

OPSEXP-2411: switch docker compose proxy to traefik (#1194)
alxgomz authored Oct 1, 2024
1 parent ee9199a commit a9e6e4d
Showing 10 changed files with 336 additions and 106 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -15,6 +15,11 @@ This project contains the code for running Alfresco Content Services (ACS) with
Compose](https://docs.docker.com/compose) or on
[Kubernetes](https://kubernetes.io) using [Helm Charts](https://helm.sh).

:warning: The [Docker Compose](./docker-compose/docker-compose.yml) deployment
has moved from a custom NGINX based proxy to Traefik based proxy.
Please read the [documentation](./docs/docker-compose#alfresco-proxy-proxy) for
more details.

User docs available at: [https://alfresco.github.io/acs-deployment/](https://alfresco.github.io/acs-deployment/)

## License
54 changes: 46 additions & 8 deletions docker-compose/7.1.N-docker-compose.yml
Expand Up @@ -59,6 +59,16 @@ services:
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
-XX:MaxRAM=1900m
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand Down Expand Up @@ -108,6 +118,8 @@ services:
image: quay.io/alfresco/alfresco-share:7.1.1.10
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -118,6 +130,13 @@ services:
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/.*$`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:13.3
mem_limit: 512m
Expand Down Expand Up @@ -159,18 +178,30 @@ services:
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.2.0
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- "8888:8888"
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 204 in docker-compose/7.1.N-docker-compose.yml


GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -189,6 +220,13 @@ services:
-XX:MaxRAM=1g
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
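Review bot: The Traefik API/dashboard is started with `--api.insecure=true` and published on every host interface through `"8888:8888"`, so anyone who can reach the host can read the whole routing configuration, including the `basicauth.users` labels, with no authentication; for a local-dev file bind it to loopback, `- "127.0.0.1:8888:8888"`, or drop `--api.insecure=true` and the `traefik` entrypoint entirely. The proxy also runs `privileged: true` on top of the Docker socket mount that kics already flags, which makes a compromise of the proxy container equivalent to root on the host; Traefik's Docker provider only needs to read container metadata from the socket, so as far as I can see `privileged: true` can simply be removed (verify), and the raw socket mount could be replaced by a socket proxy that allows only the container-listing calls. The `acsfakeauth` and `sharefakeauth` middlewares deny access by declaring a user with an empty hash (`fake:`), which only works because no credential can ever verify against it — that intent is invisible in the file, so a YAML comment above the label, e.g. `# deny-all: Traefik has no native deny middleware, so require a credential nobody can satisfy`, would stop the next maintainer from "fixing" it. Those deny routers currently beat the catch-all `PathPrefix` routers for `/` and `/share` only through Traefik's default priority-by-rule-length; adding `traefik.http.routers.solrapideny.priority=100` (and likewise for `proxiedsolrapideny`) makes the ordering deliberate instead of incidental.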
65 changes: 55 additions & 10 deletions docker-compose/7.2.N-docker-compose.yml
Expand Up @@ -60,6 +60,16 @@ services:
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
-XX:MaxRAM=1900m
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand Down Expand Up @@ -109,6 +119,8 @@ services:
image: quay.io/alfresco/alfresco-share:7.2.2.4
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -119,6 +131,13 @@ services:
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:13.3
mem_limit: 512m
Expand Down Expand Up @@ -163,27 +182,46 @@ services:
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
control-center:
image: quay.io/alfresco/alfresco-control-center:7.9.0
mem_limit: 128m
environment:
APP_CONFIG_PROVIDER: "ECM"
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
labels:
- "traefik.enable=true"
- "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
- "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
- "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
- "traefik.http.routers.acc.middlewares=accchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.3.0
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
- control-center
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- control-center
- "8888:8888"
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 224 in docker-compose/7.2.N-docker-compose.yml


GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -202,6 +240,13 @@ services:
-XX:MaxRAM=1g
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
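Review bot: The `digital-workspace` labels define two stripprefix middlewares for the same prefix, `adfroot` and `adwroot`, and only `adwroot` is referenced by `adwchain`, so `traefik.http.middlewares.adfroot.stripprefix.prefixes=/workspace` looks like a leftover from a rename (the 7.1.N and 7.3.N files in this commit carry only `adwroot`) and should be deleted to keep the three compose files in step. The Share CSRF filter is pinned with `CSRF_FILTER_ORIGIN: http://localhost:8080` and `CSRF_FILTER_REFERER: http://localhost:8080/share/.*`, which means Share will reject state-changing requests as soon as the stack is reached under any other hostname, port or scheme; a comment such as `# must match the URL users actually type in; change together with the published proxy port or a TLS front` would make that coupling visible. The Traefik dashboard is enabled with `--api.insecure=true` and published to all interfaces via `"8888:8888"`, exposing the full router/middleware configuration unauthenticated; `- "127.0.0.1:8888:8888"` is the minimal fix for a local-dev file.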
68 changes: 56 additions & 12 deletions docker-compose/7.3.N-docker-compose.yml
Expand Up @@ -56,6 +56,16 @@ services:
-Ddsync.service.uris=http://localhost:9090/alfresco
-XX:MinRAMPercentage=50
-XX:MaxRAMPercentage=80
labels:
- "traefik.enable=true"
- "traefik.http.routers.alfresco.rule=PathPrefix(`/`)"
- "traefik.http.services.alfresco.loadbalancer.server.port=8080"
- "traefik.http.routers.solrapideny.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/api/solr/`)"
- "traefik.http.middlewares.acsfakeauth.basicauth.users=fake:"
- "traefik.http.routers.solrapideny.middlewares=acsfakeauth@docker"
- "traefik.http.routers.alfrescomicrometer.rule=PathRegexp(`^/alfresco/(wc)?s(ervice)?/prometheus`)"
- "traefik.http.middlewares.prometheusipfilter.ipallowlist.sourcerange=127.0.0.0/8"
- "traefik.http.routers.alfrescomicrometer.middlewares=prometheusipfilter@docker"
transform-router:
mem_limit: 512m
image: quay.io/alfresco/alfresco-transform-router:2.1.2
Expand All @@ -69,7 +79,7 @@ services:
http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file
ports:
- "8095:8095"
links:
depends_on:
- activemq
transform-core-aio:
image: alfresco/alfresco-transform-core-aio:3.1.2
Expand All @@ -83,7 +93,7 @@ services:
http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file
ports:
- "8090:8090"
links:
depends_on:
- activemq
shared-file-store:
image: quay.io/alfresco/alfresco-shared-file-store:2.1.2
Expand All @@ -102,6 +112,8 @@ services:
image: quay.io/alfresco/alfresco-share:7.3.2.1
mem_limit: 1g
environment:
CSRF_FILTER_ORIGIN: http://localhost:8080
CSRF_FILTER_REFERER: http://localhost:8080/share/.*
REPO_HOST: "alfresco"
REPO_PORT: "8080"
JAVA_OPTS: >-
Expand All @@ -111,6 +123,13 @@ services:
-Dalfresco.port=8080
-Dalfresco.context=alfresco
-Dalfresco.protocol=http
labels:
- "traefik.enable=true"
- "traefik.http.routers.share.rule=PathPrefix(`/share`)"
- "traefik.http.services.share.loadbalancer.server.port=8080"
- "traefik.http.routers.proxiedsolrapideny.rule=PathRegexp(`^/share/proxy/alfresco(-(noauth|feed|api))?/api/solr/`)"
- "traefik.http.middlewares.sharefakeauth.basicauth.users=fake:"
- "traefik.http.routers.proxiedsolrapideny.middlewares=sharefakeauth@docker"
postgres:
image: postgres:14.4
mem_limit: 512m
Expand Down Expand Up @@ -155,27 +174,45 @@ services:
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
APP_BASE_SHARE_URL: "http://localhost:8080/workspace/#/preview/s"
labels:
- "traefik.enable=true"
- "traefik.http.routers.adw.rule=PathPrefix(`/workspace`)"
- "traefik.http.middlewares.adwforceslash.redirectregex.regex=^(.*/workspace)$$"
- "traefik.http.middlewares.adwforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.adwroot.stripprefix.prefixes=/workspace"
- "traefik.http.middlewares.adwchain.chain.middlewares=adwforceslash,adwroot"
- "traefik.http.routers.adw.middlewares=adwchain@docker"
control-center:
image: quay.io/alfresco/alfresco-control-center:7.9.0
mem_limit: 128m
environment:
APP_CONFIG_PROVIDER: "ECM"
APP_CONFIG_AUTH_TYPE: "BASIC"
BASE_PATH: ./
labels:
- "traefik.enable=true"
- "traefik.http.routers.acc.rule=PathPrefix(`/admin`)"
- "traefik.http.middlewares.accroot.stripprefix.prefixes=/admin"
- "traefik.http.middlewares.accforceslash.redirectregex.regex=^(.*/admin)$$"
- "traefik.http.middlewares.accforceslash.redirectregex.replacement=$${1}/"
- "traefik.http.middlewares.accchain.chain.middlewares=accforceslash,accroot"
- "traefik.http.routers.acc.middlewares=accchain@docker"
proxy:
image: alfresco/alfresco-acs-nginx:3.4.2
image: traefik:v3.1.3
mem_limit: 128m
depends_on:
- alfresco
- digital-workspace
- control-center
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:8080"
- "--entryPoints.traefik.address=:8888"
- "--accesslog=true"
- "--providers.docker.exposedByDefault=false"
ports:
- "8080:8080"
links:
- digital-workspace
- alfresco
- share
- control-center
- "8888:8888"
privileged: true

Check warning on line 213 in docker-compose/7.3.N-docker-compose.yml


GitHub Actions / kics

[HIGH] Privileged Containers Enabled

Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.
volumes:
- /var/run/docker.sock:/var/run/docker.sock

Check warning on line 215 in docker-compose/7.3.N-docker-compose.yml


GitHub Actions / kics

[HIGH] Docker Socket Mounted In Container

Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
sync-service:
image: quay.io/alfresco/service-sync:3.11.3
mem_limit: 1g
Expand All @@ -193,6 +230,13 @@ services:
-XX:MaxRAMPercentage=80
ports:
- "9090:9090"
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncservice.rule=PathPrefix(`/syncservice`)"
- "traefik.http.services.sync-service.loadbalancer.server.port=9090"
- "traefik.http.middlewares.syncservice.replacepathregex.regex=^/syncservice/(.*)"
- "traefik.http.middlewares.syncservice.replacepathregex.replacement=/alfresco/$$1"
- "traefik.http.routers.syncservice.middlewares=syncservice@docker"
volumes:
shared-file-store-volume:
driver_opts:
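Review bot: The `prometheusipfilter` allowlist of `127.0.0.0/8` is evaluated against the client address Traefik itself sees, and with the port published by Docker that is normally the bridge gateway or docker-proxy address rather than 127.0.0.1, so the `/prometheus` endpoint is probably unreachable from the host too — acceptable if deny-all is the intent, but then it should be stated, e.g. `# metrics: only reachable from inside the compose network; widen sourcerange or set ipstrategy to scrape from the host`. The solr deny rules are regexps over the path as Traefik received it, whereas Tomcat resolves the path after decoding and normalising it, so variants of `/alfresco/s/api/solr/` with a doubled slash or percent-encoded characters may slip past the regexp yet still reach the servlet; that is worth a quick probe before relying on it (the nginx configuration this replaces is not in the diff, so I cannot tell whether it had the same gap). `privileged: true` together with the Docker socket mount, both flagged by kics on this file, gives the proxy container root-equivalent access to the host, while Traefik's Docker provider only needs to read container metadata from the socket — dropping `privileged: true` is the least that should happen, after confirming nothing else in the image depends on it.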
