production 푸시 초안

config/traefik-compose.yml

@@ -0,0 +1,69 @@
+services:
+    traefik:
+        image: traefik:v3.7.5
+        container_name: traefik
+        restart: unless-stopped
+        ports:
+            - "80:80"
+            - "443:443"
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock:ro
+            - ./letsencrypt:/letsencrypt
+        command:
+            - "--api.dashboard=true"
+            - "--providers.docker=true"
+            - "--providers.docker.exposedbydefault=false"
+            - "--providers.docker.network=traefik-public"
+            - "--entrypoints.web.address=:80"
+            - "--entrypoints.websecure.address=:443"
+            - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+            - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+            - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+            - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+            - "--certificatesresolvers.myresolver.acme.email=${TRAEFIK_ACME_EMAIL:-admin@hmac.kr}"
+            - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+        labels:
+            - "traefik.enable=true"
+            - "traefik.http.routers.traefik-dashboard.rule=Host(`${TRAEFIK_DASHBOARD_HOST:-traefik.brsw.kr}`)"
+            - "traefik.http.routers.traefik-dashboard.service=api@internal"
+            - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+            - "traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver"
+            - "traefik.http.routers.traefik-dashboard.middlewares=auth-forward@docker"
+        networks:
+            - traefik-public
+
+    forward-auth:
+        image: thomseddon/traefik-forward-auth:2.2.0
+        container_name: forward-auth
+        restart: unless-stopped
+        environment:
+            - LOG_LEVEL=${TRAEFIK_FORWARD_AUTH_LOG_LEVEL:-info}
+            - DEFAULT_PROVIDER=generic-oauth
+            - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/auth
+            - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/token
+            - PROVIDERS_GENERIC_OAUTH_USER_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/userinfo
+            - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${TRAEFIK_FORWARD_AUTH_CLIENT_ID:-traefik-forward-auth}
+            - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${TRAEFIK_FORWARD_AUTH_CLIENT_SECRET}
+            - PROVIDERS_GENERIC_OAUTH_SCOPE=openid profile email
+            - SECRET=${TRAEFIK_FORWARD_AUTH_COOKIE_SECRET}
+            - AUTH_HOST=${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}
+            - COOKIE_DOMAIN=${TRAEFIK_COOKIE_DOMAIN:-brsw.kr}
+            - URL_PATH=${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}
+            - INSECURE_COOKIE=${TRAEFIK_FORWARD_AUTH_INSECURE_COOKIE:-false}
+            - LIFETIME=${TRAEFIK_FORWARD_AUTH_LIFETIME:-43200}
+        labels:
+            - "traefik.enable=true"
+            - "traefik.http.services.forward-auth.loadbalancer.server.port=4181"
+            - "traefik.http.middlewares.auth-forward.forwardauth.address=http://forward-auth:4181"
+            - "traefik.http.middlewares.auth-forward.forwardauth.trustForwardHeader=true"
+            - "traefik.http.middlewares.auth-forward.forwardauth.authResponseHeaders=X-Forwarded-User"
+            - "traefik.http.routers.forward-auth.rule=Host(`${TRAEFIK_FORWARD_AUTH_HOST:-app.brsw.kr}`) && PathPrefix(`${TRAEFIK_FORWARD_AUTH_URL_PATH:-/_oauth}`)"
+            - "traefik.http.routers.forward-auth.entrypoints=websecure"
+            - "traefik.http.routers.forward-auth.tls.certresolver=myresolver"
+        networks:
+            - traefik-public
+
+networks:
+    traefik-public:
+        external: true
+        name: traefik-public