Brief Compose-File VHPportal-rp VHP-webserver
This cluster is responsible for accepting and routing all public network traffic. It differs from the rest of the live network in that we use HTTPS there for transport security; in dev or test networks the nginx server need not carry a TLS certificate. These differences are outlined below in the VHPportal-rp section, since that container is the true public reverse proxy.
All services in the cluster are routed from here:
vhp-webserver - container that serves the web apps associated with vhpportal.
vhp-static-repo - directory in the vhpportal-rp container to serve any assets required by the pages in the vhp-webserver.
It is also in the vhpportal-rp that routing to other clusters takes place:
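# Compose file format: '0.1' is not a version Compose recognises (the v1
# Python client refuses to load it; Compose v2 ignores the key with a
# warning). 3.8 keeps this two-service layout valid on both.
version: '3.8'
services:
  webserver:
    restart: always
    # Replace <tag> with an immutable tag or digest so a redeploy cannot pull
    # a different build. The app publishes no ports of its own and is only
    # reachable through nginx.
    image: cmv343/vhp-webserver:<tag>
  nginx:
    restart: always
    image: cmv343/vhpportal-rp:<tag>
    ports:
      - 80:80
      # The production nginx.conf listens on 443 only and loads its
      # certificate from /home/ec2-user/ssl/vhpportal/ inside the container.
      # For the TLS variant publish 443 as well and mount the certificate
      # directory read-only at run time instead of baking it into the image:
      # - 443:443
    # volumes:
    #   - <host-ssl-dir>:/home/ec2-user/ssl:ro
    depends_on:
      - webserver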
This is the plain-HTTP variant, without the TLS certificates; the production variant must additionally publish port 443 and mount the certificate directory that the production nginx.conf references.
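# syntax=docker/dockerfile:1
#
# Stage 1 (gset): check out the static-asset repository over SSH. The deploy
# key is never written to a layer; BuildKit forwards the agent for the single
# RUN that needs it (build with `docker build --ssh default ...`).
# Pinned to a major tag instead of bare `alpine` so rebuilds do not silently
# change base; pin by digest for fully reproducible builds.
FROM alpine:3 AS gset
RUN apk add --no-cache git openssh-client
# A bare `ssh-keyscan >> known_hosts` trusts whatever key the build network
# hands back (trust-on-first-use), so a spoofed github.com during the build
# would be accepted silently. Scan, then fail the build unless the key's
# fingerprint equals GitHub's published one. The default below is GitHub's
# Ed25519 fingerprint; confirm it against
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
# before changing it (a mismatch fails the build, it never opens access).
ARG GITHUB_SSH_FINGERPRINT=SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
RUN mkdir -p -m 0700 ~/.ssh \
    && ssh-keyscan -t ed25519 github.com > ~/.ssh/known_hosts \
    && ssh-keygen -lf ~/.ssh/known_hosts | grep -F -q "$GITHUB_SSH_FINGERPRINT"
# Replaces the `RUN echo v69` cache-buster layer: pass
# `--build-arg CACHEBUST=$(date +%s)` to force a fresh clone.
ARG CACHEBUST=1
# .git is dropped so the repository history is not copied into the served
# tree (it would be reachable as /repo/.git/ through the /repo location).
RUN --mount=type=ssh git clone -b <branch> git@github.com:VHP1946/vhp-static-repository.git \
    && rm -rf /vhp-static-repository/.git
WORKDIR /vhp-static-repository

# Stage 2: the reverse proxy. git and the SSH client stay behind in gset.
FROM nginx:alpine
# The previous `COPY .. /home/ec2-user/repo` never referenced the gset stage;
# depending on the builder it either fails (path outside the build context)
# or copies the build context itself (Dockerfile, nginx.conf, ...) into the
# publicly served /repo tree. Copy the checked-out repository from the
# named stage instead.
COPY --from=gset /vhp-static-repository /home/ec2-user/repo
# The image's stock conf.d/default.conf is a catch-all HTTP server on port
# 80; the production nginx.conf includes conf.d/*.conf, so it would be
# loaded next to the real servers.
RUN rm -f /etc/nginx/conf.d/default.conf
# COPY already invalidates the cache when nginx.conf changes; the former
# `RUN echo n2` layer was redundant.
COPY nginx.conf /etc/nginx/nginx.conf
# TLS material is NOT part of the image: nginx.conf expects the certificate
# and key under /home/ec2-user/ssl/vhpportal/ to be mounted read-only at run
# time. Never COPY the private key into a layer.
# The master process starts as root to bind 80/443 and drops workers to the
# account named by the `user` directive in nginx.conf (make sure that is not
# root); use nginxinc/nginx-unprivileged if a fully non-root container is
# required.
EXPOSE 80 443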
Below is the working configuration from our "old" (pre-container) network setup. It has not been tested inside a Docker container; the parts most likely to need adjustment there are the hard-coded upstream addresses (10.0.1.191 and 10.0.1.220, which in Compose would be service names), the certificate paths under /home/ec2-user/ssl that must be mounted into the container, and `user root;`, which should become the image's `nginx` user.
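# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
# Worker processes must not run as root. The master process (started as
# root in the nginx:alpine image) binds 80/443 and then drops the workers
# to this account, which the official image provides. With `user root;`
# every request handler, and any bug in it, ran with full privileges.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
# This path comes from the RHEL/Fedora package layout; it does not exist in
# nginx:alpine, which is harmless because a wildcard include that matches
# no files is not an error.
include /usr/share/nginx/modules/*.conf;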
events {
# Maximum number of simultaneous connections each worker process may hold.
worker_connections 1024;
}
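http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    # Hide the nginx version in the Server header and error pages, as the
    # development configuration already does.
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # CORS origin allow-list. Reflecting $http_origin unconditionally while
    # also sending Access-Control-Allow-Credentials: true (the previous
    # setup) lets any website make credentialed requests to /api from a
    # visitor's browser and read the responses. Only origins matching a
    # pattern here are echoed back; for everything else $cors_origin is
    # empty and nginx then omits the header entirely. Add one line per
    # trusted origin (scheme and host, no trailing slash).
    map $http_origin $cors_origin {
        default "";
        "~^https://<allowed-origin>$" $http_origin;
    }

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    # The nginx:alpine image ships conf.d/default.conf (a catch-all HTTP
    # server on port 80 serving /usr/share/nginx/html); remove it from the
    # image or it is loaded here next to the servers below.
    include /etc/nginx/conf.d/*.conf;

    # Plain HTTP only redirects clients to HTTPS; nothing is proxied over it.
    # Compose publishes 80:80, so without this server the port would either
    # be closed or serve the image's default page.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        # The IPv6 socket lacked `ssl`, which makes nginx speak plain HTTP on
        # [::]:443 with this same server block.
        listen [::]:443 ssl;
        server_name vhp-front;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # Certificate and key are mounted into the container at run time; the
        # key must stay out of the image (root-owned, mode 0600).
        ssl_certificate /home/ec2-user/ssl/vhpportal/f1056fba3fb60aff.pem;
        ssl_certificate_key /home/ec2-user/ssl/vhpportal/vhp-key.key;
        # Older nginx builds still enable TLS 1.0/1.1 by default; pin the
        # protocol set explicitly.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        # The live network is HTTPS-only, so tell browsers to stop trying
        # plain HTTP for this host. Remove this line if a plain-HTTP listener
        # for the same hostname must stay reachable.
        add_header Strict-Transport-Security "max-age=31536000" always;

        proxy_buffers 16 4k;
        proxy_buffer_size 2k;

        # $cors_origin (see the map above) is empty for unlisted origins and
        # nginx drops a header whose value is empty, so those responses carry
        # no Access-Control-Allow-Origin at all.
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # The upstream hop is plain HTTP; this tells the web app the
            # client connection was TLS (correct redirect scheme, Secure
            # cookies).
            proxy_set_header X-Forwarded-Proto $scheme;
            # Address carried over from the pre-container network; inside the
            # Compose cluster this is the `webserver` service (compare the
            # upstream block in the development configuration).
            proxy_pass http://10.0.1.191:4000;
        }

        # Static assets from the cloned vhp-static-repository, served from
        # /home/ec2-user/repo. They are public and uncredentialed, so a
        # wildcard origin is acceptable here. Note that add_header inside a
        # location or if-block REPLACES every server-level add_header for
        # that response, so the credentialed headers above (and HSTS) are
        # not sent for matched GET/POST requests under /repo.
        location /repo {
            if ($request_method ~* '(GET|POST)') {
                add_header 'Access-Control-Allow-Origin' '*';
            }
            root /home/ec2-user;
        }
        # Never serve dot-files or dot-directories out of the asset tree:
        # /repo/.git/ would expose the full repository history. Regex
        # locations take precedence over the /repo prefix above.
        location ~ ^/repo(/.*)?/\. {
            return 404;
        }

        location /api {
            # CORS preflight is answered here instead of being forwarded to
            # the API. Because add_header in an if-block replaces the
            # server-level set, the allow headers are repeated for the 204.
            # Previously the OPTIONS request was proxied and a second
            # Content-Length: 0 was appended to the upstream response.
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' $cors_origin always;
                add_header 'Access-Control-Allow-Credentials' 'true' always;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
                add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'application/json';
                add_header 'Content-Length' 0;
                return 204;
            }
            proxy_buffering off;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # An empty Connection header plus HTTP/1.1 allows persistent
            # connections to the upstream.
            proxy_set_header Connection '';
            proxy_http_version 1.1;
            # Address carried over from the pre-container network; the
            # development configuration reaches the core cluster through an
            # `upstream` block instead.
            proxy_pass http://10.0.1.220:5000;
        }
    }

    # Settings for a TLS enabled server.
    # (Template kept from the RHEL/Fedora package. `ssl_ciphers
    # PROFILE=SYSTEM` refers to RHEL crypto policies and will not load on
    # nginx:alpine; replace it with an explicit cipher list if this block
    # is ever enabled.)
    #
    # server {
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    # server_name _;
    # root /usr/share/nginx/html;
    #
    # ssl_certificate "/etc/pki/nginx/server.crt";
    # ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 10m;
    # ssl_ciphers PROFILE=SYSTEM;
    # ssl_prefer_server_ciphers on;
    #
    # # Load configuration files for the default server block.
    # include /etc/nginx/default.d/*.conf;
    #
    # error_page 404 /404.html;
    # location = /40x.html {
    # }
    #
    # error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    # }
    # }
}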
Unlike the production requirements above, the development network achieves the same routing with a lot less configuration. The following is a working nginx server configuration for our development network and may serve as a template when creating other dev networks.
events {
# Maximum number of simultaneous connections each worker process may hold.
worker_connections 1024;
}
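http {
    # `webserver` is the Compose service name and resolves through the
    # Compose network, so no address is hard-coded for it.
    upstream webservers {
        server webserver:4000;
    }
    # The core cluster is not a service in this Compose file and is still
    # addressed by IP.
    upstream core {
        server 10.0.2.212:80;
    }
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    server {
        listen 80;
        server_name nginx-pp;
        location / {
            proxy_pass http://webservers;
        }
        location /api {
            # Same forwarding headers as the production /api block, so the
            # core API sees the public host and the real client address
            # rather than the proxy's.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://core;
        }
        # Static assets checked out from vhp-static-repository; they are
        # public and uncredentialed, so a wildcard origin is fine here.
        location /repo {
            if ($request_method ~* '(GET|POST)') {
                add_header 'Access-Control-Allow-Origin' '*';
            }
            root /home/ec2-user;
        }
        # Keep .git/ and any other dot-file out of the served tree; regex
        # locations take precedence over the /repo prefix above.
        location ~ ^/repo(/.*)?/\. {
            return 404;
        }
    }
}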