susana/BeyondCXAnalytics-Demo
2
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity

WIP proxy #3

Open
garbelo wants to merge 65 commits from proxy into main
pull from: proxy
merge into: susana:main
Conversation 0 Commits 65 Files Changed 10 +225 -167
3 changed files with 225 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 4fc681b2c4 - Show all commits

24
docker-compose.yml
View File

@@ -28,21 +28,17 @@ services:
- "4173" - "4173"
networks: networks:
- beyond-net - beyond-net
- frontend
nginx: labels:
image: nginx:1.27-alpine - "traefik.enable=true"
container_name: beyond-nginx - "treafik.http.routers.XXX-https.rule=Host(`XXX.mylab.k8s.org.es`)"
- "traefik.http.routers.XXX-https.entrypoints=websecure"
- "traefik.http.routers.XXX-https.tls=true"
- "traefik.http.routers.XXX-https.tls.certresolver=doresolv"
- "traefik.http.routers.XXX-https.service=XXX-service-scv"
- "traefik.http.services.XXX-service-scv.loadBalancer.server.port=4173"
depends_on: depends_on:
- backend - backend
- frontend
ports:
- "80:80"
- "443:443"
volumes:
- /etc/letsencrypt:/etc/letsencrypt:ro
- ./nginx/conf.d:/etc/nginx/conf.d:ro
networks:
- beyond-net
volumes: volumes:
cache-data: cache-data:
@@ -51,3 +47,5 @@ volumes:
networks: networks:
beyond-net: beyond-net:
driver: bridge driver: bridge
frontend:
external: true

51
docker-compose.yml.back Normal file
View File

@@ -0,0 +1,51 @@
version: "3.9"
services:
backend:
build:
context: ./backend
container_name: beyond-backend
environment:
# credenciales del API (las mismas que usas ahora)
BASIC_AUTH_USERNAME: "beyond"
BASIC_AUTH_PASSWORD: "beyond2026"
CACHE_DIR: "/data/cache"
volumes:
- cache-data:/data/cache
expose:
- "8000"
networks:
- beyond-net
frontend:
build:
context: ./frontend
args:
# el front compilará con este BASE_URL -> /api
VITE_API_BASE_URL: /api
container_name: beyond-frontend
expose:
- "4173"
networks:
- beyond-net
- frontend
labels:
- "traefik.enable=true"
- "treafik.http.routers.XXX-https.rule=Host('XXX.mylab.k8s.org.es')"
- "traefik.http.routers.XXX-https.entrypoints=websecure"
- "traefik.http.routers.XXX-https.tls=true"
- "traefik.http.routers.XXX-https.tls.certresolver=doresolv"
- "traefik.http.routers.XXX-https.service=XXX-service-scv"
- "traefik.http.services.XXX-service-scv.loadBalancer.server.port=4173"
depends_on:
- backend
volumes:
cache-data:
driver: local
networks:
beyond-net:
driver: bridge
frontend:
external: true

317
install_beyond.sh
View File

@@ -6,7 +6,7 @@ set -euo pipefail
############################################### ###############################################
# TODO: pon aquí la URL real de tu repo (sin credenciales) # TODO: pon aquí la URL real de tu repo (sin credenciales)
REPO_URL_DEFAULT="https://github.com/igferne/Beyond-Diagnosis.git" REPO_URL_DEFAULT="https://github.com/igferne/Beyond-Diagnosis.git"
INSTALL_DIR="/opt/beyonddiagnosis" INSTALL_BASE="/home/garbelo/"
############################################### ###############################################
# UTILIDADES # UTILIDADES
@@ -37,7 +37,8 @@ if [ -z "$DOMAIN" ]; then
echo "El dominio no puede estar vacío." echo "El dominio no puede estar vacío."
exit 1 exit 1
fi fi
SUBDOMAIN="$DOMAIN%%.*"
INSTALL_DIR=$INSTALL_BASE"/"$SUBDOMAIN
read -rp "Email para Let's Encrypt (avisos de renovación): " EMAIL read -rp "Email para Let's Encrypt (avisos de renovación): " EMAIL
if [ -z "$EMAIL" ]; then if [ -z "$EMAIL" ]; then
echo "El email no puede estar vacío." echo "El email no puede estar vacío."
@@ -66,30 +67,32 @@ read -rp "¿El repositorio es PRIVADO en GitHub y necesitas token? [s/N]: " IS_P
IS_PRIVATE=${IS_PRIVATE:-N} IS_PRIVATE=${IS_PRIVATE:-N}
GIT_CLONE_URL="$REPO_URL" GIT_CLONE_URL="$REPO_URL"
if [[ "$IS_PRIVATE" =~ ^[sS]$ ]]; then #if [[ "$IS_PRIVATE" =~ ^[sS]$ ]]; then
echo "Introduce un Personal Access Token (PAT) de GitHub con permiso de lectura del repo." # echo "Introduce un Personal Access Token (PAT) de GitHub con permiso de lectura del repo."
read -rsp "GitHub PAT: " GITHUB_TOKEN # read -rsp "GitHub PAT: " GITHUB_TOKEN
echo # echo
if [ -z "$GITHUB_TOKEN" ]; then # if [ -z "$GITHUB_TOKEN" ]; then
echo "El token no puede estar vacío si el repo es privado." # echo "El token no puede estar vacío si el repo es privado."
exit 1 # exit 1
fi # fi
#
# Construimos una URL del tipo: https://TOKEN@github.com/usuario/repo.git # # Construimos una URL del tipo: https://TOKEN@github.com/usuario/repo.git
if [[ "$REPO_URL" =~ ^https:// ]]; then # if [[ "$REPO_URL" =~ ^https:// ]]; then
GIT_CLONE_URL="https://${GITHUB_TOKEN}@${REPO_URL#https://}" # GIT_CLONE_URL="https://${GITHUB_TOKEN}@${REPO_URL#https://}"
else # else
echo "La URL del repositorio debe empezar por https:// para usar el token." # echo "La URL del repositorio debe empezar por https:// para usar el token."
exit 1 # exit 1
fi # fi
fi #fi
#
echo echo
echo "Resumen de configuración:" echo "Resumen de configuración:"
echo " Dominio: $DOMAIN" echo " Dominio: $DOMAIN"
echo " Email Let'sEnc: $EMAIL" echo " Email Let'sEnc: $EMAIL"
echo " Usuario API: $API_USER" echo " Usuario API: $API_USER"
echo " Repo (visible): $REPO_URL" echo " Repo (visible): $REPO_URL"
echo " Path del despliegue: $INSTALL_DIR"
if [[ "$IS_PRIVATE" =~ ^[sS]$ ]]; then if [[ "$IS_PRIVATE" =~ ^[sS]$ ]]; then
echo " Repo privado: Sí (se usará un PAT sólo para el clon inicial)" echo " Repo privado: Sí (se usará un PAT sólo para el clon inicial)"
else else
@@ -107,56 +110,56 @@ fi
############################################### ###############################################
# 2. INSTALAR DOCKER + DOCKER COMPOSE + CERTBOT # 2. INSTALAR DOCKER + DOCKER COMPOSE + CERTBOT
############################################### ###############################################
step "Instalando Docker, docker compose plugin y certbot" #step "Instalando Docker, docker compose plugin y certbot"
#
apt-get update -y #apt-get update -y
#
# Dependencias para repositorio Docker ## Dependencias para repositorio Docker
apt-get install -y \ #apt-get install -y \
ca-certificates \ # ca-certificates \
curl \ # curl \
gnupg \ # gnupg \
lsb-release # lsb-release
#
# Clave GPG de Docker ## Clave GPG de Docker
if [ ! -f /etc/apt/keyrings/docker.gpg ]; then #if [ ! -f /etc/apt/keyrings/docker.gpg ]; then
install -m 0755 -d /etc/apt/keyrings # install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \ # curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor -o /etc/apt/keyrings/docker.gpg # gpg --dearmor -o /etc/apt/keyrings/docker.gpg
fi #fi
#
# Repo Docker estable ## Repo Docker estable
if [ ! -f /etc/apt/sources.list.d/docker.list ]; then #if [ ! -f /etc/apt/sources.list.d/docker.list ]; then
echo \ # echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ # "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ # $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null # tee /etc/apt/sources.list.d/docker.list > /dev/null
fi #fi
#
apt-get update -y #apt-get update -y
#
apt-get install -y \ #apt-get install -y \
docker-ce \ # docker-ce \
docker-ce-cli \ # docker-ce-cli \
containerd.io \ # containerd.io \
docker-buildx-plugin \ # docker-buildx-plugin \
docker-compose-plugin \ # docker-compose-plugin \
git \ # git \
certbot # certbot
#
systemctl enable docker #systemctl enable docker
systemctl start docker #systemctl start docker
#
# Abrimos puertos en ufw si está activo ## Abrimos puertos en ufw si está activo
if command -v ufw >/dev/null 2>&1; then #if command -v ufw >/dev/null 2>&1; then
if ufw status | grep -q "Status: active"; then # if ufw status | grep -q "Status: active"; then
step "Configurando firewall (ufw) para permitir 80 y 443" # step "Configurando firewall (ufw) para permitir 80 y 443"
ufw allow 80/tcp || true # ufw allow 80/tcp || true
ufw allow 443/tcp || true # ufw allow 443/tcp || true
fi # fi
fi #fi
#
############################################### ################################################
# 3. CLONAR / ACTUALIZAR REPO # 3. CLONAR / ACTUALIZAR REPO
############################################### ###############################################
step "Descargando/actualizando el repositorio en $INSTALL_DIR" step "Descargando/actualizando el repositorio en $INSTALL_DIR"
@@ -189,94 +192,100 @@ else
sed -i "s/BASIC_AUTH_PASSWORD:.*/BASIC_AUTH_PASSWORD: \"$API_PASS\"/" docker-compose.yml sed -i "s/BASIC_AUTH_PASSWORD:.*/BASIC_AUTH_PASSWORD: \"$API_PASS\"/" docker-compose.yml
fi fi
if ! grep -q "XXX" docker-compose.yml; then
echo "⚠ No encuentro XXX en docker-compose.yml. Revisa el archivo a mano."
else
sed -i "s/XXX/\"$SUBDOMAIN\"/" docker-compose.yml
fi
# Aseguramos que nginx exponga también 443 # Aseguramos que nginx exponga también 443
if grep -q 'ports:' docker-compose.yml && grep -q 'nginx:' docker-compose.yml; then #if grep -q 'ports:' docker-compose.yml && grep -q 'nginx:' docker-compose.yml; then
if ! grep -q '443:443' docker-compose.yml; then # if ! grep -q '443:443' docker-compose.yml; then
sed -i '/- "80:80"/a\ - "443:443"' docker-compose.yml || true # sed -i '/- "80:80"/a\ - "443:443"' docker-compose.yml || true
fi # fi
fi #fi
#
# Aseguramos que montamos /etc/letsencrypt dentro del contenedor de nginx ## Aseguramos que montamos /etc/letsencrypt dentro del contenedor de nginx
if ! grep -q '/etc/letsencrypt:/etc/letsencrypt:ro' docker-compose.yml; then #if ! grep -q '/etc/letsencrypt:/etc/letsencrypt:ro' docker-compose.yml; then
sed -i '/nginx:/,/networks:/{ # sed -i '/nginx:/,/networks:/{
/volumes:/a\ - /etc/letsencrypt:/etc/letsencrypt:ro # /volumes:/a\ - /etc/letsencrypt:/etc/letsencrypt:ro
}' docker-compose.yml || true # }' docker-compose.yml || true
fi #fi
#
############################################### ###############################################
# 5. OBTENER CERTIFICADO LET'S ENCRYPT # 5. OBTENER CERTIFICADO LET'S ENCRYPT
############################################### ###############################################
step "Obteniendo certificado SSL de Lets Encrypt para $DOMAIN" #step "Obteniendo certificado SSL de Lets Encrypt para $DOMAIN"
#
if [ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then #if [ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
echo "Certificado ya existe, saltando paso de emisión." # echo "Certificado ya existe, saltando paso de emisión."
else #else
# Asegurarnos de que no hay nada escuchando en 80/443 # # Asegurarnos de que no hay nada escuchando en 80/443
systemctl stop nginx || true # systemctl stop nginx || true
#
certbot certonly \ # certbot certonly \
--standalone \ # --standalone \
--non-interactive \ # --non-interactive \
--agree-tos \ # --agree-tos \
-m "$EMAIL" \ # -m "$EMAIL" \
-d "$DOMAIN" # -d "$DOMAIN"
#
echo "Certificado emitido en /etc/letsencrypt/live/$DOMAIN/" # echo "Certificado emitido en /etc/letsencrypt/live/$DOMAIN/"
fi #fi
#
############################################### ################################################
# 6. CONFIGURAR NGINX DENTRO DEL REPO ## 6. CONFIGURAR NGINX DENTRO DEL REPO
############################################### ################################################
step "Generando configuración nginx con SSL" #step "Generando configuración nginx con SSL"
#
mkdir -p nginx/conf.d #mkdir -p nginx/conf.d
#
cat > nginx/conf.d/beyond.conf <<EOF #cat > nginx/conf.d/beyond.conf <<EOF
server { #server {
listen 80; # listen 80;
server_name $DOMAIN; # server_name $DOMAIN;
return 301 https://\$host\$request_uri; # return 301 https://\$host\$request_uri;
client_max_body_size 1024M; # client_max_body_size 1024M;
} #}
#
server { #server {
listen 443 ssl; # listen 443 ssl;
server_name $DOMAIN; # server_name $DOMAIN;
#
client_max_body_size 1024M; # client_max_body_size 1024M;
#
ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; # ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; # ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; # ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5; # ssl_ciphers HIGH:!aNULL:!MD5;
#
# FRONTEND (React) # # FRONTEND (React)
location / { # location / {
proxy_pass http://frontend:4173/; # proxy_pass http://frontend:4173/;
proxy_http_version 1.1; # proxy_http_version 1.1;
proxy_set_header Host \$host; # proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr; # proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Upgrade \$http_upgrade; # proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; # proxy_set_header Connection "upgrade";
} # }
#
# BACKEND (FastAPI) # # BACKEND (FastAPI)
location /api/ { # location /api/ {
proxy_pass http://backend:8000/; # proxy_pass http://backend:8000/;
proxy_http_version 1.1; # proxy_http_version 1.1;
proxy_set_header Host \$host; # proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr; # proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Upgrade \$http_upgrade; # proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade"; # proxy_set_header Connection "upgrade";
#
proxy_connect_timeout 60s; # proxy_connect_timeout 60s;
proxy_send_timeout 600s; # proxy_send_timeout 600s;
proxy_read_timeout 600s; # proxy_read_timeout 600s;
send_timeout 600s; # send_timeout 600s;
} # }
} #}
EOF #EOF
#
############################################### ###############################################
# 7. BUILD Y ARRANQUE DE CONTENEDORES # 7. BUILD Y ARRANQUE DE CONTENEDORES
############################################### ###############################################