NathanVaughn / webtrees-docker

Up-to-date Docker image for webtrees with all the bells and whistles.
https://hub.docker.com/r/nathanvaughn/webtrees
MIT License

Transitioning from local access to public external access #72

Closed AlexKalopsia closed 3 years ago

AlexKalopsia commented 3 years ago

Hi and thanks for this Docker image. I have been using WebTrees for a week or so now and I love it. I initially tried to set up external HTTPS access, but I couldn't manage to (I kept failing to reach WebTrees), so I ended up going for a simpler local access.

I currently reach WebTrees on http://myip:port. I am running the Docker container on a Synology NAS, connecting to a separate MariaDB container. Note that I use swag (nginx) as reverse proxy solution to reach all my containers externally.

My docker-compose currently looks like this:

webtrees:
    image: ghcr.io/nathanvaughn/webtrees:latest
    container_name: webtrees
    depends_on:
      - mariadb
    #build: .
    ports:
      - 9980:80
      - 9943:443
    volumes:
      - ${DOCKER_PATH}/webtrees/certs:/certs/
      - ${DOCKER_PATH}/webtrees/data:/var/www/webtrees/data/
      - ${DOCKER_PATH}/webtrees/media:/var/www/webtrees/media/
      - ${DOCKER_PATH}/webtrees/themes:/var/www/webtrees/themes/
      - ${DOCKER_PATH}/webtrees/modules:/var/www/webtrees/modules_v4/
    environment:
      #- PRETTY_URLS=0
      #- HTTPS=0
      #- HTTPS_REDIRECT=0
      - LANG=en-US
      - BASE_URL=http://192.168.X.X:9980
      - DB_TYPE=mysql
      - DB_HOST=${IP}
      - DB_PORT=3306
      - DB_USER=${WEBTREESDB_USER}
      - DB_PASS=${WEBTREESDB_PSW}
      - DB_NAME=${WEBTREESDB_DB}
      - DB_PREFIX=wt_
      - WT_USER=${WEBTREES_USER}
      - WT_NAME=Alex
      - WT_PASS=${WEBTREES_PSW}
      - WT_EMAIL=${LE_EMAIL}
    restart: unless-stopped

Now that I have a pretty big tree, I would like to share it with other family members, but I am obviously still struggling to understand how to do that. The goal is to reach WebTrees via a subdomain using HTTPS. This is what I did so far:

  1. In the database, under wt_site_setting, I have added LOGIN_URL with value https://tree.domain.com/login.php, and SERVER_URL with value http://tree.domain.com. Is this necessary? Also, is it intentional that the second uses HTTP protocol instead of HTTPS?
  2. In CloudFlare I have a CNAME record that points to my DDNS url, which then routes the traffic to my Synology NAS. I am unsure if I should add trusted_headers="cf-connecting-ip" to my config.ini.php file, or trusted_proxies="192.168.x.x" (server ip).
  3. The docs say that I have to put a crt and a key file in the /cert folder. Can you explain if there is a common/proper way of generating those? I do have SSL certificates for my server, but they are in .pem format. I also tried following these commands, but I am not sure if that's a valid option.
  4. Set PRETTY_URLS=1, HTTPS=1, HTTPS_REDIRECT=1 in the docker-compose. This seems fine, but I noticed that I started getting some really odd redirect from https://my.domain.com to my server homepage (rather than the correct container port). Is HTTPS_REDIRECT necessary?
  5. My nginx config looks like this:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name tree.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app 192.168.X.X;
            set $upstream_port 9980;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }
  6. From what I understand, the docker-compose environment variables are only used to do the initial database setup. Is that correct? Does that mean I have to now do some manual changes to the database to transition from internal to external access?

I think this pretty much covers all my questions, I hope someone can help me out with this process. Thank you!

NathanVaughn commented 3 years ago
  1. I'm not sure if it's necessary anymore, I had this issue a long time ago setting up webtrees so I added that comment in case anyone else ran into it. The http was intentional, yes. At the time, it didn't like it when I set that to https. In my own installation of webtrees behind a reverse proxy, I have both LOGIN_URL and SERVER_URL set to the external address with https and it works fine.
  2. I'm not sure, I haven't had any issues with Cloudflare needing to trust proxies
  3. That's only if you want the Apache server inside the container to serve the site via HTTPS. Really, I don't recommend this. I personally use Traefik as a reverse proxy in front of all my web apps to manage the SSL certificates with Let's Encrypt. If you really want to generate these, this answer on stackoverflow should be what you need, along with some file re-naming. Though, you're going to get self-signed certificate errors.
  4. PRETTY_URLS doesn't do anything other than make the URLs look nicer. HTTPS_REDIRECT isn't necessary, but if you have HTTPS enabled, it redirects from HTTP to HTTPS automatically. Your issue here likely is BASE_URL. That absolutely must be the domain/hostname you're accessing webtrees by. For example with my own installation, while you could access it via http://localdockerip:80 I access it as https://webtrees.nathanv.app, so I set BASE_URL to that.
  5. I'm not familiar with nginx, sorry.
  6. Anything that starts with DB is used every time you start the container to generate a config file for webtrees to connect to the database, so that's fine. Anything that starts with WT is used exactly once to initialize the database with the first user account. There are no changes needed there to externalize it. The only two things you might need to change are LOGIN_URL and SERVER_URL in the table wt_site_setting as discussed above. I'm not positive if webtrees changes this automatically from the config file.

My own docker-compose.yml for reference:

version: '3'

services:
  app:
    env_file:
      - ./.env
    image: ghcr.io/nathanvaughn/webtrees:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webtrees.rule=Host(`webtrees.nathanv.app`)"
      - "traefik.http.routers.webtrees.service=webtrees"
      - "traefik.http.services.webtrees.loadbalancer.server.port=80"
      - "traefik.http.routers.webtrees.entrypoints=secure"
      - "traefik.http.routers.webtrees.tls=true"
      - "traefik.http.routers.webtrees.tls.certresolver=le"
      - "traefik.http.routers.webtrees.tls.domains[0].sans=*.nathanv.app"
    networks:
      - db_net
      - proxy_net
    restart: unless-stopped
    volumes:
      - app_data:/var/www/webtrees/data/
      - app_media:/var/www/webtrees/media/
      - app_modules:/var/www/webtrees/modules_v4/
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone

volumes:
  app_data:
    driver: local
  app_media:
    driver: local
  app_modules:
    driver: local

networks:
  db_net:
    external: true
  proxy_net:
    external: true

And .env

PRETTY_URLS=1
LANG=en-US
BASE_URL=https://webtrees.nathanv.app
DB_TYPE=mysql
DB_HOST=mariadb
DB_PORT=3306
DB_USER=webtrees
DB_PASS=<databasepassword>
DB_NAME=webtrees
DB_PREFIX=wt_
WT_USER=nathan
WT_NAME="Nathan Vaughn"
WT_PASS=<userpassword>
WT_EMAIL=<useremail>
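A consistency check for the three URL settings discussed in points 4 and 6 above, as an added example (not code from the webtrees-docker project); it assumes the .env format shown here and uses constructed hostnames and addresses in place of real ones:

```python
"""Consistency check for BASE_URL, LOGIN_URL and SERVER_URL behind a proxy.
Added example, not webtrees-docker project code. Reports the mismatches the
thread describes: BASE_URL on the internal IP, http vs https disagreement, or
a host that differs from the one visitors use. Sample values are constructed.
"""
import ipaddress
from urllib.parse import urlparse

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks, comments and surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
    return env

def is_private_address(host):
    """True only for literal private/loopback IPs; DNS names return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def check_urls(env, site_settings, external_host):
    """Return a list of findings; an empty list means the three URLs agree."""
    urls = {"BASE_URL": env.get("BASE_URL", "")}
    urls.update({k: site_settings.get(k, "") for k in ("LOGIN_URL", "SERVER_URL")})
    findings = []
    for name, url in urls.items():
        if not url:
            findings.append(f"{name} is not set")
            continue
        p = urlparse(url)
        if p.scheme != "https":
            findings.append(f"{name} uses {p.scheme or 'no'} scheme, expected https")
        if is_private_address(p.hostname or ""):
            findings.append(f"{name} points at private address {p.hostname}")
        elif p.hostname != external_host:
            findings.append(f"{name} host {p.hostname!r} differs from {external_host!r}")
    return findings

# Constructed sample: the reporter's first attempt, then the working settings.
BEFORE_ENV = parse_env("BASE_URL=http://192.168.1.10:9980\nDB_TYPE=mysql\n")
BEFORE_SITE = {"LOGIN_URL": "https://tree.example.com/login.php",
               "SERVER_URL": "http://tree.example.com"}
AFTER_ENV = parse_env("BASE_URL=https://tree.example.com\nPRETTY_URLS=1\n")
AFTER_SITE = {"LOGIN_URL": "https://tree.example.com",
              "SERVER_URL": "https://tree.example.com"}
```

Run `check_urls(BEFORE_ENV, BEFORE_SITE, "tree.example.com")` to see the three mismatches in the initial setup; the corrected settings return no findings.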

NathanVaughn commented 3 years ago

Closing due to several months with no response

AlexKalopsia commented 2 years ago

Hi Nathan,

I somehow missed all the replies. Just wanted to let you know that I eventually managed to make this work. The only thing I did were:

1) Manually add LOGIN_URL to the database, and make it point to https://tree.mydomain.com
2) Manually add SERVER_URL to the database, and make it point to https://tree.mydomain.com
3) Set BASE_URL to https://tree.mydomain.com
4) Set PRETTY_URLS to 1

Thanks again for the support

NathanVaughn commented 2 years ago

Interesting, I'll add the note about setting SERVER_URL to the database. Webtrees is definitely a little finicky about running behind a reverse proxy.