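---
# Docker Compose / Swarm stack for the EMG PRISM View Server (PVS) services,
# fronted by Traefik. Routing, TLS and access control are driven entirely by
# the `deploy.labels` on each service. Several services carry no `image` here
# (e.g. `database`), so this file presumably extends a base stack file —
# confirm against the deployment command.
#
# Access paths exposed per public-facing service (same pattern in renderer,
# cache and client):
#   - "shib"  routers  : Host emg.pass.copernicus.eu, forward-auth to shibauth-emg
#   - "proxy" routers  : Host proxy.emg.pass.copernicus.eu, IP whitelist +
#                        forward-auth to shibauth-emg
#   - basic-auth routers: Host *.emg.pdas.prism.eox.at, `auth@file` middleware
#   - "redirect" routers: the http entrypoint twin of each https router,
#                        using `redirect@file`
version: "3.6"

services:
  database:
    volumes:
      # tmpfs-backed /dev/shm; 536870912 bytes = 512 MiB
      - type: tmpfs
        target: /dev/shm
        tmpfs:
          size: 536870912

  # Renderer: serves /ows, /opensearch and /admin.
  renderer:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:staging
    environment:
      INSTALL_DIR: "/var/www/pvs/ops/"
      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
    deploy:
      labels:
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.middlewares.emg-renderer-shib-fa.forwardauth.address=http://shibauth-emg/secure"
        - "traefik.http.routers.emg-renderer-shib.middlewares=emg-renderer-shib-fa,compress@file,cors@file"
        - "traefik.http.routers.emg-renderer-shib.tls=true"
        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
        # router for shib auth based access (http)
        - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
        # router for internal proxy based access (https)
        # The ipwhitelist restricts the proxy.* routers to the single source
        # address below; forward-auth to shibauth-emg is applied on top of it.
        - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=178.248.89.10"
        - "traefik.http.middlewares.emg-renderer-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-renderer"
        - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,emg-renderer-proxy-fa,compress@file,cors@file"
        - "traefik.http.routers.emg-renderer-proxy.tls=true"
        - "traefik.http.routers.emg-renderer-proxy.tls.certresolver=default"
        - "traefik.http.routers.emg-renderer-proxy.entrypoints=https"
        # router for internal proxy based access (http)
        - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
        - "traefik.http.routers.emg-renderer-redirect-proxy.entrypoints=http"
        # router for basic auth based access (https)
        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
        - "traefik.http.routers.emg-renderer.tls=true"
        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
        - "traefik.http.routers.emg-renderer.entrypoints=https"
        # router for basic auth based access (http)
        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
        - "traefik.docker.network=emg-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
      replicas: 1
      resources:
        limits:
          memory: 8G
    networks:
      - extnet

  # Cache: serves /cache; the `cache-stripprefix` middleware removes the
  # prefix before the request reaches the container.
  cache:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_cache:staging
    configs:
      # `mapcache-ops` is not declared in this file's top-level `configs:`;
      # presumably provided by the base stack file — verify.
      - source: mapcache-ops
        target: /mapcache-template.xml
    deploy:
      labels:
        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-shib-chain"
        - "traefik.http.middlewares.emg-cache-shib-fa.forwardauth.address=http://shibauth-emg/secure"
        - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=emg-cache-shib-fa,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache-shib.tls=true"
        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
        # router for shib auth based access (http)
        - "traefik.http.routers.emg-cache-redirect-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
        # router for internal proxy based access (https)
        - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=178.248.89.10"
        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
        - "traefik.http.middlewares.emg-cache-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-cache"
        # FIX: this label previously targeted `emg-cache-shib.middlewares`
        # (a copy-paste slip). Compose folds the label list into a map, so
        # the duplicate key most likely replaced the shib router's chain with
        # the proxy chain, while `emg-cache-proxy` itself ended up with NO
        # middlewares — i.e. no IP whitelist, no forward-auth and no
        # stripprefix. Mirrors the renderer's `emg-renderer-proxy.middlewares`.
        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-cache-proxy-chain"
        - "traefik.http.middlewares.emg-cache-proxy-chain.chain.middlewares=emg-pass-whitelist-cache,emg-cache-proxy-fa,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache-proxy.tls=true"
        - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
        - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
        # router for internal proxy based access (http)
        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
        - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
        # router for basic auth based access (https)
        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
        - "traefik.http.routers.emg-cache.tls=true"
        - "traefik.http.routers.emg-cache.tls.certresolver=default"
        - "traefik.http.routers.emg-cache.entrypoints=https"
        # router for basic auth based access (http)
        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
        - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
        - "traefik.docker.network=emg-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
      replicas: 1
      resources:
        limits:
          memory: 8G
    networks:
      - extnet

  # Registrar: not exposed through Traefik (no labels).
  registrar:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_core:staging
    environment:
      INSTALL_DIR: "/var/www/pvs/ops/"
      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
      UPLOAD_CONTAINER: "emg-data-staging"
    deploy:
      replicas: 1

  ingestor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:staging
    environment:
      REDIS_PREPROCESS_MD_QUEUE_KEY: "preprocess_queue"

  sftp:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_sftp:staging

  # Client: static front-end served at the bare host (no PathPrefix rule).
  client:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_client:staging
    configs:
      # `client-ops` is not declared in this file's top-level `configs:`;
      # presumably provided by the base stack file — verify.
      - source: client-ops
        target: /usr/share/nginx/html/index.html
    deploy:
      labels:
        # router for shib auth based access (https)
        - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
        - "traefik.http.middlewares.emg-client-shib-fa.forwardauth.address=http://shibauth-emg/secure"
        - "traefik.http.routers.emg-client-shib.middlewares=emg-client-shib-fa,compress@file"
        - "traefik.http.routers.emg-client-shib.tls=true"
        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
        - "traefik.http.routers.emg-client-shib.entrypoints=https"
        # router for shib auth based access (http)
        - "traefik.http.routers.emg-client-redirect-shib.rule=Host(`emg.pass.copernicus.eu`)"
        - "traefik.http.routers.emg-client-redirect-shib.middlewares=redirect@file"
        - "traefik.http.routers.emg-client-redirect-shib.entrypoints=http"
        # router for basic auth based access (https)
        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`)"
        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
        - "traefik.http.routers.emg-client.tls=true"
        - "traefik.http.routers.emg-client.tls.certresolver=default"
        - "traefik.http.routers.emg-client.entrypoints=https"
        # router for basic auth based access (http)
        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`)"
        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-client.loadbalancer.sticky=false"
        - "traefik.http.services.emg-client.loadbalancer.server.port=80"
        - "traefik.docker.network=emg-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
    networks:
      - extnet

  preprocessor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_preprocessor:staging
    volumes:
      # host directory bind-mounted as the container's /tmp
      - type: bind
        source: /var/vhr
        target: /tmp
    deploy:
      replicas: 1
    environment:
      UPLOAD_CONTAINER: "emg-data-staging"

  # Shibboleth SP: the forward-auth target for every *-fa middleware above
  # (/secure, /proxy-renderer, /proxy-cache) and the public /Shibboleth.sso
  # SSO handler.
  shibauth-emg:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth:staging
    environment:
      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
      # Regex of user categories admitted by the proxy-renderer / proxy-cache
      # forward-auth endpoints (exact matching semantics are defined by the
      # image, not visible here).
      PROXY_USER_CATEGORY_ALLOW_RENDERER: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
      PROXY_USER_CATEGORY_ALLOW_CACHE: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
    secrets:
      # SP certificate/key come from external Swarm secrets, not from VCS.
      - source: EMG_SHIB_CERT
        target: SHIB_CERT
      - source: EMG_SHIB_KEY
        target: SHIB_KEY
      - BASIC_AUTH_USERS_AUTH
    deploy:
      replicas: 1
      labels:
        # router for basic auth based access (https)
        # Only the /Shibboleth.sso handler path is routed here, with no
        # auth middleware: this is the SSO endpoint itself.
        - "traefik.http.routers.emg-shibauth.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"
        - "traefik.http.routers.emg-shibauth.middlewares=compress@file,cors@file"
        - "traefik.http.routers.emg-shibauth.tls=true"
        - "traefik.http.routers.emg-shibauth.tls.certresolver=default"
        - "traefik.http.routers.emg-shibauth.entrypoints=https"
        # router for basic auth based access (http)
        - "traefik.http.routers.emg-shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/Shibboleth.sso`)"
        - "traefik.http.routers.emg-shibauth-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-shibauth-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-shibauth.loadbalancer.sticky=false"
        - "traefik.http.services.emg-shibauth.loadbalancer.server.port=80"
        - "traefik.docker.network=emg-extnet"
        - "traefik.docker.lbswarm=true"
        - "traefik.enable=true"
    networks:
      - extnet
    configs:
      - source: shib-access-control-conf
        target: /etc/shibboleth/pass-ac.xml
      - source: shib-access-control-conf-cache
        target: /etc/shibboleth/pass-ac-cache.xml
      - source: shib-shibboleth2
        target: /etc/shibboleth/shibboleth2.xml
      - source: shib-apache
        target: /etc/httpd/conf.d/shib.conf
      - source: shib-attribute-map
        target: /etc/shibboleth/attribute-map.xml
      - source: idp-metadata
        target: /etc/shibboleth/idp-metadata.xml
      - source: shibd-logger
        target: /etc/shibboleth/shibd.logger
      - source: native-logger
        target: /etc/shibboleth/native.logger

networks:
  # Pre-existing overlay network shared with the Traefik instance
  # (matches the `traefik.docker.network=emg-extnet` labels above).
  extnet:
    name: emg-extnet
    external: true

configs:
  shib-access-control-conf:
    file: ./config/shibboleth/emg-ac.xml
  shib-access-control-conf-cache:
    file: ./config/shibboleth/emg-ac-cache.xml
  shib-shibboleth2:
    file: ./config/shibboleth/emg-shibboleth2.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map:
    file: ./config/shibboleth/attribute-map.xml
  native-logger:
    file: ./config/shibboleth/native.logger
  shibd-logger:
    file: ./config/shibboleth/shibd.logger
  # IdP metadata is managed outside this stack.
  idp-metadata:
    external: true

secrets:
  EMG_SHIB_CERT:
    external: true
  EMG_SHIB_KEY:
    external: true
  BASIC_AUTH_USERS_AUTH:
    external: true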