRF_FILTER_ORIGIN: http://localhost:8080 + CSRF_FILTER_REFERER: http://localhost:8080/share/.* REPO_HOST: "alfresco" REPO_PORT: "8080" JAVA_OPTS: >- 
@@ -69,6 +79,13 @@ services: -Dalfresco.port=8080 -Dalfresco.context=alfresco -Dalfresco.protocol=http + labels: + - "traefik.enable=true" + - "traefik.http.routers.share.rule=PathPrefix(`/share`)" + - "traefik.http.services.share.loadbalancer.server.port=8080" + - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" + - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" + postgres: image: postgres:14.4 mem_limit: 512m @@ -111,6 +128,12 @@ services: mem_limit: 128m environment: APP_BASE_SHARE_URL: "http://localhost:8080/aca/#/preview/s" + labels: + - "traefik.enable=true" + - "traefik.http.routers.adw.rule=PathPrefix(`/content-app`)" + - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/content-app,/admin" + - "traefik.http.routers.adw.middlewares=adfroot@docker" + control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 mem_limit: 128m @@ -118,22 +141,24 @@ services: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" BASE_PATH: ./ + labels: + - "traefik.enable=true" + - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" + - "traefik.http.routers.acc.middlewares=adfroot@docker" + proxy: - image: alfresco/alfresco-acs-nginx:3.4.2 + image: traefik:v3.1.3 mem_limit: 128m - environment: - DISABLE_PROMETHEUS: "true" - DISABLE_SYNCSERVICE: "true" - DISABLE_ADW: "true" - ENABLE_CONTENT_APP: "true" - depends_on: - - alfresco - - content-app - - control-center + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--entrypoints.web.address=:8080" + - "--entryPoints.traefik.address=:8888" + - "--accesslog=true" + - "--providers.docker.exposedByDefault=false" ports: - "8080:8080" - links: - - content-app - - alfresco - - share - - control-center + - "8888:8888" + privileged: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock From 2b672444acc3af7cb432861d9a6c52d9ff8a77b1 Mon Sep 17 00:00:00 2001 
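Review bot: The `proxy` service added here runs with `privileged: true` and the Docker socket mounted, and it publishes the unauthenticated `--api.insecure=true` endpoint through `- "8888:8888"` on every host interface. Reading container labels needs the socket but not a privileged container, so I would remove `privileged: true` (if it was added to get past a host security module, which is a guess, a targeted `security_opt` entry is narrower) and bind the dashboard to loopback with `- "127.0.0.1:8888:8888"`. Mounting the socket as `/var/run/docker.sock:/var/run/docker.sock:ro` documents intent but does not limit Docker API calls, so a comment above `proxy:` stating that this file is for local evaluation only would be worth adding. The same settings appear as context in the `proxy` hunks of the other compose files in patch 21.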
From: Alexandre Chapellon Date: Fri, 27 Sep 2024 15:41:55 +0200 Subject: [PATCH 23/27] fix adf rediction issues and bad share middleware --- docker-compose/docker-compose.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index c06cfa563..979e4b2f7 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -69,8 +69,8 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" @@ -136,7 +136,8 @@ services: - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:14.4 mem_limit: 512m 
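Review bot: `acsfakeauth.basicauth.users=fake:` and `sharefakeauth.basicauth.users=fake:` block the Solr paths only because an entry with an empty password hash can never verify, and the labels do not say that this is a deliberate deny rule. A comment such as `# deny-all: "fake:" has no password hash, so no credential can ever match` above each would stop someone from "fixing" it by adding a hash. It is worth confirming that behaviour against the pinned `traefik:v3.1.3` image, or expressing the deny the way `prometheusipfilter` already does with `ipallowlist.sourcerange`, which answers 403 instead of a browser login prompt. Both `labels:` lists start above their hunks.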
@@ -219,8 +220,11 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin" - - "traefik.http.routers.adw.middlewares=adfroot@docker" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 mem_limit: 128m @@ -231,7 +235,11 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" - - "traefik.http.routers.acc.middlewares=adfroot@docker" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: image: traefik:v3.1.3 mem_limit: 128m From 65e071df4e2911c603c64a9cf17b4c734c967611 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 27 Sep 2024 16:56:19 +0200 Subject: [PATCH 24/27] propagate fixes to other compose files --- docker-compose/7.1.N-docker-compose.yml | 14 ++++++++----- docker-compose/7.2.N-docker-compose.yml | 21 ++++++++++++++------ docker-compose/7.3.N-docker-compose.yml | 20 +++++++++++++------ docker-compose/7.4.N-docker-compose.yml | 20 +++++++++++++------ docker-compose/community-docker-compose.yml | 22 ++++++++++++++------- 5 files changed, 67 insertions(+), 30 deletions(-) 
diff --git a/docker-compose/7.1.N-docker-compose.yml b/docker-compose/7.1.N-docker-compose.yml index 60d8dab69..8d8557180 100644 --- a/docker-compose/7.1.N-docker-compose.yml +++ b/docker-compose/7.1.N-docker-compose.yml @@ -64,8 +64,8 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" @@ -135,7 +135,8 @@ services: - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/.*$`)" - - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:13.3 mem_limit: 512m 
@@ -180,8 +181,11 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)" - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace" - - "traefik.http.routers.adw.middlewares=adfroot@docker" + - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace" + - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$" + - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot" + - "traefik.http.routers.adw.middlewares=adwchain@docker" proxy: image: traefik:v3.1.3 mem_limit: 128m diff --git a/docker-compose/7.2.N-docker-compose.yml b/docker-compose/7.2.N-docker-compose.yml index 82d7bf024..eb318c20a 100644 --- a/docker-compose/7.2.N-docker-compose.yml +++ b/docker-compose/7.2.N-docker-compose.yml @@ -65,8 +65,8 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)" - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8" - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker" 
@@ -136,7 +136,8 @@ services:
 - "traefik.http.routers.share.rule=PathPrefix(`/share`)"
 - "traefik.http.services.share.loadbalancer.server.port=8080"
 - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker"
+ - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
+ - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
 postgres:
 image: postgres:13.3
 mem_limit: 512m
@@ -184,8 +185,12 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin"
- - "traefik.http.routers.adw.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
+ - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
+ - "traefik.http.routers.adw.middlewares=adwchain@docker"
 control-center:
 image: quay.io/alfresco/alfresco-control-center:7.9.0
 mem_limit: 128m
@@ -196,7 +201,11 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- - "traefik.http.routers.acc.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
+ - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
+ - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
+ - "traefik.http.routers.acc.middlewares=accchain@docker"
 proxy:
 image: traefik:v3.1.3
 mem_limit: 128m
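Review bot: The new side of the `adw` labels in the second hunk still defines `adfroot.stripprefix.prefixes=/workspace` alongside the new `adwroot` with the same prefix, and no router or chain in this file's hunks references `adfroot` any more. The 7.1.N, 7.3.N and 7.4.N versions of the same change drop it, so this looks like a leftover; I would delete the line `- "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace"`. An unused middleware does nothing at runtime, but it makes it harder to see which labels actually sit in front of the route. The service these labels belong to starts above the hunk.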
diff --git a/docker-compose/7.3.N-docker-compose.yml b/docker-compose/7.3.N-docker-compose.yml
index c4d817df2..6cf240822 100644
--- a/docker-compose/7.3.N-docker-compose.yml
+++ b/docker-compose/7.3.N-docker-compose.yml
@@ -61,8 +61,8 @@ services:
 - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
 - "traefik.http.services.alfresco.loadbalancer.server.port=8080"
 - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- - "traefik.http.middlewares.fakeauth.basicauth.users=test:"
- - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker"
+ - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
+ - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
 - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
 - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
 - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
@@ -128,7 +128,8 @@ services:
 - "traefik.http.routers.share.rule=PathPrefix(`/share`)"
 - "traefik.http.services.share.loadbalancer.server.port=8080"
 - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker"
+ - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
+ - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
 postgres:
 image: postgres:14.4
 mem_limit: 512m
@@ -176,8 +177,11 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin"
- - "traefik.http.routers.adw.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
+ - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
+ - "traefik.http.routers.adw.middlewares=adwchain@docker"
 control-center:
 image: quay.io/alfresco/alfresco-control-center:7.9.0
 mem_limit: 128m
@@ -188,7 +192,11 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- - "traefik.http.routers.acc.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
+ - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
+ - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
+ - "traefik.http.routers.acc.middlewares=accchain@docker"
 proxy:
 image: traefik:v3.1.3
 mem_limit: 128m
diff --git a/docker-compose/7.4.N-docker-compose.yml b/docker-compose/7.4.N-docker-compose.yml
index 8c8007065..f4a3cd99b 100644
--- a/docker-compose/7.4.N-docker-compose.yml
+++ b/docker-compose/7.4.N-docker-compose.yml
@@ -61,8 +61,8 @@ services:
 - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
 - "traefik.http.services.alfresco.loadbalancer.server.port=8080"
 - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- - "traefik.http.middlewares.fakeauth.basicauth.users=test:"
- - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker"
+ - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
+ - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
 - "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
 - "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
 - "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
@@ -128,7 +128,8 @@ services:
 - "traefik.http.routers.share.rule=PathPrefix(`/share`)"
 - "traefik.http.services.share.loadbalancer.server.port=8080"
 - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker"
+ - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
+ - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
 postgres:
 image: postgres:14.4
 mem_limit: 512m
@@ -177,8 +178,11 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace,/admin"
- - "traefik.http.routers.adw.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
+ - "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
+ - "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
+ - "traefik.http.routers.adw.middlewares=adwchain@docker"
 control-center:
 image: quay.io/alfresco/alfresco-control-center:8.3.0
 mem_limit: 128m
@@ -189,7 +193,11 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- - "traefik.http.routers.acc.middlewares=adfroot@docker"
+ - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
+ - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
+ - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
+ - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
+ - "traefik.http.routers.acc.middlewares=accchain@docker"
 proxy:
 image: traefik:v3.1.3
 mem_limit: 128m
diff --git a/docker-compose/community-docker-compose.yml b/docker-compose/community-docker-compose.yml
index 191ef96c6..96949de08 100644
--- a/docker-compose/community-docker-compose.yml
+++ b/docker-compose/community-docker-compose.yml
@@ -52,8 +52,8 @@ services: - "traefik.http.routers.alfresco.rule=PathPrefix(`/`)" - "traefik.http.services.alfresco.loadbalancer.server.port=8080" - "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/.*$`)" - - "traefik.http.middlewares.fakeauth.basicauth.users=test:" - - "traefik.http.routers.solrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:" + - "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker" transform-core-aio: image: alfresco/alfresco-transform-core-aio:5.1.4 @@ -84,7 +84,8 @@ services: - "traefik.http.routers.share.rule=PathPrefix(`/share`)" - "traefik.http.services.share.loadbalancer.server.port=8080" - "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)" - - "traefik.http.routers.proxiedsolrapideny.middlewares=fakeauth@docker" + - "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:" + - "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker" postgres: image: postgres:14.4 @@ -130,9 +131,12 @@ services: APP_BASE_SHARE_URL: "http://localhost:8080/aca/#/preview/s" labels: - "traefik.enable=true" - - "traefik.http.routers.adw.rule=PathPrefix(`/content-app`)" - - "traefik.http.middlewares.adfroot.stripprefix.prefixes=/content-app,/admin" - - "traefik.http.routers.adw.middlewares=adfroot@docker" + - "traefik.http.routers.aca.rule=PathPrefix(`/content-app`)" + - "traefik.http.middlewares.acaroot.stripprefix.prefixes=/content-app" + - "traefik.http.middlewares.acaforceslash.redirectregex.regex=^(.*/content-app)$$" + - "traefik.http.middlewares.acaforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.acachain.chain.middlewares=acaforceslash,acaroot" + - "traefik.http.routers.aca.middlewares=acachain@docker" control-center: image: quay.io/alfresco/alfresco-control-center:9.0.0 
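Review bot: The third hunk renames the router to `aca` and keeps it on the `/content-app` prefix, while the context line just above the labels still sets `APP_BASE_SHARE_URL` to `http://localhost:8080/aca/#/preview/s`. Unless another router serves `/aca`, which these hunks do not show, links built from that variable would fall through to the catch-all `alfresco` router instead of reaching the content app. Either the variable should read `APP_BASE_SHARE_URL: "http://localhost:8080/content-app/#/preview/s"` or the router rule should also match `/aca`. The service definition starts above the hunk, so the intended public path should be confirmed against the rest of the file.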
@@ -144,7 +148,11 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.acc.rule=PathPrefix(`/admin`)" - - "traefik.http.routers.acc.middlewares=adfroot@docker" + - "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$" + - "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/" + - "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot" + - "traefik.http.routers.acc.middlewares=accchain@docker" proxy: image: traefik:v3.1.3 From 730d75a8948dea504421d7df0412daf7ebcebedb Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 27 Sep 2024 17:18:00 +0200 Subject: [PATCH 25/27] update doc --- README.md | 5 ++++ docs/docker-compose/README.md | 47 +++++++++++------------------------ 2 files changed, 19 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 21dfae33c..a6c241833 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,11 @@ This project contains the code for running Alfresco Content Services (ACS) with Compose](https://docs.docker.com/compose) or on [Kubernetes](https://kubernetes.io) using [Helm Charts](https://helm.sh). +:warning: The [Docker Compose](./docker-compose/docker-compose.yml) deployment +has moved from a custom NGINX based proxy to Traefik based proxy. +Please read the [documentation](./docs/docker-compose#alfresco-proxy-proxy) for +more details. + User docs available at: [https://alfresco.github.io/acs-deployment/](https://alfresco.github.io/acs-deployment/) ## License diff --git a/docs/docker-compose/README.md b/docs/docker-compose/README.md index de14b167f..b27a5b457 100644 --- a/docs/docker-compose/README.md +++ b/docs/docker-compose/README.md @@ -16,7 +16,7 @@ graph TB subgraph "Docker Compose (enterprise)" direction TB Client("👥 Clients") - proxy("nginx reverse proxy") + proxy("Traefik reverse proxy") acs("Alfresco Content Services") sync("Alfresco Sync Service") 
@@ -81,7 +81,7 @@ graph TB subgraph "Docker Compose (community)" direction TB Client("👥 Users") - proxy("nginx reverse proxy") + proxy("Traefik reverse proxy") acs("Alfresco Content Services") ass("Alfresco Search Services") pg[("PostgreSQL")] 
@@ -395,38 +395,20 @@ share: ### Alfresco Proxy (proxy) -| Property | Description | Default value | -|--------------------|------------------------------------------------------------------|------------------------------------| -| ADW_URL | Digital Workspace URL inside network. | `http://digital-workspace` | -| CONTROL_CENTER_URL | Control Center URL inside network. | `http://control-center` | -| REPO_URL | Repository URL inside network. | `http://alfresco:8080` | -| SHARE_URL | Share URL inside network. | `http://share:8080` | -| SYNCSERVICE_URL | Sync service URL inside network. | `http://sync-service:9090` | -| ACCESS_LOG | Sets the `access_log` value. Set to `off` to switch off logging. | | -| USE_SSL | `false` | Enables ssl use if set to `"true"` | -| DOMAIN | Set domain value for ssl certificate | n/a | +We used to maintain and ship a ustom nginx image for Alfresco docker compose +deployments. This image is now deprecated and replaced by Traefik. Traefik is a +modern HTTP reverse proxy and load balancer that makes deploying microservices +easy. In particular it makes dynamic configuration easy and integrates with +docker compose using +[labels](https://docs.docker.com/reference/compose-file/deploy/#labels). 
-If USE_SSL set to true provide ssl cert in ssl/cert.crt and ssl/cert.key +Please refer to Traefik documentation for more information on how to configure +it: -```yml -alfresco-proxy: - image: alfresco/alfresco-acs-nginx:3.2.0 - depends_on: - - alfresco - - digital-workspace - ports: - - "443:443" # when USE_SSL="true" -# - "8080:8080" # default - links: - - digital-workspace - - alfresco - - share - volumes: - - ${PWD}/ssl/:/etc/nginx/ssl/ # when USE_SSL="true" - environment: - USE_SSL: "true" - DOMAIN: "domain.com" # when USE_SSL="true" -``` +* [Traefik routers](https://doc.traefik.io/traefik/routing/routers/) +* [Traefik services](https://doc.traefik.io/traefik/routing/services/) +* [Traefik middlewares](https://doc.traefik.io/traefik/middlewares/overview/) +* [Traefik TLS](https://doc.traefik.io/traefik/https/tls/) ## Customise @@ -470,4 +452,3 @@ The list below shows the location of the publicly available `Dockerfile` for the * [solr6](https://github.com/Alfresco/SearchServices/blob/master/search-services/packaging/src/docker/Dockerfile) * [transform-core-aio](https://github.com/Alfresco/alfresco-transform-core/blob/master/engines/aio/Dockerfile) * [activemq](https://github.com/Alfresco/alfresco-docker-activemq/blob/master/Dockerfile) -* [proxy](https://github.com/Alfresco/acs-ingress/blob/master/Dockerfile) From 2028a314ba7c8d09e86d3561b2e38352eb37f368 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 27 Sep 2024 17:27:41 +0200 Subject: [PATCH 26/27] Looks like Docker Toolbox is no more --- docs/docker-compose/README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/docker-compose/README.md b/docs/docker-compose/README.md index b27a5b457..2a62f7d79 100644 --- a/docs/docker-compose/README.md +++ b/docs/docker-compose/README.md 
@@ -178,14 +178,6 @@ others. If Docker is running on your local machine, the IP address will be just _localhost_. -If you're using the [Docker -Toolbox](https://docs.docker.com/toolbox/toolbox_install_windows), run the -following command to find the IP address: - -```bash -docker-machine ip -``` - ## Configure The provided Docker compose file provides some default configuration, the From 71303bde8450241cc37ff0c64bd413ef43074927 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 27 Sep 2024 17:28:09 +0200 Subject: [PATCH 27/27] KEDA retired /latest path from their doc --- docs/helm/autoscaling.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/helm/autoscaling.md b/docs/helm/autoscaling.md index c159cc23e..7cc1f2f9e 100644 --- a/docs/helm/autoscaling.md +++ b/docs/helm/autoscaling.md @@ -205,7 +205,7 @@ broker the jolokia restAPI which ActiveMQ normally provides is not available. In order to use the KEDA and scale based on message queues size you will need to use the [Cloudwatch scaler](https://keda.sh/docs/latest/scalers/aws-cloudwatch/) , create your own -[scaledobject](https://keda.sh/docs/latest/concepts/scaling-deployments/#scaledobject-spec) +[scaledobject](https://keda.sh/docs/2.14/concepts/scaling-deployments/#scaledobject-spec) using [Cloudwatch scaler](https://keda.sh/docs/latest/scalers/aws-cloudwatch/) as a `trigger` leveraging one of the [AWS authentication provider](https://keda.sh/docs/2.14/authentication-providers/) and disable the