Reverse proxy

From Wildsong
Revision as of 02:06, 4 June 2019 by Brian Wilson (talk | contribs)
Jump to navigationJump to search

Bellman runs a Dockerized reverse proxy with Let's Encrypt certificates in front of a Dockerized nginx web server.


Dockerized!

See details in Bellman source/docker/proxy and [1]

2019-04-01 added HTTPS support.

Reverse proxy

I use jwilder/nginx-proxy image. It does a transparent reverse proxy thing where it watches containers start and stop and adds and removes proxies on the fly.

I address the CORS issues with extra setup files.

https://github.com/jwilder/nginx-proxy/issues/804

Let's Encrypt certificates

I am using the nginx-proxy companion, see https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion I start it in the docker-compose.yml

I used to do it manually.

Old way - manual certificate renewal

To renew certifcates, stop the nginx proxy, run the certbot, and then restart the proxy.

#Get a report on what certs need renewal
sudo certbot certificates
cd ~?source/docker/docker-proxy
docker-compose down
sudo -s
certbot certonly --cert-name bellman.wildsong.biz
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bellman.wildsong.biz
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bellman.wildsong.biz/fullchain.pem. Your
   cert will expire on 2019-05-15. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Web content

Currently I don't care about PHP at all so I run a plain official nginx image to service HTML content. I mount /var/www/html so that the container can see my old undockerized content.

When I need PHP I use richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ You can add also add environment settings to have it pull code from github instead of using the volume mentioned above. This would make deployment somewhere else easy.

docker run -d --dns=192.168.123.2 --name=web \
-e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \
-e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \
richarvey/nginx-php-fpm:latest

Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,

-e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \

Then I can tell it I want HTTPS,

docker exec -t web /usr/bin/letsencrypt-setup

uWSGI

uWSGI lets me deploy flask applications without having to run the built in server.

This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/

and this: http://uwsgi-docs.readthedocs.io

apt-get install uwsgi uwsgi-plugin-python

In the virtualenv environment install uwsgi

source venv/bin/activate
pip install uwsgi

You can run from command line to test it

uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py 

and this should work: http://192.168.1.2:5001/home/

Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.

/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh

I changed nginx to work with it.

Building Nginx for Owncloud and Windows

The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.

So far this is a FAIL.

  1. I cannot convince Windows to store a self-signed certificate.
  2. I can't get digest authentication to work with owncloud.

If I did succeed then I would need a Docker container so that I can load it in the Synology server.

Windows is a pain.

See https://moblog.wiredwings.com/archives/20110406/webdav-windows-7-and-self-signed-certificates-howto.html

and https://www.nginx.com/resources/wiki/modules/auth_digest/

git clone https://github.com/samizdatco/nginx-http-auth-digest.git
cd nginx-1*
./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error
make
sudo make install