Support ACME feature of autopilotpattern/nginx #34
Conversation
| @@ -0,0 +1,95 @@ | |||
| user nginx; | |||
| worker_processes 1; | |||
There was a problem hiding this comment.
It seems confusing to me to have separate config templates. It certainly introduces a lot of duplication.
Instead, can't the templating system switch config details based on conditionals in the template, rather than switching the whole template?
There was a problem hiding this comment.
I personally felt it was easier to reason about and follow by making it two separate config files, simply because of the differences. By combining them, there's a lot of conditionals that increase cognitive overhead when trying to reason about what the file will look like after it's parsed. This is personal preference and I'll gladly change it (here and in the Nginx blueprint) if others feel strongly about this.
In order to determine if SSL is ready, I need to test whether two files exist on disk. I do not believe that consul-template provides a way of doing this natively, so I would do the test in the Nginx reload.sh script and pass an environment variable to the consul-template call.
There was a problem hiding this comment.
I would do the test in the Nginx reload.sh script and pass an environment variable to the consul-template call.
Makes sense.
It looks like there'd be two conditional blocks (and they could be collapsed into one), but that's from the person reading it, not implementing it ;-).
There was a problem hiding this comment.
I'll code up that version for comparison.
There was a problem hiding this comment.
This one can be deleted/merged now that autopilotpattern/nginx#32 is upstream.
| log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | ||
| '$status $body_bytes_sent "$http_referer" ' | ||
| '"$http_user_agent" "$http_x_forwarded_for"'; | ||
|
|
||
| access_log /var/log/nginx/access.log main; | ||
|
|
||
| sendfile on; | ||
| #tcp_nopush on; |
There was a problem hiding this comment.
Do we want to add config items that are commented out?
There was a problem hiding this comment.
We do not. I simply did not prune them. I copied these files form the Nginx repo, where that line has existed since last November, and modified them to suit.
|
|
||
| location /nginx-health { | ||
| stub_status; | ||
| allow 127.0.0.1; | ||
| deny all; | ||
| access_log /var/log/nginx/access.log main if=$isError; |
There was a problem hiding this comment.
Does this cause the image to generate log files on disk?
There was a problem hiding this comment.
This corresponding line has existed for sometime; I've not checked to see if this results in an on-disk file. The line I've added, in question, will result in LESS logging whatever the case may be.
jasonpincin
changed the title
…e ACME tasks, etc.
|
@misterbisson Here's the PR that re-combines the Nginx config templates in autopilotpattern/nginx: autopilotpattern/nginx#32 |
|
This will also need changes in echo '# Nginx LetsEncrypt (ACME) config' >> _env
echo '# be sure ACME_DOMAIN and WORDPRESS_URL are the same, if using automated SSL via LetsEncrypt' >> _env
echo '#ACME_ENV=production' >> _env
echo '#ACME_DOMAIN=you.custom.domain' >> _env |
| @@ -1,5 +1,5 @@ | |||
| # a minimal Nginx container including containerbuddy and a simple virtulhost config | |||
| FROM autopilotpattern/nginx:latest | |||
| FROM autopilotpattern/nginx:1-r6.0.0 | |||
…n blocks added code to wp-config.php to pick up that header and set $_SERVER['HTTPS']='on' docker-compose.yml still contains refrences to the images I built from these files and pushed to my dockerhub.
…pincin-issue-33 tags
| {{ if service "wordpress" }} | ||
| rewrite ^/wp-admin/?(.*) /wordpress/wp-admin/$1; | ||
|
|
||
| location ^~ / { | ||
| proxy_pass http://wordpress; | ||
| proxy_set_header Host $http_host; |
There was a problem hiding this comment.
I've been stuck on how I made this work before without adding HTTP_X_FORWARDED_PROTO and a conditional in the wp_config.php. It's taken me a while, but the answer is this:
proxy_set_header Host $host:$server_port;
That's actually in the sample Nginx config in #19, but I wasn't able to recognize it until looking yet again.
There was a problem hiding this comment.
While at it, adding the following headers might be worthwhile as well:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
| @@ -19,6 +19,12 @@ define( 'DB_PASSWORD', '{{env "MYSQL_PASSWORD"}}' ); | |||
| define( 'DB_HOST', '{{if service "mysql-primary"}}{{with index (service "mysql-primary") 0}}{{.Address}}:{{.Port}}{{end}}{{end}}' ); | |||
|
|
|||
| /** | |||
| * Handle SSL reverse proxy | |||
There was a problem hiding this comment.
See https://github.com/autopilotpattern/wordpress/pull/34/files#r85470880 for how to eliminate this conditional
There was a problem hiding this comment.
Fix PR'd in jasonpincin#2 and jasonpincin#3
| - 9090 | ||
| env_file: _env | ||
| environment: | ||
| - CONSUL_AGENT=1 | ||
| - ACME_DOMAIN=joyent.pincin.me |
| @@ -85,15 +85,17 @@ memcached: | |||
|
|
|||
| # Nginx as a load-balancing tier and reverse proxy | |||
| nginx: | |||
| image: autopilotpattern/wordpress-nginx:latest | |||
| image: autopilotpattern/wordpress-nginx:branch-jasonpincin-issue-33 | |||
| @@ -1,6 +1,6 @@ | |||
| # An demo version of WordPress for easy scaling | |||
| wordpress: | |||
| image: autopilotpattern/wordpress:latest | |||
| image: autopilotpattern/wordpress:branch-jasonpincin-issue-33 | |||
|
Looking good. I pedantically called out some changes to be reverted before merging, but you knew about those. The thing I'm really ashamed of is how long it took me to figure out how I'd made this work previously. I didn't use the conditional (which we'd want to avoid just because it's an extra conditional on every request), but it took me forever to spot the I PR'd those changes in jasonpincin#2 and jasonpincin#3, though if you're guessing I didn't build and test images with those changes.... |
misterbisson
changed the title
|
From looking at https://hub.docker.com/r/autopilotpattern/wordpress/tags/ and https://hub.docker.com/r/autopilotpattern/wordpress-nginx/tags/, it looks like this should be tagged |
This PR updates the local Nginx configs so that the ACME features of latest autopilotpattern/nginx are supported.