Traefik tls enable

docker/docker-compose.yml

@@ -1,35 +1,35 @@
 # docker/docker-compose.yml
 services:
-  # ================== Балансировщик нагрузки ==================
+  # ================== Балансировщик нагрузки (HTTPS/WSS) ==================
   traefik:
     image: traefik:latest
-    user: "0:1001"   # группа docker на хосте (подберите при необходимости, см. ls -la /var/run/docker.sock)
+    user: "0:1001"   # группа docker на хосте (подберите под свою систему, см. ls -la /var/run/docker.sock)
     command:
-      - "--api.insecure=true"                       # дашборд (можно отключить в production)
+      - "--api.insecure=true"                                      # дашборд (можно удалить в production)
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"             # пользовательский REST
-      - "--entrypoints.ws.address=:8081"            # пользовательский WebSocket
-      - "--entrypoints.admin-web.address=:8445"     # админский REST
-      - "--entrypoints.admin-ws.address=:8446"      # админский WebSocket
-      # === Включаем метрики Prometheus ===
+      - "--providers.file.filename=/etc/traefik/dynamic_conf.yml" # самоподписанный сертификат и редирект
+      - "--entrypoints.web.address=:80"                            # HTTP (для редиректа)
+      - "--entrypoints.websecure.address=:443"                    # HTTPS/WSS
+      # Метрики Prometheus
       - "--metrics.prometheus=true"
       - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
       - "--metrics.prometheus.addEntryPointsLabels=true"
       - "--metrics.prometheus.addServicesLabels=true"
     ports:
       - "80:80"
+      - "443:443"
+      # порт дашборда (опционально)
       - "8080:8080"
-      - "8081:8081"
-      - "8445:8445"
-      - "8446:8446"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./traefik/certs:/etc/traefik/certs:ro"                    # самоподписанный сертификат
+      - "./traefik/dynamic_conf.yml:/etc/traefik/dynamic_conf.yml:ro"
     networks:
       - eventhub-net
     restart: unless-stopped
 
-  # ================== Кластер EventHub ==================
+  # ================== Кластер EventHub (3 ноды) ==================
   eventhub-node1:
     build:
       context: ..
@@ -46,25 +46,41 @@ services:
       - eventhub-node1-data:/app/data
     labels:
       - "traefik.enable=true"
-      # REST API пользователей
+      # --- REST API пользователей ---
       - "traefik.http.routers.api.rule=Host(`api.eventhub.local`)"
       - "traefik.http.routers.api.entrypoints=web"
-      - "traefik.http.routers.api.service=api"
+      - "traefik.http.routers.api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.api-secure.rule=Host(`api.eventhub.local`)"
+      - "traefik.http.routers.api-secure.entrypoints=websecure"
+      - "traefik.http.routers.api-secure.tls=true"
+      - "traefik.http.routers.api-secure.service=api"
       - "traefik.http.services.api.loadbalancer.server.port=8080"
-      # WebSocket пользователей
+      # --- WebSocket пользователей (WSS через websecure) ---
       - "traefik.http.routers.ws.rule=Host(`ws.eventhub.local`)"
-      - "traefik.http.routers.ws.entrypoints=ws"
-      - "traefik.http.routers.ws.service=ws"
+      - "traefik.http.routers.ws.entrypoints=web"
+      - "traefik.http.routers.ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.ws-secure.rule=Host(`ws.eventhub.local`)"
+      - "traefik.http.routers.ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.ws-secure.tls=true"
+      - "traefik.http.routers.ws-secure.service=ws"
       - "traefik.http.services.ws.loadbalancer.server.port=8081"
-      # Админский REST
+      # --- Админский REST ---
       - "traefik.http.routers.admin-api.rule=Host(`admin.eventhub.local`)"
-      - "traefik.http.routers.admin-api.entrypoints=admin-web"
-      - "traefik.http.routers.admin-api.service=admin-api"
+      - "traefik.http.routers.admin-api.entrypoints=web"
+      - "traefik.http.routers.admin-api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-api-secure.rule=Host(`admin.eventhub.local`)"
+      - "traefik.http.routers.admin-api-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-api-secure.tls=true"
+      - "traefik.http.routers.admin-api-secure.service=admin-api"
       - "traefik.http.services.admin-api.loadbalancer.server.port=8445"
-      # Админский WebSocket
+      # --- Админский WebSocket (WSS) ---
       - "traefik.http.routers.admin-ws.rule=Host(`admin-ws.eventhub.local`)"
-      - "traefik.http.routers.admin-ws.entrypoints=admin-ws"
-      - "traefik.http.routers.admin-ws.service=admin-ws"
+      - "traefik.http.routers.admin-ws.entrypoints=web"
+      - "traefik.http.routers.admin-ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-ws-secure.rule=Host(`admin-ws.eventhub.local`)"
+      - "traefik.http.routers.admin-ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-ws-secure.tls=true"
+      - "traefik.http.routers.admin-ws-secure.service=admin-ws"
       - "traefik.http.services.admin-ws.loadbalancer.server.port=8446"
     restart: unless-stopped
 
@@ -86,19 +102,35 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.api.rule=Host(`api.eventhub.local`)"
       - "traefik.http.routers.api.entrypoints=web"
-      - "traefik.http.routers.api.service=api"
+      - "traefik.http.routers.api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.api-secure.rule=Host(`api.eventhub.local`)"
+      - "traefik.http.routers.api-secure.entrypoints=websecure"
+      - "traefik.http.routers.api-secure.tls=true"
+      - "traefik.http.routers.api-secure.service=api"
       - "traefik.http.services.api.loadbalancer.server.port=8080"
       - "traefik.http.routers.ws.rule=Host(`ws.eventhub.local`)"
-      - "traefik.http.routers.ws.entrypoints=ws"
-      - "traefik.http.routers.ws.service=ws"
+      - "traefik.http.routers.ws.entrypoints=web"
+      - "traefik.http.routers.ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.ws-secure.rule=Host(`ws.eventhub.local`)"
+      - "traefik.http.routers.ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.ws-secure.tls=true"
+      - "traefik.http.routers.ws-secure.service=ws"
       - "traefik.http.services.ws.loadbalancer.server.port=8081"
       - "traefik.http.routers.admin-api.rule=Host(`admin.eventhub.local`)"
-      - "traefik.http.routers.admin-api.entrypoints=admin-web"
-      - "traefik.http.routers.admin-api.service=admin-api"
+      - "traefik.http.routers.admin-api.entrypoints=web"
+      - "traefik.http.routers.admin-api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-api-secure.rule=Host(`admin.eventhub.local`)"
+      - "traefik.http.routers.admin-api-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-api-secure.tls=true"
+      - "traefik.http.routers.admin-api-secure.service=admin-api"
       - "traefik.http.services.admin-api.loadbalancer.server.port=8445"
       - "traefik.http.routers.admin-ws.rule=Host(`admin-ws.eventhub.local`)"
-      - "traefik.http.routers.admin-ws.entrypoints=admin-ws"
-      - "traefik.http.routers.admin-ws.service=admin-ws"
+      - "traefik.http.routers.admin-ws.entrypoints=web"
+      - "traefik.http.routers.admin-ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-ws-secure.rule=Host(`admin-ws.eventhub.local`)"
+      - "traefik.http.routers.admin-ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-ws-secure.tls=true"
+      - "traefik.http.routers.admin-ws-secure.service=admin-ws"
       - "traefik.http.services.admin-ws.loadbalancer.server.port=8446"
     restart: unless-stopped
 
@@ -120,19 +152,35 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.api.rule=Host(`api.eventhub.local`)"
       - "traefik.http.routers.api.entrypoints=web"
-      - "traefik.http.routers.api.service=api"
+      - "traefik.http.routers.api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.api-secure.rule=Host(`api.eventhub.local`)"
+      - "traefik.http.routers.api-secure.entrypoints=websecure"
+      - "traefik.http.routers.api-secure.tls=true"
+      - "traefik.http.routers.api-secure.service=api"
       - "traefik.http.services.api.loadbalancer.server.port=8080"
       - "traefik.http.routers.ws.rule=Host(`ws.eventhub.local`)"
-      - "traefik.http.routers.ws.entrypoints=ws"
-      - "traefik.http.routers.ws.service=ws"
+      - "traefik.http.routers.ws.entrypoints=web"
+      - "traefik.http.routers.ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.ws-secure.rule=Host(`ws.eventhub.local`)"
+      - "traefik.http.routers.ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.ws-secure.tls=true"
+      - "traefik.http.routers.ws-secure.service=ws"
       - "traefik.http.services.ws.loadbalancer.server.port=8081"
       - "traefik.http.routers.admin-api.rule=Host(`admin.eventhub.local`)"
-      - "traefik.http.routers.admin-api.entrypoints=admin-web"
-      - "traefik.http.routers.admin-api.service=admin-api"
+      - "traefik.http.routers.admin-api.entrypoints=web"
+      - "traefik.http.routers.admin-api.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-api-secure.rule=Host(`admin.eventhub.local`)"
+      - "traefik.http.routers.admin-api-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-api-secure.tls=true"
+      - "traefik.http.routers.admin-api-secure.service=admin-api"
       - "traefik.http.services.admin-api.loadbalancer.server.port=8445"
       - "traefik.http.routers.admin-ws.rule=Host(`admin-ws.eventhub.local`)"
-      - "traefik.http.routers.admin-ws.entrypoints=admin-ws"
-      - "traefik.http.routers.admin-ws.service=admin-ws"
+      - "traefik.http.routers.admin-ws.entrypoints=web"
+      - "traefik.http.routers.admin-ws.middlewares=redirect-to-https@file"
+      - "traefik.http.routers.admin-ws-secure.rule=Host(`admin-ws.eventhub.local`)"
+      - "traefik.http.routers.admin-ws-secure.entrypoints=websecure"
+      - "traefik.http.routers.admin-ws-secure.tls=true"
+      - "traefik.http.routers.admin-ws-secure.service=admin-ws"
       - "traefik.http.services.admin-ws.loadbalancer.server.port=8446"
     restart: unless-stopped
 
@@ -144,9 +192,8 @@ services:
       - '--storage.tsdb.path=/prometheus'
       - '--web.console.libraries=/usr/share/prometheus/console_libraries'
       - '--web.console.templates=/usr/share/prometheus/consoles'
-      # === Ограничение retention ===
-      - '--storage.tsdb.retention.time=30d'        # хранить данные 30 дней
-      - '--storage.tsdb.retention.size=15GB'       # максимальный размер 15 ГБ
+      - '--storage.tsdb.retention.time=30d'
+      - '--storage.tsdb.retention.size=15GB'
     volumes:
       - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus-data:/prometheus
@@ -160,9 +207,9 @@ services:
     image: grafana/grafana:latest
     environment:
       - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}
-      - GF_SECURITY_DISABLE_INITIAL_ADMIN_PASSWORD_CHANGE=false   # обязательно сменить пароль после первого входа
-      - GF_USERS_ALLOW_SIGN_UP=false                              # запретить самостоятельную регистрацию
-      - GF_AUTH_ANONYMOUS_ENABLED=false                           # запретить анонимный доступ
+      - GF_SECURITY_DISABLE_INITIAL_ADMIN_PASSWORD_CHANGE=false
+      - GF_USERS_ALLOW_SIGN_UP=false
+      - GF_AUTH_ANONYMOUS_ENABLED=false
     volumes:
       - ./grafana/provisioning:/etc/grafana/provisioning
       - ./grafana/dashboards:/etc/grafana/dashboards