valknar/docker-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
97 Commits 1 Branch 0 Tags
ac2dd7ee4dd9742510f4fc3ded92e3f419f968f2
Commit Graph

5 Commits

Author SHA1 Message Date
Sebastian Krüger
ac2dd7ee4d fix: move Sablier middleware to dynamic configuration 
Moved Sablier middleware from Docker labels to Traefik dynamic configuration
to fix "unknown plugin type: sablier" error. Traefik plugins can only be
used in dynamic file configuration, not in Docker labels.

Changes:
- Removed sablier-vert@file reference from Docker label middleware chain
- Added complete router definition to proxy/dynamic/vert-sablier.yaml
- Router includes full middleware chain: sablier-vert → vert-auth → compress
- Kept sablier.enable and sablier.group labels for Sablier service discovery

This allows Sablier to properly scale the container to zero while maintaining
the middleware chain order through file-based configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 17:27:04 +01:00
Sebastian Krüger
9cf0d160b4 feat: add HTTP auth and Sablier scale-to-zero to VERT stack 
Added authentication and scale-to-zero capabilities to VERT file converter service:

**Authentication**:
- Added HTTP Basic Auth middleware using VERT_AUTH_USERS
- Auth middleware applied to web-secure router
- Credentials configured via .env file (htpasswd format)

**Sablier Scale-to-Zero**:
- Added sablier.enable and sablier.group labels
- Created proxy/dynamic/vert-sablier.yaml with Sablier middleware config
- 1-hour session duration before automatic scale-down
- Ghost theme with custom display name
- Middleware chain: sablier-vert@file → auth → compress

**Configuration Updates**:
- Added VERT_SABLIER_ENABLED to arty.yml (default: true)
- Updated CLAUDE.md with auth and Sablier documentation
- Middleware order ensures Sablier wakes container before auth check

Infrastructure:
- Follows same pattern as Scrapy service for auth
- Dynamic Traefik configuration for Sablier plugin
- Container name: vert_app (referenced in Sablier config)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 17:22:48 +01:00
Sebastian Krüger
d3850e559a refactor: use inline basicauth for Traefik dashboard 
Changed dashboard authentication to use inline basicauth
like Scrapy instead of external .htpasswd file:

**Changes:**
- Updated proxy labels to use basicauth.users=${PROXY_AUTH_USERS}
- Removed .htpasswd file and auth directory
- Removed dashboard-auth middleware from security.yaml
- Removed .htpasswd volume mount from compose.yaml

**Benefits:**
- Consistent with Scrapy authentication pattern
- Simpler configuration (no external files)
- Auth credentials managed centrally via .env

Dashboard accessible at: https://proxy.pivoine.art
Credentials: valknar / ragnarok98 (via PROXY_AUTH_USERS)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:35:43 +01:00
Sebastian Krüger
ec76db69ed feat: add Traefik dashboard at proxy.pivoine.art with basic auth 
Added secure access to Traefik dashboard:

**Dashboard Configuration:**
- Enabled Traefik API and dashboard
- Configured router for proxy.pivoine.art
- Secured with HTTP Basic Auth middleware

**Security:**
- Created .htpasswd file with bcrypt credentials
- Added dashboard-auth middleware to dynamic/security.yaml
- Mounted .htpasswd file read-only in container
- Dashboard only accessible via HTTPS with valid credentials

**Environment Updates:**
- Added PROXY_AUTH_USERS to .env (htpasswd hash)
- Added PROXY_TRAEFIK_HOST to arty.yml

Dashboard accessible at: https://proxy.pivoine.art

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-06 08:17:42 +01:00
Sebastian Krüger
b420f1d4bf feat: add comprehensive Traefik security hardening 
Added security enhancements to Traefik reverse proxy:

**TLS Security:**
- Minimum TLS 1.2 enforced
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- Modern curve preferences (P-521, P-384)
- SNI strict mode enabled

**HTTP Security Headers:**
- HSTS with 1-year max-age, includeSubdomains, and preload
- X-Frame-Options: SAMEORIGIN (clickjacking protection)
- X-XSS-Protection enabled
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (disable camera, mic, geolocation, etc.)
- X-Robots-Tag for SEO control

**Rate Limiting Middlewares:**
- General: 100 req/s average, 50 burst
- API endpoints: 30 req/s average, 15 burst

**Configuration:**
- Enabled Traefik file provider for dynamic config
- Security headers applied globally to web-secure entrypoint
- Dynamic config in proxy/dynamic/security.yaml
- Auto-reloads on config changes

All HTTPS traffic now benefits from enhanced security headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-04 23:20:34 +01:00