Add nginx behind traefik in docker-compose + image updates

- support/docker/production/docker-compose.yml: addition of a nginx
image reusing support/nginx/peertube nginx conf to improve performance,
and lessen setup differences between the docker-compose install and the
typical production install.
- support/docker/production/docker-compose.yml: postgres 10 -> postgres
12, redis 4 -> redis 5. Postgres major updates implies manual upgrade.
- support/nginx/peertube: HTTP -> HTTPS redirection is now commented
by default, to allow its reuse in support/docker/production/docker-compose.yml.
pull/2531/head
Rigel Kent 2020-03-03 00:29:52 +01:00
parent 8e98e6124d
commit 1a9b141d83
No known key found for this signature in database
GPG Key ID: 5E53E96A494E452F
8 changed files with 99 additions and 49 deletions

View File

@ -100,7 +100,8 @@ Then set the domain for the webserver configuration file.
Replace `[peertube-domain]` with the domain for the peertube server. Replace `[peertube-domain]` with the domain for the peertube server.
``` ```
$ sudo sed -i 's/peertube.example.com/[peertube-domain]/g' /etc/nginx/sites-available/peertube $ sudo sed -i 's/${WEBSERVER_HOST}/[peertube-domain]/g' /etc/nginx/sites-available/peertube
$ sudo sed -i 's/${PEERTUBE_HOST}/localhost:9000/g' /etc/nginx/sites-available/peertube
``` ```
Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations. Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.

View File

@ -38,8 +38,8 @@ ENV NODE_CONFIG_DIR /config
VOLUME /data VOLUME /data
VOLUME /config VOLUME /config
COPY ./support/docker/production/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh COPY ./support/docker/production/entrypoint.sh /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
# Run the application # Run the application
CMD ["npm", "start"] CMD ["npm", "start"]

View File

@ -0,0 +1,8 @@
FROM nginx:alpine
COPY entrypoint.nginx.sh .
RUN chmod +x entrypoint.nginx.sh
EXPOSE 80
ENTRYPOINT []
CMD ["/bin/sh", "entrypoint.nginx.sh"]

View File

@ -2,44 +2,65 @@ version: "3.3"
services: services:
# The reverse-proxy only does SSL termination and automatic certificate generation. You can
# replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
reverse-proxy: reverse-proxy:
image: traefik:v1.7 image: traefik:v1.7
network_mode: "host" network_mode: "host"
command: command:
- "--docker" # Tells Træfik to listen to docker - "--docker" # Tells Træfik to listen to docker
- "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
- "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
ports: ports:
- "80:80" # The HTTP port - "80:80" # The HTTP port
- "443:443" # The HTTPS port - "443:443" # The HTTPS port
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
- ./docker-volume/traefik/acme.json:/etc/acme.json - ./docker-volume/traefik/acme.json:/etc/acme.json
- ./docker-volume/traefik/traefik.toml:/traefik.toml - ./docker-volume/traefik/traefik.toml:/traefik.toml
restart: "always" restart: "always"
# If you want to use the Traefik dashboard, you should expose it on a
# subdomain with HTTPS and authentification:
# https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
# https://github.com/containous/traefik/issues/880#issuecomment-310301168
peertube: # The webserver is not required, but recommended since a lot of optimizations went to its
# If you don't want to use the official image and build one from sources # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
# build: # so use it in production in tandem with an SSL-terminating reverse-proxy like above.
# context: . webserver:
# dockerfile: ./support/docker/production/Dockerfile.buster build:
image: chocobozzz/peertube:production-buster context: .
dockerfile: Dockerfile.nginx
env_file: env_file:
- .env - .env
# Traefik labels are suggested as an example for people using Traefik, # If you provide your own reverse-proxy, otherwise not suitable for production:
# remove them if you are using another reverse proxy. #ports:
# - "80:80"
volumes:
- type: bind
# Switch sources if you downloaded the nginx configuration without the whole repository
#source: ./peertube
source: ../../nginx/peertube
target: /etc/nginx/conf.d/peertube.template
- assets:/var/www/peertube/peertube-latest/client/dist:ro
- ./docker-volume/data:/var/www/peertube/storage
depends_on:
- peertube
restart: "always"
labels: labels:
traefik.enable: "true" traefik.enable: "true"
traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
traefik.port: "9000" traefik.port: "80"
# If you don't want to use a reverse proxy (not suitable for production!)
# ports: peertube:
# - "80:9000" # If you don't want to use the official image and build one from sources:
#build:
# context: .
# dockerfile: ./support/docker/production/Dockerfile.buster
image: chocobozzz/peertube:production-buster
env_file:
- .env
# If you provide your own webserver and reverse-proxy, otherwise not suitable for production:
#ports:
# - "80:9000"
volumes: volumes:
- assets:/app/client/dist
- ./docker-volume/data:/data - ./docker-volume/data:/data
- ./docker-volume/config:/config - ./docker-volume/config:/config
depends_on: depends_on:
@ -47,6 +68,8 @@ services:
- redis - redis
- postfix - postfix
restart: "always" restart: "always"
labels:
traefik.enable: "false"
postgres: postgres:
image: postgres:10-alpine image: postgres:10-alpine
@ -59,7 +82,7 @@ services:
traefik.enable: "false" traefik.enable: "false"
redis: redis:
image: redis:4-alpine image: redis:5-alpine
volumes: volumes:
- ./docker-volume/redis:/data - ./docker-volume/redis:/data
restart: "always" restart: "always"
@ -82,3 +105,6 @@ networks:
driver: default driver: default
config: config:
- subnet: 172.18.0.0/16 - subnet: 172.18.0.0/16
volumes:
assets:

View File

@ -0,0 +1,17 @@
#!/bin/sh
set -e
# Process nginx template
SOURCE="/etc/nginx/conf.d/peertube.template"
TARGET="/etc/nginx/conf.d/default.conf"
export WEBSERVER_HOST="default_server"
export PEERTUBE_HOST="peertube:9000"
envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET
# Remove HTTPS/SSL from nginx conf
sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET
cat $TARGET
nginx -g "daemon off;"

View File

@ -1,26 +1,24 @@
server { # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
listen 80; #server {
listen [::]:80; # listen 80;
server_name peertube.example.com; # listen [::]:80;
# server_name ${WEBSERVER_HOST};
access_log /var/log/nginx/peertube.example.com.access.log; #
error_log /var/log/nginx/peertube.example.com.error.log; # location /.well-known/acme-challenge/ {
# default_type "text/plain";
location /.well-known/acme-challenge/ { # root /var/www/certbot;
default_type "text/plain"; # }
root /var/www/certbot; # location / { return 301 https://$host$request_uri; }
} #}
location / { return 301 https://$host$request_uri; }
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name peertube.example.com; server_name ${WEBSERVER_HOST};
# For example with certbot (you need a certificate to run https) # For example with certbot (you need a certificate to run https)
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
# Security hardening (as of 11/02/2018) # Security hardening (as of 11/02/2018)
ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
@ -51,8 +49,8 @@ server {
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
# client_body_temp_path /var/www/peertube/storage/nginx/; # client_body_temp_path /var/www/peertube/storage/nginx/;
access_log /var/log/nginx/peertube.example.com.access.log; access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
error_log /var/log/nginx/peertube.example.com.error.log; error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
location ^~ '/.well-known/acme-challenge' { location ^~ '/.well-known/acme-challenge' {
default_type "text/plain"; default_type "text/plain";
@ -92,7 +90,7 @@ server {
} }
location / { location / {
proxy_pass http://127.0.0.1:9000; proxy_pass http://${PEERTUBE_HOST};
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -177,14 +175,14 @@ server {
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9000; proxy_pass http://${PEERTUBE_HOST};
} }
location /socket.io { location /socket.io {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9000; proxy_pass http://${PEERTUBE_HOST};
# enable WebSockets # enable WebSockets
proxy_http_version 1.1; proxy_http_version 1.1;