Reverse proxy: Difference between revisions
Revision as of 18:07, 1 April 2019
Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates in front of a Dockerized nginx web server.
Dockerized!
See details in Bellman source/docker/docker-proxy and https://github.com/brian32768/docker-proxy
2019-04-01 added HTTPS support.
Reverse proxy
I use the jwilder/nginx-proxy image (https://github.com/jwilder/nginx-proxy). It acts as a transparent reverse proxy: it watches containers start and stop and adds and removes proxy entries on the fly.
I address the CORS issues with extra setup files; see https://github.com/jwilder/nginx-proxy/issues/804
Let's Encrypt certificate renewal
To renew certificates, stop the nginx proxy, run certbot, and then restart the proxy.
<pre>
# Get a report on what certs need renewal
sudo certbot certificates
cd ~/source/docker/docker-proxy
docker-compose down
sudo -s
certbot certonly --cert-name bellman.wildsong.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bellman.wildsong.biz
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bellman.wildsong.biz/fullchain.pem. Your
   cert will expire on 2019-05-15. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
</pre>
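The stop / certbot / restart sequence above as a single script, added here as an example (not from the wiki or the docker-proxy repo): it picks the standalone challenge non-interactively and uses a trap so the proxy is brought back up even when certbot fails, so a failed renewal does not leave the site dark. The default path under ~/source and the `COMPOSE`/`CERTBOT` variables are assumptions; `ss` and `docker-compose` are assumed to be on the host.

```shell
#!/bin/sh
# Added example, not from the wiki page: the manual renewal steps as one
# script that always brings the proxy back up, even when certbot fails.
# Assumptions: the compose project is in $PROXY_DIR (default is a guess at
# the page's ~/source path), certbot is installed, nothing else needs :80.
set -e

PROXY_DIR="${PROXY_DIR:-${HOME:-/root}/source/docker/docker-proxy}"
CERT_NAME="${CERT_NAME:-bellman.wildsong.biz}"
# The two external commands are variables so a test can stub them out.
COMPOSE="${COMPOSE:-docker-compose}"
CERTBOT="${CERTBOT:-certbot}"

# The standalone http-01 challenge binds port 80 itself, so it must be free
# once the proxy container is down (ss is from iproute2).
port80_busy() {
    ss -Hltn 2>/dev/null | awk '{ print $4 }' | grep -q ':80$'
}

renew_cert() {
    cd "$PROXY_DIR"
    $COMPOSE down
    # From here on, restart the proxy however we leave (success or error).
    trap '$COMPOSE up -d' EXIT
    if port80_busy; then
        echo "renew_cert: something is still listening on :80, aborting" >&2
        return 1
    fi
    # --standalone is option 2 from the interactive prompt in the transcript;
    # --non-interactive makes certbot exit on a question instead of hanging.
    $CERTBOT certonly --standalone --non-interactive --cert-name "$CERT_NAME"
}

# Run the renewal only when invoked as: sh renew-proxy-cert.sh run
case "${1:-}" in
    run) renew_cert ;;
esac
```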
Web content
Currently I don't care about PHP at all, so I run a plain official nginx image to serve HTML content. I mount /var/www/html so that the container can see my old undockerized content.
When I need PHP I use richarvey's nginx; see https://hub.docker.com/r/richarvey/nginx-php-fpm/. You can also add environment settings to have it pull code from GitHub instead of using the volume mentioned above, which would make deployment somewhere else easy.
<pre>
docker run -d --dns=192.168.123.2 --name=web \
  -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
  -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
  richarvey/nginx-php-fpm:latest
</pre>
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
-e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
Then I can tell it I want HTTPS,
docker exec -t web /usr/bin/letsencrypt-setup
uWSGI
uWSGI lets me deploy Flask applications without having to run the built-in development server.
This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/
and this: http://uwsgi-docs.readthedocs.io
apt-get install uwsgi uwsgi-plugin-python
Inside the virtualenv, install uwsgi:
<pre>
source venv/bin/activate
pip install uwsgi
</pre>
You can run it from the command line to test it:
uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py
and this should work: http://192.168.1.2:5001/home/
Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.
/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh
I changed nginx to work with it.
Building Nginx for Owncloud and Windows
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a FAIL.
- I cannot convince Windows to store a self-signed certificate.
- I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
See https://www.nginx.com/resources/wiki/modules/auth_digest/
<pre>
git clone https://github.com/samizdatco/nginx-http-auth-digest.git
cd nginx-1*
./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error
make
sudo make install
</pre>