From 3ac01887cc3a1d9d27483f3d8b3798f8fde810b2 Mon Sep 17 00:00:00 2001
From: Jack Morgan
Date: Thu, 5 Aug 2021 13:15:58 +1200
Subject: [PATCH] Create proxy with HTTPS for UCCSER websites
---
.gitignore | 1 +
README.md | 43 +++++++++++++++++++++++++++++++++++++++++--
create-certs.sh | 4 ++++
docker-compose.yml | 36 ++++++++++++++++++++++++++++++++++++
traefik.yml | 37 +++++++++++++++++++++++++++++++++++++
5 files changed, 119 insertions(+), 2 deletions(-)
create mode 100644 .gitignore
create mode 100755 create-certs.sh
create mode 100644 docker-compose.yml
create mode 100644 traefik.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ab5116e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+certs/*
diff --git a/README.md b/README.md
index c457610..766276c 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,41 @@
-# uccser-development-proxy
-Proxy for working on UCCSER websites
+# UCCSER Development Proxy
+
+This proxy is used when working on the following UCCSER websites:
+
+- [CS Unplugged](https://github.com/uccser/cs-unplugged)
+- [CS Field Guide](https://github.com/uccser/cs-field-guide)
+- [codeWOF](https://github.com/uccser/codewof)
+- [DTHM for Kaiako](https://github.com/uccser/dthm4kaiako)
+
+This proxy allows multiple systems to run on your development environment simultaneously.
+
+# Setup
+
+You will need to have the following tools installed to run this proxy:
+
+- Docker
+- Docker Compose
+- [mkcert](https://github.com/FiloSottile/mkcert)
+
+Once these tools have been installed, then run `./create-certs.sh`.
+The script will create SSL certificates for all our websites.
+The script will finish with telling you when the certificates expire, where you will be required to rerun this setup.
+
+# Usage
+
+To run the proxy, run `docker-compose up -d` in this project directory.
+Docker will run the proxy in the background.
+
+You can view the dashboard of the proxy by opening a browser and going to `proxy.localhost` in your preferred web browser.
+
+To view logs of the proxy, run `docker-compose logs -f traefik`.
+
+Do shutdown the proxy, run `docker-compose down`.
+If you get a error when running this command, saying `ERROR: error while removing network: network uccser-development-proxy`, then one of our website systems is likely still running.
+The proxy will be shutdown, but the network will remain active.
+If you wish to remove the network, you will need to end all UCCSER website systems first.
+
+# Notes
+
+The proxy binds to ports 80 and 443.
+If you are trying to run other systems that wish to bind to these ports, you will need to shutdown the proxy.
diff --git a/create-certs.sh b/create-certs.sh
new file mode 100755
index 0000000..6dd9081
--- /dev/null
+++ b/create-certs.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+mkcert -install
+mkdir certs
+mkcert -key-file certs/key.pem -cert-file certs/cert.pem proxy.localhost cs-unplugged.localhost *.cs-unplugged.localhost cs-field-guide.localhost *.cs-field-guide.localhost codewof.localhost *.codewof.localhost dthm4kaiako.localhost *.dthm4kaiako.localhost
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..6fcc04f
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,36 @@
+version: "3.8"
+
+services:
+ traefik:
+ image: traefik:v2.4.13
+ container_name: uccser-development-proxy
+ ports:
+ # HTTP/HTTPS ports
+ - "80:80"
+ - "443:443"
+ environment:
+ - TZ=Pacific/Auckland
+ volumes:
+ # So that Traefik can listen to the Docker events
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ # Map certificates into the container
+ - ./certs:/etc/traefik/:z
+ # Map static config into the container
+ - ./traefik.yml:/etc/traefik/traefik.yml:ro
+ networks:
+ - uccser-development-proxy
+ labels:
+ # General labels
+ - "traefik.enable=true"
+ - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+ # HTTPS
+ - "traefik.http.routers.traefik.entryPoints=web-secure"
+ - "traefik.http.routers.traefik.service=traefik"
+ - "traefik.http.routers.traefik.rule=Host(`proxy.localhost`)"
+ - "traefik.http.routers.traefik.tls=true"
+
+networks:
+ uccser-development-proxy:
+ driver: bridge
+ # Set name so not scoped with stack name
+ name: uccser-development-proxy
diff --git a/traefik.yml b/traefik.yml
new file mode 100644
index 0000000..cf5889d
--- /dev/null
+++ b/traefik.yml
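Review bot: The wildcard names on the last `mkcert` line of create-certs.sh (`*.cs-unplugged.localhost` and the three others) are unquoted, so the shell may glob-expand them against files in the working directory before mkcert sees them; quote each one, e.g. `'*.cs-unplugged.localhost'`. `mkdir certs` errors on the rerun the README asks for when certificates expire, and nothing stops the script if `mkcert -install` fails; `set -euo pipefail` after the shebang and `mkdir -p certs` cover both. A comment above `mkcert -install` should say that it adds a local CA to the machine's trust stores and that the CA's private key must never leave the developer's machine.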
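Review bot: The `ports` entries `"80:80"` and `"443:443"` in docker-compose.yml publish the proxy on every host interface, so other machines on the same network can reach the development sites and the dashboard router; for a local-only proxy bind to loopback with `- "127.0.0.1:80:80"` and `- "127.0.0.1:443:443"`. The `:ro` on `/var/run/docker.sock` makes only the socket file read-only, not the Docker API behind it, so the container still has full control of the daemon; the comment above that volume should say so. The `./certs:/etc/traefik/:z` mount holds the private key and is writable from the container; `:ro,z` looks sufficient because Traefik only reads it, though it is worth confirming that the nested `traefik.yml` bind mount still resolves with a read-only parent.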
@@ -0,0 +1,37 @@
+# Defines openings for incoming requests
+entryPoints:
+ web:
+ address: ":80"
+ # Global redirect from HTTP to HTTPS
+ http:
+ redirections:
+ entryPoint:
+ to: web-secure
+ scheme: https
+ web-secure:
+ address: ":443"
+
+providers:
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ watch: true
+ exposedByDefault: false
+ file:
+ directory: "/etc/traefik/"
+ watch: true
+
+tls:
+ certificates:
+ - certFile: "/etc/traefik/cert.pem"
+ keyFile: "/etc/traefik/key.pem"
+
+log:
+ level: INFO
+ format: common
+
+global:
+ sendAnonymousUsage: false
+
+api:
+ dashboard: true
+ insecure: true
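Review bot: `api.insecure: true` at the end of traefik.yml serves the dashboard and API without authentication on Traefik's internal `traefik` entrypoint (port 8080), which every container attached to the `uccser-development-proxy` network can reach even though docker-compose.yml does not publish that port. The compose labels already define a TLS router for `proxy.localhost`, so set `insecure: false` here and point that router at the built-in service with `traefik.http.routers.traefik.service=api@internal`, dropping the `loadbalancer.server.port=8080` label. Separately, `tls.certificates` is dynamic configuration in Traefik v2 and appears to take effect only because the file provider's `directory` also contains this file; a comment above the `tls:` block should record that dependency.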