From 71a85079288c8c8f89e31117ae382953ffb2b17e Mon Sep 17 00:00:00 2001
From: Francesco Antognazza
Date: Wed, 15 Feb 2023 14:00:52 +0100
Subject: [PATCH] Add more selective match to increase the regex precedence

---
 containers/collabora/tasks.yml | 2 +-
 containers/drone-runner/tasks.yml | 4 ++--
 containers/drone-server/tasks.yml | 4 ++--
 containers/gitea/tasks.yml | 4 ++--
 containers/nextcloud/tasks.yml | 4 ++--
 containers/portainer/tasks.yml | 4 ++--
 .../traefik/files/conf/force_trailing_slash.yml | 15 +++++++++++++++
 containers/traefik/tasks.yml | 3 +--
 containers/traefik/templates/conf/cockpit.yml.j2 | 4 ++--
 9 files changed, 29 insertions(+), 15 deletions(-)
 create mode 100644 containers/traefik/files/conf/force_trailing_slash.yml

diff --git a/containers/collabora/tasks.yml b/containers/collabora/tasks.yml
index ce41b8c..7a8c015 100644
--- a/containers/collabora/tasks.yml
+++ b/containers/collabora/tasks.yml
@@ -50,7 +50,7 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.collabora.entrypoints: "https"
- traefik.http.routers.collabora.rule: "PathPrefix(`/collabora`,`/browser`)"
+ traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/collabora`,`/browser`)"
 traefik.http.routers.collabora.tls: "true"
 traefik.http.routers.collabora.tls.certresolver: "wildcard"
 traefik.http.routers.collabora.service: "collabora"
diff --git a/containers/drone-runner/tasks.yml b/containers/drone-runner/tasks.yml
index f5899f9..ac77887 100644
--- a/containers/drone-runner/tasks.yml
+++ b/containers/drone-runner/tasks.yml
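Review bot: The collabora rule is the only one in this patch that keeps a bare `PathPrefix(`/collabora`,`/browser`)`; Traefik's PathPrefix is a plain string-prefix match, so `/browserfoo` or `/collaboration` would still be routed to this service, while the sibling routers were tightened to the `PathPrefix(`/x/`) || Path(`/x`)` form. For consistency with the rest of the commit the rule could read `Host(`{{ vault_domain }}`) && (PathPrefix(`/collabora/`, `/browser/`) || Path(`/collabora`, `/browser`))`. Whether the Collabora backend also depends on other root-level paths is not visible in this hunk, so that should be checked before narrowing.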
@@ -50,11 +50,11 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.drone-runner.entrypoints: "https"
- traefik.http.routers.drone-runner.rule: "PathPrefix(`/runner`)"
+ traefik.http.routers.drone-runner.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/runner/`) || Path(`/runner`))"
 traefik.http.routers.drone-runner.tls: "true"
 traefik.http.routers.drone-runner.tls.certresolver: "wildcard"
 traefik.http.routers.drone-runner.service: "drone-runner"
- traefik.http.routers.drone-runner.middlewares: "drone-runner-prefixstrip@docker"
+ traefik.http.routers.drone-runner.middlewares: "force-trailing-slash@file,drone-runner-prefixstrip@docker"
 traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/runner"
 traefik.http.services.drone-runner.loadbalancer.server.port: "3000"
 traefik.docker.network: "traefik-drone-runner"
diff --git a/containers/drone-server/tasks.yml b/containers/drone-server/tasks.yml
index 49b4f4d..88dd2c9 100644
--- a/containers/drone-server/tasks.yml
+++ b/containers/drone-server/tasks.yml
@@ -48,11 +48,11 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.drone-server.entrypoints: "https"
- traefik.http.routers.drone-server.rule: "PathPrefix(`/drone`)"
+ traefik.http.routers.drone-server.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/drone/`) || Path(`/drone`))"
 traefik.http.routers.drone-server.tls: "true"
 traefik.http.routers.drone-server.tls.certresolver: "wildcard"
 traefik.http.routers.drone-server.service: "drone-server"
- traefik.http.routers.drone-server.middlewares: "drone-server-prefixstrip@docker"
+ traefik.http.routers.drone-server.middlewares: "force-trailing-slash@file,drone-server-prefixstrip@docker"
 traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/drone"
 traefik.http.services.drone-server.loadbalancer.server.port: "80"
 traefik.docker.network: "traefik-drone"
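Review bot: With `force-trailing-slash@file` listed before `drone-runner-prefixstrip@docker`, the chain's `strip-after-slash` step (`stripprefixregex: /[a-z0-9_]+` in the new file further down) already removes `/runner` before the docker middleware runs, so that middleware is a no-op on normal requests and only strips a second time on a doubled path such as `/runner/runner/…`; this assumes Traefik v2's StripPrefix passes a non-matching path through unchanged, which is worth confirming on the deployed version, since a 404-on-miss behaviour would break every request through this router. Pick one owner for the prefix: either drop `drone-runner-prefixstrip@docker` together with the `traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes` label, or keep the app-specific strip and remove `strip-after-slash` from the chain. The same doubled strip is introduced in the drone-server hunk below and in the gitea, nextcloud and portainer hunks. If both are kept on purpose, say so on the middlewares label, e.g. `# force-trailing-slash already strips the first path segment; prefixstrip is a no-op kept for clarity`.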
diff --git a/containers/gitea/tasks.yml b/containers/gitea/tasks.yml
index 69f7370..8753f46 100644
--- a/containers/gitea/tasks.yml
+++ b/containers/gitea/tasks.yml
@@ -100,11 +100,11 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.gitea.entrypoints: "https"
- traefik.http.routers.gitea.rule: "PathPrefix(`/git`)"
+ traefik.http.routers.gitea.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/git/`) || Path(`/git`))"
 traefik.http.routers.gitea.tls: "true"
 traefik.http.routers.gitea.tls.certresolver: "wildcard"
 traefik.http.routers.gitea.service: "gitea"
- traefik.http.routers.gitea.middlewares: "gitea-prefixstrip@docker"
+ traefik.http.routers.gitea.middlewares: "force-trailing-slash@file,gitea-prefixstrip@docker"
 traefik.http.middlewares.gitea-prefixstrip.stripprefix.prefixes: "/git"
 traefik.http.services.gitea.loadbalancer.server.port: "3000"
 traefik.docker.network: "traefik-gitea"
diff --git a/containers/nextcloud/tasks.yml b/containers/nextcloud/tasks.yml
index 5321803..1fa04f3 100644
--- a/containers/nextcloud/tasks.yml
+++ b/containers/nextcloud/tasks.yml
@@ -145,11 +145,11 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.nextcloud.entrypoints: "https"
- traefik.http.routers.nextcloud.rule: "PathPrefix(`/cloud`)"
+ traefik.http.routers.nextcloud.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cloud/`) || Path(`/cloud`))"
 traefik.http.routers.nextcloud.tls: "true"
 traefik.http.routers.nextcloud.tls.certresolver: "wildcard"
 traefik.http.routers.nextcloud.service: "nextcloud"
- traefik.http.routers.nextcloud.middlewares: "nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
+ traefik.http.routers.nextcloud.middlewares: "force-trailing-slash@file,nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
 traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: "true"
 traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/.well-known/(card|cal)dav"
 traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/remote.php/dav/"
diff --git a/containers/portainer/tasks.yml b/containers/portainer/tasks.yml
index 7f448c5..c12e79f 100644
--- a/containers/portainer/tasks.yml
+++ b/containers/portainer/tasks.yml
@@ -48,11 +48,11 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.routers.portainer.entrypoints: "https"
- traefik.http.routers.portainer.rule: "PathPrefix(`/portainer`)"
+ traefik.http.routers.portainer.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/portainer/`) || Path(`/portainer`))"
 traefik.http.routers.portainer.tls: "true"
 traefik.http.routers.portainer.tls.certresolver: "wildcard"
 traefik.http.routers.portainer.service: "portainer"
- traefik.http.routers.portainer.middlewares: "portainer-prefixstrip@docker"
+ traefik.http.routers.portainer.middlewares: "force-trailing-slash@file,portainer-prefixstrip@docker"
 traefik.http.middlewares.portainer-prefixstrip.stripprefix.prefixes: "/portainer"
 traefik.http.services.portainer.loadbalancer.server.port: "9000"
 traefik.docker.network: "traefik-portainer"
diff --git a/containers/traefik/files/conf/force_trailing_slash.yml b/containers/traefik/files/conf/force_trailing_slash.yml
new file mode 100644
index 0000000..46bf535
--- /dev/null
+++ b/containers/traefik/files/conf/force_trailing_slash.yml
@@ -0,0 +1,15 @@
+http:
+ middlewares:
+ force-trailing-slash:
+ chain:
+ middlewares:
+ - add-trailing-slash
+ - strip-after-slash
+ add-trailing-slash:
+ redirectregex:
+ regex: "^(https?://[^/]+/[a-z0-9_]+)$"
+ replacement: "${1}/"
+ permanent: true
+ strip-after-slash:
+ stripprefixregex:
+ regex: "/[a-z0-9_]+"
diff --git a/containers/traefik/tasks.yml b/containers/traefik/tasks.yml
index e640a66..71c78db 100644
--- a/containers/traefik/tasks.yml
+++ b/containers/traefik/tasks.yml
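Review bot: `force_trailing_slash.yml` carries no comment explaining the two-step chain, and its second step is generic rather than tied to the router's prefix: `strip-after-slash` removes whatever first segment matches `/[a-z0-9_]+`, and the same class in `add-trailing-slash` excludes `-` and uppercase, so a future prefix such as `/drone-ci` would be neither redirected nor cleanly stripped (the regex strip looks like it would remove `/drone` and leave `-ci/…`). The redirect regex is also anchored with `$` on the whole URL, so a bare `/drone?x=1` appears not to be redirected and instead reaches the backend with an empty path after stripping, which relies on Traefik restoring `/`. `permanent: true` answers with a 301 that browsers cache, so any later change of a prefix will be outlived by cached redirects. A header comment would make the contract explicit, e.g. `# for routers matching Path(/x) || PathPrefix(/x/): 301 the bare /x to /x/, then strip the first path segment before forwarding`.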
@@ -104,9 +104,8 @@
 io.containers.autoupdate: "registry"
 traefik.enable: "true"
 traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
- traefik.http.middlewares.traefik-prefixstrip.stripprefix.prefixes: "/traefik"
 traefik.http.routers.traefik.entrypoints: "https"
- traefik.http.routers.traefik.rule: "PathPrefix(`/traefik`) || HeadersRegexp(`Referer`, `.*/traefik/.*`)"
+ traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/api`,`/dashboard`)"
 traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
 traefik.http.routers.traefik.tls: "true"
 traefik.http.routers.traefik.tls.certresolver: "wildcard"
diff --git a/containers/traefik/templates/conf/cockpit.yml.j2 b/containers/traefik/templates/conf/cockpit.yml.j2
index a82ab1b..0ab8880 100644
--- a/containers/traefik/templates/conf/cockpit.yml.j2
+++ b/containers/traefik/templates/conf/cockpit.yml.j2
@@ -1,10 +1,10 @@
 http:
 routers:
 cockpit:
- rule: "PathPrefix(`/cockpit`)"
+ rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cockpit/`) || Path(`/cockpit`))"
 entryPoints: https
 middlewares:
- - cockpit-stripprefix
+ - force-trailing-slash
 service: cockpit
 tls:
 certresolver: wildcard
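Review bot: The rewritten traefik router matches `PathPrefix(`/api`,`/dashboard`)` but, unlike every other router in this patch, is not put behind `force-trailing-slash`, and Traefik documents the dashboard URL as `/dashboard/` with the trailing slash mandatory; unless the built-in dashboard handler redirects the bare path itself, a user typing `/dashboard` gets a 404 rather than the redirect the other services now receive. Claiming the whole `/api` prefix on `vault_domain` also reserves that namespace for the Traefik API, so any later service wanting a root-level `/api` would collide with this router; a comment on the rule such as `# /api and /dashboard are Traefik's own API (behind traefik-auth); no other router may claim these prefixes` would record that. The router still lists `traefik-auth@docker`, so the API stays behind basic auth.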
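Review bot: The cockpit router no longer references `cockpit-stripprefix`, but nothing in this hunk removes that middleware's definition; if it is still declared further down in `cockpit.yml.j2` (outside the hunk) it becomes dead configuration that Traefik keeps loading, so it should be deleted in the same change or marked `# unused: prefix stripping now done by force-trailing-slash`. The `routers.cockpit` mapping continues past the end of the hunk, and the middleware definitions that would confirm this are not visible here.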