Reverse proxy: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) |
||
| Line 17: | Line 17: | ||
https://github.com/jwilder/nginx-proxy/issues/804 | https://github.com/jwilder/nginx-proxy/issues/804 | ||
=== Let's Encrypt certificate renewal === | === Let's Encrypt certificates === | ||
I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion | |||
I start it in the docker-compose.yml | |||
I used to do it manually. | |||
==== Old way - manual certificate renewal ==== | |||
To renew certifcates, stop the nginx proxy, run the certbot, and then restart the proxy. | To renew certifcates, stop the nginx proxy, run the certbot, and then restart the proxy. | ||
Revision as of 18:35, 1 April 2019
Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates in front of a Dockerized nginx web server.
Dockerized!
See details in Bellman source/docker/docker-proxy and [1]
2019-04-01 added HTTPS support.
Reverse proxy
I use jwilder/nginx-proxy image. It does a transparent reverse proxy thing where it watches containers start and stop and adds and removes proxies on the fly.
I address the CORS issues with extra setup files.
https://github.com/jwilder/nginx-proxy/issues/804
Let's Encrypt certificates
I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion I start it in the docker-compose.yml
I used to do it manually.
Old way - manual certificate renewal
To renew certifcates, stop the nginx proxy, run the certbot, and then restart the proxy.
#Get a report on what certs need renewal sudo certbot certificates cd ~?source/docker/docker-proxy docker-compose down sudo -s certbot certonly --cert-name bellman.wildsong.biz Saving debug log to /var/log/letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? ------------------------------------------------------------------------------- 1: Place files in webroot directory (webroot) 2: Spin up a temporary webserver (standalone) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: http-01 challenge for bellman.wildsong.biz Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/bellman.wildsong.biz/fullchain.pem. Your cert will expire on 2019-05-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Web content
Currently I don't care about PHP at all so I run a plain official nginx image to service HTML content. I mount /var/www/html so that the container can see my old undockerized content.
When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. This would make deployment somewhere else easy.
docker run -d --dns=192.168.123.2 --name=web \ -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \ -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \ richarvey/nginx-php-fpm:latest
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
-e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
Then I can tell it I want HTTPS,
docker exec -t web /usr/bin/letsencrypt-setup
uWSGI
uWSGI lets me deploy flask applications without having to run the built in server.
This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/
and this: http://uwsgi-docs.readthedocs.io
apt-get install uwsgi uwsgi-plugin-python
In the virtualenv environment install uwsgi
source venv/bin/activate pip install uwsgi
You can run from command line to test it
uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py
and this should work: http://192.168.1.2:5001/home/
Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.
/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh
I changed nginx to work with it.
Building Nginx for Owncloud and Windows
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a FAIL.
- I cannot convince Windows to store a self-signed certificate.
- I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
and https://www.nginx.com/resources/wiki/modules/auth_digest/
git clone https://github.com/samizdatco/nginx-http-auth-digest.git cd nginx-1* ./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error make sudo make install
