Varnish

backend/src/ploneorg/src/ploneorg/profiles/default/metadata.xml

@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <metadata>
-  <version>20221206001</version>
+  <version>20221207001</version>
   <dependencies>
     <dependency>profile-plone.volto:default</dependency>
+    <dependency>profile-plone.app.caching:default</dependency>
     <dependency>profile-plone.app.vulnerabilities:default</dependency>
     <dependency>profile-pas.plugins.authomatic:default</dependency>
     <dependency>profile-collective.volto.dropdownmenu:default</dependency>

backend/src/ploneorg/src/ploneorg/upgrades/__init__.py

@@ -10,3 +10,11 @@ def install_case_study(setup_tool=None):
     installer = get_installer(portal, getRequest())
     installer.install_product("collective.casestudy")
     logger.info("Installed collective.casestudy")
+
+
+def install_caching(setup_tool=None):
+    """Install plone.app.caching."""
+    portal = api.portal.get()
+    installer = get_installer(portal, getRequest())
+    installer.install_product("plone.app.caching")
+    logger.info("Installed plone.app.caching")

backend/src/ploneorg/src/ploneorg/upgrades/configure.zcml

@@ -26,4 +26,16 @@
         />
   </genericsetup:upgradeSteps>
 
+  <genericsetup:upgradeSteps
+      profile="ploneorg:default"
+      source="20221206001"
+      destination="20221207001"
+      >
+    <upgradeStep
+        title="Install plone.app.caching"
+        description="Install plone.app.caching"
+        handler=".install_caching"
+        />
+  </genericsetup:upgradeSteps>
+
 </configure>

backend/src/ploneorg/tests/test_setup.py

@@ -34,7 +34,7 @@ def test_latest_version(self):
         """Test latest version of default profile."""
         self.assertEqual(
             self.setup.getLastVersionForProfile("ploneorg:default")[0],
-            "20221206001",
+            "20221207001",
         )
 
 

backend/src/ploneorg/tests/test_upgrades.py

@@ -33,6 +33,7 @@ def available_steps(self, src, dst) -> list:
         [
             ("20221014001", "20221112001", 1),
             ("20221112001", "20221206001", 1),
+            ("20221206001", "20221207001", 1),
         ]
     )
     def test_available(self, src, dst, expected):

devops/Makefile

@@ -75,7 +75,7 @@ docker-login: .docker/config.json  ## Login with Docker
 	${DOCKER} login
 
 .PHONY: docker-setup
-docker-setup:  ## Setup docker context
+docker-setup: ## Setup docker context
 	if `docker context ls --format '{{.Name}}'|grep -wq ${CONTEXT}`
 	then
 		rm -r .docker;
@@ -125,21 +125,25 @@ deploy: docker-setup ## Deploy stacks: Plone
 	${DOCKER_CONTEXT} stack deploy -c stacks/beta.plone.org.yml plone
 
 .PHONY: create-site
-create-site: docker-setup ## Deploy stacks: Plone
-	@echo "$(GREEN)==> Create Plone Site in backend for $(DEPLOY_ENV) $(RESET)"
-	${DOCKER_CONTEXT} exec deploy -c stacks/beta.plone.org.yml plone
+create-site: docker-setup ## Create Plone Site
+	@echo "$(GREEN)==> Create Plone Site in backend for $(DEPLOY_ENV) $(RESET)";
+	${DOCKER_CONTEXT} exec `${DOCKER_CONTEXT} ps -f 'name=plone_backend.1' -q --no-trunc` /app/docker-entrypoint.sh create-site;
 
 .PHONY: status
 status: docker-setup ## Check status of stack
 	@echo "$(GREEN)==> Stack status in $(DEPLOY_ENV) $(RESET)"
 	${DOCKER_CONTEXT} stack ps -f "desired-state=running" plone
 
-
 .PHONY: logs-webserver
 logs-webserver: ## Display webserver logs
 	@echo "$(GREEN)==> Logs for webserver in $(DEPLOY_ENV) $(RESET)"
 	${DOCKER_CONTEXT} service logs plone_traefik
 
+.PHONY: logs-varnish
+logs-varnish: ## Display varnish logs
+	@echo "$(GREEN)==> Logs for varnish in $(DEPLOY_ENV) $(RESET)"
+	${DOCKER_CONTEXT} service logs plone_varnish
+
 .PHONY: logs-frontend
 logs-frontend: ## Display frontend logs
 	@echo "$(GREEN)==> Logs for frontend in $(DEPLOY_ENV) $(RESET)"

devops/README.md

@@ -90,7 +90,7 @@ For local deployment entries of the domains were already created in `/etc/hosts`
 For production public DNS needs configuration.
 
 Once deployed, there is no Plone site installed.
-This can be done by accessing the ZMI or by executing the create-site script with docker.
+This can be done by accessing the ZMI or by executing `make create-site`.
 
 ## Check Stack Status
 

devops/stacks/beta.plone.org.yml

@@ -18,7 +18,7 @@ services:
         - traefik.http.routers.traefik-public-https.entrypoints=https
         - traefik.http.routers.traefik-public-https.tls=true
         - traefik.http.routers.traefik-public-https.service=api@internal
-        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
+        # - traefik.http.routers.traefik-public-https.middlewares=admin-auth
         - traefik.http.services.traefik-public.loadbalancer.server.port=8000
 
         # GENERIC MIDDLEWARES
@@ -56,10 +56,29 @@ services:
     networks:
       - traefik-public
 
+  varnish:
+    image: varnish:stable
+    configs:
+      - source: varnishvcl
+        target: /etc/varnish/default.vcl
+    tmpfs:
+      - /var/lib/varnish:exec
+    networks:
+      - traefik-public
+    deploy:
+      replicas: 1
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=traefik-public
+        - traefik.constraint-label=traefik-public
+        # SERVICE
+        - traefik.http.services.varnish.loadbalancer.server.port=80
+
   frontend:
     image: ghcr.io/plone/ploneorg-frontend:latest
     environment:
       RAZZLE_INTERNAL_API_PATH: http://backend:8080/Plone
+      RAZZLE_API_PATH: https://beta.plone.org
     depends_on:
       - backend
     networks:
@@ -74,12 +93,17 @@ services:
         # SERVICE
         - traefik.http.services.plone-frontend.loadbalancer.server.port=3000
         # HOSTS
-        - traefik.http.routers.frontend.rule=Host(`beta.plone.org`)
-        - traefik.http.routers.frontend.entrypoints=https
-        - traefik.http.routers.frontend.tls=true
-        - traefik.http.routers.frontend.tls.certresolver=le
-        - traefik.http.routers.frontend.service=plone-frontend
-        - traefik.http.routers.frontend.middlewares=gzip
+        # -> Varnish Public
+        - traefik.http.routers.frontend-varnish.rule=Host(`beta.plone.org`)
+        - traefik.http.routers.frontend-varnish.entrypoints=https
+        - traefik.http.routers.frontend-varnish.tls=true
+        - traefik.http.routers.frontend-varnish.tls.certresolver=le
+        - traefik.http.routers.frontend-varnish.service=varnish
+        # Plone Intern
+        - traefik.http.routers.frontend-intern.rule=Host(`beta.plone.org`) && Headers(`X-Varnish-Routed`,`1`)
+        - traefik.http.routers.frontend-intern.entrypoints=http
+        - traefik.http.routers.frontend-intern.service=plone-frontend
+        - traefik.http.routers.frontend-intern.middlewares=gzip
 
   backend:
     image: ghcr.io/plone/ploneorg-backend:latest
@@ -105,9 +129,14 @@ services:
         # SERVICE
         - traefik.http.services.plone-backend.loadbalancer.server.port=8080
         # Plone API
-        - traefik.http.routers.backend.rule=Host(`beta.plone.org`) && (PathPrefix(`/++api++`))
-        - traefik.http.routers.backend.entrypoints=https
-        - traefik.http.routers.backend.tls=true
+        # -> Varnish Public
+        - traefik.http.routers.backend-varnish.rule=Host(`beta.plone.org`) && (PathPrefix(`/++api++`))
+        - traefik.http.routers.backend-varnish.entrypoints=https
+        - traefik.http.routers.backend-varnish.tls=true
+        - traefik.http.routers.backend-varnish.service=varnish
+        # -> Plone Intern
+        - traefik.http.routers.backend.rule=Host(`beta.plone.org`) && (PathPrefix(`/++api++`)) && Headers(`X-Varnish-Routed`,`1`)
+        - traefik.http.routers.backend.entrypoints=http
         - traefik.http.routers.backend.service=plone-backend
         - "traefik.http.middlewares.backend.replacepathregex.regex=^/\\+\\+api\\+\\+($$|/.*)"
         - "traefik.http.middlewares.backend.replacepathregex.replacement=/VirtualHostBase/https/beta.plone.org/Plone/++api++/VirtualHostRoot/$$1"
@@ -120,6 +149,14 @@ services:
         - "traefik.http.middlewares.backend-classic.replacepathregex.regex=^/ClassicUI($$|/.*)"
         - "traefik.http.middlewares.backend-classic.replacepathregex.replacement=/VirtualHostBase/https/beta.plone.org/Plone/VirtualHostRoot/_vh_ClassicUI/$$1"
         - traefik.http.routers.backend-classic.middlewares=gzip,backend-auth,backend-classic
+        # Plone ZMI - uncomment if not needed - protected with basic auth (prevent SEOs from crawl it)
+        - traefik.http.routers.backend-zmi.rule=Host(`beta.plone.org`) && PathPrefix(`/zmi`)
+        - traefik.http.routers.backend-zmi.entrypoints=https
+        - traefik.http.routers.backend-zmi.tls=true
+        - traefik.http.routers.backend-zmi.service=plone-backend
+        - "traefik.http.middlewares.backend-zmi.replacepathregex.regex=^/zmi($$|/.*)"
+        - "traefik.http.middlewares.backend-zmi.replacepathregex.replacement=/VirtualHostBase/https/beta.plone.org/VirtualHostRoot/_vh_zmi/$$1"
+        - traefik.http.routers.backend-zmi.middlewares=gzip,backend-auth,backend-zmi
 
   db:
     image: postgres:14.2
@@ -132,6 +169,11 @@ services:
     networks:
     - backend
 
+configs:
+  varnishvcl:
+    # name: ploneorg-varnish-0001
+    file: ./default.vcl
+
 volumes:
   traefik-public-certificates:
     driver_opts:
@@ -155,3 +197,4 @@ networks:
     driver: overlay
   backend:
     driver: overlay
+