yohan/docker-reverse-proxy-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit.

Browse Source
This commit is contained in:
yohan 2018-12-29 02:13:09 +01:00
commit 424b39b6d6
4 changed files with 100 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
README Normal file
View File

@ -0,0 +1,45 @@
Why ?
pour éviter d'utiliser des ports différents
pour centraliser la conf SSL
pour la flexibilité
pour n'avoir besoin des droits root que sur une brique et pouvoir les abandonner ensuite (bind sur ports < 1024)
Utilisation :
Les droits des fichiers doivent être corrigés avant de lancer la stack avec docker-compose up -d :
chcon -u system_u -r object_r -t svirt_sandbox_file_t crontab
# only first time :
docker network create reverse-proxy
docker volume create --name reverse-proxy_conf
docker volume create --name reverse-proxy_conf_enabled
docker volume create --name reverse-proxy_letsencrypt
Pour ajouter/modifier un site :
vim /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf
cat /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf
<VirtualHost *:80>
ServerName name.scimetis.net
ServerAdmin postmaster@scimetis.net
ProxyPreserveHost on
ProxyPass / http://hostname/
ProxyPassReverse / http://hostname/
ProxyRequests Off
</VirtualHost>
hostname dans la conf ci-dessus est en général le nom du conteneur qui fournit la ressource,
il devra donc rejoindre le réseau du reverse proxy.
C'est en général fait au niveau de la stack (docker-compose).
Sinon :
docker network connect reverse-proxy nomduconteneur
# if new conf file :
chcon -Rt svirt_sandbox_file_t /var/lib/docker-latest/volumes/reverse-proxy_conf/_data/filetoedit.conf
docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'a2ensite filetoedit && service apache2 reload'
# test certs :
# docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'certbot --apache --test-cert -vvv --domains name.scimetis.net -m yohan.bataille@scimetis.net --agree-tos --reinstall --redirect --hsts --non-interactive'
docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'certbot --apache -vvv --domains name.scimetis.net -m yohan.bataille@scimetis.net --agree-tos --reinstall --redirect --hsts --non-interactive'
# if modified conf file :
docker exec -it dockerreverseproxystack_reverse-proxy_1 sh -c 'service apache2 reload'

11
crontab Normal file
View File

@ -0,0 +1,11 @@
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m | h | day of month | month | day of week | user | command
5 2 * * * root docker -H tcp://127.0.0.1:2375 exec dockerreverseproxystack_reverse-proxy_1 certbot renew > /proc/1/fd/2 2>&1

40
docker-compose.yml Normal file
View File

@ -0,0 +1,40 @@
version: "2.1"
services:
reverse-proxy:
image: reverse-proxy:$VERSION
build: "https://git.scimetis.net/yohan/docker-reverse-proxy.git"
restart: always
ports:
- 80:80/tcp
- 443:443/tcp
networks:
- reverse-proxy
volumes:
- reverse-proxy_conf:/etc/apache2/sites-available:Z
- reverse-proxy_conf_enabled:/etc/apache2/sites-enabled:Z
- reverse-proxy_letsencrypt:/etc/letsencrypt:Z
cron:
image: cron
restart: always
network_mode: "host"
volumes:
- ./crontab:/etc/crontab
networks:
reverse-proxy:
external: true
volumes:
reverse-proxy_conf:
external: true
reverse-proxy_conf_enabled:
external: true
reverse-proxy_letsencrypt:
external: true

4
start_or_update.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
unset VERSION; VERSION=$(git ls-remote ssh://git@git.scimetis.net:2222/yohan/docker-reverse-proxy.git| head -1 | cut -f 1|cut -c -10) sudo -E bash -c 'docker-compose up -d'