Merge branch 'main' into next

author: Alex Auvolat <alex@adnab.me> 2023-04-25 12:34:26 +0200
committer: Alex Auvolat <alex@adnab.me> 2023-04-25 12:34:26 +0200
commit: fa78d806e3ae40031e80eebb86e4eb1756d7baea (patch)
tree: 144662fb430c484093f6f9a585a2441c2ff26494 /doc/book/cookbook/reverse-proxy.md
parent: 654999e254e6c1f46bb5d668bc1230f226575716 (diff)
parent: a16eb7e4b8344d2f58c09a249b7b1bd17d339a35 (diff)
download: garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.tar.gz
garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.zip
1 files changed, 152 insertions, 30 deletions
diff --git a/doc/book/cookbook/reverse-proxy.md b/doc/book/cookbook/reverse-proxy.md
index c8fde28d..9c833ad0 100644
--- a/doc/book/cookbook/reverse-proxy.md
+++ b/doc/book/cookbook/reverse-proxy.md
@@ -168,40 +168,65 @@ Here is [a basic configuration file](https://doc.traefik.io/traefik/https/acme/#
 
 ### Add Garage service
 
-To add Garage on Traefik you should declare a new service using its IP address (or hostname) and port:
+To add Garage on Traefik you should declare two new services using its IP
+address (or hostname) and port, these are used for the S3, and web components
+of Garage:
 
 ```toml
 [http.services]
-  [http.services.my_garage_service.loadBalancer]
-    [[http.services.my_garage_service.loadBalancer.servers]]
+  [http.services.garage-s3-service.loadBalancer]
+    [[http.services.garage-s3-service.loadBalancer.servers]]
       url = "http://xxx.xxx.xxx.xxx"
       port = 3900
+
+  [http.services.garage-web-service.loadBalancer]
+    [[http.services.garage-web-service.loadBalancer.servers]]
+      url = "http://xxx.xxx.xxx.xxx"
+      port = 3902
 ```
 
 It's possible to declare multiple Garage servers as back-ends:
 
 ```toml
 [http.services]
-    [[http.services.my_garage_service.loadBalancer.servers]]
+    [[http.services.garage-s3-service.loadBalancer.servers]]
       url = "http://xxx.xxx.xxx.xxx"
       port = 3900
-    [[http.services.my_garage_service.loadBalancer.servers]]
+    [[http.services.garage-s3-service.loadBalancer.servers]]
       url = "http://yyy.yyy.yyy.yyy"
       port = 3900
-    [[http.services.my_garage_service.loadBalancer.servers]]
+    [[http.services.garage-s3-service.loadBalancer.servers]]
       url = "http://zzz.zzz.zzz.zzz"
       port = 3900
+
+    [[http.services.garage-web-service.loadBalancer.servers]]
+      url = "http://xxx.xxx.xxx.xxx"
+      port = 3902
+    [[http.services.garage-web-service.loadBalancer.servers]]
+      url = "http://yyy.yyy.yyy.yyy"
+      port = 3902
+    [[http.services.garage-web-service.loadBalancer.servers]]
+      url = "http://zzz.zzz.zzz.zzz"
+      port = 3902
 ```
 
 Traefik can remove unhealthy servers automatically with [a health check configuration](https://doc.traefik.io/traefik/routing/services/#health-check):
 
 ```
 [http.services]
-  [http.services.my_garage_service.loadBalancer]
-    [http.services.my_garage_service.loadBalancer.healthCheck]
-      path = "/"
-      interval = "60s"
-      timeout = "5s"
+  [http.services.garage-s3-service.loadBalancer]
+    [http.services.garage-s3-service.loadBalancer.healthCheck]
+      path = "/health"
+      port = "3903"
+      #interval = "15s"
+      #timeout = "2s"
+
+  [http.services.garage-web-service.loadBalancer]
+    [http.services.garage-web-service.loadBalancer.healthCheck]
+      path = "/health"
+      port = "3903"
+      #interval = "15s"
+      #timeout = "2s"
 ```
 
 ### Adding a website
@@ -210,10 +235,15 @@ To add a new website, add the following declaration to your Traefik configuratio
 
 ```toml
 [http.routers]
+  [http.routers.garage-s3]
+    rule = "Host(`s3.example.org`)"
+    service = "garage-s3-service"
+    entryPoints = ["websecure"]
+
   [http.routers.my_website]
     rule = "Host(`yoururl.example.org`)"
-    service = "my_garage_service"
-    entryPoints = ["web"]
+    service = "garage-web-service"
+    entryPoints = ["websecure"]
 ```
 
 Enable HTTPS access to your website with the following configuration section ([documentation](https://doc.traefik.io/traefik/https/overview/)):
@@ -226,7 +256,7 @@ Enable HTTPS access to your website with the following configuration section ([d
 ...
 ```
 
-### Adding gzip compression
+### Adding compression
 
 Add the following configuration section [to compress response](https://doc.traefik.io/traefik/middlewares/http/compress/) using [gzip](https://developer.mozilla.org/en-US/docs/Glossary/GZip_compression) before sending them to the client:
 
@@ -234,10 +264,10 @@ Add the following configuration section [to compress response](https://doc.traef
 [http.routers]
   [http.routers.my_website]
     ...
-    middlewares = ["gzip_compress"]
+    middlewares = ["compression"]
     ...
 [http.middlewares]
-  [http.middlewares.gzip_compress.compress]
+  [http.middlewares.compression.compress]
 ```
 
 ### Add caching response
@@ -262,27 +292,54 @@ Traefik's caching middleware is only available on [entreprise version](https://d
     entryPoint = "web"
 
 [http.routers]
+  [http.routers.garage-s3]
+    rule = "Host(`s3.example.org`)"
+    service = "garage-s3-service"
+    entryPoints = ["websecure"]
+
   [http.routers.my_website]
     rule = "Host(`yoururl.example.org`)"
-    service = "my_garage_service"
-    middlewares = ["gzip_compress"]
+    service = "garage-web-service"
+    middlewares = ["compression"]
     entryPoints = ["websecure"]
 
 [http.services]
-  [http.services.my_garage_service.loadBalancer]
-    [http.services.my_garage_service.loadBalancer.healthCheck]
-      path = "/"
-      interval = "60s"
-      timeout = "5s"
-    [[http.services.my_garage_service.loadBalancer.servers]]
+  [http.services.garage-s3-service.loadBalancer]
+    [http.services.garage-s3-service.loadBalancer.healthCheck]
+      path = "/health"
+      port = "3903"
+      #interval = "15s"
+      #timeout = "2s"
+
+  [http.services.garage-web-service.loadBalancer]
+    [http.services.garage-web-service.loadBalancer.healthCheck]
+      path = "/health"
+      port = "3903"
+      #interval = "15s"
+      #timeout = "2s"
+
+    [[http.services.garage-s3-service.loadBalancer.servers]]
+      url = "http://xxx.xxx.xxx.xxx"
+      port = 3900
+    [[http.services.garage-s3-service.loadBalancer.servers]]
+      url = "http://yyy.yyy.yyy.yyy"
+      port = 3900
+    [[http.services.garage-s3-service.loadBalancer.servers]]
+      url = "http://zzz.zzz.zzz.zzz"
+      port = 3900
+
+    [[http.services.garage-web-service.loadBalancer.servers]]
       url = "http://xxx.xxx.xxx.xxx"
-    [[http.services.my_garage_service.loadBalancer.servers]]
+      port = 3902
+    [[http.services.garage-web-service.loadBalancer.servers]]
       url = "http://yyy.yyy.yyy.yyy"
-    [[http.services.my_garage_service.loadBalancer.servers]]
+      port = 3902
+    [[http.services.garage-web-service.loadBalancer.servers]]
       url = "http://zzz.zzz.zzz.zzz"
+      port = 3902
 
 [http.middlewares]
-  [http.middlewares.gzip_compress.compress]
+  [http.middlewares.compression.compress]
 ```
 
 ## Caddy
@@ -291,18 +348,83 @@ Your Caddy configuration can be as simple as:
 
 ```caddy
 s3.garage.tld, *.s3.garage.tld {
-	reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900
+	reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900 {
+        health_uri       /health
+        health_port      3903
+        #health_interval 15s
+        #health_timeout  5s
+    }
 }
 
 *.web.garage.tld {
-	reverse_proxy localhost:3902 192.168.1.2:3900 example.tld:3900
+	reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 {
+        health_uri       /health
+        health_port      3903
+        #health_interval 15s
+        #health_timeout  5s
+    }
 }
 
 admin.garage.tld {
-	reverse_proxy localhost:3903
+	reverse_proxy localhost:3903 {
+        health_uri       /health
+        health_port      3903
+        #health_interval 15s
+        #health_timeout  5s
+    }
 }
 ```
 
 But at the same time, the `reverse_proxy` is very flexible.
 For a production deployment, you should [read its documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) as it supports features like DNS discovery of upstreams, load balancing with checks, streaming parameters, etc.
 
+### On-demand TLS
+
+Caddy supports a technique called
+[on-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls), by
+which one can configure the webserver to provision TLS certificates when a
+client first connects to it.
+
+In order to prevent an attack vector whereby domains are simply pointed at your
+webserver and certificates are requested for them - Caddy can be configured to
+ask Garage if a domain is authorized for web hosting, before it then requests
+a TLS certificate.
+
+This 'check' endpoint, which is on the admin port (3903 by default), can be
+configured in Caddy's global section as follows:
+
+```caddy
+{
+	...
+	on_demand_tls {
+		ask http://localhost:3903/check
+		interval 2m
+		burst 5
+	}
+	...
+}
+```
+
+The host section can then be configured with (note that this uses the web
+endpoint instead):
+
+```caddy
+# For a specific set of subdomains
+*.web.garage.tld {
+	tls {
+		on_demand
+	}
+
+	reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
+}
+
+# Accept all domains on HTTPS
+# Never configure this without global section above
+https:// {
+	tls {
+		on_demand
+	}
+
+	reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
+}
+```
author	Alex Auvolat <alex@adnab.me>	2023-04-25 12:34:26 +0200
committer	Alex Auvolat <alex@adnab.me>	2023-04-25 12:34:26 +0200
commit	fa78d806e3ae40031e80eebb86e4eb1756d7baea (patch)
tree	144662fb430c484093f6f9a585a2441c2ff26494 /doc/book/cookbook/reverse-proxy.md
parent	654999e254e6c1f46bb5d668bc1230f226575716 (diff)
parent	a16eb7e4b8344d2f58c09a249b7b1bd17d339a35 (diff)
download	garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.tar.gz garage-fa78d806e3ae40031e80eebb86e4eb1756d7baea.zip