diff --git a/docker-compose_copy.yml b/docker-compose_copy.yml
new file mode 100644
index 00000000..a71c20d8
--- /dev/null
+++ b/docker-compose_copy.yml
@@ -0,0 +1,95 @@
+version: '3'
+
+services:
+ # Backend (Flask) auf Port 443 mit SSL
+ backend:
+ build:
+ context: ./backend
+ dockerfile: Dockerfile
+ container_name: myp-backend
+ restart: unless-stopped
+ hostname: raspberrypi
+ ports:
+ - "80:80" # HTTP Fallback
+ - "443:443" # HTTPS
+ volumes:
+ - ./backend:/app
+ - ./backend/logs:/app/logs
+ - ./backend/instance:/app/instance
+ networks:
+ - myp-network
+ environment:
+ - FLASK_APP=app/app.py
+ - FLASK_ENV=production
+ - SSL_ENABLED=true
+ - SSL_HOSTNAME=raspberrypi
+ healthcheck:
+ test: ["CMD", "curl", "-k", "https://localhost:443/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 40s
+
+ # Next.js Frontend
+ frontend:
+ build:
+ context: ./frontend
+ dockerfile: Dockerfile
+ container_name: myp-rp
+ restart: unless-stopped
+ environment:
+ - NODE_ENV=production
+ - NEXT_PUBLIC_API_URL=https://raspberrypi:443
+ - NEXT_PUBLIC_BACKEND_HOST=raspberrypi:443
+ volumes:
+ - ./frontend:/app
+ - /app/node_modules
+ - /app/.next
+ ports:
+ - "3000:3000"
+ networks:
+ - myp-network
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "http://localhost:3000/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 40s
+
+ # Caddy Proxy für Frontend auf Port 443 mit SSL
+ caddy:
+ image: caddy:2.7-alpine
+ container_name: myp-caddy
+ restart: unless-stopped
+ hostname: m040tbaraspi001
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./frontend/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
+ - caddy_data:/data
+ - caddy_config:/config
+ - ./backend/instance/ssl:/etc/caddy/ssl
+ networks:
+ - myp-network
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+ - "raspberrypi:backend"
+ - "m040tbaraspi001.de040.corpintra.net:127.0.0.1"
+ environment:
+ - CADDY_HOST=m040tbaraspi001.de040.corpintra.net
+ - CADDY_DOMAIN=m040tbaraspi001.de040.corpintra.net
+ cap_add:
+ - NET_ADMIN
+ depends_on:
+ - backend
+ - frontend
+
+networks:
+ myp-network:
+ driver: bridge
+
+volumes:
+ caddy_data:
+ caddy_config:
+ backend_ssl:
\ No newline at end of file
diff --git a/frontend/docker/caddy/Caddyfile_copy b/frontend/docker/caddy/Caddyfile_copy
new file mode 100644
index 00000000..fc153451
--- /dev/null
+++ b/frontend/docker/caddy/Caddyfile_copy
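Review bot: The `backend` and `caddy` services both publish host ports `"80:80"` and `"443:443"`, so `docker compose up` fails with a port-already-allocated error for whichever starts second; only Caddy should bind the host ports and the backend should be reached over `myp-network` (drop the backend `ports:` block or change it to `expose: ["443"]`). The Caddyfile mounted into `caddy` proxies to `myp-rp-dev:3000`, while this file names the frontend container `myp-rp` and the service `frontend`, so that upstream will not resolve on the network. `extra_hosts` entries map a hostname to an IP address, so `"raspberrypi:backend"` is unlikely to be accepted by the engine; the compose-native way to make that name resolve is an alias on the backend service, `networks: { myp-network: { aliases: [raspberrypi] } }`. `cap_add: NET_ADMIN` is not needed for a `reverse_proxy`-only Caddy and widens the proxy container's privileges; remove it unless something in the Caddyfile requires it. The `backend_ssl` volume is declared but never mounted by any service.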
@@ -0,0 +1,111 @@
+{
+ debug
+ auto_https disable_redirects
+}
+
+# Produktionsumgebung - Spezifischer Hostname für Mercedes-Benz Werk 040 Berlin
+m040tbaraspi001.de040.corpintra.net {
+ # TLS mit selbstsignierten Zertifikaten für die Produktionsumgebung
+ tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key {
+ protocols tls1.2 tls1.3
+ }
+
+ # API Anfragen zum Backend (Raspberry Pi) weiterleiten
+ @api {
+ path /api/* /health
+ }
+ handle @api {
+ uri strip_prefix /api
+ reverse_proxy raspberrypi:443 {
+ transport http {
+ tls
+ tls_insecure_skip_verify
+ }
+ header_up Host {upstream_hostport}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ }
+
+ # Alle anderen Anfragen zum Frontend weiterleiten
+ handle {
+ reverse_proxy myp-rp-dev:3000 {
+ header_up Host {upstream_hostport}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ }
+
+ # OAuth Callbacks
+ @oauth path /auth/login/callback*
+ handle @oauth {
+ header Cache-Control "no-cache"
+ reverse_proxy myp-rp-dev:3000
+ }
+
+ # Produktions-Header
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ }
+}
+
+# Entwicklungsumgebung - Localhost und Raspberry Pi Backend (weiterhin für lokale Entwicklung verfügbar)
+localhost, 127.0.0.1 {
+ # API Anfragen zum Raspberry Pi Backend weiterleiten
+ @api {
+ path /api/* /health
+ }
+ handle @api {
+ uri strip_prefix /api
+ reverse_proxy raspberrypi:443 {
+ transport http {
+ tls
+ tls_insecure_skip_verify
+ }
+ header_up Host {upstream_hostport}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ }
+
+ # Alle anderen Anfragen zum Frontend weiterleiten
+ handle {
+ reverse_proxy myp-rp-dev:3000 {
+ header_up Host {upstream_hostport}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ }
+
+ # TLS für lokale Entwicklung
+ tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key
+
+ # OAuth Callbacks für Entwicklung
+ @oauth path /auth/login/callback*
+ handle @oauth {
+ header Cache-Control "no-cache"
+ reverse_proxy myp-rp-dev:3000
+ }
+
+ # Entwicklungsfreundliche Header
+ header {
+ # Weniger restriktive Sicherheitsheader für Entwicklung
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+
+ # Keine Caches für Entwicklung
+ Cache-Control "no-store, no-cache, must-revalidate"
+
+ # CORS für Entwicklung
+ Access-Control-Allow-Origin "*"
+ Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ Access-Control-Allow-Headers "Content-Type, Authorization"
+ }
+}
\ No newline at end of file
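Review bot: Both site blocks proxy to `myp-rp-dev:3000`, which matches neither the frontend container name (`myp-rp`) nor the service name (`frontend`) in the accompanying docker-compose file, so every non-API request will fail upstream resolution; the upstream should be `frontend:3000` (or whatever alias the compose file actually defines). `tls_insecure_skip_verify` in each `transport http` block turns off certificate verification for the backend hop, so any host that answers as `raspberrypi:443` on the network is accepted as the backend; since the backend's certificate directory is already mounted at `/etc/caddy/ssl`, `tls_trusted_ca_certs /etc/caddy/ssl/<backend-cert-file>` together with `tls_server_name raspberrypi` keeps the verification in place. The global `debug` option enables verbose logging of request details and should not ship in a production Caddyfile. The `localhost, 127.0.0.1` block combines `Access-Control-Allow-Origin "*"` with `Access-Control-Allow-Headers "Content-Type, Authorization"`, which is acceptable only for local development; a comment such as `# dev-only: wildcard CORS with Authorization must never be served on the production hostname` should record that constraint next to the block.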