TLS and traefik.me instead of localhost

Author: dannylamb

.gitignore

@@ -85,4 +85,8 @@ docker-compose.env.yml
 
 #===================
 # User overrides for building custom image from the codebase directory.
-Dockerfile
+Dockerfile
+
+#===================
+# User provided certs for TLS.
+certs

Makefile

@@ -243,10 +243,20 @@ endif
 		$(REPOSITORY)/drupal:$(TAG) -r \
 		'echo password_hash(md5("$(MATOMO_USER_PASS)"), PASSWORD_DEFAULT) . "\n";'
 
+# Helper function to generate keys for the user to use in their docker-compose.env.yml
+.PHONY: download-default-certs
+.SILENT: download-default-certs
+download-default-certs:
+	mkdir -p certs
+	curl http://traefik.me/cert.pem -o certs/cert.pem
+	curl http://traefik.me/chain.pem -o certs/chain.pem
+	curl http://traefik.me/fullchain.pem -o certs/fullchain.pem
+	curl http://traefik.me/privkey.pem -o certs/privkey.pem
+
 # Destroys everything beware!
 .PHONY: clean
 .SILENT: clean
 clean:
 	-docker-compose down -v
 	sudo rm -fr codebase
-	git clean -xffd .
+	git clean -xffd .

docker-compose.blazegraph.yml

@@ -16,10 +16,11 @@ services:
       default:
         # Allow services to use the edge name to reference this service.
         aliases:
-          - blazegraph.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+          - blazegraph.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+          - blazegraph-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
       gateway: # Do not expose in production.
     labels:
       - traefik.enable=true
       - traefik.http.services.${COMPOSE_PROJECT_NAME-isle-dc}-blazegraph.loadbalancer.server.port=80
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-blazegraph_http.service=${COMPOSE_PROJECT_NAME-isle-dc}-blazegraph
-      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-blazegraph_http.entrypoints=http
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-blazegraph_http.entrypoints=http

docker-compose.cantaloupe.yml

@@ -15,9 +15,15 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.services.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe.loadbalancer.server.port=80
+      - traefik.http.middlewares.cantaloupe-redirectscheme.redirectscheme.scheme=https
+      - traefik.http.middlewares.cantaloupe-redirectscheme.redirectscheme.permanent=true
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_http.service=${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_http.entrypoints=http
-      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost`) && PathPrefix(`/cantaloupe`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`) && PathPrefix(`/cantaloupe`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_http.middlewares=cantaloupe-redirectscheme
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_https.entrypoints=https
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_https.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`) && PathPrefix(`/cantaloupe`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-cantaloupe_https.tls=true
     networks:
       default:
-      gateway:
+      gateway:

docker-compose.demo.yml

@@ -36,4 +36,4 @@ services:
       # On a production site you may not want to take this approach but instead refer to each of the cores
       # data directories specifically and maintain the configuration as part of a customized image, where 
       # in your configuration is Solr managed under source control somewhere.
-      - solr-data:/opt/solr/server/solr
+      - solr-data:/opt/solr/server/solr

docker-compose.drupal.yml

@@ -13,12 +13,19 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.services.${COMPOSE_PROJECT_NAME-isle-dc}-drupal.loadbalancer.server.port=80
+      - traefik.http.middlewares.drupal-redirectscheme.redirectscheme.scheme=https
+      - traefik.http.middlewares.drupal-redirectscheme.redirectscheme.permanent=true
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_http.service=${COMPOSE_PROJECT_NAME-isle-dc}-drupal
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_http.entrypoints=http
-      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_http.middlewares=drupal-redirectscheme
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_https.entrypoints=https
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_https.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-drupal_https.tls=true
     networks:
       default:
         # Allow services (like Matomo) to use the edge name to reference this service in addition to `drupal`.
         aliases:
-            - islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
-      gateway:
+            - islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+            - islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
+      gateway:

docker-compose.fcrepo.yml

@@ -21,7 +21,8 @@ services:
           # used for display as well. This means this service edge name must
           # also be used in the default network for access by the `drupal`
           # service.
-          - fcrepo.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+          - fcrepo.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+          - fcrepo-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
       gateway: # May want to disable in production if you wish to hide Fedora REST API from the internet.
     labels:
       # Do not expose in production.

docker-compose.local.yml

@@ -19,11 +19,12 @@ services:
     image: ${REPOSITORY:-islandora}/drupal:${TAG:-latest}
     environment:
       # Use the edge name so the Drush on the host machine can access it.
-      DRUPAL_DEFAULT_DB_HOST: database.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+      DRUPAL_DEFAULT_DB_HOST: database.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
     volumes:
       - ./codebase:/var/www/drupal
       - drupal-sites-data:/var/www/drupal/web/sites/default/files
       - solr-data:/opt/solr/server/solr
+      - ./certs/fullchain.pem:/usr/local/share/ca-certificates/fullchain.pem
     depends_on:
       # Requires a the very minimum a database.
       - database
@@ -52,5 +53,6 @@ services:
         # name in settings.php so Drush on the host machine can be used in the
         # codebase folder.
         aliases:
-            - database.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
-      gateway:
+            - database.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+            - database-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
+      gateway:

docker-compose.matomo.yml

@@ -19,10 +19,16 @@ services:
       # Do not expose in production over http, setup https.
       - traefik.enable=true
       - traefik.http.services.${COMPOSE_PROJECT_NAME-isle-dc}-matomo.loadbalancer.server.port=80
+      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME-isle-dc}-matomo-redirectscheme.redirectscheme.scheme=https
+      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME-isle-dc}-matomo-redirectscheme.redirectscheme.permanent=true
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.service=${COMPOSE_PROJECT_NAME-isle-dc}-matomo
       - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.entrypoints=http
-      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost`) && PathPrefix(`/matomo`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`) && PathPrefix(`/matomo`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.middlewares=${COMPOSE_PROJECT_NAME-isle-dc}-matomo-redirectscheme
       - traefik.http.middlewares.${COMPOSE_PROJECT_NAME-isle-dc}-matomo-stripprefix.stripprefix.prefixes=/matomo
       - traefik.http.middlewares.${COMPOSE_PROJECT_NAME-isle-dc}-matomo-customrequestheaders.headers.customrequestheaders.X-Forwarded-Uri=/matomo
       - traefik.http.middlewares.${COMPOSE_PROJECT_NAME-isle-dc}-matomo.chain.middlewares=${COMPOSE_PROJECT_NAME-isle-dc}-matomo-stripprefix,${COMPOSE_PROJECT_NAME-isle-dc}-matomo-customrequestheaders
-      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_http.middlewares=${COMPOSE_PROJECT_NAME-isle-dc}-matomo
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_https.entrypoints=https
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_https.rule=Host(`islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}`,`islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}`) && PathPrefix(`/matomo`)
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_https.tls=true
+      - traefik.http.routers.${COMPOSE_PROJECT_NAME-isle-dc}-matomo_https.middlewares=${COMPOSE_PROJECT_NAME-isle-dc}-matomo

docker-compose.sample.env.yml

@@ -70,10 +70,10 @@ services:
       # If creating sub-sites you must specify each of these as the defaults would cause odd issues where it pulls
       # content from the main site rather than the sub site.
       #
-      DRUPAL_DEFAULT_CANTALOUPE_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost/cantaloupe/iiif/2
-      DRUPAL_DEFAULT_FCREPO_HOST: fcrepo.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
-      DRUPAL_DEFAULT_MATOMO_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost/matomo/
-      DRUPAL_DEFAULT_SITE_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+      DRUPAL_DEFAULT_CANTALOUPE_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}/cantaloupe/iiif/2
+      DRUPAL_DEFAULT_FCREPO_HOST: fcrepo.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+      DRUPAL_DEFAULT_MATOMO_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}/matomo/
+      DRUPAL_DEFAULT_SITE_URL: http://islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
       #
       # Salt for one-time login links, cancel links, form tokens, etc, if deploying multiple
       # instances of the site this must be set the same for all instances.
@@ -275,7 +275,7 @@ services:
       #
       # Must be exactly the same as DRUPAL_DEFAULT_SITE_URL without the protocol.
       # 
-      MATOMO_SITE_HOST: islandora.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+      MATOMO_SITE_HOST: islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
       #
       # Timezone of site.
       #
@@ -302,4 +302,4 @@ services:
         rwIDAQAB
         -----END PUBLIC KEY-----
   solr:
-    # No environment variables require overriding.
+    # No environment variables require overriding.

docker-compose.solr.yml

@@ -17,7 +17,8 @@ services:
         # This allows links from the Drupal administration page to lead
         # to the appropriate solr server.
         aliases:
-          - solr.${COMPOSE_PROJECT_NAME-isle-dc}.localhost
+          - solr.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+          - solr-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
       gateway: # Do not expose in production.
     labels:
       # Do not expose in production.

docker-compose.traefik.yml

@@ -1,6 +1,8 @@
 # Allows traefik to work as the edge router for multiple projects.
 #
-# By default the rules will redirect to ${SERVICE}.${COMPOSE_PROJECT_NAME}.localhost
+# By default the rules will redirect to ${SERVICE}.${COMPOSE_PROJECT_NAME}.traefik.me
+# if working on localhost and ${SERVICE}-${COMPOSE_PROJECT_NAME}-XX-XX-XX-XX.traefik.me
+# if working remotely, where XX-XX-XX-XX is the dashed version of your IP address.
 #
 # For a traefik to be able to route traffic to a given container, that
 # container needs to be on the `gateway` network, otherwise traefik will
@@ -27,7 +29,8 @@ services:
       --providers.docker
       --providers.docker.network=gateway
       --providers.docker.exposedByDefault=false
-      '--providers.docker.defaultRule=Host(`{{ index .Labels "com.docker.compose.service" }}.{{ index .Labels "com.docker.compose.project" }}.localhost`)'
+      --providers.file.filename=/etc/traefik/tls.yml
+      '--providers.docker.defaultRule=Host(`{{ index .Labels "com.docker.compose.service" }}.{{ index .Labels "com.docker.compose.project" }}.${DRUPAL_SITE_HOST:-traefik.me}`,`{{ index .Labels "com.docker.compose.service" }}-{{ index .Labels "com.docker.compose.project" }}-${DRUPAL_SITE_HOST:-traefik.me}`)'
     ports:
       # Has to be bind mounted to 80/443 for assumptions
       # around internal network alias to work as intended.
@@ -40,8 +43,16 @@ services:
       - ${TRAEFIK_WEB_UI_PORT-8080}:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+      - ./tls.yml:/etc/traefik/tls.yml
+      - ./certs:/etc/ssl/traefik
     labels:
       # Do not expose in production.
       - traefik.http.routers.api.service=api@internal
     networks:
-      - gateway
+      default:
+        # Easy to construct aliases the Drupal service needs to occassionally kick
+        # internal requests back through traefik.
+        aliases:
+            - traefik.islandora.${COMPOSE_PROJECT_NAME-isle-dc}.${DRUPAL_SITE_HOST-traefik.me}
+            - traefik-islandora-${COMPOSE_PROJECT_NAME-isle-dc}-${DRUPAL_SITE_HOST-traefik.me}
+      gateway: null

sample.env

@@ -16,9 +16,10 @@ ENVIRONMENT=demo
 COMPOSE_HTTP_TIMEOUT=480
 
 # Also used for naming services in traefik as well as defining network alias and urls.
-# For example the `drupal` service will be found at `islandora.${COMPOSE_PROJECT_NAME}.localhost`.
+# For example the `drupal` service will be found at `islandora.${COMPOSE_PROJECT_NAME}.${DRUPAL_SITE_HOST}`.
 # See https://docs.docker.com/compose/reference/envvars/
 COMPOSE_PROJECT_NAME=isle-dc
+DRUPAL_SITE_HOST=68-183-192-46.traefik.me
 
 # Allows building custom image with buildkit.
 COMPOSE_DOCKER_CLI_BUILD=1

tls.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/ssl/traefik/cert.pem
+        keyFile: /etc/ssl/traefik/privkey.pem
+  certificates:
+    - certFile: /etc/ssl/traefik/cert.pem
+      keyFile: /etc/ssl/traefik/privkey.pem