From 41e8d763d788740f8027cfa8c1f125a6b7afa3ca Mon Sep 17 00:00:00 2001
From: minottic
Date: Mon, 22 Apr 2024 15:39:16 +0200
Subject: [PATCH] Add manual configuration closer to trafik
---
 services/proxy/README.md | 22 ++++++++++++++++++++++
 services/proxy/config/config.yaml | 18 ++++++++++++++++++
 services/proxy/docker-compose.yaml | 11 +++++++----
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 services/proxy/README.md
 create mode 100644 services/proxy/config/config.yaml
diff --git a/services/proxy/README.md b/services/proxy/README.md
new file mode 100644
index 00000000..a497d9e8
--- /dev/null
+++ b/services/proxy/README.md
@@ -0,0 +1,22 @@
+# Proxy
+
+The proxy acts as a reverse proxy to the SciCat Live containers.
+
+## [config.yaml file](./config/config.yaml)
+
+It sets proxy options. Most of them are rarely changed, but the user who wants to enable TLS, provided that the service URLs exposed by traefik are reachable from the public web, should change the [resolver settings](./config/config.yaml#L17-L18) accordingly.
+
+## Enable TLS
+
+The proxy sets a default certificate resolver, using letsencrypt. To use it, the user should:
+1. change the [resolver settings](./config/config.yaml#L17-L18)
+2. restart the proxy service
+3. add dedicated labels to each service the user wants to expose, making sure that the URLs are reachable by letsencrypt. The user should set: the service public URL, the certificate resolver annotation and set the entrypoint to `websecure` to use port 443. For example, for the [frontend service](../frontend/docker-compose.yaml):
+
+```diff
+ labels:
+- - traefik.http.routers.frontend.rule=Host(`localhost`)
++ - traefik.http.routers.frontend.rule=Host(``)
++ - traefik.http.routers.frontend.entrypoints=websecure
++ - traefik.http.routers.frontend.tls.certresolver=leresolver
+```
diff --git a/services/proxy/config/config.yaml b/services/proxy/config/config.yaml
new file mode 100644
index 00000000..58bc90e6
--- /dev/null
+++ b/services/proxy/config/config.yaml
@@ -0,0 +1,18 @@
+api:
+ insecure: true
+
+providers:
+ docker: true
+
+entryPoints:
+ web:
+ address: :80
+ websecure:
+ address: :443
+
+certificatesResolvers:
+ leresolver:
+ acme:
+ storage: /letsencrypt/acme.json
+ email: mail@example.com
+ caServer: https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/services/proxy/docker-compose.yaml b/services/proxy/docker-compose.yaml
index 33a59b4c..b6c49f84 100644
--- a/services/proxy/docker-compose.yaml
+++ b/services/proxy/docker-compose.yaml
@@ -1,12 +1,15 @@
services:
proxy:
image: traefik:2.11
- command:
- - --api.insecure=true
- - --providers.docker=true
- - --entrypoints.web.address=:80
ports:
- 80:80
+ - 443:443
- 8080:8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock
+ - ./config/config.yaml:/etc/traefik/traefik.yaml:ro
+ - letsencrypt_proxy_data:/letsencrypt
+
+volumes:
+ letsencrypt_proxy_data:
+ driver: local
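Review bot: The `acme` block under `leresolver` at the end of the config.yaml hunk sets `storage`, `email` and `caServer` but no challenge type, and as far as I recall Traefik 2.x refuses to initialise a resolver unless one of `httpChallenge`, `tlsChallenge` or `dnsChallenge` is configured, so the TLS path the README documents would fail at startup instead of issuing certificates; since the `web` entry point on :80 is already defined, adding `httpChallenge:` with `entryPoint: web` under `acme` is the minimal fix. Separately, `api: insecure: true` is carried over from the old compose command into a configuration the README now frames as public-web facing, and `providers: docker: true` leaves `exposedByDefault` at its default, so every container on the socket becomes routable unless it opts out; `insecure: false` with the dashboard served through an authenticated router, and `providers: docker: exposedByDefault: false` with explicit `traefik.enable=true` labels, would make exposure opt-in. The README links to `#L17-L18`, which are the `email` and `caServer` lines, so a comment on the `caServer` line such as `# staging CA: certificates are not browser-trusted; switch to the production directory before exposing publicly` would make the intended edit clearer than the bare placeholder values.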
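Review bot: The new `443:443` mapping in the docker-compose hunk turns this proxy into the public TLS entry point, but the `8080:8080` mapping on the line below it is still published on all interfaces while the mounted config keeps the API in insecure mode, so the Traefik dashboard and API would be reachable next to the public services; binding it to loopback, `- "127.0.0.1:8080:8080"`, or dropping the mapping once the dashboard is routed through Traefik itself would close that. As a point of style, the port mappings are plain scalars; quoting them as `- "80:80"`, `- "443:443"` and `- "8080:8080"` is the usual Compose convention and avoids the YAML 1.1 sexagesimal trap for any low-numbered port pair added later. The `:ro` flag on the new config mount is good, and a dedicated named volume for `acme.json` is the right choice given that Traefik expects that file to be owner-only.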