lcbp3/specs/08-infrastructure/แผนผัง Network.md
admin 9e8bd25e1d
260130:1446 Update Infrastructure
2026-01-30 14:46:06 +07:00
# 🗺️ Network Architecture & Container Services Diagram (LCBP3-DMS)
This document shows the network segmentation (VLANs), the firewall rules (ACLs) that connect them, and the roles of the two servers (QNAP: Application, ASUSTOR: Infrastructure).
---
## 1. Overview of Server Roles
| | QNAP TS-473A | ASUSTOR AS5403T |
| :---------------- | :----------------------------- | :------------------------------------ |
| Role | Application & Database | Infrastructure & Backup |
| Runs | ✔ Application runtime | ✔ File storage (NFS/SMB) |
| | ✔ API / Web (NestJS, Next.js) | ✔ Backup target (Restic/Borg) |
| | ✔ Database (MariaDB primary) | ✔ Docker infra (Registry, Portainer) |
| | ✔ High CPU / RAM usage | ✔ Monitoring (Prometheus, Grafana) |
| | ✔ Worker / Queue (Redis) | ✔ Log aggregation (Loki) |
| | ✔ API Gateway (NPM) | ✔ Uptime monitoring (Uptime Kuma) |
| Does not | ✖ Keep long-term backups | ✖ Run heavy application logic |
| Container manager | Container Station | Portainer |
| IP | 192.168.10.8 | 192.168.10.9 |
| Storage | 4TB×4 RAID5 + 1TB SSD | 6TB×3 RAID5 + 1TB SSD |
---
## 2. Data Flow Diagram
```mermaid
flowchart TB
subgraph Internet["🌐 Internet"]
User[("👤 User")]
end
subgraph QNAP["💾 QNAP TS-473A (App Server)"]
NPM["🔲 NPM<br/>(Reverse Proxy)"]
Frontend["📱 Next.js<br/>(Frontend)"]
Backend["⚙️ NestJS<br/>(Backend API)"]
DB["🗄️ MariaDB"]
Redis["📦 Redis"]
ES["🔍 Elasticsearch"]
end
subgraph ASUSTOR["💾 ASUSTOR AS5403T (Infra Server)"]
Portainer["🐳 Portainer"]
Registry["📦 Registry"]
Prometheus["📊 Prometheus"]
Grafana["📈 Grafana"]
Uptime["⏱️ Uptime Kuma"]
Backup["💾 Restic/Borg"]
NFS["📁 NFS Storage"]
end
User -->|HTTPS 443| NPM
NPM --> Frontend
NPM --> Backend
Frontend --> Backend
Backend --> DB
Backend --> Redis
Backend --> ES
DB -.->|Scheduled Backup| Backup
Backup --> NFS
Portainer -.->|Manage| QNAP
Prometheus -.->|Collect Metrics| Backend
Prometheus -.->|Collect Metrics| DB
Uptime -.->|Health Check| NPM
```
---
## 3. Docker Management View
```mermaid
flowchart TB
subgraph Portainer["🐳 Portainer (ASUSTOR - Central Management)"]
direction TB
subgraph LocalStack["📦 Local Infra Stack"]
Registry["Docker Registry"]
Prometheus["Prometheus"]
Grafana["Grafana"]
Uptime["Uptime Kuma"]
Backup["Restic/Borg"]
Loki["Loki (Logs)"]
ClamAV["ClamAV"]
end
subgraph RemoteStack["🔗 Remote: QNAP App Stack"]
Frontend["Next.js"]
Backend["NestJS"]
MariaDB["MariaDB"]
Redis["Redis"]
ES["Elasticsearch"]
NPM["NPM"]
Gitea["Gitea"]
N8N["n8n"]
PMA["phpMyAdmin"]
end
end
```
---
## 4. Security Zones Diagram
```mermaid
flowchart TB
subgraph PublicZone["🌐 PUBLIC ZONE"]
direction LR
NPM["NPM (Reverse Proxy)"]
SSL["SSL/TLS Termination"]
end
subgraph AppZone["📱 APPLICATION ZONE (QNAP)"]
direction LR
Frontend["Next.js"]
Backend["NestJS"]
N8N["n8n"]
Gitea["Gitea"]
end
subgraph DataZone["💾 DATA ZONE (QNAP - Internal Only)"]
direction LR
MariaDB["MariaDB"]
Redis["Redis"]
ES["Elasticsearch"]
end
subgraph InfraZone["🛠️ INFRASTRUCTURE ZONE (ASUSTOR)"]
direction LR
Backup["Backup Services"]
Registry["Docker Registry"]
Monitoring["Prometheus + Grafana"]
Logs["Loki / Syslog"]
end
PublicZone -->|HTTPS Only| AppZone
AppZone -->|Internal API| DataZone
DataZone -.->|Backup| InfraZone
AppZone -.->|Metrics| InfraZone
```
---
## 5. Network Connection Diagram (Network Flow)
```mermaid
graph TD
subgraph Flow1["External access (Public WAN)"]
User["External user (Internet)"]
end
end
subgraph Router["Router (ER7206) - Gateway"]
User -- "Port 80/443 (HTTPS/HTTP)" --> ER7206
ER7206["Port Forwarding<br/>TCP 80 → 192.168.10.8:80<br/>TCP 443 → 192.168.10.8:443"]
end
subgraph VLANs["Internal network (VLANs & Firewall Rules)"]
direction LR
subgraph VLAN10["VLAN 10: Servers<br/>192.168.10.x"]
QNAP["QNAP NAS<br/>(192.168.10.8)"]
ASUSTOR["ASUSTOR NAS<br/>(192.168.10.9)"]
end
subgraph VLAN20["VLAN 20: MGMT<br/>192.168.20.x"]
AdminPC["Admin PC / Switches"]
end
subgraph VLAN30["VLAN 30: USER<br/>192.168.30.x"]
OfficePC["Staff PCs / Wi-Fi"]
end
subgraph VLAN70["VLAN 70: GUEST<br/>192.168.70.x"]
GuestPC["Guest Wi-Fi"]
end
subgraph Firewall["Firewall ACLs (OC200/ER7206)"]
direction TB
rule1["Rule 1: DENY<br/>Guest (VLAN 70) → All VLANs"]
rule2["Rule 2: DENY<br/>Server (VLAN 10) → User (VLAN 30)"]
rule3["Rule 3: ALLOW<br/>User (VLAN 30) → QNAP<br/>Ports: 443, 80, 81, 2222 (see section 6)"]
rule4["Rule 4: ALLOW<br/>MGMT (VLAN 20) → All"]
end
GuestPC -.-x|rule1| QNAP
QNAP -.-x|rule2| OfficePC
OfficePC -- "rule3: https://lcbp3.np-dms.work" --> QNAP
AdminPC -->|rule4| QNAP
AdminPC -->|rule4| ASUSTOR
end
ER7206 --> QNAP
subgraph DockerQNAP["Docker 'lcbp3' (QNAP - Applications)"]
direction TB
subgraph PublicServices["Services exposed externally via NPM"]
direction LR
NPM["NPM (Nginx Proxy Manager)"]
FrontendC["frontend:3000"]
BackendC["backend:3000"]
GiteaC["gitea:3000"]
PMAC["pma:80"]
N8NC["n8n:5678"]
end
subgraph InternalServices["Internal Services (Backend Only)"]
direction LR
DBC["mariadb:3306"]
CacheC["cache:6379"]
SearchC["search:9200"]
end
NPM -- "lcbp3.np-dms.work" --> FrontendC
NPM -- "backend.np-dms.work" --> BackendC
NPM -- "git.np-dms.work" --> GiteaC
NPM -- "pma.np-dms.work" --> PMAC
NPM -- "n8n.np-dms.work" --> N8NC
BackendC -- "lcbp3 Network" --> DBC
BackendC -- "lcbp3 Network" --> CacheC
BackendC -- "lcbp3 Network" --> SearchC
end
subgraph DockerASUSTOR["Docker 'lcbp3' (ASUSTOR - Infrastructure)"]
direction TB
subgraph InfraServices["Infrastructure Services"]
direction LR
PortainerC["portainer:9443"]
RegistryC["registry:5000"]
PrometheusC["prometheus:9090"]
GrafanaC["grafana:3000"]
UptimeC["uptime-kuma:3001"]
end
subgraph BackupServices["Backup & Storage"]
direction LR
ResticC["restic/borg"]
NFSC["NFS Share"]
end
PortainerC -.->|"Remote Endpoint"| QNAP
PrometheusC -.->|"Scrape Metrics"| BackendC
ResticC --> NFSC
end
QNAP --> NPM
ASUSTOR --> PortainerC
DBC -.->|"Scheduled Backup"| ResticC
```
---
## 6. Firewall ACL Summary (for Omada OC200)
These are the rules to create under **Settings > Network Security > ACL**, listed in the order they are evaluated (top to bottom, first match wins):
| # | Name | Policy | Source | Destination | Ports |
| :---- | :--------------------- | :-------- | :---------------- | :------------------------ | :----------------------------------- |
| **1** | Isolate-Guests | **Deny** | Network → VLAN 70 | Network → VLAN 10, 20, 30 | All |
| **2** | Isolate-Servers | **Deny** | Network → VLAN 10 | Network → VLAN 30 (USER) | All |
| **3** | Block-User-to-Mgmt | **Deny** | Network → VLAN 30 | Network → VLAN 20 (MGMT) | All |
| **4** | Allow-User-to-Services | **Allow** | Network → VLAN 30 | IP → QNAP (192.168.10.8) | Port Group → Web (443, 80, 81, 2222) |
| **5** | Allow-MGMT-to-All | **Allow** | Network → VLAN 20 | Any | All |
| **6** | Allow-Server-Internal | **Allow** | IP → 192.168.10.8 | IP → 192.168.10.9 | All (QNAP ↔ ASUSTOR) |
| **7** | (Default) | Deny | Any | Any | All |
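A first-match dry run of the table above, evaluated against the flows the other sections rely on. This is an added example, not part of the spec or the Omada configuration: it encodes the seven rules exactly as listed, assumes TCP and stateless evaluation (each packet judged only by source, destination and port), and the client addresses in the sample flows are constructed.

```python
"""First-match simulation of the section 6 ACL table (added example, not the spec's code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

VLAN = {
    10: ip_network("192.168.10.0/24"),   # Servers
    20: ip_network("192.168.20.0/24"),   # MGMT
    30: ip_network("192.168.30.0/24"),   # USER
    70: ip_network("192.168.70.0/24"),   # GUEST
}
ANY = ip_network("0.0.0.0/0")
QNAP = ip_network("192.168.10.8/32")
ASUSTOR = ip_network("192.168.10.9/32")


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str                        # "allow" | "deny"
    src: tuple[IPv4Network, ...]
    dst: tuple[IPv4Network, ...]
    ports: Optional[frozenset[int]]    # None = all ports


# The table from section 6, top to bottom.
RULES = (
    Rule("Isolate-Guests", "deny", (VLAN[70],), (VLAN[10], VLAN[20], VLAN[30]), None),
    Rule("Isolate-Servers", "deny", (VLAN[10],), (VLAN[30],), None),
    Rule("Block-User-to-Mgmt", "deny", (VLAN[30],), (VLAN[20],), None),
    Rule("Allow-User-to-Services", "allow", (VLAN[30],), (QNAP,), frozenset({443, 80, 81, 2222})),
    Rule("Allow-MGMT-to-All", "allow", (VLAN[20],), (ANY,), None),
    Rule("Allow-Server-Internal", "allow", (QNAP,), (ASUSTOR,), None),
    Rule("Default", "deny", (ANY,), (ANY,), None),
)


def evaluate(src: str, dst: str, port: int) -> tuple[str, str]:
    """Return (policy, rule name) of the first rule that matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if (any(s in n for n in rule.src)
                and any(d in n for n in rule.dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.policy, rule.name
    raise RuntimeError("unreachable: the Default rule matches everything")


# Flows taken from sections 2, 5 and 8; the client addresses are constructed.
FLOWS = {
    "guest -> QNAP https":          ("192.168.70.23", "192.168.10.8", 443),
    "staff -> lcbp3.np-dms.work":   ("192.168.30.41", "192.168.10.8", 443),
    "staff -> MariaDB directly":    ("192.168.30.41", "192.168.10.8", 3306),
    "staff -> grafana on ASUSTOR":  ("192.168.30.41", "192.168.10.9", 3000),
    "staff -> switch mgmt":         ("192.168.30.41", "192.168.20.2", 443),
    "admin -> Portainer":           ("192.168.20.10", "192.168.10.9", 9443),
    "QNAP -> staff PC":             ("192.168.10.8", "192.168.30.41", 445),
    "QNAP -> registry push":        ("192.168.10.8", "192.168.10.9", 5000),
    "Prometheus scrape -> backend": ("192.168.10.9", "192.168.10.8", 3000),
}


def audit() -> dict[str, tuple[str, str]]:
    """Evaluate every sample flow; shows which of the designed flows the table actually permits."""
    return {label: evaluate(*flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, (policy, rule) in audit().items():
        print(f"{policy.upper():5} {label:30} ({rule})")
```

Running it surfaces four things worth checking before the rules go live. Rule 6 is one-directional (source 192.168.10.8, destination 192.168.10.9), so anything the ASUSTOR initiates toward the QNAP, such as the Prometheus scrape in section 2 or Portainer managing the QNAP stack, matches only rule 7; whether that actually drops traffic depends on where the rules are applied, because Omada gateway ACLs are stateful and do not see same-subnet traffic between the two NAS at all, whereas switch ACLs are stateless and would enforce it, so either add the reverse rule or make rule 6 bidirectional. On a stateless switch ACL, rule 2 also matches the reply packets of the sessions rule 4 allows. Staff cannot reach Grafana, Portainer or Uptime Kuma on the ASUSTOR directly, so the ASUSTOR host names in section 8 must be proxied by NPM on the QNAP (or resolve to it) rather than widening rule 4. Finally, rule 4 lets the whole user VLAN reach port 81, the NPM admin UI listed in section 8; restricting 81 to VLAN 20 costs nothing since rule 5 already covers it.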
---
## 7. Port Forwarding Summary (for Omada ER7206)
These are the rules to create under **Settings > Transmission > Port Forwarding**:
| Name | External Port | Internal IP | Internal Port | Protocol |
| :-------------- | :------------ | :----------- | :------------ | :------- |
| Allow-NPM-HTTPS | 443 | 192.168.10.8 | 443 | TCP |
| Allow-NPM-HTTP | 80 | 192.168.10.8 | 80 | TCP |
> **Note**: Port forwarding targets the QNAP (NPM) only; the ASUSTOR must not accept any traffic from outside. Port 80 should carry nothing but the redirect to HTTPS (and ACME HTTP-01 challenges, if NPM obtains its certificates that way); every host name in section 8 should be served on 443 only.
---
## 8. Container Service Distribution
### QNAP (192.168.10.8) - Application Services
| Container | Port | Domain | Network |
| :------------ | :--- | :------------------ | :------ |
| npm | 81 | npm.np-dms.work | lcbp3 |
| frontend | 3000 | lcbp3.np-dms.work | lcbp3 |
| backend | 3000 | backend.np-dms.work | lcbp3 |
| mariadb | 3306 | (internal) | lcbp3 |
| cache (redis) | 6379 | (internal) | lcbp3 |
| search (es) | 9200 | (internal) | lcbp3 |
| gitea | 3000 | git.np-dms.work | lcbp3 |
| n8n | 5678 | n8n.np-dms.work | lcbp3 |
| pma | 80 | pma.np-dms.work | lcbp3 |
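The Application/Data zone split of section 4, applied to the QNAP `lcbp3` stack in the table above. This is an added example, not the project's compose file: the image tags, volume names, secret path and environment variable names are assumptions; the service names, ports and host names are the ones the table lists.

```yaml
# Added example (not the project's compose file): QNAP "lcbp3" stack laid out so
# that the Data zone has no path from NPM. Image tags, volumes, the secret file
# and the DB_/REDIS_/ES_ environment variable names are placeholders.
networks:
  lcbp3:                         # Application zone: the only network NPM is attached to
  lcbp3-data:                    # Data zone: nothing published, NPM not attached
    internal: true               # also blocks outbound traffic from this network

services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    networks: [lcbp3]
    ports:
      - "80:80"                  # the two ports the ER7206 forwards (section 7)
      - "443:443"
      - "81:81"                  # admin UI; ACL rule 4 currently lets VLAN 30 reach it
    volumes:
      - npm-data:/data
      - npm-letsencrypt:/etc/letsencrypt

  frontend:
    image: registry.np-dms.work/lcbp3/frontend:latest   # pulled from the ASUSTOR registry
    networks: [lcbp3]            # NPM proxies lcbp3.np-dms.work -> frontend:3000

  backend:
    image: registry.np-dms.work/lcbp3/backend:latest
    networks: [lcbp3, lcbp3-data]   # the one service that bridges both zones
    environment:
      DB_HOST: mariadb           # these names resolve on lcbp3-data only
      REDIS_HOST: cache
      ES_HOST: search

  mariadb:
    image: mariadb:11
    networks: [lcbp3-data]       # 3306 is never published on 192.168.10.8
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root
    secrets: [db_root]
    volumes:
      - mariadb-data:/var/lib/mysql

  cache:
    image: redis:7
    command: ["redis-server", "--appendonly", "yes"]   # AOF on, as the backup flow in section 9 expects
    networks: [lcbp3-data]

  search:
    image: elasticsearch:8.17.0  # tag is a placeholder; credentials omitted here
    environment:
      discovery.type: single-node
    networks: [lcbp3-data]

  pma:
    image: phpmyadmin:latest
    environment:
      PMA_HOST: mariadb
    networks: [lcbp3, lcbp3-data]   # admin tool that also bridges both zones

secrets:
  db_root:
    file: ./secrets/db_root.txt  # placeholder path, never committed

volumes:
  npm-data:
  npm-letsencrypt:
  mariadb-data:
```

Gitea and n8n attach to `lcbp3` like `frontend`. The point of `lcbp3-data` is that `mariadb:3306`, `cache:6379` and `search:9200` have no `ports:` entry and are not on any network NPM can see, so a misconfigured proxy host cannot expose them. `pma` is the exception that has to bridge both zones: because it is published through the same public NPM as the application (`pma.np-dms.work`), give that proxy host an NPM Access List limited to the management subnet (192.168.20.0/24) rather than leaving phpMyAdmin reachable from the Internet behind nothing but its login form.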
### ASUSTOR (192.168.10.9) - Infrastructure Services
| Container | Port | Domain | Network |
| :------------ | :--- | :--------------------- | :------ |
| portainer | 9443 | portainer.np-dms.work | lcbp3 |
| prometheus | 9090 | prometheus.np-dms.work | lcbp3 |
| grafana | 3000 | grafana.np-dms.work | lcbp3 |
| uptime-kuma | 3001 | uptime.np-dms.work | lcbp3 |
| registry | 5000 | registry.np-dms.work | lcbp3 |
| node-exporter | 9100 | (internal) | lcbp3 |
| cadvisor | 8080 | (internal) | lcbp3 |
| loki | 3100 | (internal) | lcbp3 |
| restic/borg | N/A | (scheduled job) | host |
---
## 9. Backup Flow
| Source (QNAP) | Schedule | Target (ASUSTOR) |
| :-------------------- | :------------------- | :---------------------------------------- |
| MariaDB (mysqldump) | Daily, 02:00 | `/volume1/backup/db/` (Restic repository) |
| Redis RDB + AOF | Daily, 03:00 | `/volume1/backup/redis/` |
| App config + volumes | Weekly, Sunday 04:00 | `/volume1/backup/config/` |

Retention policy:
- Daily: 7 days
- Weekly: 4 weeks
- Monthly: 6 months
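A dry run of the retention policy above, modelling how `restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6` selects snapshots (the newest snapshot in each of the most recent calendar days, ISO weeks and months that actually contain one, unioned across the three policies). This is an added example, not the project's backup script; the snapshot timestamps are constructed as one 02:00 MariaDB dump per night.

```python
"""Dry run of the section 9 retention policy (added example, not the project's script)."""
from __future__ import annotations

from datetime import date, datetime, timedelta
from typing import Callable, Hashable, Iterable

KEEP_DAILY, KEEP_WEEKLY, KEEP_MONTHLY = 7, 4, 6      # section 9 retention policy


def _newest_per_period(snapshots: Iterable[datetime],
                       period: Callable[[datetime], Hashable],
                       limit: int) -> set[datetime]:
    """Walk newest to oldest; keep the first snapshot seen in each of the `limit` most recent periods."""
    kept: set[datetime] = set()
    seen: list[Hashable] = []
    for ts in sorted(snapshots, reverse=True):
        key = period(ts)
        if key in seen:
            continue                 # older snapshot of a period already represented
        if len(seen) == limit:
            break                    # this policy has collected enough periods
        seen.append(key)
        kept.add(ts)
    return kept


def apply_policy(snapshots: Iterable[datetime]) -> tuple[list[datetime], list[datetime]]:
    """Return (keep, forget): a snapshot survives if any of the three policies keeps it."""
    snaps = set(snapshots)
    keep = (
        _newest_per_period(snaps, lambda t: t.date(), KEEP_DAILY)
        | _newest_per_period(snaps, lambda t: t.isocalendar()[:2], KEEP_WEEKLY)   # (ISO year, ISO week)
        | _newest_per_period(snaps, lambda t: (t.year, t.month), KEEP_MONTHLY)
    )
    return sorted(keep), sorted(snaps - keep)


def nightly_dumps(first: date, last: date, hour: int = 2) -> list[datetime]:
    """Constructed sample input: one snapshot per night at hour:00, first..last inclusive."""
    day, out = first, []
    while day <= last:
        out.append(datetime(day.year, day.month, day.day, hour))
        day += timedelta(days=1)
    return out


def dry_run(first: str, last: str) -> tuple[list[str], int]:
    """Nightly dumps between two ISO dates: the dates kept, and how many snapshots would be forgotten."""
    keep, forget = apply_policy(nightly_dumps(date.fromisoformat(first), date.fromisoformat(last)))
    return [ts.date().isoformat() for ts in keep], len(forget)


if __name__ == "__main__":
    kept, forgotten = dry_run("2025-08-01", "2026-01-30")
    print(f"{len(kept)} kept, {forgotten} forgotten")
    for day in kept:
        print("keep", day)
```

After six months of nightly dumps the repository holds 14 MariaDB snapshots, not 183: the last seven nights, the end of the two earlier ISO weeks, and the last dump of each of the six months. On the ASUSTOR the equivalent is `restic forget --tag db --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune`, run once per job tag; run it with `--dry-run` first and compare against this model before the first prune. Two checks the table does not state but a restore depends on: take the dump with `mysqldump --single-transaction` so the InnoDB snapshot is consistent, and restore one monthly snapshot into a scratch database on a schedule, since a retention policy only proves that files exist.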
---
> 📝 **Note**: This document is based on Architecture Document **v1.8.0** - Last updated: 2026-01-28