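---
# Compose stack for the CCP bridgehead: the Blaze FHIR store, the Focus
# query runner, the Beam proxy that relays to the broker, and an
# oauth2-proxy that Traefik can use as an OIDC forward-auth middleware.
# The `traefik` and `forward_proxy` services referenced here are defined
# in another compose file of the stack; this file only adds to them.
version: "3.7"

services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
    container_name: bridgehead-ccp-blaze
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx4g"
      # Quoted on purpose: the container must receive the string "false",
      # not a YAML boolean.
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
      - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
      # The `auth` middleware is not defined in this file; the route is only
      # protected if another compose file of the stack provides it.
      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
      - "traefik.http.routers.blaze_ccp.tls=true"

  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:main
    container_name: bridgehead-focus
    environment:
      # Shared with beam-proxy's APP_focus_KEY below; both read the same
      # variable and must stay in sync.
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-ccp-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      # Kept as a string so the YAML parser does not turn it into a float;
      # the other literal env values in this file are quoted the same way.
      EPSILON: "0.28"
    depends_on:
      - "beam-proxy"
      - "blaze"

  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      # Same variable as focus's API_KEY above.
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      # Provided through the compose secret declared at the bottom of the file.
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      # Host-side trust material is mounted read-only.
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro

  # Only labels are added here; the service itself lives in another file.
  # `oidcAuth` delegates the auth decision to oauth2_proxy below and passes
  # the listed response headers back to the upstream.
  traefik:
    labels:
      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"

  oauth2_proxy:
    # NOTE(review): untagged image resolves to whatever `latest` is at pull
    # time; consider pinning a tag or digest for reproducible deployments.
    image: quay.io/oauth2-proxy/oauth2-proxy
    container_name: bridgehead_oauth2_proxy
    # `>-` folds the lines below into a single command line. A line starting
    # with `#` inside a block scalar is content, not a comment, and would end
    # up in the argument list, so the explanations are kept up here:
    #   - cookie settings: name, secret, 12h expiry, Secure + HttpOnly;
    #   - OIDC settings: keycloak-oidc provider, client id/secret, issuer,
    #     PKCE (S256), provider button skipped;
    #   - X-Forwarded header settings (pass-basic-auth, pass-user-headers,
    #     pass-access-token): true/false depending on your needs.
    # Access is restricted by --allowed-group; --email-domain="*" only means
    # no additional filtering on the e-mail domain.
    command: >-
      --allowed-group=/${KEYCLOAK_USER_GROUP}
      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
      --auth-logging=true
      --whitelist-domain=${HOST}
      --http-address="0.0.0.0:4180"
      --reverse-proxy=true
      --upstream="static://202"
      --email-domain="*"
      --cookie-name="_BRIDGEHEAD_oauth2"
      --cookie-secret="${OAUTH2_PROXY_SECRET}"
      --cookie-expire="12h"
      --cookie-secure="true"
      --cookie-httponly="true"
      --provider="keycloak-oidc"
      --provider-display-name="VerbIS Login"
      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
      --client-secret="${OIDC_CLIENT_SECRET}"
      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
      --scope="openid email profile"
      --code-challenge-method="S256"
      --skip-provider-button=true
      --pass-basic-auth=true
      --pass-user-headers=false
      --pass-access-token=false
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
      - "traefik.http.routers.oauth2_proxy.tls=true"

volumes:
  blaze-data:

secrets:
  # Site private key for the Beam proxy, exposed in the container as
  # /run/secrets/proxy.pem.
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem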