# Defines the root base path at which the gateway exposes all geoserver request paths
# We're not setting the spring.webflux.base-path because spring-cloud Gateway doesn't
# work properly with it. See https://github.com/spring-cloud/spring-cloud-gateway/issues/1759
# For example, if geoserver.base-path=/geoserver-cloud, then geoserver requests will be served
# under that path prefix (e.g. http://localhost:9090/geoserver-cloud/web, http://localhost:9090/geoserver-cloud/wfs, etc)
# Examples:
#geoserver.base-path:
#geoserver.base-path: /geoserver
#geoserver.base-path: /geoserver-cloud
#geoserver.base-path: /geoserver/cloud
# Leave it empty for no additional path, setting it to / won't work currently
geoserver:
  # Taken from the geoserver_base_path property; the empty default means no path prefix.
  base-path: ${geoserver_base_path:}
  security:
    gateway-shared-auth:
      # enable sharing the webui authentication through the gateway with the other microservices
      # make sure the same config is applied in geoserver.yml
      # Enabled unless gateway.shared-auth is set to something else.
      # NOTE(review): presumably the other services then accept identity information
      # relayed by the gateway; if so, they must only be reachable through the gateway
      # and never directly by clients - confirm against the sharedauth filters.
      enabled: ${gateway.shared-auth:true}
# Short alias of geoserver.base-path; the filters and route predicates in this file
# refer to it as ${basepath}.
basepath: ${geoserver.base-path}
# by default, assumes a discovery-client is in use, and perform client-side load balancing on
# the advertised instances. See the 'standalone' profile notes for a static config
targets:
  # Unlike the lb:// entries, acl is addressed by a fixed host name over plain HTTP.
  acl: http://acl:8080
  wfs: lb://wfs-service
  wms: lb://wms-service
  wcs: lb://wcs-service
  wps: lb://wps-service
  rest: lb://restconfig-v1
  gwc: lb://gwc-service
  webui: lb://web-ui
  # Same service id as webui.
  webui-demo: lb://web-ui
# Configure routes to services. See https://cloud.spring.io/spring-cloud-gateway/single/spring-cloud-gateway.html
# HTTP listener of the gateway itself.
server:
  port: 8080
  # Let spring-boot's ForwardedHeaderFilter take care of reflecting the client-originated protocol and address in the HttpServletRequest
  # NOTE(review): the forwarded values come from the incoming request. If clients can reach
  # this port without passing through a proxy that overwrites those headers, they choose the
  # host, protocol and address the application sees - confirm the gateway is always fronted
  # by such a proxy.
  forward-headers-strategy: framework
  compression:
    enabled: true
# Spring Cloud Gateway settings: forwarded-header handling, default filters,
# response security headers, CORS and the route table.
spring:
  cloud:
    gateway:
      enabled: true
      # Disable the Forwarded header, rely on X-Forwarded-*. Forwarded is built wrong.
      # e.g.: proto=https;host=\"gateway:8080\";for=\"172.20.0.1:51084\
      # instead of proto=https;host=\"original-host:443\";for=\"172.20.0.1:51084\
      forwarded.enabled: false
      # All five X-Forwarded-* variants are switched on.
      # NOTE(review): the services behind the gateway will presumably act on these values
      # (e.g. when building URLs); they are only as trustworthy as whatever sits in front
      # of the gateway - confirm client-supplied values are overwritten upstream.
      x-forwarded:
        for-enabled: true
        host-enabled: true
        port-enabled: true
        proto-enabled: true
        prefix-enabled: true
      metrics.enabled: true
      # Filters applied to every route.
      default-filters:
        # see https://docs.spring.io/spring-cloud-gateway/reference/spring-cloud-gateway/gatewayfilter-factories/deduperesponseheader-factory.html
        # Collapses repeated values of the two listed CORS response headers.
        - DedupeResponseHeader=Access-Control-Allow-Origin Access-Control-Allow-Credentials, RETAIN_UNIQUE
        #remove the base path on downstream requests
        - StripBasePath=${basepath}
      global-filter:
        websocket-routing:
          enabled: true
      filter:
        # Security response headers added by the gateway.
        secure-headers:
          enabled: true
          # Content-Security-Policy is the one header left out, so no CSP is set here.
          # NOTE(review): confirm the web UI cannot run under a restrictive policy before
          # keeping this exclusion in production.
          disable:
            - content-security-policy
          frame-options: SAMEORIGIN
          # 0 turns off the legacy browser XSS auditor.
          xss-protection-header: 0
          referrer-policy: no-referrer
      globalcors:
        #add-to-simple-url-handler-mapping: true
        cors-configurations:
          # Applies to every path. Any origin and any request header are allowed;
          # allowCredentials is not set in this file.
          # NOTE(review): with a wildcard origin, any web page can read the responses to
          # non-credentialed requests, which matters when the gateway is reachable from
          # users' browsers on an internal network. Consider listing the known front-end
          # origins for production deployments.
          "[/**]":
            allowedOrigins: "*"
            allowedHeaders: "*"
            allowedMethods: GET, PUT, POST, DELETE, OPTIONS, HEAD
      actuator:
        # NOTE(review): presumably makes the gateway actuator endpoint return full route
        # details; see the management section for who can reach it.
        verbose:
          enabled: true
      # Routes are listed from most to least specific; the webui catch-all at the end
      # relies on being last.
      routes:
        # Redirects / and the bare base path to the web UI.
        - id: root-redirect-to-webui
          uri: no://op
          predicates:
            - Path=/,${basepath}
          filters:
            - RedirectTo=302, ${basepath}/web/
        - id: acl-root-redirect-to-swagger
          # redirect /acl and /acl/ to swagger, otherwise /acl/ works but /acl doesn't
          uri: no://op
          predicates:
            - Path=${basepath}/acl
          filters:
            - RedirectTo=302, ${basepath}/acl/openapi/swagger-ui/index.html
        # NOTE(review): this publishes the ACL service, including its swagger UI, on the
        # same entry point as the OWS services; confirm the ACL service enforces its own
        # authentication, or restrict this route where the gateway is Internet-facing.
        - id: acl
          uri: ${targets.acl}
          predicates:
            - Path=${basepath}/acl/**
          filters:
            - RewritePath=/acl,/acl/
        # WFS routes
        - id: wfs # proxies requests to gateway-service:/wfs to wfs-service:/wfs
          uri: ${targets.wfs}
          predicates:
            - Path=${basepath}/wfs,${basepath}/{workspace}/wfs,${basepath}/{workspace}/{layer}/wfs,${basepath}/schemas/wfs/**,${basepath}/webresources/wfs/**
        # proxy [/{workspace}]/ows?SERVICE=wfs to wfs-service:[/{workspace}]/ows?SERVICE=wfs. Param value is case insensitive, name is not.
        # The four *_ows routes share the same Path predicate and differ only in the
        # RegExpQuery; an /ows request matching none of them falls through to the webui
        # catch-all route.
        - id: wfs_ows
          uri: ${targets.wfs}
          predicates:
            - Path=${basepath}/ows,${basepath}/{workspace}/ows,${basepath}/{workspace}/{layer}/ows
            - RegExpQuery=(?i:service),(?i:wfs) # match service=wfs case insensitively
        # WMS routes
        - id: wms # proxies requests to gateway-service:/wms to wms-service:/wms
          uri: ${targets.wms}
          predicates:
            - Path=${basepath}/wms,${basepath}/{workspace}/wms,${basepath}/{workspace}/{layer}/wms,${basepath}/schemas/wms/**,${basepath}/openlayers/**,${basepath}/openlayers3/**,${basepath}/webresources/wms/**,${basepath}/options.png
        - id: wms_ows # proxy [/{workspace}]/ows?SERVICE=wms to wms-service:[/{workspace}]/ows?SERVICE=wms. Param value is case insensitive, name is not.
          uri: ${targets.wms}
          predicates:
            - Path=${basepath}/ows,${basepath}/{workspace}/ows,${basepath}/{workspace}/{layer}/ows
            - RegExpQuery=(?i:service),(?i:wms) # match service=wms case insensitively
        - id: kml # proxies requests to kml endpoints to the wms service
          uri: ${targets.wms}
          predicates:
            - Path=${basepath}/wms/kml,${basepath}/{workspace}/wms/kml,${basepath}/kml/icon/**
        # WCS routes
        - id: wcs # proxies requests to gateway-service:/wcs to wcs-service:/wcs
          uri: ${targets.wcs}
          predicates:
            - Path=${basepath}/wcs,${basepath}/{workspace}/wcs,${basepath}/{workspace}/{layer}/wcs,${basepath}/schemas/wcs/**
        - id: wcs_ows # proxy [/{workspace}]/ows?SERVICE=wcs to wcs-service:[/{workspace}]/ows?SERVICE=wcs. Param value is case insensitive, name is not.
          uri: ${targets.wcs}
          predicates:
            - Path=${basepath}/ows,${basepath}/{workspace}/ows,${basepath}/{workspace}/{layer}/ows
            - RegExpQuery=(?i:service),(?i:wcs) # match service=wcs case insensitively
        # WPS routes
        - id: wps # proxies requests to gateway-service:/wps to wps-service:/wps
          uri: ${targets.wps}
          predicates:
            - Path=${basepath}/wps,${basepath}/{segment}/wps,${basepath}/schemas/wps/**
        - id: wps_ows # proxy [/{workspace}]/ows?SERVICE=wps to wps-service:[/{workspace}]/ows?SERVICE=wps. Param value is case insensitive, name is not.
          uri: ${targets.wps}
          predicates:
            - Path=${basepath}/ows,${basepath}/{segment}/ows
            - RegExpQuery=(?i:service),(?i:wps) # match service=wps case insensitively
        # REST configuration routes
        - id: restconfig
          uri: ${targets.rest}
          predicates:
            - Path=${basepath}/rest/**
        # GeoWebcache configuration routes
        - id: gwc
          uri: ${targets.gwc}
          predicates:
            - Path=${basepath}/gwc/**,${basepath}/{workspace}/gwc/**,${basepath}/{workspace}/{layer}/gwc/**
        # Web UI configuration routes
        # Catch-all: every path under the base path that no earlier route matched is
        # sent to the web UI.
        - id: webui
          uri: ${targets.webui}
          predicates:
            - Path=${basepath}/**
            #- Path=${basepath},${basepath}/,${basepath}/index.html,${basepath}/web,${basepath}/web/**,${basepath}/j_spring_security_check,${basepath}/j_spring_security_logout
# Spring Boot actuator settings for the gateway.
# NOTE(review): this document sets no management.server.port, so the actuator is
# presumably served on the same port as the routed traffic (8080) - confirm, and
# confirm what blocks /actuator from outside callers.
management:
  endpoints:
    enabled-by-default: true
    # Exposes every enabled endpoint over HTTP.
    # NOTE(review): consider limiting this to the endpoints monitoring actually needs,
    # or moving the actuator to an internal-only port with access control.
    web.exposure.include: "*"
  endpoint:
    info.enabled: true
    metrics.enabled: true
    # Allows the application to be stopped through the actuator. Together with the
    # wildcard exposure above, the shutdown endpoint is reachable over HTTP.
    # NOTE(review): disable it unless an operational procedure depends on it.
    shutdown.enabled: true
    health:
      enabled: true
      # Health details are returned to every caller, authenticated or not.
      show-details: always
  metrics:
    binders:
      processor.enabled: true
      uptime.enabled: true
      jvm.enabled: true
    enable.all: true
    enable.jvm: true
    export:
      atlas.enabled: false
# Default log levels: info overall, with the two noisy Eureka client loggers lowered to warn.
logging:
  level:
    root: info
    com.netflix.discovery.DiscoveryClient: warn
    # log flooding with "INFO Resolving eureka endpoints via configuration"
    com.netflix.discovery.shared.resolver: warn
    org.geoserver.cloud.security.gateway.sharedauth: info
---
# this profile is automatically included if any of the embedded
# config_first or discovery_first profile groups are active
spring.config.activate.on-profile: discovery_eureka
# Should only be set in application.yml. Setting the value in bootstrap.yml will cause undesirable side effects like registering in eureka with an UNKNOWN status.
# See https://cloud.spring.io/spring-cloud-netflix/2.0.x/multi/multi__service_discovery_eureka_clients.html#_eureka_s_health_checks
eureka.client.healthcheck.enabled: true
# The discovery server is addressed over plain HTTP, with no credentials in the URL.
# NOTE(review): confirm this traffic stays on a network segment clients cannot reach.
eureka.server.url: http://discovery:8761/eureka
---
# Profile that replaces the lb:// targets with fixed host names, for use without a discovery client.
spring.config.activate.on-profile: standalone
# Define static targets using known host names.
# Host names can be docker-compose assigned service names, or k8s service names as appropriate
# All targets use plain HTTP on port 8080. webui-demo is not overridden in this profile.
targets:
  acl: http://acl:8080
  wfs: http://wfs:8080
  wms: http://wms:8080
  wcs: http://wcs:8080
  wps: http://wps:8080
  rest: http://rest:8080
  gwc: http://gwc:8080
  webui: http://webui:8080
---
# Profile that raises the root logger to debug.
# NOTE(review): debug output of a gateway can include request headers and similar
# sensitive data - confirm what is logged before enabling this outside development.
spring.config.activate.on-profile: debug
logging:
  level:
    root: debug
---
# Profile that raises only the shared-authentication pre and post loggers to debug.
# NOTE(review): presumably this logs the authentication details relayed between the
# gateway and the services; treat the resulting logs as sensitive - confirm.
spring.config.activate.on-profile: logging_debug_security
logging:
  level:
    org.geoserver.cloud.security.gateway.sharedauth.pre: debug
    org.geoserver.cloud.security.gateway.sharedauth.post: debug
---
# Profile for running the gateway and every service on one machine.
spring.config.activate.on-profile: local
# The gateway and its actuator share port 9090 in this profile.
server.port: 9090
management.server.port: 9090
# Each service listens on its own localhost port. webui-demo is not overridden in this profile.
targets:
  acl: http://localhost:9000
  wfs: http://localhost:9101
  wms: http://localhost:9102
  wcs: http://localhost:9103
  wps: http://localhost:9104
  rest: http://localhost:9105
  webui: http://localhost:9106
  gwc: http://localhost:9107