MeshCentral escucha en puerto 443 internamente, no en 4430. Traefik debe conectarse al puerto donde MeshCentral realmente está escuchando.
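# Docker Compose stack that runs MeshCentral behind Traefik.
# Variables read from the environment / .env file:
#   APP_NAME    - container and Traefik object name (defaults to "meshcentral")
#   APP_DOMAIN  - public hostname; no default, an unset value is substituted
#                 as an empty string and produces an invalid Host() rule
#   MESH_PORT   - host port for the direct port mapping (defaults to 4430)
version: '3.8'

services:
  meshcentral:
    # NOTE(review): ":latest" is a mutable tag, so each pull may deploy a
    # different image. Pin a release tag or an image digest to keep deploys
    # reproducible and auditable.
    image: ghcr.io/ylianst/meshcentral:latest
    container_name: ${APP_NAME:-meshcentral}
    restart: unless-stopped
    ports:
      # NOTE(review): the Traefik service label below targets container port
      # 443, while this mapping still targets 4430. If nothing listens on 4430
      # the mapping is dead; if something does, it is reachable on the host
      # without passing through Traefik. Drop it unless direct access is
      # really required.
      - "${MESH_PORT:-4430}:4430"
    volumes:
      # Persistent state lives on the host next to this compose file.
      - ./meshcentral-data:/opt/meshcentral/meshcentral-data
      - ./meshcentral-files:/opt/meshcentral/meshcentral-files
      - ./meshcentral-backup:/opt/meshcentral/meshcentral-backup
      - ./meshcentral-config:/opt/meshcentral/meshcentral-config
    environment:
      # NOTE(review): confirm that the image actually consumes each of these
      # variables. A hardening flag the image ignores (for example the
      # framing or login-token settings) gives no protection.
      - HOSTNAME=${APP_DOMAIN}
      - REVERSE_PROXY=traefik
      - REVERSE_PROXY_TLS_PORT=443
      - IFRAME=false
      - ALLOWLOGINTOKEN=true
      - LOCALSESSIONRECORDING=false
      - MINIFY=true
      - WEBRTC=true
      - CLICKONCE=false
      - ALLOWHIGHQUALITYDESKTOP=true
      - DESKTOPASPECTRATIOS=1.33,1.5,1.6,1.7,1.778,2.0
      - ALLOWFRAMING=false
      - COOKIEENCODING=hex
      - SESSIONRECORDINGCHUNKSIZE=1000000
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    networks:
      - principal
      - traefik-network
    labels:
      # Every label uses the same APP_NAME default as container_name, so an
      # unset APP_NAME cannot yield empty router/service/middleware names.
      - "traefik.enable=true"
      - "traefik.docker.network=principal"

      # Service: Traefik connects to the container over HTTPS on port 443.
      # NOTE(review): with scheme=https Traefik validates the backend
      # certificate unless a serversTransport relaxes that. Confirm how the
      # container's certificate is trusted.
      - "traefik.http.services.${APP_NAME:-meshcentral}.loadbalancer.server.port=443"
      - "traefik.http.services.${APP_NAME:-meshcentral}.loadbalancer.server.scheme=https"

      # Main router for user-facing routes: everything on the host except the
      # agent endpoints listed in the rule.
      # NOTE(review): this router is described as protected by Authentik
      # forward auth, but the only middleware attached below is the headers
      # one and no forwardAuth middleware is referenced in this file. As
      # written, user routes reach MeshCentral without a proxy-level login.
      # Attach the forward-auth middleware here if that protection is intended.
      - "traefik.http.routers.${APP_NAME:-meshcentral}.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/agent.ashx`) && !PathPrefix(`/meshrelay.ashx`) && !PathPrefix(`/devicefile.ashx`) && !PathPrefix(`/amtactivate`) && !PathPrefix(`/meshsettings`) && !PathPrefix(`/devicepower.ashx`)"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.tls=true"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.service=${APP_NAME:-meshcentral}"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.priority=100"
      - "traefik.http.routers.${APP_NAME:-meshcentral}.middlewares=${APP_NAME:-meshcentral}-headers"

      # Router for agent endpoints (no proxy authentication). It has the
      # higher priority so it wins over the main router for these paths.
      # Keep this path list as short as possible: everything matched here
      # is deliberately exempt from any proxy-level authentication.
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/agent.ashx`) || PathPrefix(`/meshrelay.ashx`) || PathPrefix(`/devicefile.ashx`) || PathPrefix(`/amtactivate`) || PathPrefix(`/meshsettings`) || PathPrefix(`/devicepower.ashx`))"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.tls=true"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.tls.certresolver=letsencrypt"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.service=${APP_NAME:-meshcentral}"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.priority=200"
      - "traefik.http.routers.${APP_NAME:-meshcentral}-agents.middlewares=${APP_NAME:-meshcentral}-headers"

      # Custom headers middleware shared by both routers.
      # NOTE(review): sslredirect is a deprecated headers option in Traefik v2
      # and is not available in v3. Check it against the Traefik version in
      # use and prefer an entrypoint-level HTTP-to-HTTPS redirect.
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}"
      - "traefik.http.middlewares.${APP_NAME:-meshcentral}-headers.headers.sslredirect=true"

# Both networks are created outside this stack and must exist before deploy.
networks:
  principal:
    external: true
  traefik-network:
    external: true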