Konfigurationsdateien für SSL und Docker hinzugefügt

2025-05-26 09:06:41 +02:00 · 2025-05-26 09:06:41 +02:00 · 4feb3cab9d
commit 4feb3cab9d
parent 286ad6eb15
2 changed files with 206 additions and 0 deletions
--- a/docker-compose_copy.yml
+++ b/docker-compose_copy.yml
@ -0,0 +1,95 @@
+version: '3'
+
+services:
+  # Backend (Flask) auf Port 443 mit SSL
+  backend:
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    container_name: myp-backend
+    restart: unless-stopped
+    hostname: raspberrypi
+    ports:
+      - "80:80"   # HTTP Fallback
+      - "443:443" # HTTPS
+    volumes:
+      - ./backend:/app
+      - ./backend/logs:/app/logs
+      - ./backend/instance:/app/instance
+    networks:
+      - myp-network
+    environment:
+      - FLASK_APP=app/app.py
+      - FLASK_ENV=production
+      - SSL_ENABLED=true
+      - SSL_HOSTNAME=raspberrypi
+    healthcheck:
+      test: ["CMD", "curl", "-k", "https://localhost:443/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+  # Next.js Frontend
+  frontend:
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile
+    container_name: myp-rp
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - NEXT_PUBLIC_API_URL=https://raspberrypi:443
+      - NEXT_PUBLIC_BACKEND_HOST=raspberrypi:443
+    volumes:
+      - ./frontend:/app
+      - /app/node_modules
+      - /app/.next
+    ports:
+      - "3000:3000"
+    networks:
+      - myp-network
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "http://localhost:3000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+  # Caddy Proxy für Frontend auf Port 443 mit SSL
+  caddy:
+    image: caddy:2.7-alpine
+    container_name: myp-caddy
+    restart: unless-stopped
+    hostname: m040tbaraspi001
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./frontend/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+      - caddy_config:/config
+      - ./backend/instance/ssl:/etc/caddy/ssl
+    networks:
+      - myp-network
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+      - "raspberrypi:backend"
+      - "m040tbaraspi001.de040.corpintra.net:127.0.0.1"
+    environment:
+      - CADDY_HOST=m040tbaraspi001.de040.corpintra.net
+      - CADDY_DOMAIN=m040tbaraspi001.de040.corpintra.net
+    cap_add:
+      - NET_ADMIN
+    depends_on:
+      - backend
+      - frontend
+
+networks:
+  myp-network:
+    driver: bridge
+
+volumes:
+  caddy_data:
+  caddy_config:
+  backend_ssl: 
--- a/frontend/docker/caddy/Caddyfile_copy
+++ b/frontend/docker/caddy/Caddyfile_copy
@ -0,0 +1,111 @@
+{
+    debug
+    auto_https disable_redirects
+}
+
+# Produktionsumgebung - Spezifischer Hostname für Mercedes-Benz Werk 040 Berlin
+m040tbaraspi001.de040.corpintra.net {
+    # TLS mit selbstsignierten Zertifikaten für die Produktionsumgebung
+    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key {
+        protocols tls1.2 tls1.3
+    }
+
+    # API Anfragen zum Backend (Raspberry Pi) weiterleiten
+    @api {
+        path /api/* /health
+    }
+    handle @api {
+        uri strip_prefix /api
+        reverse_proxy raspberrypi:443 {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Alle anderen Anfragen zum Frontend weiterleiten
+    handle {
+        reverse_proxy myp-rp-dev:3000 {
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # OAuth Callbacks
+    @oauth path /auth/login/callback*
+    handle @oauth {
+        header Cache-Control "no-cache"
+        reverse_proxy myp-rp-dev:3000
+    }
+    
+    # Produktions-Header
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+    }
+}
+
+# Entwicklungsumgebung - Localhost und Raspberry Pi Backend (weiterhin für lokale Entwicklung verfügbar)
+localhost, 127.0.0.1 {
+    # API Anfragen zum Raspberry Pi Backend weiterleiten
+    @api {
+        path /api/* /health
+    }
+    handle @api {
+        uri strip_prefix /api
+        reverse_proxy raspberrypi:443 {
+            transport http {
+                tls
+                tls_insecure_skip_verify
+            }
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Alle anderen Anfragen zum Frontend weiterleiten
+    handle {
+        reverse_proxy myp-rp-dev:3000 {
+            header_up Host {upstream_hostport}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # TLS für lokale Entwicklung
+    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key
+
+    # OAuth Callbacks für Entwicklung
+    @oauth path /auth/login/callback*
+    handle @oauth {
+        header Cache-Control "no-cache"
+        reverse_proxy myp-rp-dev:3000
+    }
+    
+    # Entwicklungsfreundliche Header
+    header {
+        # Weniger restriktive Sicherheitsheader für Entwicklung
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        
+        # Keine Caches für Entwicklung
+        Cache-Control "no-store, no-cache, must-revalidate"
+        
+        # CORS für Entwicklung
+        Access-Control-Allow-Origin "*"
+        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+        Access-Control-Allow-Headers "Content-Type, Authorization"
+    }
+}