traefik https

.env.dev

@@ -4,6 +4,8 @@ HOST="localhost"
 HTTP_PORT=8081
 HTTPS_PORT=8083
 
+ACME_EMAIL=""
+
 POSTGRES_USER="geonatadmin"
 POSTGRES_PASSWORD="geonatpasswd"
 POSTGRES_HOST="postgres"

.env.prod

@@ -4,6 +4,8 @@ HOST="example.com"
 HTTP_PORT=80
 HTTPS_PORT=443
 
+ACME_EMAIL=""
+
 POSTGRES_USER="geonatadmin"
 POSTGRES_PASSWORD="geonatpasswd"
 POSTGRES_HOST="postgres"

.gitignore

@@ -1,7 +1,6 @@
 .env
-config/*
-data/taxhub/static/*
-data/geonature/media/*
+/config/
+/data/
 !data/**/.gitkeep
 !data/**/*.sample
 *.swp

docker-compose.yml

@@ -40,10 +40,16 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.http.redirections.entrypoint.to=:${HTTPS_PORT}"  # use binded port instead of websecure
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
       - "--entrypoints.websecure.address=:443"
+      - "--certificatesResolvers.acme-resolver.acme.email=${ACME_EMAIL}"
+      - "--certificatesResolvers.acme-resolver.acme.storage=/etc/traefik/certs/acme.json"
+      - "--certificatesResolvers.acme-resolver.acme.tlsChallenge=true"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./data/traefik/certs:/certs
+      - ./config/traefik:/etc/traefik/dynamic
+      - ./data/traefik/certs:/etc/traefik/certs
     ports:
       - ${HTTP_PORT:-80}:80
       - ${HTTPS_PORT:-443}:443
@@ -93,8 +99,9 @@ services:
       - PYTHONPATH=/dist/config
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.usershub.rule=Host(`${USERSHUB_DOMAIN}`) && PathPrefix(`${USERSHUB_PREFIX:-/usershub}`)"
-      - "traefik.http.routers.usershub.entrypoints=web"
+      - "traefik.http.routers.usershub.rule=Host(`${USERSHUB_DOMAIN}`) && PathPrefix(`${USERSHUB_PREFIX}`)"
+      - "traefik.http.routers.usershub.entrypoints=websecure"
+      - "traefik.http.routers.usershub.tls.certResolver=acme-resolver"
 
   taxhub:
     <<: *defaults
@@ -112,8 +119,9 @@ services:
       - PYTHONPATH=/dist/config
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.taxhub.rule=Host(`${TAXHUB_DOMAIN}`) && PathPrefix(`${TAXHUB_PREFIX:-/taxhub}`)"
-      - "traefik.http.routers.taxhub.entrypoints=web"
+      - "traefik.http.routers.taxhub.rule=Host(`${TAXHUB_DOMAIN}`) && PathPrefix(`${TAXHUB_PREFIX}`)"
+      - "traefik.http.routers.taxhub.entrypoints=websecure"
+      - "traefik.http.routers.taxhub.tls.certResolver=acme-resolver"
 
   geonature-worker:
     <<: *geonature-backend-defaults
@@ -140,8 +148,9 @@ services:
       - ${GEONATURE_MEDIA_DIRECTORY:-./data/geonature/media}:/dist/media
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.geonature-backend.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_BACKEND_PREFIX:-/geonature/api}`)"
-      - "traefik.http.routers.geonature-backend.entrypoints=web"
+      - "traefik.http.routers.geonature-backend.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_BACKEND_PREFIX}`)"
+      - "traefik.http.routers.geonature-backend.entrypoints=websecure"
+      - "traefik.http.routers.geonature-backend.tls.certResolver=acme-resolver"
 
   geonature-frontend:
     image: ${GEONATURE_FRONTEND_IMAGE}
@@ -150,8 +159,9 @@ services:
       - API_ENDPOINT="${GEONATURE_BACKEND_PROTOCOL}://${GEONATURE_BACKEND_HOST}${GEONATURE_BACKEND_PREFIX}"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.geonature.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_FRONTEND_PREFIX:-/}`)"
-      - "traefik.http.routers.geonature.entrypoints=web"
+      - "traefik.http.routers.geonature.rule=Host(`${GEONATURE_DOMAIN}`) && PathPrefix(`${GEONATURE_FRONTEND_PREFIX}`)"
+      - "traefik.http.routers.geonature.entrypoints=websecure"
+      - "traefik.http.routers.geonature.tls.certResolver=acme-resolver"
 
 volumes:
   redis: