commit 424b39b6d682aa373f9c890071a2c5abaa7ef118 Author: yohan <783b8c87@scimetis.net> Date: Sat Dec 29 02:13:09 2018 +0100 Initial commit. diff --git a/README b/README new file mode 100644 index 0000000..2b9300d --- /dev/null +++ b/README 
@@ -0,0 +1,45 @@ +Why ? +pour éviter d'utiliser des ports différents +pour centraliser la conf SSL +pour la flexibilité +pour n'avoir besoin des droits root que sur une brique et pouvoir les abandonner ensuite (bind sur ports < 1024) + +Utilisation : + +Les droits des fichiers doivent être corrigés avant de lancer la stack avec docker-compose up -d : +chcon -u system_u -r object_r -t svirt_sandbox_file_t crontab + +# only first time : +docker network create reverse-proxy +docker volume create --name reverse-proxy_conf +docker volume create --name reverse-proxy_conf_enabled +docker volume create --name reverse-proxy_letsencrypt + + +Pour ajouter/modifier un site : +vim /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf +cat /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf + + ServerName name.scimetis.net + ServerAdmin postmaster@scimetis.net + ProxyPreserveHost on + ProxyPass / http://hostname/ + ProxyPassReverse / http://hostname/ + ProxyRequests Off + + +hostname dans la conf ci-dessus est en général le nom du conteneur qui fournit la ressource, +il devra donc rejoindre le réseau du reverse proxy. +C'est en général fait au niveau de la stack (docker-compose). 
+Sinon :
+docker network connect reverse-proxy nomduconteneur
+
+# if new conf file :
+chcon -Rt svirt_sandbox_file_t /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf
+docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'a2ensite filetoedit && service apache2 reload'
+# test certs :
+# docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'certbot --apache --test-cert -vvv --domains name.scimetis.net -m yohan.bataille@scimetis.net --agree-tos --reinstall --redirect --hsts --non-interactive'
+docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'certbot --apache -vvv --domains name.scimetis.net -m yohan.bataille@scimetis.net --agree-tos --reinstall --redirect --hsts --non-interactive'
+
+# if modified conf file :
+docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'service apache2 reload'
diff --git a/crontab b/crontab
new file mode 100644
index 0000000..1856f14
--- /dev/null
+++ b/crontab
@@ -0,0 +1,11 @@
+# /etc/crontab: system-wide crontab
+# Unlike any other crontab you don't have to run the `crontab'
+# command to install the new version when you edit this file
+# and files in /etc/cron.d. These files also have username fields,
+# that none of the other crontabs do.
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# m | h | day of month | month | day of week | user | command
+5 2 * * * root docker -H tcp://127.0.0.1:2375 exec dockerreverseproxystack_reverse-proxy_1 certbot renew > /proc/1/fd/2 2>&1
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..03f8e46
--- /dev/null
+++ b/docker-compose.yml
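Review bot: The renewal job on the last line of the crontab talks to the Docker daemon over plain TCP at `tcp://127.0.0.1:2375`, which only works if dockerd is started with an unauthenticated, unencrypted API listener; every local process — any user on the host, or any container sharing the host network namespace like the cron service itself — can then drive the daemon and obtain root on the host. The job needs nothing more than the ability to exec into one container, so either bind-mount `/var/run/docker.sock` into the cron container and drop `-H`, or, better, run `certbot renew` from a cron inside the reverse-proxy image so no Docker API access exists at all. The target container name `dockerreverseproxystack_reverse-proxy_1` is compose-generated from the project directory and will silently break if the directory is renamed; a fixed `container_name:` in docker-compose.yml would make it stable. Whether the renewed certificate is picked up presumably depends on certbot's recorded apache installer reloading httpd; if that is not the case, add `--deploy-hook 'service apache2 reload'` to the renew command.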
@@ -0,0 +1,40 @@
+version: "2.1"
+
+services:
+
+ reverse-proxy:
+ image: reverse-proxy:$VERSION
+ build: "https://git.scimetis.net/yohan/docker-reverse-proxy.git"
+ restart: always
+ ports:
+ - 80:80/tcp
+ - 443:443/tcp
+ networks:
+ - reverse-proxy
+ volumes:
+ - reverse-proxy_conf:/etc/apache2/sites-available:Z
+ - reverse-proxy_conf_enabled:/etc/apache2/sites-enabled:Z
+ - reverse-proxy_letsencrypt:/etc/letsencrypt:Z
+
+ cron:
+ image: cron
+ restart: always
+ network_mode: "host"
+ volumes:
+ - ./crontab:/etc/crontab
+
+networks:
+
+ reverse-proxy:
+ external: true
+
+volumes:
+
+ reverse-proxy_conf:
+ external: true
+
+ reverse-proxy_conf_enabled:
+ external: true
+
+ reverse-proxy_letsencrypt:
+ external: true
diff --git a/start_or_update.sh b/start_or_update.sh
new file mode 100755
index 0000000..3a851ec
--- /dev/null
+++ b/start_or_update.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+unset VERSION; VERSION=$(git ls-remote ssh://git@git.scimetis.net:2222/yohan/docker-reverse-proxy.git| head -1 | cut -f 1|cut -c -10) sudo -E bash -c 'docker-compose up -d'
+
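Review bot: The `cron` service is given `network_mode: "host"`, and the only reason visible in this commit is so the crontab can reach a Docker daemon exposed on `tcp://127.0.0.1:2375`; that design forces the host to run dockerd with an unauthenticated TCP API and hands the cron container the host's entire network namespace, neither of which a scheduled `certbot renew` requires. Keep `cron` on the default network and give it the socket instead, `- /var/run/docker.sock:/var/run/docker.sock`, so the daemon never has to listen on TCP (the socket is still root-equivalent, so this container must stay minimal). The crontab bind mount should be read-only, `- ./crontab:/etc/crontab:ro`, and it is the only mount without `:Z` while the README relies on a manual `chcon` to compensate — a `:ro,Z` option would likely remove that step, to be confirmed on the SELinux host. `image: cron` is an untagged, unqualified image name with no `build:` in this file, so where it comes from and which version is deployed cannot be determined from the repository; pin it (`cron:<tag>` or a `build:` stanza).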
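Review bot: `VERSION` is resolved with `git ls-remote ... | head -1` over ssh and only used as the image tag, while docker-compose.yml's `build:` clones a different remote (https, no `#ref`) at build time; the image tagged `$VERSION` is therefore built from whatever HEAD that clone returns, which need not be the commit the tag names, so the tag gives no supply-chain guarantee. Pin the build to the commit that was resolved (`build: "https://git.scimetis.net/yohan/docker-reverse-proxy.git#$VERSION"`, keeping the full 40-character sha rather than `cut -c -10` so the ref is unambiguous) and fail closed when ls-remote returns nothing, since today an empty `VERSION` yields the malformed tag `reverse-proxy:`. `head -1` also assumes HEAD is the first ref printed; asking for it explicitly (`git ls-remote <url> HEAD`) is unambiguous. `sudo -E` forwards the caller's whole environment to root when only one variable is needed; `sudo env VERSION="$VERSION" docker-compose up -d` passes just that.
```shell
#!/bin/bash
set -euo pipefail

VERSION=$(git ls-remote ssh://git@git.scimetis.net:2222/yohan/docker-reverse-proxy.git HEAD | cut -f 1)
[ -n "$VERSION" ] || { echo "could not resolve remote HEAD; refusing to deploy an untagged image" >&2; exit 1; }

sudo env VERSION="$VERSION" docker-compose up -d
```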