Merge 241a5ff2e6 into 968c720aab

.env.example

@@ -7,6 +7,8 @@ USE_HTTPS=true
 
 DOMAIN=your.domain.here
 EMAIL=your@email.here
+# docker compose NGINX setup: development, production, reverse_proxy
+NGINX_SETUP=development
 
 # Instance default language (see options at bookwyrm/settings.py "LANGUAGES"
 LANGUAGE_CODE="en-us"

bw-dev

@@ -93,6 +93,9 @@ case "$CMD" in
     initdb)
         initdb "$@"
         ;;
+    init_ssl)
+        $DOCKER_COMPOSE --file ./docker-compose-init_letsencrypt.yml up --exit-code-from=certbot
+        ;;
     resetdb)
         prod_error
         $DOCKER_COMPOSE rm -svf

docker-compose-init_letsencrypt.yml

@@ -0,0 +1,28 @@
+services:
+  nginx:
+    image: nginx:1.25.2
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - main
+    environment:
+      - DOMAIN=${DOMAIN}
+    volumes:
+      - ./nginx/locations:/etc/nginx/conf.d/locations
+      - ./nginx/server_config:/etc/nginx/conf.d/server_config
+      - ./nginx/server_name:/etc/nginx/conf.d/server_name
+      - ./nginx/ssl_bootstrap:/etc/nginx/templates/default.conf.template
+      - ./certbot/conf:/etc/nginx/ssl
+      - ./certbot/data:/var/www/certbot
+  certbot:
+    image: certbot/certbot:latest
+    command: certonly --webroot --webroot-path=/var/www/certbot --keep-until-expiring --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN} -d www.${DOMAIN}
+    depends_on:
+      - nginx
+    volumes:
+      - ./certbot/conf:/etc/letsencrypt
+      - ./certbot/logs:/var/log/letsencrypt
+      - ./certbot/data:/var/www/certbot
+networks:
+  main:

docker-compose.yml

@@ -3,13 +3,21 @@ services:
     image: nginx:1.25.2
     restart: unless-stopped
     ports:
-      - "1333:80"
+      - "${PORT:-80}:80"
+      - "${PORT:-443:443}"
     depends_on:
       - web
     networks:
       - main
+    environment:
+      - DOMAIN=${DOMAIN}
     volumes:
-      - ./nginx:/etc/nginx/conf.d
+      - ./nginx/locations:/etc/nginx/conf.d/locations
+      - ./nginx/server_config:/etc/nginx/conf.d/server_config
+      - ./nginx/server_name:/etc/nginx/conf.d/server_name
+      - ./nginx/${NGINX_SETUP:-development}:/etc/nginx/templates/default.conf.template
+      - ./certbot/conf:/etc/nginx/ssl
+      - ./certbot/data:/var/www/certbot
       - static_volume:/app/static
       - media_volume:/app/images
   db:

nginx/development

@@ -3,6 +3,9 @@ include /etc/nginx/conf.d/server_config;
 upstream web {
     server web:8000;
 }
+upstream flower {
+    server flower:8888;
+}
 
 server {
     access_log /var/log/nginx/access.log cache_log;
@@ -39,53 +42,5 @@ server {
     proxy_no_cache      $cookie_sessionid;
     proxy_cache_bypass  $cookie_sessionid;
 
-    # tell the web container the address of the outside client
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_redirect off;
-
-    # rate limit the login or password reset pages
-    location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
-        limit_req zone=loginlimit;
-        proxy_pass http://web;
-    }
-
-    # do not log periodic polling requests from logged in users
-    location /api/updates/ {
-        access_log off;
-        proxy_pass http://web;
-    }
-
-    # forward any cache misses or bypass to the web container
-    location / {
-        proxy_pass http://web;
-    }
-
-    # directly serve static files from the
-    # bookwyrm filesystem using sendfile.
-    # make the logs quieter by not reporting these requests
-    location /static/ {
-        root /app;
-        try_files $uri =404;
-        add_header X-Cache-Status STATIC;
-        access_log off;
-    }
-
-    # same with image files not in static folder
-    location /images/ {
-        location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
-            root /app;
-            try_files $uri =404;
-            add_header X-Cache-Status STATIC;
-            access_log off;
-        }
-        # block access to any non-image files from images
-        return 403;
-    }
-
-    # monitor the celery queues with flower, no caching enabled
-    location /flower/ {
-       proxy_pass http://flower:8888;
-       proxy_cache_bypass 1;
-    }
+    include /etc/nginx/conf.d/locations;
 }

nginx/locations

@@ -0,0 +1,48 @@
+
+# tell the web container the address of the outside client
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_redirect off;
+
+location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+    limit_req zone=loginlimit;
+    proxy_pass http://web;
+}
+
+# do not log periodic polling requests from logged in users
+location /api/updates/ {
+    access_log off;
+    proxy_pass http://web;
+}
+
+location / {
+    proxy_pass http://web;
+}
+
+# directly serve static files from the
+# bookwyrm filesystem using sendfile.
+# make the logs quieter by not reporting these requests
+location /static/ {
+    root /app;
+    try_files $uri =404;
+    add_header X-Cache-Status STATIC;
+    access_log off;
+}
+
+# same with image files not in static folder
+location /images/ {
+    location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
+        root /app;
+        try_files $uri =404;
+        add_header X-Cache-Status STATIC;
+        access_log off;
+    }
+    # block access to any non-image files from images
+    return 403;
+}
+
+# monitor the celery queues with flower, no caching enabled
+location /flower/ {
+   proxy_pass http://flower;
+   proxy_cache_bypass 1;
+}

nginx/production

@@ -3,144 +3,82 @@ include /etc/nginx/conf.d/server_config;
 upstream web {
     server web:8000;
 }
+upstream flower{
+    server flower:8888;
+}
 
 server {
     listen [::]:80;
     listen 80;
 
-    server_name your-domain.com www.your-domain.com;
+    include /etc/nginx/conf.d/server_name;
 
     location ~ /.well-known/acme-challenge {
         allow all;
         root /var/www/certbot;
     }
 
-#     # redirect http to https
-#     return 301 https://your-domain.com$request_uri;
+    # redirect http to https
+    return 301 https://${DOMAIN}$request_uri;
 }
 
 
-# server {
-#     access_log /var/log/nginx/access.log cache_log;
-#
-#     listen [::]:443 ssl http2;
-#     listen 443 ssl http2;
-#
-#     server_name your-domain.com;
-#
-#     client_max_body_size 3M;
-#
-#     if ($host != "your-domain.com") {
-#         return 301 $scheme://your-domain.com$request_uri;
-#     }
-#
-#     # SSL code
-#     ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
-#     ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
-#
-#     location ~ /.well-known/acme-challenge {
-#         allow all;
-#         root /var/www/certbot;
-#     }
-#
-#     sendfile on;
-#     tcp_nopush on;
-#     tcp_nodelay on;
-#     keepalive_timeout 65;
-#     types_hash_max_size 2048;
-#     #include /etc/nginx/mime.types;
-#     #default_type application/octet-stream;
-#
-#     gzip on;
-#     gzip_disable "msie6";
-#
-#     proxy_read_timeout 1800s;
-#     chunked_transfer_encoding on;
-#
-#     # store responses to anonymous users for up to 1 minute
-#     proxy_cache bookwyrm_cache;
-#     proxy_cache_valid any 1m;
-#     add_header X-Cache-Status $upstream_cache_status;
-#
-#     # ignore the set cookie header when deciding to
-#     # store a response in the cache
-#     proxy_ignore_headers Cache-Control Set-Cookie Expires;
-#
-#     # PUT requests always bypass the cache
-#     # logged in sessions also do not populate the cache
-#     # to avoid serving personal data to anonymous users
-#     proxy_cache_methods GET HEAD;
-#     proxy_no_cache      $cookie_sessionid;
-#     proxy_cache_bypass  $cookie_sessionid;
-#
-#     # tell the web container the address of the outside client
-#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#     proxy_set_header Host $host;
-#     proxy_redirect off;
-#
-#     location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
-#         limit_req zone=loginlimit;
-#         proxy_pass http://web;
-#     }
-#
-#     # do not log periodic polling requests from logged in users
-#     location /api/updates/ {
-#         access_log off;
-#         proxy_pass http://web;
-#     }
-#
-#     location / {
-#         proxy_pass http://web;
-#     }
-#
-#     # directly serve static files from the
-#     # bookwyrm filesystem using sendfile.
-#     # make the logs quieter by not reporting these requests
-#     location /static/ {
-#         root /app;
-#         try_files $uri =404;
-#         add_header X-Cache-Status STATIC;
-#         access_log off;
-#     }
-#
-#     # same with image files not in static folder
-#     location /images/ {
-#         location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
-#             root /app;
-#             try_files $uri =404;
-#             add_header X-Cache-Status STATIC;
-#             access_log off;
-#         }
-#         # block access to any non-image files from images
-#         return 403;
-#     }
-#
-#     # monitor the celery queues with flower, no caching enabled
-#     location /flower/ {
-#        proxy_pass http://flower:8888;
-#        proxy_cache_bypass 1;
-#     }
-# }
+server {
+    access_log /var/log/nginx/access.log cache_log;
 
-# Reverse-Proxy server
-# server {
-#     listen [::]:8001;
-#     listen 8001;
+    listen [::]:443 ssl;
+    listen 443 ssl;
 
-#     server_name your-domain.com www.your-domain.com;
+    http2 on;
 
-#     location / {
-#         proxy_pass http://web;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header Host $host;
-#         proxy_redirect off;
-#     }
+    include /etc/nginx/conf.d/server_name;
 
-#     location /images/ {
-#         alias /app/images/;
-#     }
+    client_max_body_size 3M;
+
+    if ($host != "${DOMAIN}") {
+        return 301 $scheme://${DOMAIN}$request_uri;
+    }
+
+    # SSL code
+    ssl_certificate /etc/nginx/ssl/live/${DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/${DOMAIN}/privkey.pem;
+
+    location ~ /.well-known/acme-challenge {
+        allow all;
+        root /var/www/certbot;
+    }
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    #include /etc/nginx/mime.types;
+    #default_type application/octet-stream;
+
+    gzip on;
+    gzip_disable "msie6";
+
+    proxy_read_timeout 1800s;
+    chunked_transfer_encoding on;
+
+    # store responses to anonymous users for up to 1 minute
+    proxy_cache bookwyrm_cache;
+    proxy_cache_valid any 1m;
+    add_header X-Cache-Status $upstream_cache_status;
+
+    # ignore the set cookie header when deciding to
+    # store a response in the cache
+    proxy_ignore_headers Cache-Control Set-Cookie Expires;
+
+    # PUT requests always bypass the cache
+    # logged in sessions also do not populate the cache
+    # to avoid serving personal data to anonymous users
+    proxy_cache_methods GET HEAD;
+    proxy_no_cache      $cookie_sessionid;
+    proxy_cache_bypass  $cookie_sessionid;
+
+    include /etc/nginx/conf.d/locations;
+
+}
 
-#     location /static/ {
-#         alias /app/static/;
-#     }
-# }

nginx/reverse_proxy

@@ -0,0 +1,19 @@
+include /etc/nginx/conf.d/server_config;
+
+upstream web {
+    server web:8000;
+}
+
+upstream flower{
+    server flower:8888;
+}
+
+# Reverse-Proxy server
+server {
+    listen [::]:8001;
+    listen 8001;
+
+    include /etc/nginx/conf.d/server_name;
+
+    include /etc/nginx/conf.d/locations;
+}

nginx/server_name

@@ -0,0 +1 @@
+server_name ${DOMAIN} www.${DOMAIN};

nginx/ssl_bootstrap

@@ -0,0 +1,11 @@
+server {
+    listen [::]:80;
+    listen 80;
+
+    include /etc/nginx/conf.d/server_name;
+
+    location ~ /.well-known/acme-challenge {
+        allow all;
+        root /var/www/certbot;
+    }
+}