Reverse proxy: Difference between revisions

From Wildsong
Jump to navigationJump to search
Brian Wilson (talk | contribs)
mNo edit summary
Brian Wilson (talk | contribs)
mNo edit summary
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
Bellman runs a plain old web server with Let's Encrypt certificates.
Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates
I have not gotten the automated renewal to work but this works:


sudo -s
2021-05-31
certbot certonly --cert-name bellman.wildsong.biz
I used jwilder's nginx reverse proxy for several years but I am trying swag now.
certbot certonly --cert-name owncloud.wildsong.biz
certbot certonly --cert-name maps.wildsong.biz
certbot certonly --cert-name map46.com


Actually today it's not working because my server is not reachable from outside now. Grr.
== The current set up ==


I used the option "1: Place files in webroot directory (webroot)".
Read all about it! https://github.com/linuxserver/docker-swag/blob/master/README.md
It prompts for webroot which of course is /var/www/'''hostname'''/html.


Each server listens on ports 80 and 443, and redirects all traffic from port 80 to port 443 via a thing like this
# cd docker/swag
# Add a file to config/nginx/proxy-confs (cp psono.conf newserver.conf; emacs newserver.conf)
# Restart the docker. docker-compose restart
# Start the client docker.


    # Jump over to the HTTPS server if we're not there already.
* You no longer have to do anything special to the client like add VIRTUAL_HOST environment settings.
    if ($scheme != "https") {
* You no longer need a separate ssl certificate for each client.
        return 301 https://$host$request_uri;
    } # managed by Certbot


== 2019-02-14 ==
== The old set up ==


Today I did it with method 2, method 1 fails and I have lost patience.
2019-04-01 added HTTPS support.  


First do "certbot certificates" to see what needs renewal.  
This page is about my Docker proxy set up.


<pre>
See details in Bellman source/docker/proxy and in github, https://github.com/brian32768/docker-proxy
root@bellman:/etc/nginx/sites-available# systemctl stop nginx
root@bellman:/etc/nginx/sites-available# certbot certonly --cert-name owncloud.wildsong.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log


How would you like to authenticate with the ACME CA?
There are currently 3 services,
-------------------------------------------------------------------------------
# the reverse proxy
1: Place files in webroot directory (webroot)
# the certificate manager
2: Spin up a temporary webserver (standalone)
# the static content web server
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for owncloud.wildsong.biz
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem


IMPORTANT NOTES:
== Basics ==
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/owncloud.wildsong.biz/fullchain.pem. Your
  cert will expire on 2019-05-15. To obtain a new or tweaked version
  of this certificate in the future, simply run certbot again. To
  non-interactively renew *all* of your certificates, run "certbot
  renew"
- If you like Certbot, please consider supporting our work by:


  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
=== Reverse proxy ===
  Donating to EFF:                    https://eff.org/donate-le
</pre>


== Dockerized! ==
I use [https://github.com/jwilder/nginx-proxy jwilder/nginx-proxy] image. It does a transparent reverse proxy thing
where it watches containers start and stop and adds and removes proxies on the fly.


For a plain old web server, I am using richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/
I address the CORS issues with extra setup files.
It supports PHP. If I start it up like this
and go to the page at http://bellman.wildsong.biz I see its PHP info.  


You can add all the environment settings to have it pull code from github
https://github.com/jwilder/nginx-proxy/issues/804


docker run -d --dns=192.168.123.2 --name=web \
=== Let's Encrypt certificates ===
 
I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion
I start it in the docker-compose.yml; I used to do it manually.
 
=== Web content ===
 
I run a plain official nginx image to serve static HTML content.
The compose file mounts the local static_content folder.
 
When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/
You can add also add environment settings to have it pull code from github instead of using the volume mentioned above.
This would make deployment somewhere else easy.
 
docker run -d --name=web \
  -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
  -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
  -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
  -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
Line 74: Line 61:
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,


  -e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
  -e "WEBROOT=/var/www/htdocs" -v ./static_content:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
 
== Further adventures ==
 
I have been using a new domain name everytime I want to set up a new service, so for example,
if I want to set up wiki then I create a domain wiki.wildsong.biz and put it in a container
settings and nginx-proxy and letsencrypt handle it all from there.


Then I can tell it I want HTTPS,
I also need to be able to put several services behind one domain name, for example, I'd like
docker exec -t web /usr/bin/letsencrypt-setup
to use bellman.wildsong.biz as the front door and put the wiki at bellman.wildsong.biz.


== uWSGI ==
== uWSGI ==
Line 108: Line 101:


I changed nginx to work with it.
I changed nginx to work with it.
== Building Nginx for Owncloud and Windows ==
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a '''FAIL'''.
# I cannot convince Windows to store a self-signed certificate.
# I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
See https://moblog.wiredwings.com/archives/20110406/webdav-windows-7-and-self-signed-certificates-howto.html
and https://www.nginx.com/resources/wiki/modules/auth_digest/
git clone https://github.com/samizdatco/nginx-http-auth-digest.git
cd nginx-1*
./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error
make
sudo make install

Latest revision as of 06:22, 1 June 2021

Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates

2021-05-31 I used jwilder's nginx reverse proxy for several years but I am trying swag now.

The current set up

Read all about it! https://github.com/linuxserver/docker-swag/blob/master/README.md

  1. cd docker/swag
  2. Add a file to config/nginx/proxy-confs (cp psono.conf newserver.conf; emacs newserver.conf)
  3. Restart the docker. docker-compose restart
  4. Start the client docker.
  • You no longer have to do anything special to the client like add VIRTUAL_HOST environment settings.
  • You no longer need a separate ssl certificate for each client.

The old set up

2019-04-01 added HTTPS support.

This page is about my Docker proxy set up.

See details in Bellman source/docker/proxy and in github, https://github.com/brian32768/docker-proxy

There are currently 3 services,

  1. the reverse proxy
  2. the certificate manager
  3. the static content web server

Basics

Reverse proxy

I use jwilder/nginx-proxy image. It does a transparent reverse proxy thing where it watches containers start and stop and adds and removes proxies on the fly.

I address the CORS issues with extra setup files.

https://github.com/jwilder/nginx-proxy/issues/804

Let's Encrypt certificates

I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion I start it in the docker-compose.yml; I used to do it manually.

Web content

I run a plain official nginx image to serve static HTML content. The compose file mounts the local static_content folder.

When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. This would make deployment somewhere else easy.

docker run -d --name=web \
-e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
-e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
richarvey/nginx-php-fpm:latest

Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,

-e "WEBROOT=/var/www/htdocs" -v ./static_content:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \

Further adventures

I have been using a new domain name everytime I want to set up a new service, so for example, if I want to set up wiki then I create a domain wiki.wildsong.biz and put it in a container settings and nginx-proxy and letsencrypt handle it all from there.

I also need to be able to put several services behind one domain name, for example, I'd like to use bellman.wildsong.biz as the front door and put the wiki at bellman.wildsong.biz.

uWSGI

uWSGI lets me deploy flask applications without having to run the built in server.

This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/

and this: http://uwsgi-docs.readthedocs.io

apt-get install uwsgi uwsgi-plugin-python

In the virtualenv environment install uwsgi

source venv/bin/activate
pip install uwsgi

You can run from command line to test it

uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py 

and this should work: http://192.168.1.2:5001/home/

Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.

/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh

I changed nginx to work with it.