authorAlex Auvolat <alex@adnab.me>2023-04-25 12:34:26 +0200
committerAlex Auvolat <alex@adnab.me>2023-04-25 12:34:26 +0200
commitfa78d806e3ae40031e80eebb86e4eb1756d7baea (patch)
tree144662fb430c484093f6f9a585a2441c2ff26494 /doc/book/cookbook/reverse-proxy.md
parent654999e254e6c1f46bb5d668bc1230f226575716 (diff)
parenta16eb7e4b8344d2f58c09a249b7b1bd17d339a35 (diff)
downloadgarage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.tar.gz
garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.zip
Merge branch 'main' into next
Diffstat (limited to 'doc/book/cookbook/reverse-proxy.md')
-rw-r--r--doc/book/cookbook/reverse-proxy.md182
1 files changed, 152 insertions, 30 deletions
diff --git a/doc/book/cookbook/reverse-proxy.md b/doc/book/cookbook/reverse-proxy.md
index c8fde28d..9c833ad0 100644
--- a/doc/book/cookbook/reverse-proxy.md
+++ b/doc/book/cookbook/reverse-proxy.md
@@ -168,40 +168,65 @@ Here is [a basic configuration file](https://doc.traefik.io/traefik/https/acme/#
### Add Garage service
-To add Garage on Traefik you should declare a new service using its IP address (or hostname) and port:
+To add Garage on Traefik you should declare two new services using its IP
+address (or hostname) and port, these are used for the S3, and web components
+of Garage:
```toml
[http.services]
- [http.services.my_garage_service.loadBalancer]
- [[http.services.my_garage_service.loadBalancer.servers]]
+ [http.services.garage-s3-service.loadBalancer]
+ [[http.services.garage-s3-service.loadBalancer.servers]]
url = "http://xxx.xxx.xxx.xxx"
port = 3900
+
+ [http.services.garage-web-service.loadBalancer]
+ [[http.services.garage-web-service.loadBalancer.servers]]
+ url = "http://xxx.xxx.xxx.xxx"
+ port = 3902
```
It's possible to declare multiple Garage servers as back-ends:
```toml
[http.services]
- [[http.services.my_garage_service.loadBalancer.servers]]
+ [[http.services.garage-s3-service.loadBalancer.servers]]
url = "http://xxx.xxx.xxx.xxx"
port = 3900
- [[http.services.my_garage_service.loadBalancer.servers]]
+ [[http.services.garage-s3-service.loadBalancer.servers]]
url = "http://yyy.yyy.yyy.yyy"
port = 3900
- [[http.services.my_garage_service.loadBalancer.servers]]
+ [[http.services.garage-s3-service.loadBalancer.servers]]
url = "http://zzz.zzz.zzz.zzz"
port = 3900
+
+ [[http.services.garage-web-service.loadBalancer.servers]]
+ url = "http://xxx.xxx.xxx.xxx"
+ port = 3902
+ [[http.services.garage-web-service.loadBalancer.servers]]
+ url = "http://yyy.yyy.yyy.yyy"
+ port = 3902
+ [[http.services.garage-web-service.loadBalancer.servers]]
+ url = "http://zzz.zzz.zzz.zzz"
+ port = 3902
```
Traefik can remove unhealthy servers automatically with [a health check configuration](https://doc.traefik.io/traefik/routing/services/#health-check):
```
[http.services]
- [http.services.my_garage_service.loadBalancer]
- [http.services.my_garage_service.loadBalancer.healthCheck]
- path = "/"
- interval = "60s"
- timeout = "5s"
+ [http.services.garage-s3-service.loadBalancer]
+ [http.services.garage-s3-service.loadBalancer.healthCheck]
+ path = "/health"
+ port = "3903"
+ #interval = "15s"
+ #timeout = "2s"
+
+ [http.services.garage-web-service.loadBalancer]
+ [http.services.garage-web-service.loadBalancer.healthCheck]
+ path = "/health"
+ port = "3903"
+ #interval = "15s"
+ #timeout = "2s"
```
### Adding a website
@@ -210,10 +235,15 @@ To add a new website, add the following declaration to your Traefik configuratio
```toml
[http.routers]
+ [http.routers.garage-s3]
+ rule = "Host(`s3.example.org`)"
+ service = "garage-s3-service"
+ entryPoints = ["websecure"]
+
[http.routers.my_website]
rule = "Host(`yoururl.example.org`)"
- service = "my_garage_service"
- entryPoints = ["web"]
+ service = "garage-web-service"
+ entryPoints = ["websecure"]
```
Enable HTTPS access to your website with the following configuration section ([documentation](https://doc.traefik.io/traefik/https/overview/)):
@@ -226,7 +256,7 @@ Enable HTTPS access to your website with the following configuration section ([d
...
```
-### Adding gzip compression
+### Adding compression
Add the following configuration section [to compress response](https://doc.traefik.io/traefik/middlewares/http/compress/) using [gzip](https://developer.mozilla.org/en-US/docs/Glossary/GZip_compression) before sending them to the client:
@@ -234,10 +264,10 @@ Add the following configuration section [to compress response](https://doc.traef
[http.routers]
[http.routers.my_website]
...
- middlewares = ["gzip_compress"]
+ middlewares = ["compression"]
...
[http.middlewares]
- [http.middlewares.gzip_compress.compress]
+ [http.middlewares.compression.compress]
```
### Add caching response
@@ -262,27 +292,54 @@ Traefik's caching middleware is only available on [entreprise version](https://d
entryPoint = "web"
[http.routers]
+ [http.routers.garage-s3]
+ rule = "Host(`s3.example.org`)"
+ service = "garage-s3-service"
+ entryPoints = ["websecure"]
+
[http.routers.my_website]
rule = "Host(`yoururl.example.org`)"
- service = "my_garage_service"
- middlewares = ["gzip_compress"]
+ service = "garage-web-service"
+ middlewares = ["compression"]
entryPoints = ["websecure"]
[http.services]
- [http.services.my_garage_service.loadBalancer]
- [http.services.my_garage_service.loadBalancer.healthCheck]
- path = "/"
- interval = "60s"
- timeout = "5s"
- [[http.services.my_garage_service.loadBalancer.servers]]
+ [http.services.garage-s3-service.loadBalancer]
+ [http.services.garage-s3-service.loadBalancer.healthCheck]
+ path = "/health"
+ port = "3903"
+ #interval = "15s"
+ #timeout = "2s"
+
+ [http.services.garage-web-service.loadBalancer]
+ [http.services.garage-web-service.loadBalancer.healthCheck]
+ path = "/health"
+ port = "3903"
+ #interval = "15s"
+ #timeout = "2s"
+
+ [[http.services.garage-s3-service.loadBalancer.servers]]
+ url = "http://xxx.xxx.xxx.xxx"
+ port = 3900
+ [[http.services.garage-s3-service.loadBalancer.servers]]
+ url = "http://yyy.yyy.yyy.yyy"
+ port = 3900
+ [[http.services.garage-s3-service.loadBalancer.servers]]
+ url = "http://zzz.zzz.zzz.zzz"
+ port = 3900
+
+ [[http.services.garage-web-service.loadBalancer.servers]]
url = "http://xxx.xxx.xxx.xxx"
- [[http.services.my_garage_service.loadBalancer.servers]]
+ port = 3902
+ [[http.services.garage-web-service.loadBalancer.servers]]
url = "http://yyy.yyy.yyy.yyy"
- [[http.services.my_garage_service.loadBalancer.servers]]
+ port = 3902
+ [[http.services.garage-web-service.loadBalancer.servers]]
url = "http://zzz.zzz.zzz.zzz"
+ port = 3902
[http.middlewares]
- [http.middlewares.gzip_compress.compress]
+ [http.middlewares.compression.compress]
```
## Caddy
@@ -291,18 +348,83 @@ Your Caddy configuration can be as simple as:
```caddy
s3.garage.tld, *.s3.garage.tld {
- reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900
+ reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900 {
+ health_uri /health
+ health_port 3903
+ #health_interval 15s
+ #health_timeout 5s
+ }
}
*.web.garage.tld {
- reverse_proxy localhost:3902 192.168.1.2:3900 example.tld:3900
+ reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 {
+ health_uri /health
+ health_port 3903
+ #health_interval 15s
+ #health_timeout 5s
+ }
}
admin.garage.tld {
- reverse_proxy localhost:3903
+ reverse_proxy localhost:3903 {
+ health_uri /health
+ health_port 3903
+ #health_interval 15s
+ #health_timeout 5s
+ }
}
```
But at the same time, the `reverse_proxy` is very flexible.
For a production deployment, you should [read its documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) as it supports features like DNS discovery of upstreams, load balancing with checks, streaming parameters, etc.
+### On-demand TLS
+
+Caddy supports a technique called
+[on-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls), by
+which one can configure the webserver to provision TLS certificates when a
+client first connects to it.
+
+In order to prevent an attack vector whereby domains are simply pointed at your
+webserver and certificates are requested for them - Caddy can be configured to
+ask Garage if a domain is authorized for web hosting, before it then requests
+a TLS certificate.
+
+This 'check' endpoint, which is on the admin port (3903 by default), can be
+configured in Caddy's global section as follows:
+
+```caddy
+{
+ ...
+ on_demand_tls {
+ ask http://localhost:3903/check
+ interval 2m
+ burst 5
+ }
+ ...
+}
+```
+
+The host section can then be configured with (note that this uses the web
+endpoint instead):
+
+```caddy
+# For a specific set of subdomains
+*.web.garage.tld {
+ tls {
+ on_demand
+ }
+
+ reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
+}
+
+# Accept all domains on HTTPS
+# Never configure this without global section above
+https:// {
+ tls {
+ on_demand
+ }
+
+ reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
+}
+```