279 lines
6.3 KiB
YAML
279 lines
6.3 KiB
YAML
_format_version: '2.1'
|
|
_transform: true
|
|
|
|
###
|
|
### Consumers / Users
|
|
###
|
|
consumers:
|
|
- username: DASHBOARD
|
|
- username: anon
|
|
keyauth_credentials:
|
|
- key: $SUPABASE_ANON_KEY
|
|
- username: service_role
|
|
keyauth_credentials:
|
|
- key: $SUPABASE_SERVICE_KEY
|
|
|
|
###
|
|
### Access Control List
|
|
###
|
|
acls:
|
|
- consumer: anon
|
|
group: anon
|
|
- consumer: service_role
|
|
group: admin
|
|
|
|
###
|
|
### Dashboard credentials
|
|
###
|
|
basicauth_credentials:
|
|
- consumer: DASHBOARD
|
|
username: $DASHBOARD_USERNAME
|
|
password: $DASHBOARD_PASSWORD
|
|
|
|
###
|
|
### API Routes
|
|
###
|
|
services:
|
|
## Open Auth routes
|
|
- name: auth-v1-open
|
|
url: http://auth:9999/verify
|
|
routes:
|
|
- name: auth-v1-open
|
|
strip_path: true
|
|
paths:
|
|
- /auth/v1/verify
|
|
plugins:
|
|
- name: cors
|
|
- name: auth-v1-open-callback
|
|
url: http://auth:9999/callback
|
|
routes:
|
|
- name: auth-v1-open-callback
|
|
strip_path: true
|
|
paths:
|
|
- /auth/v1/callback
|
|
plugins:
|
|
- name: cors
|
|
- name: auth-v1-open-authorize
|
|
url: http://auth:9999/authorize
|
|
routes:
|
|
- name: auth-v1-open-authorize
|
|
strip_path: true
|
|
paths:
|
|
- /auth/v1/authorize
|
|
plugins:
|
|
- name: cors
|
|
|
|
## Secure Auth routes
|
|
- name: auth-v1
|
|
_comment: 'GoTrue: /auth/v1/* -> http://auth:9999/*'
|
|
url: http://auth:9999/
|
|
routes:
|
|
- name: auth-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /auth/v1/
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
- anon
|
|
|
|
## Secure REST routes
|
|
- name: rest-v1
|
|
_comment: 'PostgREST: /rest/v1/* -> http://rest:3000/*'
|
|
url: http://rest:3000/
|
|
routes:
|
|
- name: rest-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /rest/v1/
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: true
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
- anon
|
|
|
|
## Secure GraphQL routes
|
|
- name: graphql-v1
|
|
_comment: 'PostgREST: /graphql/v1/* -> http://rest:3000/rpc/graphql'
|
|
url: http://rest:3000/rpc/graphql
|
|
routes:
|
|
- name: graphql-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /graphql/v1
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: true
|
|
- name: request-transformer
|
|
config:
|
|
add:
|
|
headers:
|
|
- Content-Profile:graphql_public
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
- anon
|
|
|
|
## Secure Realtime routes
|
|
- name: realtime-v1-ws
|
|
_comment: 'Realtime: /realtime/v1/* -> ws://realtime:4000/socket/*'
|
|
url: http://realtime-dev.supabase-realtime:4000/socket
|
|
protocol: ws
|
|
routes:
|
|
- name: realtime-v1-ws
|
|
strip_path: true
|
|
paths:
|
|
- /realtime/v1/
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
- anon
|
|
- name: realtime-v1-rest
|
|
_comment: 'Realtime: /realtime/v1/* -> ws://realtime:4000/socket/*'
|
|
url: http://realtime-dev.supabase-realtime:4000/api
|
|
protocol: http
|
|
routes:
|
|
- name: realtime-v1-rest
|
|
strip_path: true
|
|
paths:
|
|
- /realtime/v1/api
|
|
plugins:
|
|
- name: cors
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
- anon
|
|
## Storage routes: the storage server manages its own auth
|
|
- name: storage-v1
|
|
_comment: 'Storage: /storage/v1/* -> http://storage:5000/*'
|
|
url: http://storage:5000/
|
|
routes:
|
|
- name: storage-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /storage/v1/
|
|
plugins:
|
|
- name: cors
|
|
|
|
## Edge Functions routes
|
|
- name: functions-v1
|
|
_comment: 'Edge Functions: /functions/v1/* -> http://functions:9000/*'
|
|
url: http://functions:9000/
|
|
routes:
|
|
- name: functions-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /functions/v1/
|
|
plugins:
|
|
- name: cors
|
|
|
|
## Analytics routes
|
|
- name: analytics-v1
|
|
_comment: 'Analytics: /analytics/v1/* -> http://logflare:4000/*'
|
|
url: http://analytics:4000/
|
|
routes:
|
|
- name: analytics-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /analytics/v1/
|
|
|
|
## Secure Database routes
|
|
- name: meta
|
|
_comment: 'pg-meta: /pg/* -> http://pg-meta:8080/*'
|
|
url: http://meta:8080/
|
|
routes:
|
|
- name: meta-all
|
|
strip_path: true
|
|
paths:
|
|
- /pg/
|
|
plugins:
|
|
- name: key-auth
|
|
config:
|
|
hide_credentials: false
|
|
- name: acl
|
|
config:
|
|
hide_groups_header: true
|
|
allow:
|
|
- admin
|
|
|
|
## MCP Server routes - Model Context Protocol for AI integrations
|
|
## Authentication is handled by the MCP server itself (JWT validation)
|
|
- name: mcp-v1
|
|
_comment: 'MCP Server: /mcp/v1/* -> http://mcp:3100/mcp'
|
|
url: http://mcp:3100
|
|
routes:
|
|
- name: mcp-v1-all
|
|
strip_path: true
|
|
paths:
|
|
- /mcp/v1/
|
|
plugins:
|
|
- name: request-transformer
|
|
config:
|
|
replace:
|
|
uri: /mcp
|
|
- name: cors
|
|
config:
|
|
origins:
|
|
- "http://localhost:3000"
|
|
- "http://127.0.0.1:3000"
|
|
- "http://192.168.0.94:50001"
|
|
methods:
|
|
- GET
|
|
- POST
|
|
- DELETE
|
|
- OPTIONS
|
|
headers:
|
|
- Accept
|
|
- Authorization
|
|
- Content-Type
|
|
- X-Client-Info
|
|
- apikey
|
|
- Mcp-Session-Id
|
|
exposed_headers:
|
|
- Mcp-Session-Id
|
|
credentials: true
|
|
max_age: 3600
|
|
|
|
## Protected Dashboard - catch all remaining routes
|
|
#- name: dashboard
|
|
# _comment: 'Studio: /* -> http://studio:3000/*'
|
|
# url: http://studio:3000/
|
|
# routes:
|
|
# - name: dashboard-all
|
|
# strip_path: true
|
|
# paths:
|
|
# - /
|
|
# plugins:
|
|
# - name: cors
|
|
# - name: basic-auth
|
|
# config:
|
|
# hide_credentials: true |