Provide a Docker Compose example using a reverse proxy #1010

virtualtam · 2017-11-02T15:43:19Z

Depends on #1153

Goals:

document how Shaarli images are used in a multi-container environment
ease deployments with Compose and other container orchestration solutions
help diagnosing issues related to HTTP proxy setup

Suggested environment example:

shaarli/shaarli:latest image with a volume for user data
Nginx reverse proxy:
- jwilder/nginx-proxy reverse proxy with Docker service discovery
- JrCs/nginx-proxy-companion for Let's Encrypt SSL support

The text was updated successfully, but these errors were encountered:

nbud · 2017-11-02T16:21:28Z

As a first draft, here's a working example using jwilder/nginx-proxy and JrCs/nginx-proxy-companion.

The shaarli container must be launched with VIRTUAL_HOST, LETENCRYPT_HOST and LETSENCRYPT_EMAIL, for example :

docker run -d \
    -e VIRTUAL_HOST=my.domain.com \
    -e LETSENCRYPT_HOST=my.domain.com \
    -e LETSENCRYPT_EMAIL=my.email@domain.com \
    -v /srv/shaarli/data:/var/www/shaarli/data --restart=always \
    --name my_shaarli \
    shaarli/shaarli

The default proxy configuration of jwilder/nginx-proxy does not work out of the box with Shaarli. The proxy configuration is changed by mounting in the proxy container the file /etc/nginx/proxy.conf (see doc). As an example, here is a working /etc/nginx/proxy.conf, obtained by adding to the default configuration the X-Forwered-Host line:

# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Forwarded-Host $host;

# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";

I hope there's no side-effect for other proxified container, because this is a proxy-wide configuration. I haven't managed to change the proxy configuration for the shaarli container only.
As raised in #879, jwilder/nginx-proxy could work out of the box with Shaarli at the cost of a simple change of Shaarli's server_url() function.

virtualtam · 2017-11-02T17:09:19Z

Thanks!

The Nginx setup for Shaarli images was designed to be self-sufficient, so a bit of rework is needed to ease serving Shaarli containers behind a reverse proxy.

I'm considering providing separate images depending on the end-user's setup:

self-sufficient images
proxy-friendly images (though this might be limited to latestand mastertags not to add too much overhead)

You should be able to define container/service-specific configuration under /etc/nginx/vhost.d/<shaarli-domain>, but I'm not sure to which extent it applies to proxy settings (I've used it to add headers and limit payloads/body sizes).

I'd rather avoid adding too much logic to manage HTTP headers, and instead focus on providing sane and well-documented server configuration examples :)

Nginx's support for the HTTP Proxy protocol is also something worth leveraging.

Closes shaarli#1010 TODO: - deploy on a VPS with an actual domain - write a supporting deployment guide / article See: - https://hub.docker.com/r/jwilder/nginx-proxy/ - https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/ - https://docs.docker.com/compose/environment-variables/ Signed-off-by: VirtualTam <virtualtam@flibidi.net>

Closes shaarli#1010 TODO: - deploy on a VPS with an actual domain - write a supporting deployment guide / article See: - https://hub.docker.com/_/traefik/ - https://docs.traefik.io/configuration/backends/docker/ - https://docs.traefik.io/user-guide/docker-and-lets-encrypt/ - traefik/traefik#2798 - traefik/traefik#3298 Signed-off-by: VirtualTam <virtualtam@flibidi.net>

Closes shaarli#1010 See: - https://hub.docker.com/_/traefik/ - https://docs.traefik.io/configuration/backends/docker/ - https://docs.traefik.io/user-guide/docker-and-lets-encrypt/ - traefik/traefik#2798 - traefik/traefik#3298 Signed-off-by: VirtualTam <virtualtam@flibidi.net>

virtualtam added docker containers & cloud documentation proxy hosting behind reverse proxies server labels Nov 2, 2017

virtualtam added this to the 0.10.0 milestone Nov 2, 2017

virtualtam self-assigned this Nov 2, 2017

virtualtam mentioned this issue Nov 2, 2017

server_url() broken in Docker image #879

Closed

This was referenced Dec 2, 2017

Error while creating new bookmark #1031

Closed

Rework and document IP ban management when behind a reverse proxy #1032

Closed

virtualtam mentioned this issue Feb 5, 2018

Manage frontend dependencies with npm/yarn and webpack #1072

Merged

5 tasks

virtualtam modified the milestones: 0.10.0, 0.10.1 Jun 2, 2018

virtualtam modified the milestones: 0.10.1, 0.10.0 Jun 26, 2018

virtualtam mentioned this issue Jun 26, 2018

Provide a Docker Compose example #1168

Merged

virtualtam mentioned this issue Jul 1, 2018

WIP: Provide a Docker Compose example [Træfik] #1170

Closed

virtualtam closed this as completed in #1168 Jul 27, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Provide a Docker Compose example using a reverse proxy #1010

Provide a Docker Compose example using a reverse proxy #1010

virtualtam commented Nov 2, 2017 •

edited

Loading

nbud commented Nov 2, 2017

virtualtam commented Nov 2, 2017

Provide a Docker Compose example using a reverse proxy #1010

Provide a Docker Compose example using a reverse proxy #1010

Comments

virtualtam commented Nov 2, 2017 • edited Loading

nbud commented Nov 2, 2017

virtualtam commented Nov 2, 2017

virtualtam commented Nov 2, 2017 •

edited

Loading