Add TLS termination point and varnish for quicker responses
This commit is contained in:
parent
310d4756c4
commit
3b8f4346be
28
base.yml
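--- a/base.yml
+++ b/base.yml
@@ -4,6 +4,8 @@ networks:
 frontend:
 driver: overlay
 attachable: true
+cache:
+driver: overlay
 
 secrets:
 cf_op:
@@ -40,7 +42,29 @@ services:
 - cf_op
 volumes:
 - 'haproxysock:/haproxy:rw' ## Telegraf monitoring
-ports:
-- '443:443'
 networks:
 - frontend
+- cache
+
+varnish:
+image: localhost:5000/varnish
+deploy: *gt2
+logging: *json-log
+tmpfs: /usr/local/var/varnish
+networks:
+- cache
+
+hitch:
+image: zazukoians/hitch
+deploy: *gt2
+logging: *json-log
+secrets:
+- source: ssl_master
+environment:
+HITCH_PEM: '/run/secrets/ssl_master'
+HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'
+HITCH_CIPHER: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
+ports:
+- '443:443'
+networks:
+- cache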
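Review bot: The client-certificate check HAProxy used to enforce on :443 (`ca-file /run/secrets/cf_op verify required`, visible in the haproxy hunk further down) has no counterpart in the new hitch service's `HITCH_PARAMS`, so the published 443 now accepts any TLS client and the Cloudflare-only origin-pull guarantee is lost, while the `cf_op` secret stays mounted on haproxy unused. If the hitch build in `zazukoians/hitch` is recent enough to support client verification (`client-verify` / `client-verify-ca`), configure it against the cf_op CA; otherwise keep TLS termination on HAProxy or restrict the published port at the host firewall before this ships. Separately, hitch forwards plain HTTP to varnish without PROXY protocol, so Varnish (and HAProxy behind it) sees the hitch overlay address as the client; pair `HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443 --write-proxy-v2'` with a `-a :80,PROXY` listener in the varnish image. `ssl_master` is referenced by hitch but not declared in the visible top-level `secrets:` block — presumably it is defined outside this hunk; verify.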
@ -33,9 +33,8 @@ resolvers dockerdns
|
||||||
|
|
||||||
frontend https
|
frontend https
|
||||||
mode http
|
mode http
|
||||||
bind *:443 ssl crt /run/secrets/ssl_master ciphers EECDH+AESGCM:EDH+AESGCM ca-file /run/secrets/cf_op verify required
|
bind *:80
|
||||||
|
|
||||||
acl secure dst_port eq 443
|
|
||||||
acl is_cf req.hdr_ip(x-forwarded-for) -m found
|
acl is_cf req.hdr_ip(x-forwarded-for) -m found
|
||||||
acl dav url_beg /.well-known/carddav /.well-known/caldav
|
acl dav url_beg /.well-known/carddav /.well-known/caldav
|
||||||
acl root url /
|
acl root url /
|
||||||
|
@ -44,14 +43,14 @@ frontend https
|
||||||
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
|
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
|
||||||
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
|
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
|
||||||
|
|
||||||
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
|
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:2096
|
||||||
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
|
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:2096
|
||||||
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
|
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:2096
|
||||||
acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
|
acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443 or -i webgit.redxen.eu:2096
|
||||||
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
|
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:2096
|
||||||
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
|
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu:2096
|
||||||
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443
|
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096 or -i www.redxen.eu:2096
|
||||||
acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443
|
acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443 or -i znc.redxen.eu:2096
|
||||||
|
|
||||||
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
|
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
|
||||||
|
|
||||||
|
@ -60,8 +59,8 @@ frontend https
|
||||||
redirect location /index.html code 301 if homepage root
|
redirect location /index.html code 301 if homepage root
|
||||||
redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
|
redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
|
||||||
|
|
||||||
http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
|
http-response replace-header Set-Cookie (.*) \1;\ Secure
|
||||||
http-response add-header X-Forwarded-Proto https if secure
|
http-response add-header X-Forwarded-Proto https
|
||||||
|
|
||||||
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
|
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
|
||||||
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
|
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
|
|
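Review bot: With `verify required` gone from the bind line and Varnish now in front of HAProxy, the `is_cf` ACL (`req.hdr_ip(x-forwarded-for) -m found`) no longer identifies Cloudflare traffic: Varnish populates X-Forwarded-For on every request it forwards, so the ACL matches everything and whatever it gates outside this hunk becomes unconditional. If Cloudflare-only access still matters, enforce it where TLS is terminated (hitch) or match Cloudflare's published source ranges once the PROXY protocol carries the real address through. Dropping the `secure` guard is acceptable only because `bind *:80` is reachable solely through the `frontend`/`cache` overlays; a comment such as `# plaintext only: TLS is terminated by hitch -> varnish in front of us` on the bind line would record that assumption. Also, `http-response add-header X-Forwarded-Proto https` adds a header to the response sent back to the client, whereas the backends need it on the request, i.e. `http-request set-header X-Forwarded-Proto https` — this predates the commit, but the line is being touched here.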
@ -0,0 +1,3 @@
|
||||||
|
FROM varnish
|
||||||
|
|
||||||
|
COPY varnish.vcl /etc/varnish/default.vcl
|
|
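Review bot: `FROM varnish` pulls the floating `latest` tag, so each rebuild of `localhost:5000/varnish` may silently pick up a different Varnish major with different builtin-VCL behaviour and default `varnishd` flags; pin a specific tag (ideally by digest) so the VCL is tested against one version. The image keeps the base image's default CMD, which decides which listeners (HTTP and/or PROXY) and which storage size the service runs with — document that dependency in a comment, e.g. `# relies on the base image's default CMD for listeners/storage; override here if PROXY protocol from hitch is enabled`.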
@ -0,0 +1,10 @@
|
||||||
|
vcl 4.0;
|
||||||
|
|
||||||
|
backend default {
|
||||||
|
.host = "haproxy";
|
||||||
|
.port = "80";
|
||||||
|
.max_connections = 300;
|
||||||
|
.first_byte_timeout = 300s;
|
||||||
|
.connect_timeout = 5s;
|
||||||
|
.between_bytes_timeout = 2s;
|
||||||
|
}
|
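Review bot: The `default` backend has no `.probe`, so Varnish keeps sending requests to `haproxy:80` while it is down and every miss turns into a 503 with no sick/healthy signal in `varnishadm backend.list`; the probe below (against a path HAProxy answers directly, e.g. a `monitor-uri`) fixes that. `.between_bytes_timeout = 2s` also applies to large, slow responses such as Nextcloud or Transmission downloads proxied through HAProxy — presumably meant to cut off hung backends, but a 2s stall mid-body aborts the transfer; confirm against real traffic. Since this file relies entirely on the builtin VCL (pass on Cookie/Authorization, no caching of `private`/Set-Cookie responses), a header comment stating that, e.g. `# No vcl_recv/vcl_backend_response overrides: caching policy is the builtin VCL plus the Cache-Control headers HAProxy sets`, would stop a later edit from widening it by accident.
```vcl
backend default {
    .host = "haproxy";
    .port = "80";
    # … unchanged: max_connections and timeouts …
    .probe = {
        .url = "/";            # use a path HAProxy answers itself (monitor-uri)
        .interval = 5s;
        .timeout = 2s;
        .window = 5;
        .threshold = 3;
    }
}
```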