From d6db6bc49c59e0bf547c4cdbc666748f631f2d43 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Fri, 18 Oct 2024 21:53:31 +0000
Subject: [PATCH 1/3] chore: update firewall rules
---
 terraform/modules/digitalocean/droplets.tf | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/terraform/modules/digitalocean/droplets.tf b/terraform/modules/digitalocean/droplets.tf
index 447df75750..53000e13df 100644
--- a/terraform/modules/digitalocean/droplets.tf
+++ b/terraform/modules/digitalocean/droplets.tf
@@ -93,6 +93,51 @@ resource "digitalocean_droplet" "manager" {
 }
 }
+resource "digitalocean_loadbalancer" "public" {
+ name = "${var.project_name}-${var.region}-${var.environment}"
+ region = var.region
+ size_unit = var.loadbalancer_size_unit
+ project_id = digitalocean_project.appwrite_cloud.id
+ vpc_uuid = digitalocean_vpc.subnet.id
+ droplet_ids = digitalocean_droplet.loadbalancer_v3.*.id
+ redirect_http_to_https = false
+ enable_backend_keepalive = true
+ enable_proxy_protocol = true
+ forwarding_rule {
+ entry_port = 80
+ entry_protocol = "http"
+ target_port = 8080
+ target_protocol = "http"
+ }
+ forwarding_rule {
+ entry_port = 443
+ entry_protocol = "http2"
+ target_port = 8443
+ target_protocol = "http2"
+ tls_passthrough = true
+ }
+ healthcheck {
+ port = 8080
+ path = "/ping"
+ protocol = "http"
+ check_interval_seconds = 3
+ response_timeout_seconds = 3
+ unhealthy_threshold = 5
+ healthy_threshold = 5
+ }
+ firewall {
+ allow = ["cidr:103.21.244.0/22","cidr:103.22.200.0/22","cidr:103.31.4.0/22","cidr:104.16.0.0/13","cidr:104.24.0.0/14","cidr:108.162.192.0/18","cidr:131.0.72.0/22","cidr:141.101.64.0/18","cidr:162.158.0.0/15","cidr:172.64.0.0/13","cidr:173.245.48.0/20","cidr:188.114.96.0/20","cidr:190.93.240.0/20","cidr:197.234.240.0/22","cidr:198.41.128.0/17"]
+ }
+}
 resource "digitalocean_droplet" "worker" {
 count = var.worker_count
 image = var.base_image
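Review bot: The `firewall.allow` list in the new `digitalocean_loadbalancer.public` resource hard-codes fifteen CIDRs inline with no comment on their origin; they look like a CDN provider's published IPv4 ranges, which are revised over time, so a stale copy here either blocks legitimate edge traffic or, once the provider adds ranges, leaves the origin reachable only from a subset of edges. The same literal list is repeated in `docker/production.yml` (patch 2) for Traefik's `forwardedHeaders.trustedIPs`, so the two copies can drift apart; keeping the ranges in one `variable` or `locals` block (name illustrative: `var.cdn_ipv4_cidrs`) with a comment naming the source and refresh cadence, and deriving both places from it, e.g. `allow = [for c in var.cdn_ipv4_cidrs : "cidr:${c}"]`, keeps the balancer allow-list and the header-trust list identical. The list contains no IPv6 ranges, so if the edge ever reaches the balancer over IPv6 those connections are dropped — worth confirming against the balancer's address family. `enable_proxy_protocol = true` also requires every backend on the target ports to parse the PROXY header; the Traefik flags for that arrive only in patch 2, so the two patches should not be applied independently.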
From ff1a9035ff2fabfab0687f0059a00bb09a1b402f Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Sat, 19 Oct 2024 01:57:43 +0400
Subject: [PATCH 2/3] chore: update firewall rules
---
 docker/production.yml | 7 +++++++
 terraform/modules/digitalocean/droplets.tf | 10 +++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/docker/production.yml b/docker/production.yml
index 0668e0e7d5..ae45ef86ac 100644
--- a/docker/production.yml
+++ b/docker/production.yml
@@ -32,6 +32,13 @@ services:
 - --providers.docker.exposedByDefault=false
 - --entrypoints.web.address=:80
 - --entrypoints.websecure.address=:443
+ - --entrypoints.web.transport.lifeCycle.requestAcceptGraceTimeout=60s
+ - --entrypoints.web.proxyProtocol.trustedIPs=10.0.0.0/8
+ - --entrypoints.websecure.transport.lifeCycle.requestAcceptGraceTimeout=60s
+ - --entrypoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8
+ - --entryPoints.websecure.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17
+ - --ping
+ - --ping.entryPoint=web
 - --entrypoints.web.http.redirections.entrypoint.to=websecure
 - --entrypoints.web.http.redirections.entrypoint.scheme=https
 - --providers.docker.constraints=Label(`traefik.constraint-label-stack`,`appwrite`)
diff --git a/terraform/modules/digitalocean/droplets.tf b/terraform/modules/digitalocean/droplets.tf
index 53000e13df..fb057818b3 100644
--- a/terraform/modules/digitalocean/droplets.tf
+++ b/terraform/modules/digitalocean/droplets.tf
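Review bot: `--entrypoints.web.proxyProtocol.trustedIPs=10.0.0.0/8` (and its `websecure` twin) honours PROXY protocol headers from the entire 10/8 space, not just the VPC subnet the balancer sits in; the VPC CIDR is not visible in this diff, but narrowing the value to it (`--entrypoints.web.proxyProtocol.trustedIPs=<VPC_CIDR>`, placeholder) limits which peers can set the client address Traefik logs and rate-limits on to the balancer itself. `forwardedHeaders.trustedIPs` is configured only on `websecure`, which is fine while every `web` request is redirected, but `--ping.entryPoint=web` now serves `/ping` on the same entrypoint that carries the redirection, so confirm the balancer health check (pointed at port 80 `/ping` in patch 3) receives a 200 rather than a 3xx before this ships. The CDN list on the `forwardedHeaders` line must stay identical to the balancer's `firewall.allow` list in `terraform/modules/digitalocean/droplets.tf`; a comment on this line naming the shared source of both lists, or generating this file from it, would prevent the two from drifting.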
@@ -96,10 +96,10 @@ resource "digitalocean_droplet" "manager" {
 resource "digitalocean_loadbalancer" "public" {
 name = "${var.project_name}-${var.region}-${var.environment}"
 region = var.region
- size_unit = var.loadbalancer_size_unit
- project_id = digitalocean_project.appwrite_cloud.id
+ size_unit = 1
+ project_id = digitalocean_project.homepage.id
 vpc_uuid = digitalocean_vpc.subnet.id
- droplet_ids = digitalocean_droplet.loadbalancer_v3.*.id
+ droplet_ids = digitalocean_droplet.manager.*.id
 redirect_http_to_https = false
 enable_backend_keepalive = true
@@ -109,7 +109,7 @@ resource "digitalocean_loadbalancer" "public" {
 entry_port = 80
 entry_protocol = "http"
- target_port = 8080
+ target_port = 80
 target_protocol = "http"
 }
@@ -117,7 +117,7 @@ resource "digitalocean_loadbalancer" "public" {
 entry_port = 443
 entry_protocol = "http2"
- target_port = 8443
+ target_port = 443
 target_protocol = "http2"
 tls_passthrough = true
From fa6501075a07aecf5046fa1f6495b7f119f53b8e Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Sat, 19 Oct 2024 02:06:06 +0400
Subject: [PATCH 3/3] chore: update firewall rules
---
 terraform/modules/digitalocean/droplets.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/digitalocean/droplets.tf b/terraform/modules/digitalocean/droplets.tf
index fb057818b3..10b2f1fafd 100644
--- a/terraform/modules/digitalocean/droplets.tf
+++ b/terraform/modules/digitalocean/droplets.tf
@@ -29,6 +29,10 @@ resource "digitalocean_project" "homepage" {
 digitalocean_droplet.worker[*].urn,
 digitalocean_droplet.nfs.urn
 ])
+
+ lifecycle {
+ ignore_changes = all
+ }
 }
 # Tags
@@ -124,7 +128,7 @@ resource "digitalocean_loadbalancer" "public" {
 }
 healthcheck {
- port = 8080
+ port = 80
 path = "/ping"
 protocol = "http"
 check_interval_seconds = 3
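Review bot: `droplet_ids = digitalocean_droplet.manager.*.id`, together with the target ports moving to 80 and 443 in the two following hunks, puts the manager droplets directly behind the balancer, and the CDN allow-list in `firewall.allow` only governs traffic that enters through the balancer; if the managers keep a public IPv4 address, ports 80/443 on them stay reachable without passing that list. Nothing in this series adds or updates a `digitalocean_firewall` for the manager droplets restricting inbound 80/443 to the VPC or the balancer, so either such a rule already exists outside this diff (not visible here) or it should accompany this change, and a one-line comment on the `firewall` block stating where droplet-level filtering lives would make the intended trust boundary explicit. `size_unit = 1` also replaces `var.loadbalancer_size_unit` with a literal while the variable presumably remains declared; either remove the variable or keep using it so the balancer size stays configurable per environment.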
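Review bot: `ignore_changes = all` on `digitalocean_project.homepage` stops Terraform from reconciling any attribute of the project, including the membership list built from the droplet URNs shown just above, so resources added to or removed from the project outside Terraform will never appear in a plan. If the intent is only to silence churn in that list, narrow it to `ignore_changes = [resources]` and add a comment explaining why the list drifts; if the whole project is meant to be frozen, a one-line comment saying so is needed so a later reader does not assume membership is still managed. The `resource "digitalocean_project" "homepage"` block starts before this hunk.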