Closed ltouro closed 6 years ago
Close #291
We can avoid bind-mounting docker socket on the edge proxy -- considering it is exposed on the internet -- by using yet another container to generate the nginx templates. Please advise if that is required.
Hi @ltouro, many thanks for that!
I tried it out but got an error:
$ docker-compose -f docker-compose.yml -f docker-compose.prod.yml up
ERROR: yaml.parser.ParserError: while parsing a block mapping
in "./docker-compose.prod.yml", line 1, column 1
expected <block end>, but found '<block mapping start>'
in "./docker-compose.prod.yml", line 22, column 3
I think the proxy block is indented with 4 spaces and the rest of the services is indented with 2 spaces.
Other comments:

- jwilder/nginx-proxy working with docker-compose.yml version 3? It used to require version 2.
- docker-compose.prod.yml: I guess the How to test it (opening message of the PR) part should be docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d, not only docker-compose up -d… is that right or am I missing something here?

Fixing the indentation issue I got:
ERROR: Named volume "proxy/certs:/etc/nginx/certs:rw" is used in service "proxy" but no declaration was found in the volumes section.
@cuducos Sorry about that. Misunderstood named volumes as I'm still using bind-mount on my case. It should work now.
About jwilder/nginx-proxy, I'm currently using it with compose v3 with no problem.
About testing, you are right. You should use both compose files as they are incremental (did not notice that previously)
I removed the "bridge" network setting in favor of the engine default (which changes to overlay if u are in Swarm mode, cool).
@caduvieira Thanks for the comments. All the content that goes on these named volumes is ephemeral and will be recreated in absence. Only the Diffie–Hellman key takes a couple of minutes to create, but I think that is okay.
It seems to be working now. Any way you'd recommend to test it locally (even without HTTPS) just to check before putting it in production servers? Maybe changing VIRTUAL_HOST and LETSENCRYPT_HOST to something I could edit in my /etc/hosts?

Otherwise I'll try setting up the DNS to new servers for a brief one of these days.

BTW may I suggest parametrizing these …_HOST environment vars so we can easily set up staging and production environments? Something along these lines.
@cuducos /etc/hosts will not work in this case because the process involves external servers that will check the existence of a specific file at domain.tld/.well-know. So you will need the DNS properly configured to test the certificate generation.
@cuducos Should we provide a default value for LETSENCRYPT_EMAIL? It is for expire notices from Let's Encrypt.
LETSENCRYPT_HOST: ${VIRTUAL_HOST_WEB}
VIRTUAL_HOST: ${VIRTUAL_HOST_WEB}
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL-jarbas@serenatadeamor.org}
> /etc/hosts will not work in this case because the process involves external servers that will check the existence of a specific file at domain.tld/.well-know

It wouldn't work even with HTTP on port 80? Ok…

> Should we provide a default value for LETSENCRYPT_EMAIL? It is for expire notices from Let's Encrypt.

Yep… it could be op.serenatadeamor@gmail.com ; )

Many thanks!
@cuducos I see what you mean. You could test HTTP using HTTPS_METHOD env with "noredirect" value (I parametrized that too). This way, you can still access the container on port 80. Otherwise, the edge-proxy will redirect you to HTTPS automatically.
Hi @ltouro, would you mind helping properly testing the PR?
Not sure if I am forgetting a step or something…

- Added 127.0.0.1 local.jarbas.serenatadeamor.org and 0.0.0.0 local.jarbas.serenatadeamor.org to my /etc/hosts
- Added VIRTUAL_HOST_WEB=local.jarbas.serenatadeamor.org and HTTPS_METHOD=noredirect to .env.prod
- Ran docker-compose -f docker-compose.yml -f docker-compose.prod.yml up and waited several minutes (I know it takes a while to generate the proper hashes)

Port 80 responds with 502 and 443 is non-responsive:

$ curl -I local.jarbas.serenatadeamor.org:80
HTTP/1.1 502 Bad Gateway
Server: nginx/1.13.6
Date: Mon, 04 Dec 2017 15:44:24 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
$ curl -I local.jarbas.serenatadeamor.org:443
curl: (52) Empty reply from server
Here are my containers:
$ docker-compose -f docker-compose.yml -f docker-compose.prod.yml ps
WARNING: Some services (proxy) use the 'deploy' key, which will be ignored. Compose does not support 'deploy' configuration - use `docker stack deploy` to deploy to a swarm.
Name Command State Ports
---------------------------------------------------------------------------------------------------------
jarbas_django_1 gunicorn jarbas.wsgi:appli ... Up 8000/tcp
jarbas_elm_1 npm run assets Exit 0
jarbas_memcached_1 docker-entrypoint.sh memcached Up 11211/tcp
jarbas_nginx_1 nginx -g daemon off; Up 80/tcp
jarbas_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp
jarbas_proxy-certs_1 /bin/bash /app/entrypoint. ... Up
jarbas_queue_1 docker-entrypoint.sh rabbi ... Up 25672/tcp, 4369/tcp, 5671/tcp, 5672/tcp
jarbas_tasks_1 /bin/sh -c celery worker - ... Up 8000/tcp
proxy /app/docker-entrypoint.sh ... Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
And here are the logs:
I see that nginx container logged django could not be resolved (3: Host not found) — so the proxy using django (name of the container) might not be working… Any idea about what I might be leaving behind?
@cuducos I think the error is related to not including the django container in the newly created network backend. All HTTP-exposed containers should be added to this network.

We need something like (docker-compose-prod.yml:32~44):

```yaml
django:
  env_file:
    - .env
  environment:
    - DEBUG=False
  depends_on:
    - memcached
  expose:
    - "8000"
  volumes:
    - assets:/code/staticfiles
  entrypoint: ["gunicorn", "jarbas.wsgi:application", "--reload", "--bind", "0.0.0.0:8000", "--workers", "4"]
  networks:
    - backend
```
Should I update this PR or we follow on #294?
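Two points in this thread lend themselves to an automated check before a compose file reaches a production host: keeping the Docker socket off the internet-facing proxy (ltouro's opening comment) and making sure every service that another service must resolve by name shares a network with it (the `django could not be resolved` error above). The script below is an added example, not code from this PR or the Jarbas project; the service names, the images (including `jwilder/docker-gen` for the split proxy/template-generator layout) and both compose layouts are constructed to illustrate the checks, and the compose data is written as a dict in the shape `yaml.safe_load()` returns so the example runs without PyYAML.

```python
"""Lint a Compose service graph for two mistakes discussed in this thread.

1. A service that publishes host ports *and* bind-mounts the Docker socket
   (an internet-facing proxy holding the socket is effectively root on the host).
2. A service that must reach another service by name but shares no network
   with it (nginx then fails with "host not found").

Constructed example: the compose data is a hand-written dict in the shape
yaml.safe_load() returns; names and images are illustrative, not the
project's real docker-compose.prod.yml.
"""

DOCKER_SOCKET = "/var/run/docker.sock"


def volume_source(entry):
    """Host side of a volume entry in either short ("src:dst:ro") or long syntax."""
    if isinstance(entry, str):
        return entry.split(":", 1)[0]
    return entry.get("source", "")


def mounts_docker_socket(service):
    return any(volume_source(v) == DOCKER_SOCKET for v in service.get("volumes", []))


def publishes_ports(service):
    """Only 'ports' reaches the host; 'expose' stays inside the Compose networks."""
    return bool(service.get("ports"))


def env_keys(service):
    """'environment' may be a mapping or a list of KEY=value strings."""
    env = service.get("environment", {})
    if isinstance(env, dict):
        return set(env)
    return {item.split("=", 1)[0] for item in env}


def networks_of(service):
    """A service without a 'networks' key joins only the project's default network."""
    nets = service.get("networks")
    return set(nets) if nets else {"default"}


def socket_exposure(compose):
    """Services that are both reachable from outside and hold the Docker socket."""
    return sorted(
        name for name, svc in compose["services"].items()
        if publishes_ports(svc) and mounts_docker_socket(svc)
    )


def unreachable_pairs(compose, proxy="proxy"):
    """(client, target) pairs where client must resolve target but shares no network.

    Two relations are checked: the proxy must reach every service that sets
    VIRTUAL_HOST, and every service must reach each entry in its depends_on.
    """
    services = compose["services"]
    wanted = []
    for name, svc in services.items():
        if name != proxy and "VIRTUAL_HOST" in env_keys(svc):
            wanted.append((proxy, name))
        deps = svc.get("depends_on", [])
        for dep in (deps if isinstance(deps, list) else list(deps)):
            wanted.append((name, dep))
    return sorted(
        (a, b) for a, b in wanted
        if a in services and b in services
        and not (networks_of(services[a]) & networks_of(services[b]))
    )


# Constructed "before": the published proxy holds the socket, and django
# (needed by nginx) was left off the backend network.
BEFORE = {
    "services": {
        "proxy": {"image": "jwilder/nginx-proxy", "ports": ["80:80", "443:443"],
                  "volumes": [f"{DOCKER_SOCKET}:/tmp/docker.sock:ro"],
                  "networks": ["backend"]},
        "nginx": {"environment": {"VIRTUAL_HOST": "example.invalid"},
                  "depends_on": ["django"], "networks": ["backend"]},
        "django": {"expose": ["8000"], "depends_on": ["postgres"]},
        "postgres": {},
    },
    "networks": {"backend": {}},
}

# Constructed "after": only an unpublished docker-gen container sees the socket,
# and django sits on both the backend network and the default one.
AFTER = {
    "services": {
        "proxy": {"image": "nginx", "ports": ["80:80", "443:443"], "networks": ["backend"]},
        "docker-gen": {"image": "jwilder/docker-gen",
                       "volumes": [f"{DOCKER_SOCKET}:/tmp/docker.sock:ro"],
                       "networks": ["backend"]},
        "nginx": {"environment": {"VIRTUAL_HOST": "example.invalid"},
                  "depends_on": ["django"], "networks": ["backend"]},
        "django": {"expose": ["8000"], "depends_on": ["postgres"],
                   "networks": ["backend", "default"]},
        "postgres": {},
    },
    "networks": {"backend": {}},
}

if __name__ == "__main__":
    for label, compose in (("before", BEFORE), ("after", AFTER)):
        print(label, "socket exposed on:", socket_exposure(compose))
        print(label, "unreachable pairs:", unreachable_pairs(compose))
```

Against a real project the dict would come from `yaml.safe_load()` over the merged configuration that `docker-compose -f docker-compose.yml -f docker-compose.prod.yml config` prints, since, as noted above, the two files are incremental and neither is complete on its own.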
> @cuducos I think the error is related to not including the django container in the newly created network backend. All HTTP-exposed containers should be added to this network.
Many thanks, I haven't had the chance to test it yet, but I'll test it soon!
> Should I update this PR or we follow on #294?
Baby steps. First let's make sure this PR is merged, then we look at #294 ; ) Would you mind updating it here?
Yay! Now it works : ) Many many thanks for all the support @ltouro! 🎉
I did some minor additions to your branch. Would you mind cherry-picking these changes to your PR? This is the branch with my suggestions. Namely:

Idea | Commit
---|---
Document new production variables | f8b6f32e1dec6ece93d5f3e37fd5730cf27ba793
Auto-set Django ALLOWED_HOSTS with the host name you added as an envvar | 72c550e3c2e82485ce9173b43708b8a1e6e1b96a
I opted to keep .env with local/dev values and add a .env.prod for production | bd0d85ee81e7fb95c8b44ebe765872991b9ba72b
What do you think?
On other news: do you use Twitter? Probably gonna tweet a huge thank you, this contribution is very very important ; )
Picked up your suggestions. First time I cherry-pick, hope I got it right.
I don't use Twitter, but feel congratulated already! Thanks :dog:
Fix #291
Change prod docker-compose file to use proxy to handle SSL Offload and auto SSL certificate renewal.
What is the purpose of this Pull Request? Ease the certificate renewal and related operations
What was done to achieve this purpose? Used jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion container images.
How to test if it really works?
Certificate shall be generated on start.
Who can help reviewing it? cuducos
TODO