Traefik with dashboard, bchain API and explorer, with Let's Encrypt
version: '3.7'

# Named volumes; an empty mapping means "use the default local driver".
volumes:
  pgdata: {}
  walletstore: {}

# The overlay network is created outside this stack and shared with Traefik.
networks:
  testchain-network:
    external: true
    name: testchain-network

services:
  # PostgreSQL backing store for Hyperledger Explorer. No port is published,
  # so it is only reachable from other services on testchain-network.
  explorerdb:
    image: hyperledger/explorer-db:1.0.0-rc2
    hostname: explorerdb
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      placement:
        constraints:
          - node.hostname == gcloud1
      #resources:
      #  limits:
      #    cpus: '0.50'
      #    memory: 100M
      #  reservations:
      #    cpus: '0.25'
      #    memory: 50M
    # Credentials are plain text in the stack file and duplicated in the
    # explorer service below; keep them out of version control in real deployments.
    environment:
      - DATABASE_DATABASE=fabricexplorer
      - DATABASE_USERNAME=hppoc
      - DATABASE_PASSWORD=password
    volumes:
      # Schema bootstrap script mounted into the image's init-script directory.
      - /home/delta/GoWorkspace/src/github.com/hyperledger/blockchain-explorer/app/persistence/fabric/postgreSQL/db/createdb.sh:/docker-entrypoint-initdb.d/createdb.sh
      - pgdata:/var/lib/postgresql/data
    networks:
      testchain-network:
        aliases:
          - explorerdb

  # Hyperledger Explorer web UI, published through Traefik as router `exprtr`.
  explorer:
    image: hyperledger/explorer:1.0.0-rc2
    hostname: explorer
    depends_on:
      - explorerdb
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      placement:
        constraints:
          - node.hostname == gcloud1
      #resources:
      #  limits:
      #    cpus: '0.50'
      #    memory: 100M
      #  reservations:
      #    cpus: '0.25'
      #    memory: 50M
      # Service-level labels (deploy.labels): these are what Traefik reads in swarm mode.
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=testchain-network"
        # Router: host match on the websecure entrypoint, Let's Encrypt TLS challenge.
        - "traefik.http.routers.exprtr.rule=Host(`explorer.example.in`)"
        - "traefik.http.routers.exprtr.entrypoints=websecure"
        # The basicauth middleware declared below is not attached while this stays commented
        # out, i.e. the explorer router currently serves without authentication.
        #- "traefik.http.routers.exprtr.middlewares=auth"
        - "traefik.http.routers.exprtr.service=explorer"
        - "traefik.http.routers.exprtr.tls=true"
        - "traefik.http.routers.exprtr.tls.certresolver=myresolver"
        - "traefik.http.routers.exprtr.tls.domains[0].main=explorer.example.in"
        # Middleware `auth`: htpasswd (apr1) entry; `$` is doubled so compose does not interpolate it.
        - "traefik.http.middlewares.auth.basicauth.users=delta:$$apr1$$dH.NJJK4$$2.UTMIf8Etzu9.iTzOrME/"
        # Service `explorer`: the container listens on 8080 over plain http.
        - "traefik.http.services.explorer.loadbalancer.server.port=8080"
        #- "traefik.http.services.explorer.loadbalancer.server.scheme=https" # <-- set only if the backend itself serves https
        - "traefik.http.services.explorer.loadbalancer.passhostheader=true"
    environment:
      - DATABASE_HOST=explorerdb
      - DATABASE_USERNAME=hppoc
      - DATABASE_PASSWD=password
      # - DATABASE_PORT=5433
      - DISCOVERY_AS_LOCALHOST=false
      - LOG_LEVEL_APP=OFF
      - LOG_LEVEL_CONSOLE=OFF
    volumes:
      - /home/delta/GoWorkspace/src/github.com/hyperledger/blockchain-explorer/app/platform/fabric/config.json:/opt/explorer/app/platform/fabric/config.json
      - /home/delta/GoWorkspace/src/github.com/hyperledger/blockchain-explorer/app/platform/fabric/connection-profile:/opt/explorer/app/platform/fabric/connection-profile
      # Fabric crypto-config (presumably including MSP private keys) mounted read-write;
      # a :ro mount would be enough if explorer only reads it — verify against the image.
      - /home/delta/GoWorkspace/src/github.com/testchain/networks/crypto-config:/tmp/crypto
      - walletstore:/opt/wallet
    # Give the DB a head start, run explorer, then keep the container up if main.js returns.
    command: sh -c "sleep 16&& node /opt/explorer/main.js && tail -f /dev/null"
    # Host-mode publish: node port 8090 reaches the UI directly, bypassing Traefik and therefore
    # the TLS/auth configured on the router above.
    ports:
      - published: 8090
        target: 8080
        mode: host
    networks:
      testchain-network:
        aliases:
          - explorer
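# Traefik v2 building blocks used by this stack:
# - Providers   :- discover the services that live on your infrastructure (their IP, health, ...)
# - Entrypoints :- listen for incoming traffic (ports, ...)
# - Routers     :- analyse the requests (host, path, headers, SSL, ...) and connect them to the services that can handle them
# - Services    :- forward the request to your services (load balancing, ...); they configure how to reach the real backends
# - Middlewares :- may update the request or make decisions based on it (authentication, rate limiting, headers, ...)
#
# Static configuration lives in `command:` below. Dynamic configuration (routers, middlewares,
# TLS options) comes from proxy-config.toml through the file provider and from service labels
# through the Docker provider in swarm mode.
version: "3.7"

networks:
  testchain-network:
    external: true
    name: testchain-network

services:
  traefik:
    image: "traefik:v2.1"
    hostname: traefik
    #user: "${UID}:1002"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
      placement:
        constraints:
          - node.hostname == gcloud1
          # the Docker provider in swarm mode needs a manager node's API socket
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.dummyService.loadbalancer.server.port=1111" # In swarm mode, traefik requires a dummy Port
    # TLS material comes in as swarm secrets created outside the stack (see `secrets:` at the
    # bottom). `mode` is a YAML 1.1 octal literal: 0400 -> 256, the integer the compose schema
    # expects for owner-read-only.
    secrets:
      - source: custom_crt
        target: /run/secrets/server.crt
        mode: 0400
      - source: custom_key
        target: /run/secrets/server.key
        mode: 0400
      - source: custom_root
        # was /run/secret/root-ca.pem (missing "s"); aligned with the two entries above.
        # Nothing in proxy-config.toml references this file yet.
        target: /run/secrets/root-ca.pem
        mode: 0400
    # Static configuration
    command:
      - --providers.file.filename=/etc/traefik/proxy-config.toml # dynamic config is read from this file
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false # only services labelled traefik.enable=true get routed
      - --entrypoints.web.address=:6060
      - --entrypoints.websecure.address=:443
      #- --api.insecure # enabling dashboard on insecure connection (plain http on :8080, no auth)
      - --api=true
      - --api.dashboard=true
      - --api.debug=true # debug endpoints plus DEBUG logging are verbose; lower both outside development
      - --log.level=DEBUG
      # Let's Encrypt: the staging CA issues untrusted certificates but has relaxed rate limits.
      # For production the default is "https://acme-v02.api.letsencrypt.org/directory".
      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.myresolver.acme.email=myemail@gmail.com
      # Absolute path inside the `letsencrypt` volume so issued certificates survive restarts.
      # Previously `acme.json` (relative to the container's working directory) while the volume
      # was mounted at /letsencrypt/acme.json, so the ACME store never landed in the volume and
      # every restart re-requested certificates.
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
    volumes:
      # The Docker socket gives Traefik full control of the host's Docker API; `:ro` applies to
      # the bind mount only and does not restrict API calls made through the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
      #- /home/delta/GoWorkspace/src/github.com/testchain/certs/:/etc/traefik/certs:ro
      # Named volume mounted as a directory: a named volume cannot back a single file path.
      - letsencrypt:/letsencrypt
    ports:
      - target: 6060
        published: 6060
        mode: host
      - target: 443
        published: 443
        mode: host
      # Only served when --api.insecure is enabled (commented out above); the dashboard is
      # otherwise reached through the `api` router on websecure defined in proxy-config.toml.
      - target: 8080
        published: 8080
        mode: ingress # traefik dashboard
    networks:
      - testchain-network

volumes:
  letsencrypt: {}

secrets:
  custom_crt:
    external: true
    name: server.crt
  custom_key:
    external: true
    name: server.key
  custom_root:
    external: true
    name: ca.pem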
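# proxy-config.toml — Traefik v2 dynamic configuration, loaded through the file provider.
# Entrypoints `web` (:6060) and `websecure` (:443) are defined in the Traefik static
# configuration (stack file), not here.

########################
#### ENTRYPOINT / ROUTER
########################
[http.routers]

  ### Blockchain API
  [http.routers.myrouter]
    rule = "Host(`bchain.example.in`)"
    middlewares = ["auth"]
    service = "goserver"
    entryPoints = ["websecure"]

    # will route TLS requests (and ignore non tls requests).
    # No certResolver here: the certificate comes from the default TLS store
    # (the custom server.crt/server.key declared under [tls] below).
    [http.routers.myrouter.tls]
      options = "myoptions"
      #certResolver = "myresolver"
      #[[http.routers.myrouter.tls.domains]]
      #  main = "bchain.example.in"

  ### Traefik Dashboard
  [http.routers.api]
    rule = "Host(`traefik.example.in`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
    entryPoints = ["websecure"] # <-- changed to `websecure` for https else moved it back to `web`
    middlewares = ["auth"]
    service = "api@internal"

    # will route TLS requests (and ignore non tls requests)
    [http.routers.api.tls]
      certResolver = "myresolver"
      # https://docs.traefik.io/routing/routers/#domains
      [[http.routers.api.tls.domains]]
        main = "traefik.example.in"

  # redirecting http to https for dashboard
  [http.routers.api-http]
    entryPoints = ["web"]
    rule = "Host(`traefik.example.in`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
    middlewares = ["auth", "redirect-to-https"]
    service = "api@internal"

#################
#### MIDDLEWARES
#################
[http.middlewares]

  # Placeholder credential: replace "test:XXXXX" with an htpasswd-generated entry before use.
  # This `auth` is resolved from the file provider and is independent of the `auth`
  # middleware declared via Docker labels on the explorer service.
  [http.middlewares.auth.basicAuth]
    users = ["test:XXXXX"]

  [http.middlewares.redirect-to-https.redirectScheme]
    scheme = "https"
    port = "443"
    permanent = true

##############
#### SERVICES
##############
[http.services]

  # Upstream for the blockchain API; the address is a placeholder to be pointed at the real backend.
  [http.services.goserver.loadBalancer]
    [[http.services.goserver.loadBalancer.servers]]
      url = "http://1.1.1.1:8001"

#####################
#### CUSTOM TLS CERT
#####################
[tls]
  # Paths match the swarm secret targets mounted into the Traefik container.
  [[tls.certificates]]
    certFile = "/run/secrets/server.crt"
    keyFile = "/run/secrets/server.key"

  [tls.stores]
    [tls.stores.default]
      # Served for any router that does not name a certResolver (e.g. `myrouter` above).
      [tls.stores.default.defaultCertificate]
        certFile = "/run/secrets/server.crt"
        keyFile = "/run/secrets/server.key"

  [tls.options]
    [tls.options.myoptions]
      minVersion = "VersionTLS12"
      sniStrict = true
      #[tls.options.mintls13]
      #  minVersion = "VersionTLS13"
      # AEAD, forward-secret suites only; the duplicate
      # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 entry has been dropped.
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        #"TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
      ]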