OAuth2-Proxy für SmICS
# Global options: define a private CA ("caddy") backed by an operator-supplied
# root certificate and key. The internal issuer in the tls_on_demand snippet
# signs leaf certificates with this CA.
# The CA key is read from the /caddy_ca bind mount; that mount only needs to be
# readable by Caddy, and the key file should not be committed alongside the
# Compose project.
{
	pki {
		ca caddy {
			name "SmICS App Local Authority"
			root {
				cert /caddy_ca/smics-uksh-ca.crt
				key /caddy_ca/smics-uksh-ca.key
			}
		}
	}
}
# Snippet: issue a certificate from the internal CA on first use of a hostname.
# NOTE(review): on_demand mints a certificate for whatever SNI a client presents.
# No `on_demand_tls { ask ... }` restriction appears in the global options above,
# so issuance is unbounded; with the internal issuer there are no ACME rate
# limits to hit, but an unrestricted `ask` is still recommended — confirm this is
# acceptable for the deployment.
(tls_on_demand) {
	tls {
		on_demand
		issuer internal {
			ca caddy
		}
	}
}
# Snippet: gate a route behind oauth2-proxy. Every request is first sent to
# oauth2-proxy's /oauth2/auth endpoint; a 2xx lets the request continue to the
# route's own handlers.
# A 401 from oauth2-proxy is replaced by the static page
# /htdocs/fwauth_401.html ({rp.status_code} is always 401 here, because @unauth
# matches only that status). Other non-2xx statuses are not matched and
# presumably fall through to forward_auth's default handling — confirm.
# No `copy_headers` is configured, so identity headers produced by oauth2-proxy
# (set_xauthrequest / pass_* options in its config) are not forwarded to the
# protected upstream — confirm that is intended.
(oap_secured) {
	forward_auth oauth2_proxy:4180 {
		uri /oauth2/auth
		@unauth status 401
		handle_response @unauth {
			root * /htdocs
			rewrite * /fwauth_{rp.status_code}.html
			file_server
		}
	}
}
# Public HTTPS site. Routing is split by path into `handle` blocks:
#   /oauth2/*          -> oauth2-proxy (sign-in, callback, auth endpoint)
#   /logout            -> oauth2-proxy sign_out, then IdP logout
#   /visualisierung/*  -> smics_visualisierung  (not gated, see note below)
#   /socket.io/*       -> smics_visualisierung  (not gated, see note below)
#   everything else    -> smics_core, gated by the oap_secured snippet
:443 {
	@oap path /oauth2 /oauth2/*
	handle @oap {
		reverse_proxy http://oauth2_proxy:4180 {
			# presumably a debugging marker so the upstream can see which route it was reached through
			header_up +X-Caddy-Proxy "oauth2_proxy:4180"
		}
	}
	# Sign out of oauth2-proxy, then send the browser to the IdP's logout via rd=.
	# oauth2-proxy only honours an rd= host that is listed in its whitelist_domains,
	# so the Okta hostname here and the proxy config must be kept in sync.
	# NOTE(review): the hostname is a dev tenant hard-coded into the site config.
	redir /logout /oauth2/sign_out?rd=https%3A%2F%2Fdev-88029423.okta.com%2Flogin%2Fsignout%3Ffrom%3Dhttps%3A%2F%2F{host} temporary
	@vis {
		path /visualisierung /visualisierung/*
	}
	handle @vis {
		reverse_proxy smics_visualisierung:3231 {
			header_down +X-Caddy-Proxy "smics_visualisierung:3231"
		}
		# NOTE(review): the forward_auth gate is commented out here and absent from
		# the @websockets handle below, so the visualisation frontend and its
		# socket.io traffic are proxied without authentication; only @core imports
		# oap_secured. Confirm this is intended.
		#import oap_secured
	}
	@websockets {
		#header Connection *Upgrade*
		#header Upgrade websocket
		path /socket.io /socket.io/*
	}
	handle @websockets {
		reverse_proxy smics_visualisierung:3231 {
			header_down +X-Caddy-Proxy "smics_visualisierung:3231 websocket"
		}
	}
	# Catch-all for the core application: everything not claimed by the routes above.
	@core not {
		path /visualisierung /visualisierung/*
		path /oauth2 /oauth2/*
		path /logout
	}
	handle @core {
		reverse_proxy smics_core:80 {
			header_down +X-Caddy-Proxy "smics_core:80"
		}
		# Require an oauth2-proxy session before reaching smics_core.
		import oap_secured
	}
	# Site-wide TLS settings (internal CA, on-demand issuance).
	import tls_on_demand
	# Access log with default settings; no output or format is configured here.
	log
}
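# Compose stack: Caddy (TLS termination + forward_auth) in front of oauth2-proxy
# and the SmICS core / visualisation services.
# The *_ehrbase and *_better service pairs are alternatives selected with
# `--profile`; do not enable both profiles at once, because each pair reuses
# the same container_name values (smics_core, smics_visualisierung).
# NOTE(review): `profiles` is a Compose-spec feature; confirm the Compose
# implementation in use honours it together with `version: '3.1'`.
version: '3.1'
services:
  caddy:
    # NOTE(review): unpinned tag — pin to a specific version (or digest) so an
    # upstream image change cannot silently alter the edge proxy.
    image: caddy
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      # The Caddyfile, CA material and static pages are only read by Caddy;
      # mounting them read-only keeps a compromised container from rewriting
      # its own config, the CA key or the interstitial pages.
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy/self-signed-root:/caddy_ca:ro
      - ./caddy/htdocs:/htdocs:ro
      # Caddy's own state (issued certificates, autosaved config) must stay writable.
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - caddy-net
      - etl-net
  oauth2_proxy:
    # NOTE(review): unpinned tag — see the caddy service.
    image: quay.io/oauth2-proxy/oauth2-proxy
    volumes:
      # The config holds client_secret / cookie_secret; read-only is sufficient.
      - ./oauth2_proxy/oauth2_proxy.cfg:/oauth2_proxy.cfg:ro
    command: --config /oauth2_proxy.cfg
    container_name: oauth2_proxy
    # Only on caddy-net and never published: the proxy is reachable solely via
    # Caddy, which is what makes `reverse_proxy = true` in its config acceptable.
    networks:
      - caddy-net
  smics_core_ehrbase:
    build: ./SmICSCore
    container_name: smics_core
    # `curl` must exist in the built image for this check to pass — TODO confirm.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:80"]
      interval: 20s
      timeout: 10s
      retries: 5
      start_period: 5m
    volumes:
      - t_smicsdata_db_ehrbase:/app/Resources/db/
    environment:
      - OPENEHR_DB=https://etl-caddy:8443/ehrbase/
      - OPENEHR_USER=ehrbase
      # NOTE(review): placeholder credential. Supply the real value through an
      # env_file or a secrets mechanism instead of committing it here.
      - OPENEHR_PASSWD=aaa
      - FIRST_DATA_ENTRY_YEAR=2022
      - QUERY_TIMEOUT=300000
    networks:
      - etl-net
    profiles:
      - ehrbase
  smics_core_better:
    build: ./SmICSCore
    container_name: smics_core
    # `curl` must exist in the built image for this check to pass — TODO confirm.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:80"]
      interval: 20s
      timeout: 10s
      retries: 5
      start_period: 5m
    volumes:
      - t_smicsdata_db_better:/app/Resources/db/
    environment:
      - OPENEHR_DB=https://etl-caddy:8443/thinkehr/
      - OPENEHR_USER=admin
      # NOTE(review): placeholder credential; see smics_core_ehrbase.
      - OPENEHR_PASSWD=aaa
      - FIRST_DATA_ENTRY_YEAR=2022
      - QUERY_TIMEOUT=300000
    networks:
      - etl-net
    profiles:
      - better
  smics_visualisierung_ehrbase:
    build: ./SmICSVisualisierung
    container_name: smics_visualisierung
    # Start only once the core service reports healthy.
    depends_on:
      smics_core_ehrbase:
        condition: service_healthy
    environment:
      - SMICS_HOSTNAME=smics_core
      - SMICS_PORT=80
    networks:
      - etl-net
    profiles:
      - ehrbase
  smics_visualisierung_better:
    build: ./SmICSVisualisierung
    container_name: smics_visualisierung
    # Start only once the core service reports healthy.
    depends_on:
      smics_core_better:
        condition: service_healthy
    environment:
      - SMICS_HOSTNAME=smics_core
      - SMICS_PORT=80
    networks:
      - etl-net
    profiles:
      - better
networks:
  # Pre-existing network shared with the ETL stack (etl-caddy lives there).
  etl-net:
    external: true
  # Private network between Caddy and oauth2-proxy.
  caddy-net:
    driver: bridge
volumes:
  caddy_data: {}
  caddy_config: {}
  t_smicsdata_db_ehrbase: {}
  t_smicsdata_db_better: {}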
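<!DOCTYPE html>
<!--
  Interstitial shown when the user has no oauth2-proxy session; presumably the
  fwauth_401.html page that the Caddyfile's oap_secured snippet rewrites to.
  It redirects to the sign-in endpoint after 3 s and offers a manual link.
-->
<html lang="en">
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta
      name="viewport"
      content="width=device-width, initial-scale=1, shrink-to-fit=no"
    />
    <title>SmICS @ UKSH</title>
    <!-- Subresource Integrity pins the CDN assets; the hashes must be updated
         together with the version in the URL. -->
    <link
      href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css"
      rel="stylesheet"
      integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65"
      crossorigin="anonymous"
    />
    <!-- Nothing on this page uses Bootstrap's JS; the bundle could be dropped to
         load less third-party code on an unauthenticated page. -->
    <script
      src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js"
      integrity="sha384-kenU1KFdBIe4zVF0s0G1M5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK/7HAuoJl+0I4"
      crossorigin="anonymous"
    ></script>
    <meta http-equiv="refresh" content="3; URL=/oauth2/sign_in" />
    <!-- Never cache this page: a stale copy would keep bouncing a signed-in user. -->
    <meta
      http-equiv="Cache-Control"
      content="no-cache, no-store, must-revalidate"
    />
    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="0" />
  </head>
  <body>
    <div class="container">
      <div class="row">
        <!-- Bootstrap 5 removed .jumbotron; these utilities give the equivalent panel. -->
        <div class="p-5 mb-4 bg-light rounded-3">
          <h1 class="display-4">You are not logged in to SmICS.</h1>
          <p class="lead">You will be redirected momentarily.</p>
          <p>If this doesn't work, please click this button.</p>
        </div>
      </div>
      <div class="row">
        <!-- .btn-block was removed in Bootstrap 5; .w-100 makes the button full-width. -->
        <a class="btn btn-primary w-100" href="/oauth2/start">Click to sign-in.</a>
      </div>
    </div>
  </body>
</html>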
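# oauth2-proxy configuration, loaded with `--config /oauth2_proxy.cfg`.
# Every credential below ("aaa"/"aaaa") is a placeholder; real values belong in
# a secret store or an environment-provided file, not in version control.

# Listener that Caddy targets as oauth2_proxy:4180 (forward_auth and reverse_proxy).
http_address = "0.0.0.0:4180"
standard_logging = true
#request_logging = true
#auth_logging = true
# Trust X-Forwarded-* headers. Acceptable only because the container is reachable
# exclusively from Caddy on the private caddy-net network and is never published.
reverse_proxy = true
# NOTE(review): placeholder — oauth2-proxy requires a 16, 24 or 32 byte secret here.
cookie_secret = "aaa"
# Authorization rule: any authenticated account whose e-mail is in one of these
# domains is admitted; there is no finer-grained group/role check at this layer.
email_domains = [
  "uksh.de",
  "uni-luebeck.de"
]
custom_sign_in_logo = "https://www.highmed.org/hubfs/CD/Logo/HiGHmed_Logo_weisser_Kreis_210520.svg"
provider = "oidc"
provider_display_name = "SmICS @ UKSH via Okta"
client_id = "aaa"
client_secret = "aaaa"
# Must match the redirect URI registered at the IdP; currently a host-specific value.
redirect_url = "https://localhost.wiedekopf.net/oauth2/callback"
oidc_issuer_url = "https://dev-aaa.okta.com/oauth2/default"
# PKCE for the authorization-code flow.
code_challenge_method = "S256"
# These forward the upstream token / identity headers to the protected backend.
# NOTE(review): with Caddy's forward_auth and no copy_headers configured, these
# headers are not relayed to smics_core — confirm they are still needed.
pass_access_token = true
set_xauthrequest = true
# Key name corrected from `pasS_authorization_header`; a mis-cased key may be
# silently ignored by the loader, leaving the option at its default.
pass_authorization_header = true
# Hosts the rd= redirect parameter may point at. Must include the IdP host used
# by the Caddyfile's /logout redirect, and nothing broader.
whitelist_domains = [
  "dev-aaa.okta.com"
]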
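<!DOCTYPE html>
<!--
  Interstitial shown while SmICS is unavailable; it reloads the site root after
  3 s and offers a manual retry link.
  NOTE(review): the Caddyfile's oap_secured snippet only rewrites to a static
  page for status 401, so it is not obvious from the visible config which route
  serves this page — confirm it is actually reachable.
-->
<html lang="en">
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta
      name="viewport"
      content="width=device-width, initial-scale=1, shrink-to-fit=no"
    />
    <title>SmICS @ UKSH</title>
    <!-- Subresource Integrity pins the CDN assets; the hashes must be updated
         together with the version in the URL. -->
    <link
      href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css"
      rel="stylesheet"
      integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65"
      crossorigin="anonymous"
    />
    <!-- Nothing on this page uses Bootstrap's JS; the bundle could be dropped to
         load less third-party code on an error page. -->
    <script
      src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js"
      integrity="sha384-kenU1KFdBIe4zVF0s0G1M5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK/7HAuoJl+0I4"
      crossorigin="anonymous"
    ></script>
    <meta http-equiv="refresh" content="3; URL=/" />
    <!-- Never cache this page: a stale copy would keep showing the outage notice. -->
    <meta
      http-equiv="Cache-Control"
      content="no-cache, no-store, must-revalidate"
    />
    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="0" />
  </head>
  <body>
    <div class="container">
      <div class="row">
        <!-- Bootstrap 5 removed .jumbotron; these utilities give the equivalent panel. -->
        <div class="p-5 mb-4 bg-light rounded-3">
          <h1 class="display-4">SmICS is not responding currently.</h1>
          <p class="lead">You will be redirected momentarily.</p>
          <p>If this doesn't work, please click this button.</p>
        </div>
      </div>
      <div class="row">
        <!-- The link reloads the site root, so the label says "retry" rather than
             the copy-pasted "sign-in" from the 401 page.
             .btn-block was removed in Bootstrap 5; .w-100 makes the button full-width. -->
        <a class="btn btn-primary w-100" href="/">Click to retry.</a>
      </div>
    </div>
  </body>
</html>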