Add more selective match to increase the regex precedence

2023-02-15 14:00:52 +01:00 · 2023-02-15 14:00:52 +01:00 · 71a8507928
commit 71a8507928
parent 0957ad5f1c
9 changed files with 29 additions and 15 deletions
--- a/containers/collabora/tasks.yml
+++ b/containers/collabora/tasks.yml
@ -50,7 +50,7 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.collabora.entrypoints: "https"
-          traefik.http.routers.collabora.rule: "PathPrefix(`/collabora`,`/browser`)"
+          traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/collabora`,`/browser`)"
          traefik.http.routers.collabora.tls: "true"
          traefik.http.routers.collabora.tls.certresolver: "wildcard"
          traefik.http.routers.collabora.service: "collabora"
--- a/containers/drone-runner/tasks.yml
+++ b/containers/drone-runner/tasks.yml
@ -50,11 +50,11 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.drone-runner.entrypoints: "https"
-          traefik.http.routers.drone-runner.rule: "PathPrefix(`/runner`)"
+          traefik.http.routers.drone-runner.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/runner/`) || Path(`/runner`))"
          traefik.http.routers.drone-runner.tls: "true"
          traefik.http.routers.drone-runner.tls.certresolver: "wildcard"
          traefik.http.routers.drone-runner.service: "drone-runner"
-          traefik.http.routers.drone-runner.middlewares: "drone-runner-prefixstrip@docker"
+          traefik.http.routers.drone-runner.middlewares: "force-trailing-slash@file,drone-runner-prefixstrip@docker"
          traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/runner"
          traefik.http.services.drone-runner.loadbalancer.server.port: "3000"
          traefik.docker.network: "traefik-drone-runner"
--- a/containers/drone-server/tasks.yml
+++ b/containers/drone-server/tasks.yml
@ -48,11 +48,11 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.drone-server.entrypoints: "https"
-          traefik.http.routers.drone-server.rule: "PathPrefix(`/drone`)"
+          traefik.http.routers.drone-server.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/drone/`) || Path(`/drone`))"
          traefik.http.routers.drone-server.tls: "true"
          traefik.http.routers.drone-server.tls.certresolver: "wildcard"
          traefik.http.routers.drone-server.service: "drone-server"
-          traefik.http.routers.drone-server.middlewares: "drone-server-prefixstrip@docker"
+          traefik.http.routers.drone-server.middlewares: "force-trailing-slash@file,drone-server-prefixstrip@docker"
          traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/drone"
          traefik.http.services.drone-server.loadbalancer.server.port: "80"
          traefik.docker.network: "traefik-drone"
--- a/containers/gitea/tasks.yml
+++ b/containers/gitea/tasks.yml
@ -100,11 +100,11 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.gitea.entrypoints: "https"
-          traefik.http.routers.gitea.rule: "PathPrefix(`/git`)"
+          traefik.http.routers.gitea.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/git/`) || Path(`/git`))"
          traefik.http.routers.gitea.tls: "true"
          traefik.http.routers.gitea.tls.certresolver: "wildcard"
          traefik.http.routers.gitea.service: "gitea"
-          traefik.http.routers.gitea.middlewares: "gitea-prefixstrip@docker"
+          traefik.http.routers.gitea.middlewares: "force-trailing-slash@file,gitea-prefixstrip@docker"
          traefik.http.middlewares.gitea-prefixstrip.stripprefix.prefixes: "/git"
          traefik.http.services.gitea.loadbalancer.server.port: "3000"
          traefik.docker.network: "traefik-gitea"
--- a/containers/nextcloud/tasks.yml
+++ b/containers/nextcloud/tasks.yml
@ -145,11 +145,11 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.nextcloud.entrypoints: "https"
-          traefik.http.routers.nextcloud.rule: "PathPrefix(`/cloud`)"
+          traefik.http.routers.nextcloud.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cloud/`) || Path(`/cloud`))"
          traefik.http.routers.nextcloud.tls: "true"
          traefik.http.routers.nextcloud.tls.certresolver: "wildcard"
          traefik.http.routers.nextcloud.service: "nextcloud"
-          traefik.http.routers.nextcloud.middlewares: "nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
+          traefik.http.routers.nextcloud.middlewares: "force-trailing-slash@file,nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: "true"
          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/.well-known/(card|cal)dav"
          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/remote.php/dav/"
--- a/containers/portainer/tasks.yml
+++ b/containers/portainer/tasks.yml
@ -48,11 +48,11 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.routers.portainer.entrypoints: "https"
-          traefik.http.routers.portainer.rule: "PathPrefix(`/portainer`)"
+          traefik.http.routers.portainer.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/portainer/`) || Path(`/portainer`))"
          traefik.http.routers.portainer.tls: "true"
          traefik.http.routers.portainer.tls.certresolver: "wildcard"
          traefik.http.routers.portainer.service: "portainer"
-          traefik.http.routers.portainer.middlewares: "portainer-prefixstrip@docker"
+          traefik.http.routers.portainer.middlewares: "force-trailing-slash@file,portainer-prefixstrip@docker"
          traefik.http.middlewares.portainer-prefixstrip.stripprefix.prefixes: "/portainer"
          traefik.http.services.portainer.loadbalancer.server.port: "9000"
          traefik.docker.network: "traefik-portainer"
--- a/containers/traefik/files/conf/force_trailing_slash.yml
+++ b/containers/traefik/files/conf/force_trailing_slash.yml
@ -0,0 +1,15 @@
+http:
+  middlewares:
+    force-trailing-slash:
+      chain:
+        middlewares:
+          - add-trailing-slash
+          - strip-after-slash
+    add-trailing-slash:
+      redirectregex:
+        regex: "^(https?://[^/]+/[a-z0-9_]+)$"
+        replacement: "${1}/"
+        permanent: true
+    strip-after-slash:
+      stripprefixregex:
+        regex: "/[a-z0-9_]+"
--- a/containers/traefik/tasks.yml
+++ b/containers/traefik/tasks.yml
@ -104,9 +104,8 @@
          io.containers.autoupdate: "registry"
          traefik.enable: "true"
          traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
-          traefik.http.middlewares.traefik-prefixstrip.stripprefix.prefixes: "/traefik"
          traefik.http.routers.traefik.entrypoints: "https"
-          traefik.http.routers.traefik.rule: "PathPrefix(`/traefik`) || HeadersRegexp(`Referer`, `.*/traefik/.*`)"
+          traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/api`,`/dashboard`)"
          traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
          traefik.http.routers.traefik.tls: "true"
          traefik.http.routers.traefik.tls.certresolver: "wildcard"
--- a/containers/traefik/templates/conf/cockpit.yml.j2
+++ b/containers/traefik/templates/conf/cockpit.yml.j2
@ -1,10 +1,10 @@
 http:
  routers:
    cockpit:
-      rule: "PathPrefix(`/cockpit`)"
+      rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cockpit/`) || Path(`/cockpit`))"
      entryPoints: https
      middlewares:
-        - cockpit-stripprefix
+        - force-trailing-slash
      service: cockpit
      tls:
        certresolver: wildcard