Reverse proxy: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) |
||
| Line 61: | Line 61: | ||
== Dockerized! == | == Dockerized! == | ||
=== Reverse proxy === | |||
You can add | I use [https://github.com/jwilder/nginx-proxy jwilder/nginx-proxy] image. It does a transparent reverse proxy thing | ||
where it watches containers start and stop and adds and removes proxies on the fly. | |||
I address the CORS issues with extra setup files. | |||
https://github.com/jwilder/nginx-proxy/issues/804 | |||
=== Web content === | |||
Currently I don't care about PHP at all so I run a plain official nginx image to service HTML content. | |||
I mount /var/www/html so that the container can see my old undockerized content. | |||
When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ | |||
You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. | |||
This would make deployment somewhere else easy. | |||
docker run -d --dns=192.168.123.2 --name=web \ | docker run -d --dns=192.168.123.2 --name=web \ | ||
Revision as of 17:02, 1 April 2019
Bellman runs a plain old web server with Let's Encrypt certificates. I have not gotten the automated renewal to work but this works:
sudo -s certbot certonly --cert-name bellman.wildsong.biz certbot certonly --cert-name owncloud.wildsong.biz certbot certonly --cert-name maps.wildsong.biz certbot certonly --cert-name map46.com
Actually today it's not working because my server is not reachable from outside now. Grr.
I used the option "1: Place files in webroot directory (webroot)". It prompts for webroot which of course is /var/www/hostname/html.
Each server listens on ports 80 and 443, and redirects all traffic from port 80 to port 443 via a thing like this
# Jump over to the HTTPS server if we're not there already.
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
2019-02-14
Today I did it with method 2, method 1 fails and I have lost patience.
First do "certbot certificates" to see what needs renewal.
root@bellman:/etc/nginx/sites-available# systemctl stop nginx root@bellman:/etc/nginx/sites-available# certbot certonly --cert-name owncloud.wildsong.biz Saving debug log to /var/log/letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? ------------------------------------------------------------------------------- 1: Place files in webroot directory (webroot) 2: Spin up a temporary webserver (standalone) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: http-01 challenge for owncloud.wildsong.biz Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/owncloud.wildsong.biz/fullchain.pem. Your cert will expire on 2019-05-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Dockerized!
Reverse proxy
I use jwilder/nginx-proxy image. It does a transparent reverse proxy thing where it watches containers start and stop and adds and removes proxies on the fly.
I address the CORS issues with extra setup files.
https://github.com/jwilder/nginx-proxy/issues/804
Web content
Currently I don't care about PHP at all so I run a plain official nginx image to service HTML content. I mount /var/www/html so that the container can see my old undockerized content.
When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. This would make deployment somewhere else easy.
docker run -d --dns=192.168.123.2 --name=web \ -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \ -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \ richarvey/nginx-php-fpm:latest
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
-e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
Then I can tell it I want HTTPS,
docker exec -t web /usr/bin/letsencrypt-setup
uWSGI
uWSGI lets me deploy flask applications without having to run the built in server.
This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/
and this: http://uwsgi-docs.readthedocs.io
apt-get install uwsgi uwsgi-plugin-python
In the virtualenv environment install uwsgi
source venv/bin/activate pip install uwsgi
You can run from command line to test it
uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py
and this should work: http://192.168.1.2:5001/home/
Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.
/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh
I changed nginx to work with it.
Building Nginx for Owncloud and Windows
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a FAIL.
- I cannot convince Windows to store a self-signed certificate.
- I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
and https://www.nginx.com/resources/wiki/modules/auth_digest/
git clone https://github.com/samizdatco/nginx-http-auth-digest.git cd nginx-1* ./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error make sudo make install
