search

docker-taiga / taiga

docker-compose.yml for simple taiga setup
218 stars 74 forks source link

Apache configuration #28

Closed ctreton closed 4 years ago

ctreton commented 5 years ago

Hi, First of all I'm not used to Nginx, I have a debian server with apache2 server who reverse proxy to taiga docker container with Nginx. SSL is enable. It works for front but webservice and back doesn't. I have a 406 code for websocket and 502 for the back. Here is the console error reporting :

Error

```http GET https://taiga.mydomain.com/api/v1/stats/discover 502 (Bad Gateway) GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&order_by=-total_fans_last_week 502 (Bad Gateway) GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&order_by=-total_activity_last_week 502 (Bad Gateway) GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&is_featured=true 502 (Bad Gateway) WebSocket connection to 'wss://taiga.mydomain.com/events/' failed: Error during WebSocket handshake: Unexpected response code: 426 ```

Here is my Apache configuration :

mydomain.conf

```apache ServerName taiga.mydomain.com ServerAdmin dev@mydomain.com Redirect / https://taiga.mydomain.com/ ServerName taiga.mydomain.com ServerAdmin dev@mydomain.com Header Set X-Robots-Tag "noindex, nofollow, noarchive, nosnippet" SetOutputFilter SUBSTITUTE,DEFLATE SSLProxyEngine On ProxyPreserveHost On ProxyPass / https://localhost:3002/ ProxyPassReverse / https://localhost:3002/ AddOutputFilterByType SUBSTITUTE text/html Substitute "s|https://localhost:3002/|https://taiga.mydomain.com/|i" ErrorLog ${APACHE_LOG_DIR}/taiga_error.log CustomLog ${APACHE_LOG_DIR}/taiga_access.log combined SSLCertificateFile /etc/letsencrypt/live/taiga.mydomain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/taiga.mydomain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf Order deny,allow Allow from all Allow from localhost ```

Here is my Nginx configuration :

nginx.conf

```nginx server { server_name taiga.mydomain.com; listen 80; location / { return 302 https://$server_name$request_uri; } } server { server_name taiga.mydomain.com; listen 443 ssl; ssl_certificate /taiga-cert/fullchain.pem; ssl_certificate_key /taiga-cert/privkey.pem; location ^~ /events { proxy_pass http://events:8888/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_connect_timeout 7d; proxy_send_timeout 7d; proxy_read_timeout 7d; } location ^~ /api { include proxy_params; proxy_pass http://back; } location ^~ /admin { include proxy_params; proxy_pass http://back; } location ^~ /static { include proxy_params; proxy_pass http://back; } location ^~ /media { include proxy_params; proxy_pass http://back; } location / { include proxy_params; proxy_pass http://front; } } ```

And here is the docker compose configuration :

docker-compose.yml

```yml version: '3' services: back: image: dockertaiga/back container_name: taiga-back restart: unless-stopped depends_on: - db - events networks: - default volumes: - ./data/media:/taiga-media - ./conf/back:/taiga-conf env_file: - variables.env front: image: dockertaiga/front container_name: taiga-front restart: unless-stopped networks: - default volumes: - ./conf/front:/taiga-conf env_file: - variables.env db: image: postgres:11-alpine container_name: taiga-db restart: unless-stopped networks: - default env_file: - variables.env volumes: - ./data/db:/var/lib/postgresql/data rabbit: image: dockertaiga/rabbit container_name: taiga-rabbit restart: unless-stopped networks: - default env_file: - variables.env events: image: dockertaiga/events container_name: taiga-events restart: unless-stopped depends_on: - rabbit networks: - default env_file: - variables.env proxy: image: dockertaiga/proxy container_name: taiga-proxy restart: unless-stopped depends_on: - back - front - events networks: - default ports: - 3002:443 - 3003:80 volumes: - /etc/letsencrypt/live/taiga.mydomain.com/:/taiga-cert - /etc/letsencrypt/archive/:/archive - ./conf/proxy:/taiga-conf env_file: - variables.env networks: default: ```

Any ideas ?

ctreton commented 5 years ago

Ok, I just found for the websocket. There was some missing lines on apache configuration.

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/events/(.*)    wss://localhost:3002/events/$1 [P,L]

Thanks to https://stackoverflow.com/a/43592531

I'm still in trouble with the 502 on back calls with sadly no logs...

ctreton commented 5 years ago

@michaelr-iq you seems to get over this but i don't understand how :) Could you please help me ?

w1ck3dg0ph3r commented 4 years ago

@ctreton Hi! Sorry, I haven't used Apache in ages, but it seems you are terminating SSL on Apache's side and then also proxying to taiga-proxy's https port, could that be the cause? Also, if you'd like to use Apache, you can ditch the nginx proxy container altogether, theres not much sense in double reverse proxying, I suppose.

mich4xD commented 4 years ago

@ctreton sorry for the very late reply!

Here's my conf.d file for the apache routing:

<VirtualHost *:80>

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ServerName project.YOURDOMAIN.com
ServerAlias www.project.YOURDOMAIN.com

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>

<VirtualHost *:443>

ServerName project.YOURDOMAIN.com
ServerAlias www.project.YOURDOMAIN.com

Header add X-Forwarded-Proto "https"
RequestHeader add X-Forwarded-Proto "https"

# Logging
LogLevel warn
ErrorLog project.YOURDOMAIN.com-error_log
CustomLog project.YOURDOMAIN.com-access_log combined

# Reverse proxy configuration
<Location />
ProxyPass http://localhost:10380/
ProxyPassReverse http://localhost:10380/
</Location>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem

</VirtualHost>

Make sure that your SELINUX is disabled just in case. With that in mind, I'd recommend you look into apache alternatives such as traefik.

Me and my co-worker have made docker based start up environment for projects. It includes a project managment tool, docker repo, nuget/npm package repo, ci/cd, and a git repo. The taiga docker compose uses trafeik labels for externall exposing it, so you can look into that for inspiration. Here's the link for it: https://github.com/shrideio/shoebox

Also, @w1ck3dg0ph3r, good job on this. I'm sure it's helpful for many people that can't afford to pay for project managment tools!

gerroon commented 4 years ago

I need to use this conf but I want to makre sure that I can proxy Taiga under a subpath. Is it possible to proxy it to something like https://MYDOMAIN/taiga?

ctreton commented 4 years ago

Sorry for the delay too, but we choose another tool to manage our projects since I didn't succeed to make it working.