nucleo000/meshcentral
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Actualizar docker-compose.yml
All checks were successful
deploy-meshcentral / deploy (push) Successful in 12s
Details

Browse Source
This commit is contained in:
nucleo000
2025-11-01 02:15:44 -06:00
parent 30f338af74
commit c90c82f349
1 changed files with 17 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
docker-compose.yml
View File

@@ -5,77 +5,62 @@ services:
image: ghcr.io/ylianst/meshcentral:latest image: ghcr.io/ylianst/meshcentral:latest
container_name: ${APP_NAME:-meshcentral} container_name: ${APP_NAME:-meshcentral}
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- /srv/meshcentral/data:/opt/meshcentral/meshcentral-data - /srv/meshcentral/data:/opt/meshcentral/meshcentral-data
- /srv/meshcentral/files:/opt/meshcentral/meshcentral-files - /srv/meshcentral/files:/opt/meshcentral/meshcentral-files
- /srv/meshcentral/backup:/opt/meshcentral/meshcentral-backup - /srv/meshcentral/backup:/opt/meshcentral/meshcentral-backup
- /srv/meshcentral/config:/opt/meshcentral/meshcentral-config - /srv/meshcentral/config:/opt/meshcentral/meshcentral-config
environment: environment:
- HOSTNAME=${APP_DOMAIN} - HOSTNAME=${APP_DOMAIN}
- NODE_ENV=production - NODE_ENV=production
- REVERSE_PROXY_TLS_PORT= # Sobrescribir a vacío para desactivar modo reverse proxy - REVERSE_PROXY_TLS_PORT=
ulimits: ulimits:
nofile: nofile:
soft: 65536 soft: 65536
hard: 65536 hard: 65536
sysctls: sysctls:
- net.ipv6.conf.all.disable_ipv6=1 - net.ipv6.conf.all.disable_ipv6=1
- net.ipv6.conf.default.disable_ipv6=1 - net.ipv6.conf.default.disable_ipv6=1
dns_opt: dns_opt:
- use-vc - use-vc
- ndots:1 - ndots:1
extra_hosts: extra_hosts:
- "authentik.nucleoriofrio.com:172.19.0.6" - "authentik.nucleoriofrio.com:172.19.0.6"
networks: networks:
- principal - principal
- traefik-network - traefik-network
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.docker.network=principal" - "traefik.docker.network=traefik-network"
# ====================================================================== # =========================
# HTTP Services & Routers - Para Web UI de usuarios # WEB UI (HTTPS vía Traefik)
# ====================================================================== # =========================
# Service - Conexión HTTP interna (Traefik maneja HTTPS hacia el exterior)
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=79" - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=79"
# Router principal con Authentik Forward Auth para rutas de usuario - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
- "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/agent.ashx`) && !PathPrefix(`/meshrelay.ashx`) && !PathPrefix(`/devicefile.ashx`) && !PathPrefix(`/amtactivate`) && !PathPrefix(`/meshsettings`) && !PathPrefix(`/devicepower.ashx`)"
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure" - "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
- "traefik.http.routers.${APP_NAME}.tls=true" - "traefik.http.routers.${APP_NAME}.tls=true"
- "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt" - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
- "traefik.http.routers.${APP_NAME}.service=${APP_NAME}" - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
- "traefik.http.routers.${APP_NAME}.priority=100" - "traefik.http.routers.${APP_NAME}.priority=100"
- "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-headers"
# Router para agentes (sin autenticación) - mayor prioridad # ===========================================================
- "traefik.http.routers.${APP_NAME}-agents.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/agent.ashx`) || PathPrefix(`/meshrelay.ashx`) || PathPrefix(`/devicefile.ashx`) || PathPrefix(`/amtactivate`) || PathPrefix(`/meshsettings`) || PathPrefix(`/devicepower.ashx`))" # AGENTES: TCP passthrough directo al 443 interno de Mesh
- "traefik.http.routers.${APP_NAME}-agents.entrypoints=websecure" # ===========================================================
- "traefik.http.routers.${APP_NAME}-agents.tls=true"
- "traefik.http.routers.${APP_NAME}-agents.tls.certresolver=letsencrypt"
- "traefik.http.routers.${APP_NAME}-agents.service=${APP_NAME}"
- "traefik.http.routers.${APP_NAME}-agents.priority=200"
- "traefik.http.routers.${APP_NAME}-agents.middlewares=${APP_NAME}-headers"
# Custom headers middleware
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}"
- "traefik.http.middlewares.${APP_NAME}-headers.headers.sslredirect=true"
# ======================================================================
# TCP Router & Service - Para agentes con TCP Passthrough
# ======================================================================
# Los agentes se conectarán a mesh-agents.nucleoriofrio.com
# y verán el certificado SSL de MeshCentral (no el de Traefik)
# TCP Router - SNI routing para subdominio de agentes
- "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`${MESH_AGENTS_DOMAIN}`)" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`${MESH_AGENTS_DOMAIN}`)"
- "traefik.tcp.routers.${APP_NAME}-agents-tcp.entrypoints=websecure" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.entrypoints=websecure"
- "traefik.tcp.routers.${APP_NAME}-agents-tcp.tls.passthrough=true" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.tls.passthrough=true"
- "traefik.tcp.routers.${APP_NAME}-agents-tcp.service=${APP_NAME}-tcp" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.service=${APP_NAME}-tcp"
# TCP Service - Conexión directa al puerto HTTPS de MeshCentral
- "traefik.tcp.services.${APP_NAME}-tcp.loadbalancer.server.port=443" - "traefik.tcp.services.${APP_NAME}-tcp.loadbalancer.server.port=443"
networks: networks: