Reverse proxy: Difference between revisions

From Wildsong
Jump to navigationJump to search
← Older edit
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,471 edits
mNo edit summary
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,471 edits
mNo edit summary
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates in front of a Dockerized nginx web server.
Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates


2021-05-31
I used jwilder's nginx reverse proxy for several years but I am trying swag now.


== Dockerized! ==
== The current set up ==


See details in Bellman source/docker/docker-proxy and [https://github.com/brian32768/docker-proxy]
Read all about it! https://github.com/linuxserver/docker-swag/blob/master/README.md
 
# cd docker/swag
# Add a file to config/nginx/proxy-confs (cp psono.conf newserver.conf; emacs newserver.conf)
# Restart the docker. docker-compose restart
# Start the client docker.
 
* You no longer have to do anything special to the client like add VIRTUAL_HOST environment settings.
* You no longer need a separate ssl certificate for each client.
 
== The old set up ==


2019-04-01 added HTTPS support.  
2019-04-01 added HTTPS support.  
This page is about my Docker proxy set up.
See details in Bellman source/docker/proxy and in github, https://github.com/brian32768/docker-proxy
There are currently 3 services,
# the reverse proxy
# the certificate manager
# the static content web server
== Basics ==


=== Reverse proxy ===
=== Reverse proxy ===
Line 17: Line 40:
https://github.com/jwilder/nginx-proxy/issues/804
https://github.com/jwilder/nginx-proxy/issues/804


=== Let's Encrypt certificate renewal ===
=== Let's Encrypt certificates ===
 
To renew certifcates, stop the nginx proxy, run the certbot, and then restart the proxy.
 
<pre>
#Get a report on what certs need renewal
sudo certbot certificates
cd ~?source/docker/docker-proxy
docker-compose down
sudo -s
certbot certonly --cert-name bellman.wildsong.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bellman.wildsong.biz
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem
 
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/bellman.wildsong.biz/fullchain.pem. Your
  cert will expire on 2019-05-15. To obtain a new or tweaked version
  of this certificate in the future, simply run certbot again. To
  non-interactively renew *all* of your certificates, run "certbot
  renew"
- If you like Certbot, please consider supporting our work by:


  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion
  Donating to EFF:                    https://eff.org/donate-le
I start it in the docker-compose.yml; I used to do it manually.
</pre>


=== Web content ===
=== Web content ===


Currently I don't care about PHP at all so I run a plain official nginx image to service HTML content.
I run a plain official nginx image to serve static HTML content.
I mount /var/www/html so that the container can see my old undockerized content.
The compose file mounts the local static_content folder.


When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/
When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/
Line 67: Line 54:
This would make deployment somewhere else easy.
This would make deployment somewhere else easy.


  docker run -d --dns=192.168.123.2 --name=web \
  docker run -d --name=web \
  -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
  -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
  -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
  -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
Line 74: Line 61:
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,


  -e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
  -e "WEBROOT=/var/www/htdocs" -v ./static_content:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
 
== Further adventures ==


Then I can tell it I want HTTPS,
I have been using a new domain name everytime I want to set up a new service, so for example,
docker exec -t web /usr/bin/letsencrypt-setup
if I want to set up wiki then I create a domain wiki.wildsong.biz and put it in a container
settings and nginx-proxy and letsencrypt handle it all from there.
 
I also need to be able to put several services behind one domain name, for example, I'd like
to use bellman.wildsong.biz as the front door and put the wiki at bellman.wildsong.biz.


== uWSGI ==
== uWSGI ==
Line 108: Line 101:


I changed nginx to work with it.
I changed nginx to work with it.
== Building Nginx for Owncloud and Windows ==
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a '''FAIL'''.
# I cannot convince Windows to store a self-signed certificate.
# I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
See https://moblog.wiredwings.com/archives/20110406/webdav-windows-7-and-self-signed-certificates-howto.html
and https://www.nginx.com/resources/wiki/modules/auth_digest/
git clone https://github.com/samizdatco/nginx-http-auth-digest.git
cd nginx-1*
./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error
make
sudo make install

Latest revision as of 06:22, 1 June 2021

Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates

2021-05-31 I used jwilder's nginx reverse proxy for several years but I am trying swag now.

The current set up

Read all about it! https://github.com/linuxserver/docker-swag/blob/master/README.md

  1. cd docker/swag
  2. Add a file to config/nginx/proxy-confs (cp psono.conf newserver.conf; emacs newserver.conf)
  3. Restart the docker. docker-compose restart
  4. Start the client docker.
  • You no longer have to do anything special to the client like add VIRTUAL_HOST environment settings.
  • You no longer need a separate ssl certificate for each client.

The old set up

2019-04-01 added HTTPS support.

This page is about my Docker proxy set up.

See details in Bellman source/docker/proxy and in github, https://github.com/brian32768/docker-proxy

There are currently 3 services,

  1. the reverse proxy
  2. the certificate manager
  3. the static content web server

Basics

Reverse proxy

I use jwilder/nginx-proxy image. It does a transparent reverse proxy thing where it watches containers start and stop and adds and removes proxies on the fly.

I address the CORS issues with extra setup files.

https://github.com/jwilder/nginx-proxy/issues/804

Let's Encrypt certificates

I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion I start it in the docker-compose.yml; I used to do it manually.

Web content

I run a plain official nginx image to serve static HTML content. The compose file mounts the local static_content folder.

When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. This would make deployment somewhere else easy. 

docker run -d --name=web \
-e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
-e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
richarvey/nginx-php-fpm:latest

Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above, 

-e "WEBROOT=/var/www/htdocs" -v ./static_content:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \

Further adventures

I have been using a new domain name everytime I want to set up a new service, so for example, if I want to set up wiki then I create a domain wiki.wildsong.biz and put it in a container settings and nginx-proxy and letsencrypt handle it all from there.

I also need to be able to put several services behind one domain name, for example, I'd like to use bellman.wildsong.biz as the front door and put the wiki at bellman.wildsong.biz.

uWSGI

uWSGI lets me deploy flask applications without having to run the built in server.

This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/

and this: http://uwsgi-docs.readthedocs.io 

apt-get install uwsgi uwsgi-plugin-python

In the virtualenv environment install uwsgi 

source venv/bin/activate
pip install uwsgi

You can run from command line to test it 

uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py

and this should work: http://192.168.1.2:5001/home/

Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.

/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh

I changed nginx to work with it.

Retrieved from "https://wiki.wildsong.biz//index.php?title=Reverse_proxy&oldid=12793"