diff options
author | Alex Auvolat <alex@adnab.me> | 2023-04-25 12:34:26 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2023-04-25 12:34:26 +0200 |
commit | fa78d806e3ae40031e80eebb86e4eb1756d7baea (patch) | |
tree | 144662fb430c484093f6f9a585a2441c2ff26494 /doc/book/cookbook/reverse-proxy.md | |
parent | 654999e254e6c1f46bb5d668bc1230f226575716 (diff) | |
parent | a16eb7e4b8344d2f58c09a249b7b1bd17d339a35 (diff) | |
download | garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.tar.gz garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.zip |
Merge branch 'main' into next
Diffstat (limited to 'doc/book/cookbook/reverse-proxy.md')
-rw-r--r-- | doc/book/cookbook/reverse-proxy.md | 182 |
1 files changed, 152 insertions, 30 deletions
diff --git a/doc/book/cookbook/reverse-proxy.md b/doc/book/cookbook/reverse-proxy.md index c8fde28d..9c833ad0 100644 --- a/doc/book/cookbook/reverse-proxy.md +++ b/doc/book/cookbook/reverse-proxy.md @@ -168,40 +168,65 @@ Here is [a basic configuration file](https://doc.traefik.io/traefik/https/acme/# ### Add Garage service -To add Garage on Traefik you should declare a new service using its IP address (or hostname) and port: +To add Garage on Traefik you should declare two new services using its IP +address (or hostname) and port, these are used for the S3, and web components +of Garage: ```toml [http.services] - [http.services.my_garage_service.loadBalancer] - [[http.services.my_garage_service.loadBalancer.servers]] + [http.services.garage-s3-service.loadBalancer] + [[http.services.garage-s3-service.loadBalancer.servers]] url = "http://xxx.xxx.xxx.xxx" port = 3900 + + [http.services.garage-web-service.loadBalancer] + [[http.services.garage-web-service.loadBalancer.servers]] + url = "http://xxx.xxx.xxx.xxx" + port = 3902 ``` It's possible to declare multiple Garage servers as back-ends: ```toml [http.services] - [[http.services.my_garage_service.loadBalancer.servers]] + [[http.services.garage-s3-service.loadBalancer.servers]] url = "http://xxx.xxx.xxx.xxx" port = 3900 - [[http.services.my_garage_service.loadBalancer.servers]] + [[http.services.garage-s3-service.loadBalancer.servers]] url = "http://yyy.yyy.yyy.yyy" port = 3900 - [[http.services.my_garage_service.loadBalancer.servers]] + [[http.services.garage-s3-service.loadBalancer.servers]] url = "http://zzz.zzz.zzz.zzz" port = 3900 + + [[http.services.garage-web-service.loadBalancer.servers]] + url = "http://xxx.xxx.xxx.xxx" + port = 3902 + [[http.services.garage-web-service.loadBalancer.servers]] + url = "http://yyy.yyy.yyy.yyy" + port = 3902 + [[http.services.garage-web-service.loadBalancer.servers]] + url = "http://zzz.zzz.zzz.zzz" + port = 3902 ``` Traefik can remove unhealthy servers automatically with [a health check configuration](https://doc.traefik.io/traefik/routing/services/#health-check): ``` [http.services] - [http.services.my_garage_service.loadBalancer] - [http.services.my_garage_service.loadBalancer.healthCheck] - path = "/" - interval = "60s" - timeout = "5s" + [http.services.garage-s3-service.loadBalancer] + [http.services.garage-s3-service.loadBalancer.healthCheck] + path = "/health" + port = "3903" + #interval = "15s" + #timeout = "2s" + + [http.services.garage-web-service.loadBalancer] + [http.services.garage-web-service.loadBalancer.healthCheck] + path = "/health" + port = "3903" + #interval = "15s" + #timeout = "2s" ``` ### Adding a website @@ -210,10 +235,15 @@ To add a new website, add the following declaration to your Traefik configuratio ```toml [http.routers] + [http.routers.garage-s3] + rule = "Host(`s3.example.org`)" + service = "garage-s3-service" + entryPoints = ["websecure"] + [http.routers.my_website] rule = "Host(`yoururl.example.org`)" - service = "my_garage_service" - entryPoints = ["web"] + service = "garage-web-service" + entryPoints = ["websecure"] ``` Enable HTTPS access to your website with the following configuration section ([documentation](https://doc.traefik.io/traefik/https/overview/)): @@ -226,7 +256,7 @@ Enable HTTPS access to your website with the following configuration section ([d ... ``` -### Adding gzip compression +### Adding compression Add the following configuration section [to compress response](https://doc.traefik.io/traefik/middlewares/http/compress/) using [gzip](https://developer.mozilla.org/en-US/docs/Glossary/GZip_compression) before sending them to the client: @@ -234,10 +264,10 @@ Add the following configuration section [to compress response](https://doc.traef [http.routers] [http.routers.my_website] ... - middlewares = ["gzip_compress"] + middlewares = ["compression"] ... [http.middlewares] - [http.middlewares.gzip_compress.compress] + [http.middlewares.compression.compress] ``` ### Add caching response @@ -262,27 +292,54 @@ Traefik's caching middleware is only available on [entreprise version](https://d entryPoint = "web" [http.routers] + [http.routers.garage-s3] + rule = "Host(`s3.example.org`)" + service = "garage-s3-service" + entryPoints = ["websecure"] + [http.routers.my_website] rule = "Host(`yoururl.example.org`)" - service = "my_garage_service" - middlewares = ["gzip_compress"] + service = "garage-web-service" + middlewares = ["compression"] entryPoints = ["websecure"] [http.services] - [http.services.my_garage_service.loadBalancer] - [http.services.my_garage_service.loadBalancer.healthCheck] - path = "/" - interval = "60s" - timeout = "5s" - [[http.services.my_garage_service.loadBalancer.servers]] + [http.services.garage-s3-service.loadBalancer] + [http.services.garage-s3-service.loadBalancer.healthCheck] + path = "/health" + port = "3903" + #interval = "15s" + #timeout = "2s" + + [http.services.garage-web-service.loadBalancer] + [http.services.garage-web-service.loadBalancer.healthCheck] + path = "/health" + port = "3903" + #interval = "15s" + #timeout = "2s" + + [[http.services.garage-s3-service.loadBalancer.servers]] + url = "http://xxx.xxx.xxx.xxx" + port = 3900 + [[http.services.garage-s3-service.loadBalancer.servers]] + url = "http://yyy.yyy.yyy.yyy" + port = 3900 + [[http.services.garage-s3-service.loadBalancer.servers]] + url = "http://zzz.zzz.zzz.zzz" + port = 3900 + + [[http.services.garage-web-service.loadBalancer.servers]] url = "http://xxx.xxx.xxx.xxx" - [[http.services.my_garage_service.loadBalancer.servers]] + port = 3902 + [[http.services.garage-web-service.loadBalancer.servers]] url = "http://yyy.yyy.yyy.yyy" - [[http.services.my_garage_service.loadBalancer.servers]] + port = 3902 + [[http.services.garage-web-service.loadBalancer.servers]] url = "http://zzz.zzz.zzz.zzz" + port = 3902 [http.middlewares] - [http.middlewares.gzip_compress.compress] + [http.middlewares.compression.compress] ``` ## Caddy @@ -291,18 +348,83 @@ Your Caddy configuration can be as simple as: ```caddy s3.garage.tld, *.s3.garage.tld { - reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900 + reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900 { + health_uri /health + health_port 3903 + #health_interval 15s + #health_timeout 5s + } } *.web.garage.tld { - reverse_proxy localhost:3902 192.168.1.2:3900 example.tld:3900 + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 { + health_uri /health + health_port 3903 + #health_interval 15s + #health_timeout 5s + } } admin.garage.tld { - reverse_proxy localhost:3903 + reverse_proxy localhost:3903 { + health_uri /health + health_port 3903 + #health_interval 15s + #health_timeout 5s + } } ``` But at the same time, the `reverse_proxy` is very flexible. For a production deployment, you should [read its documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) as it supports features like DNS discovery of upstreams, load balancing with checks, streaming parameters, etc. +### On-demand TLS + +Caddy supports a technique called +[on-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls), by +which one can configure the webserver to provision TLS certificates when a +client first connects to it. + +In order to prevent an attack vector whereby domains are simply pointed at your +webserver and certificates are requested for them - Caddy can be configured to +ask Garage if a domain is authorized for web hosting, before it then requests +a TLS certificate. + +This 'check' endpoint, which is on the admin port (3903 by default), can be +configured in Caddy's global section as follows: + +```caddy +{ + ... + on_demand_tls { + ask http://localhost:3903/check + interval 2m + burst 5 + } + ... +} +``` + +The host section can then be configured with (note that this uses the web +endpoint instead): + +```caddy +# For a specific set of subdomains +*.web.garage.tld { + tls { + on_demand + } + + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 +} + +# Accept all domains on HTTPS +# Never configure this without global section above +https:// { + tls { + on_demand + } + + reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 +} +``` |