From 446cdd5c70c3e874a588018e8cdc4633a90d6623 Mon Sep 17 00:00:00 2001
From: Alex Hyett
Date: Wed, 20 Jan 2021 10:44:42 +0000
Subject: [PATCH] Add NGinx and Insecure Traefik
---
README.md | 25 +++++++++-
docker-compose.nginx.yml | 21 ++++++++
docker-compose.traefik.yml | 28 +++++++++++
nginx/Dockerfile | 26 ++++++++++
nginx/default.conf | 44 +++++++++++++++++
nginx/nginx.conf | 98 ++++++++++++++++++++++++++++++++++++++
nginx/nginx.sh | 18 +++++++
traefik/traefik.toml | 12 +++++
8 files changed, 271 insertions(+), 1 deletion(-)
create mode 100644 docker-compose.nginx.yml
create mode 100644 docker-compose.traefik.yml
create mode 100644 nginx/Dockerfile
create mode 100644 nginx/default.conf
create mode 100644 nginx/nginx.conf
create mode 100644 nginx/nginx.sh
create mode 100644 traefik/traefik.toml
diff --git a/README.md b/README.md
index 0fb6d0c..29e5ea9 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,25 @@
 # traefik-vs-nginx-docker
-Examples showing how to use Traefik and Nginx for Reverse Proxy
+
+Examples showing how to use Traefik and Nginx for Reverse Proxy.
+
+This repository is to complement my blog post on this topic, [Traefik vs Nginx for Reverse Proxy with Docker on a Raspberry Pi](https://www.alexhyett.com/traefik-vs-nginx-docker-raspberry-pi).
+
+## NGINX Example
+
+```
+docker-compose -f docker-compose.nginx.yml up
+```
+
+You will then be able to access whoami from http://localhost/whoami.
+
+## Traefik Example
+
+For traefik I have included 2 version, one insecure version for local use and a SSL password protected version.
+
+### Insecure version
+
+```
+docker-compose -f docker-compose.traefik.yml up
+```
+
+You will then be able to access whoami from http://localhost/whoami and the Traefik dashboard from http://localhost:8080.
diff --git a/docker-compose.nginx.yml b/docker-compose.nginx.yml
new file mode 100644
index 0000000..dc17898
--- /dev/null
+++ b/docker-compose.nginx.yml
@@ -0,0 +1,21 @@
+version: '3.4'
+services:
+ nginx:
+ build: nginx
+ restart: 'unless-stopped'
+ networks:
+ - pi
+ ports:
+ - '80:80'
+ depends_on:
+ - whoami
+
+ whoami:
+ image: 'traefik/whoami'
+ restart: 'unless-stopped'
+ networks:
+ - pi
+
+networks:
+ pi:
+ external: true
diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml
new file mode 100644
index 0000000..a044902
--- /dev/null
+++ b/docker-compose.traefik.yml
@@ -0,0 +1,28 @@
+version: '3.4'
+services:
+ traefik:
+ image: 'traefik:2.3'
+ container_name: 'traefik'
+ restart: 'unless-stopped'
+ ports:
+ - '80:80'
+ - '8080:8080'
+ volumes:
+ - '/var/run/docker.sock:/var/run/docker.sock:ro'
+ - ./traefik/traefik.toml:/traefik.toml
+ networks:
+ - pi
+
+ whoami:
+ image: 'traefik/whoami'
+ restart: 'unless-stopped'
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.whoami.rule=PathPrefix(`/whoami{regex:$$|/.*}`)'
+ - 'traefik.http.services.whoami.loadbalancer.server.port=80'
+ networks:
+ - pi
+
+networks:
+ pi:
+ external: true
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..cbdf9f7
--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,26 @@
+FROM debian:buster-slim
+
+# Default timezone to UTC
+ENV TMZ UTC
+
+COPY nginx.sh /usr/bin/nginx.sh
+RUN chmod 755 /usr/bin/nginx.sh
+
+RUN export DEBIAN_FRONTEND='noninteractive' && \
+ apt-get update -qq && \
+ apt-get install -qqy --no-install-recommends nginx &&\
+ apt-get clean && \
+ sed -i 's/#gzip/gzip/' /etc/nginx/nginx.conf && \
+ sed -i "/http_x_forwarded_for\"';/s/';/ '/" /etc/nginx/nginx.conf && \
+ rm -rf /etc/nginx/sites-enabled/* && \
+ rm -rf /var/lib/apt/lists/* /tmp/*
+
+# forward request and error logs to docker log collector
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY default.conf /etc/nginx/conf.d/
+
+EXPOSE 80 443
+
+ENTRYPOINT ["nginx.sh"]
\ No newline at end of file
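Review bot: In docker-compose.traefik.yml the `- '8080:8080'` mapping publishes Traefik's API and dashboard on every host interface, and traefik/traefik.toml in this commit sets `insecure = true`, so anyone who can reach the host on port 8080 gets the unauthenticated API. For the local-only use the README describes, bind it to loopback with `- '127.0.0.1:8080:8080'`. The `:ro` on `/var/run/docker.sock` only stops the socket file itself being replaced; the container can still issue any Docker API call through it. A comment above that volume line, such as `# docker.sock gives Traefik full control of the Docker daemon; :ro does not restrict API calls`, would help readers who copy this file.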
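Review bot: `EXPOSE 80 443` in nginx/Dockerfile advertises a TLS port that nothing in this commit serves: nginx/default.conf only has `listen 80 default_server;` and docker-compose.nginx.yml only publishes `'80:80'`. Either reduce it to `EXPOSE 80` or add the 443 server block and certificates it implies, so readers are not led to think this proxy terminates HTTPS. As written, all traffic through the example is cleartext.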
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..1efc40f
--- /dev/null
+++ b/nginx/default.conf
@@ -0,0 +1,44 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# HTTP Server
+server {
+ listen 80 default_server;
+ # listen [::]:80 default_server ipv6only=on;
+ root /srv/www;
+
+ # Make site accessible from http://localhost/
+ server_name localhost;
+
+ error_log stderr notice;
+
+ #location-start
+ location /whoami {
+ proxy_pass http://whoami;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+
+
+ ## Required for websockets
+ proxy_http_version 1.1;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_read_timeout 600s;
+
+ ## Optional: Do not log, get it at the destination
+ access_log off;
+ }
+ #location-end
+}
\ No newline at end of file
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..70e8488
--- /dev/null
+++ b/nginx/nginx.conf
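Review bot: `access_log off;` inside `location /whoami` in nginx/default.conf drops the request log at the one hop that sees the client connection directly; the upstream only learns the client address from the headers this block sets, and `X-Forwarded-For` includes whatever the client sent. Deleting the `access_log off;` line keeps an audit trail at the edge, and the Dockerfile already links access.log to stdout. Also, `proxy_set_header Connection "upgrade";` is sent on every proxied request, not only websocket handshakes. The usual pattern is a `map $http_upgrade $connection_upgrade` in the http block with `proxy_set_header Connection $connection_upgrade;` here.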
@@ -0,0 +1,98 @@
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ client_max_body_size 0;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /config/log/nginx/access.log;
+ error_log /config/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /config/nginx/site-confs/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
+daemon off;
diff --git a/nginx/nginx.sh b/nginx/nginx.sh
new file mode 100644
index 0000000..63e44b4
--- /dev/null
+++ b/nginx/nginx.sh
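Review bot: `client_max_body_size 0;` in nginx/nginx.conf turns off nginx's request-body size check, so any client can push arbitrarily large uploads through the proxy; set an explicit cap such as `client_max_body_size 1m;` and raise it only on routes that need more. As far as this commit shows, the file is not used at all: nginx/Dockerfile copies only default.conf and edits the distribution's /etc/nginx/nginx.conf with sed. If it is wired in later, nothing in this image creates `user abc;` or the `/config/...` log and site-confs paths. The trailing `daemon off;` would also likely clash with the `-g "daemon off;"` that nginx.sh already passes.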
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -o nounset # Treat unset variables as an error
+
+### timezone: Set the timezone for the container
+timezone="$TMZ"
+[[ -e /usr/share/zoneinfo/$timezone ]] || {
+ echo "ERROR: invalid timezone specified: $timezone" >&2
+ return
+}
+
+if [[ -w /etc/timezone && $(cat /etc/timezone) != $timezone ]]; then
+ echo "$timezone" >/etc/timezone
+ ln -sf /usr/share/zoneinfo/$timezone /etc/localtime
+ dpkg-reconfigure -f noninteractive tzdata >/dev/null 2>&1
+fi
+
+# Start Nginx
+exec nginx -g "daemon off;"
\ No newline at end of file
diff --git a/traefik/traefik.toml b/traefik/traefik.toml
new file mode 100644
index 0000000..eee8a46
--- /dev/null
+++ b/traefik/traefik.toml
@@ -0,0 +1,12 @@
+[entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+[api]
+ dashboard = true
+ insecure = true
+
+[providers.docker]
+ watch = true
+ network = "web"
+ exposedByDefault = false
\ No newline at end of file
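Review bot: The `return` in the invalid-timezone branch of nginx/nginx.sh does not stop the script: the file runs as the image entrypoint rather than being sourced, so bash reports an error for `return` and carries on to the `/etc/timezone` block and then starts nginx with the bad value. Use `exit 1` there so a misconfigured container fails visibly. `$timezone` is also unquoted on the right of `!=` and in the `ln -sf` target; `!= "$timezone"` and `"/usr/share/zoneinfo/$timezone"` avoid pattern matching and word splitting on an operator-supplied value.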
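Review bot: `network = "web"` under `[providers.docker]` in traefik/traefik.toml does not match docker-compose.traefik.yml in this commit, where both services join the external network `pi`, so Traefik is pointed at a network none of the containers is attached to. `network = "pi"` keeps the two files consistent. A comment above `insecure = true`, for example `# local demo only: serves the API and dashboard without authentication on :8080`, would make the exposure visible to anyone copying the file.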