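---
# Traefik dynamic configuration for the eventhub.local hosts:
# TLS store, middlewares (HTTPS redirect, Coraza WAF, rate limits),
# routers for api / ws / admin, and the backend services behind them.

tls:
  # No tls.options are defined in this file, so protocol versions and cipher
  # suites come from Traefik's defaults. Set tls.options.default.minVersion
  # if a specific floor has to be enforced.
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/traefik.crt
        keyFile: /etc/traefik/certs/traefik.key
  # Same certificate/key pair as the store default above.
  # NOTE(review): the key file should be readable by the Traefik process only.
  certificates:
    - certFile: /etc/traefik/certs/traefik.crt
      keyFile: /etc/traefik/certs/traefik.key

http:
  middlewares:
    # Permanent redirect from http to https.
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

    # Coraza WAF plugin, running in blocking mode.
    waf:
      plugin:
        coraza:
          directives:
            # Can be uncommented for testing (log only, no blocking):
            # - "SecRuleEngine DetectionOnly"
            - "SecRuleEngine On"
            # Debug log only; no SecAuditEngine/SecAuditLog directive is set
            # in this file, so there is no separate audit trail of denied
            # requests beyond what the debug log and the `log` action emit.
            - "SecDebugLog /dev/stdout"
            - "SecDebugLogLevel 2"
            # - "SecRule REQUEST_URI \"@rx /admin\" \"id:101,phase:1,log,deny,status:403\""
            #
            # Rule 102: deny requests whose arguments contain SQL keywords.
            # The transformations (t:none,t:urlDecodeUni,t:lowercase) were
            # added so the match no longer depends on letter case or on an
            # extra layer of URL encoding.
            # NOTE(review): this is a bare substring match, so ordinary values
            # such as "selected" or "dropdown" are denied as well, and it is
            # not a substitute for parameterized queries in the backends.
            # A maintained rule set (e.g. OWASP CRS) is the usual replacement.
            # NOTE(review): no SecRequestBodyAccess directive is present, so
            # whether body parameters are inspected depends on the plugin
            # default - confirm.
            - >-
              SecRule ARGS "@rx (union|select|insert|drop|alter)"
              "id:102,phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,status:403"

    # 100 requests per minute on average, bursts of up to 50.
    # No sourceCriterion is set, so requests are grouped by Traefik's default
    # source (the remote address). NOTE(review): behind another proxy or load
    # balancer all clients would share one bucket - confirm the topology.
    api-ratelimit:
      rateLimit:
        average: 100
        period: 1m
        burst: 50

    # 20 requests per minute on average, bursts of up to 5 (admin REST).
    admin-ratelimit:
      rateLimit:
        average: 20
        period: 1m
        burst: 5

  routers:
    # Every host has a pair of routers: one on the "web" entry point that
    # redirects to https, and one on "websecure" that serves the traffic.
    # On the "web" routers redirect-to-https is listed first, so the rate
    # limiter and WAF listed after it presumably never see a request.

    # --- User REST API ---
    api:
      rule: "Host(`api.eventhub.local`)"
      entryPoints: ["web"]
      middlewares: ["redirect-to-https", "api-ratelimit", "waf"]
      service: "api"
    api-secure:
      rule: "Host(`api.eventhub.local`)"
      entryPoints: ["websecure"]
      tls: true
      middlewares: ["api-ratelimit", "waf"]
      service: "api"

    # --- User WebSocket (no WAF) ---
    # No rate-limit middleware is attached here either.
    ws:
      rule: "Host(`ws.eventhub.local`)"
      entryPoints: ["web"]
      middlewares: ["redirect-to-https"]
      service: "ws"
    ws-secure:
      rule: "Host(`ws.eventhub.local`)"
      entryPoints: ["websecure"]
      tls: true
      service: "ws"

    # --- Admin panel (SPA) ---
    # NOTE(review): none of the admin routers in this file carries an
    # access-restriction middleware (IP allow-list or authentication), and
    # they share the entry points used by the public hosts. Confirm that
    # access control is enforced by the backends or by network policy.
    admin-ui:
      rule: "Host(`admin.eventhub.local`) && !PathPrefix(`/api/`) && !PathPrefix(`/ws/`)"
      entryPoints: ["web"]
      middlewares: ["redirect-to-https"]
      service: "admin-ui-service"
    admin-ui-secure:
      rule: "Host(`admin.eventhub.local`) && !PathPrefix(`/api/`) && !PathPrefix(`/ws/`)"
      entryPoints: ["websecure"]
      tls: true
      service: "admin-ui-service"

    # --- Proxy /api/ to the admin REST backend ---
    admin-api-proxy:
      rule: "Host(`admin.eventhub.local`) && PathPrefix(`/api/`)"
      entryPoints: ["web"]
      middlewares: ["redirect-to-https", "admin-ratelimit", "waf"]
      service: "admin-api"
    admin-api-proxy-secure:
      rule: "Host(`admin.eventhub.local`) && PathPrefix(`/api/`)"
      entryPoints: ["websecure"]
      tls: true
      middlewares: ["admin-ratelimit", "waf"]
      service: "admin-api"

    # --- Proxy /ws/ to the admin WebSocket backend ---
    # No WAF or rate-limit middleware on the admin WebSocket path.
    admin-ws-proxy:
      rule: "Host(`admin.eventhub.local`) && PathPrefix(`/ws/`)"
      entryPoints: ["web"]
      middlewares: ["redirect-to-https"]
      service: "admin-ws"
    admin-ws-proxy-secure:
      rule: "Host(`admin.eventhub.local`) && PathPrefix(`/ws/`)"
      entryPoints: ["websecure"]
      tls: true
      service: "admin-ws"

  services:
    # All backend URLs below use plain http, including the admin REST and
    # WebSocket ports. NOTE(review): TLS ends at Traefik, so traffic to the
    # nodes is unencrypted - confirm the backend network is trusted.

    # --- User REST API (failover) ---
    api:
      failover:
        service: api-live
        fallback: api-fallback
    api-live:
      loadBalancer:
        servers:
          - url: "http://eventhub-node1:8080"
          - url: "http://eventhub-node2:8080"
          - url: "http://eventhub-node3:8080"
        # The health check drives the switch to the fallback service.
        healthCheck:
          path: "/health"
          interval: "10s"
          timeout: "3s"
    api-fallback:
      loadBalancer:
        servers:
          - url: "http://fallback:80"

    # --- User WebSocket ---
    ws:
      loadBalancer:
        servers:
          - url: "http://eventhub-node1:8081"
          - url: "http://eventhub-node2:8081"
          - url: "http://eventhub-node3:8081"

    # --- Admin REST (failover) ---
    admin-api:
      failover:
        service: admin-api-live
        fallback: admin-api-fallback
    admin-api-live:
      loadBalancer:
        servers:
          - url: "http://eventhub-node1:8445"
          - url: "http://eventhub-node2:8445"
          - url: "http://eventhub-node3:8445"
        healthCheck:
          path: "/health"
          interval: "10s"
          timeout: "3s"
    admin-api-fallback:
      loadBalancer:
        servers:
          - url: "http://fallback:80"

    # --- Admin WebSocket ---
    admin-ws:
      loadBalancer:
        servers:
          - url: "http://eventhub-node1:8446"
          - url: "http://eventhub-node2:8446"
          - url: "http://eventhub-node3:8446"

    # --- SPA (admin panel) ---
    admin-ui-service:
      loadBalancer:
        servers:
          - url: "http://admin-ui:80"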