Merge pull request #1443 from appwrite/add-firewall-rules

chore: update firewall rules
appwrite · Oct 18, 2024 · 5b31273 · 5b31273
2 parents 1f82897 + fa65010
commit 5b31273
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/docker/production.yml b/docker/production.yml
@@ -32,6 +32,13 @@ services:
             - --providers.docker.exposedByDefault=false
             - --entrypoints.web.address=:80
             - --entrypoints.websecure.address=:443
+            - --entrypoints.web.transport.lifeCycle.requestAcceptGraceTimeout=60s
+            - --entrypoints.web.proxyProtocol.trustedIPs=10.0.0.0/8
+            - --entrypoints.websecure.transport.lifeCycle.requestAcceptGraceTimeout=60s
+            - --entrypoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8
+            - --entryPoints.websecure.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17
+            - --ping
+            - --ping.entryPoint=web
             - --entrypoints.web.http.redirections.entrypoint.to=websecure
             - --entrypoints.web.http.redirections.entrypoint.scheme=https
             - --providers.docker.constraints=Label(`traefik.constraint-label-stack`,`appwrite`)

diff --git a/terraform/modules/digitalocean/droplets.tf b/terraform/modules/digitalocean/droplets.tf
@@ -29,6 +29,10 @@ resource "digitalocean_project" "homepage" {
     digitalocean_droplet.worker[*].urn,
     digitalocean_droplet.nfs.urn
   ])
+
+  lifecycle {
+    ignore_changes = all
+  }
 }
 
 # Tags
@@ -93,6 +97,51 @@ resource "digitalocean_droplet" "manager" {
   }
 }
 
+resource "digitalocean_loadbalancer" "public" {
+  name        = "${var.project_name}-${var.region}-${var.environment}"
+  region      = var.region
+  size_unit   =  1
+  project_id  = digitalocean_project.homepage.id
+  vpc_uuid    = digitalocean_vpc.subnet.id
+  droplet_ids = digitalocean_droplet.manager.*.id
+
+  redirect_http_to_https   = false
+  enable_backend_keepalive = true
+  enable_proxy_protocol    = true
+
+  forwarding_rule {
+    entry_port     = 80
+    entry_protocol = "http"
+
+    target_port     = 80
+    target_protocol = "http"
+  }
+
+  forwarding_rule {
+    entry_port     = 443
+    entry_protocol = "http2"
+
+    target_port     = 443
+    target_protocol = "http2"
+
+    tls_passthrough = true
+  }
+
+  healthcheck {
+    port                     = 80
+    path                     = "/ping"
+    protocol                 = "http"
+    check_interval_seconds   = 3
+    response_timeout_seconds = 3
+    unhealthy_threshold      = 5
+    healthy_threshold        = 5
+  }
+
+  firewall {
+    allow = ["cidr:103.21.244.0/22","cidr:103.22.200.0/22","cidr:103.31.4.0/22","cidr:104.16.0.0/13","cidr:104.24.0.0/14","cidr:108.162.192.0/18","cidr:131.0.72.0/22","cidr:141.101.64.0/18","cidr:162.158.0.0/15","cidr:172.64.0.0/13","cidr:173.245.48.0/20","cidr:188.114.96.0/20","cidr:190.93.240.0/20","cidr:197.234.240.0/22","cidr:198.41.128.0/17"]
+  }
+}
+
 resource "digitalocean_droplet" "worker" {
   count  = var.worker_count
   image  = var.base_image