From 66cff561f1df64c1151afea2e4098936d0236c8e Mon Sep 17 00:00:00 2001 From: Tanguy NICOLAS Date: Sun, 23 Jun 2024 17:28:21 +0200 Subject: [PATCH] feat: add reverse proxy --- .github/workflows/container.yml | 10 +++++- Dockerfile => Dockerfile.api | 0 Dockerfile.lb | 6 ++++ README.md | 1 + docker-compose.yml | 31 ++++++++++++++++++- infra/nginx/configurations/ctf-manager.conf | 20 ++++++++++++ infra/nginx/includes/allow-cloudflare-ips | 20 ++++++++++++ .../templates/10-variables.conf.template | 3 ++ 8 files changed, 89 insertions(+), 2 deletions(-) rename Dockerfile => Dockerfile.api (100%) create mode 100644 Dockerfile.lb create mode 100644 infra/nginx/configurations/ctf-manager.conf create mode 100644 infra/nginx/includes/allow-cloudflare-ips create mode 100644 infra/nginx/templates/10-variables.conf.template diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 9e4b80f..cb3f91e 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -24,10 +24,18 @@ jobs: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + - name: Build and push LB image + uses: docker/build-push-action@v3 + with: + file: ./Dockerfile.lb + platforms: linux/amd64,linux/arm64/v8 + push: true + tags: ${{ secrets.DOCKER_HUB_USERNAME }}/ctf-manager-api:latest + - name: Build and push API image uses: docker/build-push-action@v3 with: - file: ./Dockerfile + file: ./Dockerfile.api platforms: linux/amd64,linux/arm64/v8 push: true tags: ${{ secrets.DOCKER_HUB_USERNAME }}/ctf-manager:latest \ No newline at end of file diff --git a/Dockerfile b/Dockerfile.api similarity index 100% rename from Dockerfile rename to Dockerfile.api diff --git a/Dockerfile.lb b/Dockerfile.lb new file mode 100644 index 0000000..0f8030f --- /dev/null +++ b/Dockerfile.lb 
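Review bot: The new "Build and push LB image" step tags its output `ctf-manager-api:latest`, while the `lb` service added to docker-compose.yml in this same commit pulls `tanguynicolas/ctf-manager-lb:latest`, so the image built here is never the one deployed and a stray `ctf-manager-api` repository gets created instead; the line should read `tags: ${{ secrets.DOCKER_HUB_USERNAME }}/ctf-manager-lb:latest`. Both steps also reference `docker/build-push-action@v3`, a mutable tag that the action's maintainers can move at any time; pinning to a full commit SHA (with the version in a trailing comment) removes that supply-chain dependency from the publishing pipeline. Finally, pushing only `:latest` while compose uses `pull_policy: always` means every host runs whatever was pushed most recently with no audit or rollback point; publishing an immutable tag such as `${{ github.sha }}` alongside `latest` fixes that cheaply.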
@@ -0,0 +1,6 @@ +FROM nginx:1.26-alpine +RUN rm /etc/nginx/conf.d/default.conf + +COPY ./infra/nginx/includes /etc/nginx/includes/ +COPY ./infra/nginx/templates /etc/nginx/templates/ +COPY ./infra/nginx/configurations /etc/nginx/conf.d/ \ No newline at end of file diff --git a/README.md b/README.md index 8adc912..7e785fe 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ If you use my full setup, with Docker Compose, you need to create `.env` file (t ```shell MONGODB_USERNAME="" MONGODB_PASSWORD="" +MONGODB_URL="" EXTERNAL_IP="" diff --git a/docker-compose.yml b/docker-compose.yml index e2437e7..3fe169c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,7 @@ services: container_name: mongodb restart: always ports: - - 27017:27017 + - "27017:27017" # to access with MongoDB Compass environment: MONGO_INITDB_ROOT_USERNAME: "${MONGODB_USERNAME}" MONGO_INITDB_ROOT_PASSWORD: "${MONGODB_PASSWORD}" @@ -31,6 +31,33 @@ services: - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER + api: + image: tanguynicolas/ctf-manager:latest + pull_policy: always + restart: unless-stopped + expose: + - 80 + environment: + - MONGODB_URL=${MONGODB_URL} + - KAFKA_ENABLE=true + - KAFKA_HOSTNAME=kafka + - KAFKA_PORT=9092 + - KAFKA_TOPIC=ctfmanager + depends_on: + - db + - kafka + + lb: + image: tanguynicolas/ctf-manager-lb:latest + pull_policy: always + restart: unless-stopped + ports: + - 80:80 + environment: + - BEARER_TOKEN=${BEARER_TOKEN} + depends_on: + - api + pdc-agent: image: grafana/pdc-agent restart: always @@ -42,6 +69,8 @@ services: - "${GCLOUD_HOSTED_GRAFANA_ID}" - "-cluster" - "${GCLOUD_PDC_CLUSTER}" + depends_on: + - db volumes: mongodb_data: diff --git a/infra/nginx/configurations/ctf-manager.conf b/infra/nginx/configurations/ctf-manager.conf new file mode 100644 index 0000000..3893f68 --- /dev/null +++ b/infra/nginx/configurations/ctf-manager.conf 
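Review bot: `FROM nginx:1.26-alpine` is a mutable tag, so each LB build starts from whatever that tag resolves to at the time, with no record of which base produced the image that fronts the API; pinning a digest (`FROM nginx:1.26-alpine@sha256:...`) and bumping it deliberately makes the base reproducible and reviewable. The `templates/` copy presumably relies on the official image's entrypoint rendering `*.template` files with envsubst into `/etc/nginx/conf.d/` at container start (inferred from the path), which puts the bearer token into a plaintext config file inside the running container; a comment here, `# templates are rendered at start-up by the image entrypoint; the result in conf.d contains BEARER_TOKEN`, would keep the next maintainer from treating the rendered config as shareable or from moving the substitution into the build.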
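Review bot: `"27017:27017"` publishes MongoDB on every host interface, so on a server with a public address the database is reachable from the internet with the root credentials from `.env` as the only barrier, and because Docker manages its own iptables chains a host firewall such as ufw typically does not block it. For the stated purpose (MongoDB Compass) bind to loopback, `- "127.0.0.1:27017:27017"  # local only; reach it over an SSH tunnel`, or drop the `ports:` entry altogether since the `api` service reaches `db` over the compose network without it. The quoting itself is correct and avoids the YAML sexagesimal trap.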
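Review bot: The `lb` service publishes only plain HTTP (`80:80`) and the check it fronts is a static secret in the `Authorization` header, so unless the Cloudflare-to-origin hop is encrypted the bearer token crosses the internet in cleartext on every request; with no TLS listener on the origin this setup can only be running Cloudflare's Flexible mode (an inference from this file), which also leaves the origin unable to tell its own zone's traffic from any other Cloudflare customer's. Terminate TLS on the LB with a Cloudflare Origin CA certificate and enable Authenticated Origin Pulls, or replace the published port with a cloudflared tunnel so nothing listens publicly at all. `BEARER_TOKEN` is read from the environment here, but the README hunk in this commit documents only `MONGODB_URL`; add `BEARER_TOKEN=""` to the `.env` example so an unset token is not deployed by accident. As with `api`, `pull_policy: always` on a `:latest` tag means a compromised Docker Hub account redeploys silently; pin a digest or immutable tag.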
@@ -0,0 +1,20 @@
+server {
+ listen 80 default_server;
+ server_name api.tintamarre.info;
+
+ include includes/allow-cloudflare-ips;
+ deny all;
+
+ location / {
+ if ($http_authorization != "Bearer $bearer_token") {
+ return 401;
+ }
+
+ proxy_pass http://api:80;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/infra/nginx/includes/allow-cloudflare-ips b/infra/nginx/includes/allow-cloudflare-ips
new file mode 100644
index 0000000..75c0545
--- /dev/null
+++ b/infra/nginx/includes/allow-cloudflare-ips
@@ -0,0 +1,20 @@
+# From local
+allow 127.0.0.1;
+allow 172.20.0.1;
+
+# From Cloudflare
+allow 173.245.48.0/20;
+allow 103.21.244.0/22;
+allow 103.22.200.0/22;
+allow 103.31.4.0/22;
+allow 141.101.64.0/18;
+allow 108.162.192.0/18;
+allow 190.93.240.0/20;
+allow 188.114.96.0/20;
+allow 197.234.240.0/22;
+allow 198.41.128.0/17;
+allow 162.158.0.0/15;
+allow 104.16.0.0/13;
+allow 104.24.0.0/14;
+allow 172.64.0.0/13;
+allow 131.0.72.0/22;
\ No newline at end of file
diff --git a/infra/nginx/templates/10-variables.conf.template b/infra/nginx/templates/10-variables.conf.template
new file mode 100644
index 0000000..2f87802
--- /dev/null
+++ b/infra/nginx/templates/10-variables.conf.template
@@ -0,0 +1,3 @@
+map $host $bearer_token {
+ default "${BEARER_TOKEN}";
+}
\ No newline at end of file
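Review bot: The `if ($http_authorization != "Bearer $bearer_token") { return 401; }` check runs in nginx's rewrite phase, which precedes the access phase where the `allow`/`deny` rules pulled in by `include includes/allow-cloudflare-ips;` are evaluated, so a client outside the allow-list gets 401 for a wrong token and 403 for the right one — a token-verification oracle reachable from any IP, which defeats the point of the IP filter. The one-line fix is to answer both failures identically, `return 403;`, so non-allowlisted clients cannot distinguish the outcomes; a cleaner alternative is to express the allow-list as a `geo $trusted_source { default 0; ... }` map and test it in the same `if` chain before the token comparison. Separately, `proxy_set_header X-Real-IP $remote_addr;` forwards Cloudflare's edge address rather than the visitor's; if the API logs or rate-limits on it, use `real_ip_header CF-Connecting-IP;` with `set_real_ip_from` for the same ranges.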
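Review bot: Allow-listing Cloudflare's edge ranges proves only that a request passed through Cloudflare, not through your zone: any Cloudflare customer can point a proxied record at this origin and reach the API with the bearer token as the sole remaining control, so Authenticated Origin Pulls (origin validates Cloudflare's client certificate) is the control this list is standing in for. The list is also a static, IPv4-only snapshot; Cloudflare publishes the current ranges at `https://www.cloudflare.com/ips-v4` and `/ips-v6`, and a stale entry silently turns into a 403 outage, so note the fetch date and source in the header comment and refresh it. `allow 172.20.0.1;` is presumably the compose bridge gateway, but this commit pins no network subnet in docker-compose.yml, and connections forwarded by Docker's userland proxy (e.g. IPv6 or loopback clients) can arrive with the gateway as their source address, which would admit non-Cloudflare clients; state the assumption, `# docker bridge gateway — requires the compose network to be pinned to 172.20.0.0/16`, and pin the subnet so it can be verified.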
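Review bot: `default "${BEARER_TOKEN}";` renders to `default "";` when the variable is unset or empty (Compose substitutes an empty string with only a warning), so the proxy starts normally with its expected credential reduced to `Bearer ` followed by nothing; whether a client can match that exact string depends on how nginx trims trailing whitespace in header values, but a missing secret should never yield a running, apparently-protected proxy. Guard it in the server block with `if ($bearer_token = "") { return 503; }`, or fail the container at start-up when the variable is empty. A short header comment, `# rendered by the nginx image entrypoint (envsubst); the output in conf.d holds the token in plaintext`, would also explain why the token lives in a template rather than in ctf-manager.conf, since the `map $host` construct is otherwise an odd way to spell a constant.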