Conversation

@davidmerfield
Owner

  • Think about how to handle autossl – does it need volumes mounted?
    • Yes it does: at least these, if not more: /etc/resty-auto-ssl/letsencrypt /etc/ssl/
  • Use openresty config locally
  • Write cache purge integration tests
  • Use host network when deploying for latency
    • Update node containers to use host network and deploy them on their own ports
  • Containerize the proxy (openresty/nginx)
  • use iptables shifting for deployment of new containers
  • test iptables shifting for random ports as proof of concept

Ensure the new volume has access to the following directories:

  • /etc/resty-auto-ssl/letsencrypt
  • /etc/ssl/

Migrating OpenResty to Docker with iptables Redirects

1. Start Temporary OpenResty Container

Launch OpenResty on alternate ports (8080 for HTTP, 8443 for HTTPS):

docker run -d --name openresty-temp -p 8080:80 -p 8443:443 your-openresty-image

2. Redirect Traffic Using iptables

Redirect incoming traffic on ports 80 and 443 to the container:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Verify traffic redirection:

curl -I http://yourdomain.com
curl -I --insecure https://yourdomain.com

3. Launch Final OpenResty Container on Ports 80 & 443

Once verified, start a second container on the correct ports:

docker run -d --name openresty-final -p 80:80 -p 443:443 your-openresty-image

Confirm it works directly:

curl -I http://localhost
curl -I --insecure https://localhost

4. Remove iptables Redirects

Now that OpenResty is handling traffic natively, remove the iptables rules:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

5. Cleanup Temporary Container

Stop and remove the temporary container:

docker stop openresty-temp
docker rm openresty-temp

6. Final Checks & Persistence

  • Monitor logs:
    docker logs -f openresty-final
  • Restart Docker to ensure persistence:
    systemctl restart docker
  • Enable automatic restart for OpenResty:
    docker update --restart unless-stopped openresty-final

@davidmerfield
Owner Author

@codex review

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Comment on lines 14 to 25
# Ensure BLOT_HOST is set
echo "BLOT_HOST=$BLOT_HOST"

# Check if AWS credentials are set
if [[ -n "$AWS_ACCESS_KEY_ID" && -n "$AWS_SECRET_ACCESS_KEY" && -n "$AWS_REGION" ]]; then
echo "AWS credentials detected. Using DNS challenge for wildcard certificate."
DNS_PROVIDER="--dns-provider route53"
DOMAIN="-d *.$BLOT_HOST"
else
echo "AWS credentials not found. Falling back to HTTP challenge for single-domain certificate."
DNS_PROVIDER=""
DOMAIN="-d $BLOT_HOST"
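
Review bot: DOMAIN="-d *.$BLOT_HOST" keeps a wildcard inside a scalar string; if the script later expands $DOMAIN unquoted to hand the flags to acme-nginx (the usual reason for storing flags in a variable), the shell word-splits it and then applies pathname expansion to *.example.com, so any matching file in the working directory would silently replace the domain argument. Build the argument list with `set -- -d "*.$BLOT_HOST"` (or a bash array) and pass "$@", or run `set -f` before the expansion. DNS_PROVIDER follows the same pattern; it is harmless today because it contains no glob characters, but the same fix keeps both consistent.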

P1: Validate required BLOT_HOST before invoking acme-nginx

The entrypoint prints BLOT_HOST=$BLOT_HOST but never fails fast when the variable is empty. If the container starts without BLOT_HOST set, the script still executes acme-nginx with DOMAIN="-d ", which causes certificate generation to error and the proxy never starts. Consider checking the value and exiting with a clear message before attempting to create certificates.

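A fail-fast guard of the kind this review comment asks for, written as an added example rather than the project's proxy/entrypoint.sh: it requires BLOT_HOST, rejects obviously malformed hostnames, selects the DNS or HTTP challenge the same way the excerpt does, and passes the wildcard as a quoted positional parameter so the shell never glob-expands it. The function names and the RUN_ENTRYPOINT and ACME_DRY_RUN switches are assumptions made for this example; acme-nginx's -d and --dns-provider route53 flags are the ones the excerpt already uses.

```shell
#!/bin/sh
# Added example, not the project's proxy/entrypoint.sh. Function names and the
# RUN_ENTRYPOINT / ACME_DRY_RUN switches are assumptions made for this example.
set -eu

# require_env NAME: fail with a clear message when NAME is unset or empty,
# instead of letting acme-nginx receive an empty "-d " argument later on.
require_env() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "error: $1 is required but unset or empty (e.g. $1=example.com)" >&2
    return 1
  fi
}

# valid_hostname NAME: conservative check (letters, digits, dots, hyphens; no
# leading or trailing dot, no empty label). Not a full RFC 1123 validator.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    *) return 0 ;;
  esac
}

# challenge_mode: "dns" when a complete set of AWS credentials is present
# (Route 53 DNS-01 challenge, wildcard certificate), otherwise "http".
challenge_mode() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] \
     && [ -n "${AWS_REGION:-}" ]; then
    echo dns
  else
    echo http
  fi
}

# acme_domain: the value passed to -d for the selected challenge mode.
acme_domain() {
  if [ "$(challenge_mode)" = dns ]; then
    echo "*.$BLOT_HOST"
  else
    echo "$BLOT_HOST"
  fi
}

# issue_certificate: build the acme-nginx argument list as positional
# parameters (always quoted, so "*.example.com" is never glob-expanded) and
# either print the command (ACME_DRY_RUN=1) or run it.
issue_certificate() {
  set -- -d "$(acme_domain)"
  if [ "$(challenge_mode)" = dns ]; then
    set -- --dns-provider route53 "$@"
  fi
  if [ "${ACME_DRY_RUN:-0}" = 1 ]; then
    echo "acme-nginx $*"
  else
    acme-nginx "$@"
  fi
}

main() {
  require_env BLOT_HOST
  valid_hostname "$BLOT_HOST" || {
    echo "error: BLOT_HOST='$BLOT_HOST' is not a valid hostname" >&2
    return 1
  }
  echo "BLOT_HOST=$BLOT_HOST (challenge: $(challenge_mode))"
  issue_certificate
}

# Only run the flow when explicitly asked, so the functions can also be sourced.
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then
  main "$@"
fi
```

Run it with `RUN_ENTRYPOINT=1 ACME_DRY_RUN=1 BLOT_HOST=example.com sh entrypoint-example.sh` to see the command that would be issued; leaving BLOT_HOST unset makes it exit non-zero with the error message before acme-nginx is ever invoked, which is the behaviour the comment asks for.
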
@davidmerfield
Copy link
Owner Author

@codex fix:

The entrypoint prints BLOT_HOST=$BLOT_HOST but never fails fast when the variable is empty. If the container starts without BLOT_HOST set, the script still executes acme-nginx with DOMAIN="-d ", which causes certificate generation to error and the proxy never starts. Consider checking the value and exiting with a clear message before attempting to create certificates.

@chatgpt-codex-connector

Summary

  • Added a guard in the proxy entrypoint to require BLOT_HOST and exit with a clear error before invoking certificate generation, while retaining the existing host logging. proxy/entrypoint.sh L14-L48

Testing

  • ⚠️ Not run (not requested)

@davidmerfield davidmerfield changed the title Containerize proxy Proxy container Oct 21, 2025