-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move nginx config to /etc/nginx/dokku.d
#3443
Comments
Note: this is a some-what BC incompatible change, due to where files get included from. We'll include both paths but warn users to move their files to the new path during a deploy. |
In addition to the nginx config, the location of the TLS certificates also seems to be an issue with SELinux. I ended up having to install letsencrypt and run I believe the relevant policies are:
|
Is there a way to ship that with Dokku somehow? If so, that would resolve our SELinux issues and be an alternative to moving files into the correct place... |
Yeah that should be possible, it would be best to avoid providing full access to the whole home directory though, I have found 2 commands that seem to setup permissions correctly where nginx can still read them.
Based on the information provided at https://fedoraproject.org/wiki/PackagingDrafts/SELinux#File_contexts the easiest way to do this following in the RPM spec:
The only disadvantage to this is it adds a dependency on policycoreutils-python which isn't necessary for people who are not using SELinux. |
Thats annoying, and might be OS-specific. May as well fix the underlying issue in that case... |
Updating this to be an enhancement, as we never purported to work with SELinux (though you can now with an alternative proxy implementation like openresty). |
When SELinux is in use, nginx cannot read
nginx.conf
files in/home/dokku/*/dokku.conf
. This causes routing issues, resulting in a terrible experience for our users.We should:
/etc/nginx/conf.d/dokku.conf
file to addinclude /etc/nginx/dokku.d/*.conf
andinclude /etc/nginx/dokku.d/*/*.conf
./home/dokku/APP/nginx.conf
and create the new file in/etc/nginx/dokku.d/APP.conf
.nginx.conf
to include/etc/nginx/dokku.d/APP/*.conf
.dokku-letsencrypt
anddokku-redirect
to handle both cases.nginx:show-conf APP
command that shows the current app config.Marking as a bug as compatibility with SELinux systems is completely broken without this.
The text was updated successfully, but these errors were encountered: