From 0fbce86cfcd57794aeba282e84382651e1a3e6da Mon Sep 17 00:00:00 2001 From: kaffa Date: Tue, 21 Apr 2026 10:08:16 +0900 Subject: [PATCH] outline: route via APISIX (port 9443, ApisixRoute CRD), not Traefik Switched Bunny iron-kr-nowaf origin from :443 (Traefik) to :9443 (APISIX, no SafeLine plugin) since APISIX plugins are per-route. Used existing :9443 path (juiceshop already there) instead of opening a new OpenWrt port. Outline route managed via ApisixTls + ApisixRoute CRDs because admin-API direct PUTs get swept by apisix-ingress-controller as orphans. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../2026-04-21-outline-bunny-nowaf-migration.md | 15 ++++++++++++++- infra/platform/outline.md | 3 ++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/history/2026-04-21-outline-bunny-nowaf-migration.md b/history/2026-04-21-outline-bunny-nowaf-migration.md index e2fd9a7..81f9a80 100644 --- a/history/2026-04-21-outline-bunny-nowaf-migration.md +++ b/history/2026-04-21-outline-bunny-nowaf-migration.md 
@@ -36,12 +36,25 @@ Basic plan 한계로 host-per-path 커스텀 룰 불가, 따라서 **전용 풀 | Pull Zone | iron-kr (ID 5555227) | **iron-kr-nowaf** (ID 5720695, 신규) | | Shield | iron-kr Shield 101015 (CRS 활성) | Shield 없음 | | 국가차단 | middleware 64811 | middleware 64811 (동일) | -| OriginUrl | https://220.120.65.245 | https://220.120.65.245 (동일) | +| OriginUrl | https://220.120.65.245 (Traefik 직결) | **https://220.120.65.245:9443** (APISIX 경유) | +| Backend 경로 | OpenWrt :443 → HAProxy → Traefik 192.168.9.53:443 → outline IngressRoute | OpenWrt :9443 → HAProxy → APISIX 192.168.9.50:443 → ApisixRoute outline → outline svc | | AddHostHeader | true | true | | VerifyOriginSSL | false | false | | EnableWebSockets | true | true | | TLS 인증서 | LE 자동 | `*.inouter.com` wildcard (cert-manager 수동 업로드) | +### APISIX (서울 K3s) + +CRD 기반으로 관리 (admin API 직접 PUT은 apisix-ingress-controller가 orphan으로 판단해 sweep함): + +| 객체 | 종류 | 이름 | 비고 | +|---|---|---|---| +| SSL | `ApisixTls` | `outline-tls` | sni=`outline.inouter.com`, secret=`apisix/wildcard-inouter-tls`, ssl_id=`4e7704e0` | +| Route | `ApisixRoute` | `outline` | host=`outline.inouter.com`, upstream=`outline.outline.svc:80`, plugins 없음(SafeLine 미장착), route_id=`ce4d2d80` | +| Class | `ingressClassName: apisix` | | apisix-ingress-controller가 reconcile | + +⚠️ **중요**: APISIX 객체를 admin API로 직접 PUT하면 `apisix-ingress-controller`가 ingressClassName 없는 orphan으로 판단해 자동 DELETE함. 반드시 ApisixTls/ApisixRoute CRD 사용. + ### DNS ``` diff --git a/infra/platform/outline.md b/infra/platform/outline.md index 1dbea56..99fef4f 100644 --- a/infra/platform/outline.md +++ b/infra/platform/outline.md 
@@ -26,8 +26,9 @@ Outline은 팀 위키/문서 관리 플랫폼. K3s 클러스터에 배포. | TLS (Traefik) | wildcard-inouter-tls (*.inouter.com) | | TLS (CDN) | *.inouter.com wildcard (cert-manager, GTS WR1 발급) 수동 업로드 | | CDN | BunnyCDN **iron-kr-nowaf** 존 (ID 5720695, WAF 없음, 쿠키 허용) — 2026-04-21 iron-kr에서 분리 이전 | +| Bunny Origin | https://220.120.65.245:9443 → APISIX (Traefik 미경유) | | DNS | outline.inouter.com CNAME → iron-kr-nowaf.b-cdn.net (Cloudflare, proxied OFF) | -| Ingress | Traefik IngressRoute (CRD) | +| Ingress | **APISIX ApisixRoute `outline` (ssl_id 4e7704e0, route_id ce4d2d80)** — 2026-04-21 변경. Traefik IngressRoute는 롤백 대비 유지 중이지만 비활성 경로 | ## 인증 (Gitea OAuth2)
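Review bot: In history/2026-04-21-outline-bunny-nowaf-migration.md, the `VerifyOriginSSL | false | false` row sits unchanged directly under the new `OriginUrl` of `https://220.120.65.245:9443`, so the CDN-to-origin hop into APISIX is still not certificate-validated, and the document gives no reason for that. The new `ApisixTls` `outline-tls` entry serves `apisix/wildcard-inouter-tls` for sni=`outline.inouter.com`, so either record why verification has to stay off on this path or list enabling it as a follow-up. Two smaller points in the added APISIX section: the sentence under the heading and the ⚠️ paragraph state the same admin-API sweep warning twice, so keep one; and `ssl_id=4e7704e0` / `route_id=ce4d2d80` are written as fixed values with no note on where they come from, so say how to look them up again, otherwise the table goes stale if the CRDs are recreated.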
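Review bot: In infra/platform/outline.md, the new `Ingress` row says the Traefik IngressRoute is kept for rollback but is an inactive path, without saying what makes it inactive or when it will be removed. If the IngressRoute still exists and only the Bunny origin changed, state that explicitly (whether it still answers for `outline.inouter.com` on :443) and add a removal date or condition, so the leftover route is tracked rather than forgotten. The unchanged `TLS (Traefik)` row is also now the only origin TLS entry in this table; add a matching `TLS (APISIX)` row naming the `ApisixTls` object, since that is what serves the active path. The `ssl_id` and `route_id` values are repeated here and in the history file; keeping them in one place and linking to it avoids the two copies drifting apart.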