configure traefik for use with scriptrunner in docker swarm mode
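# Swarm stack excerpt: the traefik service itself (compose file format 3.8).
# NOTE(review): the `proxy` network referenced at the bottom is not declared in
# this excerpt; the complete stack file presumably defines it as an overlay
# network — confirm before deploying.
version: "3.8"
services:
  traefik:
    # Pinned image tag so a redeploy does not silently pull a newer traefik.
    image: traefik:2.10.0
    # mode: host publishes the ports on each node directly instead of through
    # the swarm ingress routing mesh, so the client's source address reaches
    # traefik unchanged; with deploy.mode: global there is one task per node.
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      mode: global
      placement:
        constraints:
          # The swarm provider lists services through the docker socket, which
          # only answers on manager nodes.
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
        failure_action: rollback
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        # Matches providers.docker.constraints in the static config, so the
        # dashboard routers labelled on this service are discovered too.
        - "traefik.constraint-label=proxy"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # The :ro flag only stops the socket file being replaced; API calls made
      # through it are still fully privileged, so a compromise of this
      # container is equivalent to root on the node. Keep the image pinned and
      # the dashboard/API authenticated for that reason.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy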
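# dynamic configuration
# dyn.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
      # The suite list governs TLS 1.2 handshakes only: Go's crypto/tls (and so
      # traefik) does not let TLS 1.3 suites be configured, so the three
      # TLS_AES_* / TLS_CHACHA20_POLY1305_SHA256 entries are documentation of
      # intent rather than a restriction.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      # Refuse handshakes whose SNI matches no configured certificate instead
      # of falling back to the default certificate.
      sniStrict: true
  # Certificate for the dashboard router (traefik-secure, tls=true); the key
  # file is bind-mounted from the shared volume, so keep that path restricted.
  certificates:
    - certFile: /etc/certs/domain.tld.crt
      keyFile: /etc/certs/domain.tld.key

tcp:
  routers:
    # ScriptRunner
    scriptrunner:
      entryPoints:
        - "https"
      rule: "HostSNI(`host.domain.tld`)"
      tls:
        # passthrough: traefik reads only the ClientHello for the SNI match and
        # forwards the raw TLS stream; it does NOT terminate TLS on this route.
        # Consequently the `default` options (minVersion, cipherSuites,
        # sniStrict) and the certificate above are not what clients negotiate
        # here — the ScriptRunner server's own certificate and TLS settings are,
        # which is why the README has sr-server present the host.domain.tld cert.
        options: default
        passthrough: true
      service: scriptrunner
  services:
    # ScriptRunner
    scriptrunner:
      loadBalancer:
        servers:
          # End-to-end TLS to the backend; no plaintext hop inside the swarm.
          - address: "sr-server.domain.tld:443"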
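# Per-swarm override layered on the base stack: bind mounts for the static and
# dynamic configuration, the certificates and the logs, plus the labels that
# expose the traefik dashboard/API behind authentication.
version: "3.8"
services:
  traefik:
    volumes:
      - /mnt/gv0/stack-traefik/conf/swarmX/traefik/:/etc/traefik/
      # Holds the private key referenced in dyn.yml; restrict this directory on
      # the shared volume to the traefik deployment.
      - /mnt/gv0/stack-traefik/data/swarmX/traefik/certs/:/etc/certs/
      # Access logs may contain headers (see accessLog in the static config);
      # treat as sensitive.
      - /mnt/gv0/stack-traefik/data/swarmX/traefik/logs:/var/log/
    deploy:
      labels:
        # Plain-HTTP router: exists only to redirect to the https entrypoint.
        - "traefik.http.routers.traefik.entrypoints=http"
        - "traefik.http.routers.traefik.rule=HostRegexp(`{subdomain:swarm[A-Z]+}.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/metrics`))"
        # NOTE(review): neither default-https-redirect@file nor default-auth@file
        # is defined in the dyn.yml excerpt shown here. If they are missing from
        # the real file, traefik refuses to build the router that references
        # them, so traefik-secure would be unreachable rather than open —
        # confirm both middlewares exist before relying on this.
        - "traefik.http.routers.traefik.middlewares=default-https-redirect@file"
        - "traefik.http.routers.traefik-secure.entrypoints=https"
        - "traefik.http.routers.traefik-secure.rule=HostRegexp(`{subdomain:swarm[A-Z]+}.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/metrics`))"
        # default-auth@file is the only control gating api@internal on :443.
        - "traefik.http.routers.traefik-secure.middlewares=default-auth@file"
        - "traefik.http.routers.traefik-secure.tls=true"
        # NOTE(review): no certResolver is configured, so tls.domains is not
        # consulted and the static certificate from dyn.yml is served. Should
        # ACME be added later, the documented label form is indexed and without
        # backticks: tls.domains[0].main=domain.tld / tls.domains[0].sans=*.domain.tld.
        - "traefik.http.routers.traefik-secure.tls.domains.main=`domain.tld`"
        - "traefik.http.routers.traefik-secure.tls.domains.sans=`*.domain.tld`"
        - "traefik.http.routers.traefik-secure.service=api@internal"
        # Port of the container-internal API entrypoint (api.insecure: true).
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"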
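# static configuration (mounted as /etc/traefik/traefik.yml)
api:
  dashboard: true
  # insecure: true serves the API and dashboard without authentication on the
  # built-in `traefik` entrypoint (:8080). The stack does not publish 8080 on
  # the host, but any container on the `proxy` overlay can reach it, so this is
  # a second, unprotected path beside the default-auth@file router on :443.
  # Set to false once the authenticated route is confirmed working.
  insecure: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    # Only services carrying traefik.constraint-label=proxy are considered,
    # in addition to exposedByDefault: false requiring traefik.enable=true.
    constraints: "Label(`traefik.constraint-label`, `proxy`)"
    swarmMode: true
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: "proxy"
  file:
    # Dynamic configuration (TLS options, TCP routers); reloaded on change.
    filename: "/etc/traefik/dyn.yml"
    watch: true
log:
  filePath: "/var/log/traefik.log"
  format: json
  level: "ERROR"  # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO
# Limiting the Logs to Specific Fields
accessLog:
  filePath: "/var/log/access.log"
  format: json
  fields:
    defaultMode: keep
    names:
      ClientUsername: drop
    headers:
      defaultMode: keep
      names:
        User-Agent: keep  # redact
        # keep writes the raw Authorization header (Basic credentials, NTLM /
        # Kerberos tokens) of every HTTP request into access.log. Use drop or
        # redact outside short debugging sessions, and treat the logs volume
        # as sensitive while this stays at keep.
        Authorization: keep  # drop
        Content-Type: keep
serversTransport:
  # Disables verification of backend certificates for HTTP routers (the TCP
  # passthrough route is unaffected), so any host answering for a backend
  # address is accepted; prefer rootCAs or a valid backend cert where possible.
  insecureSkipVerify: true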
added reports site to dyn.yml
added comment to repeat after update:
from https://host.domain.tld to sr-server.domain.tld
C:\Program Files\ScriptRunner\WebApps\AdminApp\uri.js
C:\Program Files\ScriptRunner\WebApps\Portal\app.json
and:
Set-AsrURI -SSLCertThumbprint THUMBPRINT -SSLReplaceExisting -SSLEnable -Restart
updated the files and description for use with ScriptRunner version 6.9, which no longer uses IIS.
changed the files containing the baseUri to C:\Program Files\ScriptRunner\Service\uri.js and C:\Program Files\ScriptRunner\Service\ScriptRunnerService.config
This is an excerpt of a working configuration for using ScriptRunner through a traefik reverse proxy running on a Docker Swarm mode cluster.
Instead of calling the portal directly on the ScriptRunner server via
https://sr-server.domain.tld/
(which should be installed in a non-public network segment), it can then be called via
https://host.domain.tld/
from a publicly accessible network segment. Only TCP routers are used in the traefik configuration, since NTLM and Kerberos authentication do not work with HTTP routers.
You have to allow TCP port 443 to be used from
host.domain.tld
to sr-server.domain.tld.
ScriptRunner server (sr-server.domain.tld)
create ssl certificates for sr-server
https://support.scriptrunner.com/articles/#!server/create-certificate
set SPN for sr-server to host for use with reverse proxy
https://support.scriptrunner.com/articles/#!server/http-to-https/a/h2__565733207
edit baseUri
from
https://host.domain.tld
to sr-server.domain.tld
renew the SR backend certificate to use the one from the reverse proxy host.domain.tld:
/etc/certs/domain.tld.crt
import cert:
https://support.scriptrunner.com/articles/#!server/install-ssl
https://support.scriptrunner.com/articles/#!server/renew-certificate
check Thumbprint of used certificate:
Test-AsrUri -Verbose
traefik on docker swarm mode (host.domain.tld)
DNS
create a host (A) record for host.domain.tld pointing to ONE node IP of the swarm. I tried DNS round-robin, but it caused issues (404).
docker swarm mode traefik directory structure:
deploy stack