ReverseProxy Fixes, Nextcloud MariaDB Upgrade (#7)

* Working on getting Reverse Proxy certs to work. * Upgrade mariadb to 10.6. * Checking if anything has missed a check in. * Let's Encrypt is working now after moving the location directive to the conf.d files. Unsure why nginx.conf is not passing it along, so added it to the examples too.
2023-07-21 22:23:46 -07:00 · 2023-07-21 22:23:46 -07:00 · 4c24c30526
commit 4c24c30526
parent 3c46dfec01
9 changed files with 64 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,9 +8,12 @@ Volumes/*
 logs/*

 # Ignore private reverse proxy configurations.
-Config/ReverseProxy/config/conf.d/*.*
-Config/ReverseProxy/config/html/*.*
-Config/ReverseProxy/config/hosts/*.*
+Config/ReverseProxy/config/conf.d/*
+Config/ReverseProxy/config/html/*
+Config/ReverseProxy/config/hosts/*
+Config/ReverseProxy/config/load.conf.d/*
+Config/ReverseProxy/config/mail.conf.d/*

 # Ignore MailServer Files
 Config/MailServer/setup.sh
+
--- a/Config/Nextcloud/docker-compose.yml
+++ b/Config/Nextcloud/docker-compose.yml
@ -2,11 +2,14 @@
 # This is a revised version of the original work here: 
 #   https://hub.docker.com/_/nextcloud

+# Changelog:
+# 2023-07-16 Change from mariadb:10.5 to 10.6.
+
 version: '2'

 services:
  db:
-    image: mariadb:10.5
+    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
--- a/Config/Nextcloud/fixes.sh
+++ b/Config/Nextcloud/fixes.sh
@ -3,7 +3,7 @@
 # Put fixes in a file so they do not need remembered.

 docker exec -it nextcloud-app-1 apt update -y
-docker exec -it nextcloud-app-1 apt install -y sudo libmagickcore-6.q16-6-extra
+docker exec -it nextcloud-app-1 apt install -y sudo libmagickcore-6.q16-6-extra htop

 # 2022-10-30 More additions after moving to Nextcloud version 25.
 docker exec -itu www-data nextcloud-app-1 ./occ db:add-missing-columns
--- a/Config/ReverseProxy/Dockerfile
+++ b/Config/ReverseProxy/Dockerfile
@ -10,7 +10,7 @@ RUN rm -rfv /etc/nginx/conf.d
 # Add all the configuration files to the environment.
 COPY ./config/nginx.conf /etc/nginx/nginx.conf
 COPY ./config/conf.d /etc/nginx/conf.d
-RUN rm -rfv /etc/nginx/nginx.conf/README*
+RUN rm -rfv /etc/nginx/conf.d/README*

 ## Hosted Sites ##
 # Clear old sites.
@ -24,3 +24,8 @@ RUN rm -rfv /etc/nginx/hosts
 COPY ./config/hosts /etc/nginx/hosts
 RUN rm -rfv /etc/nginx/hosts/README*

+## Load Balancing and Host-Based Port Forwarding ##
+RUN rm -rfv /etc/nginx/load.conf.d
+COPY ./config/load.conf.d /etc/nginx/load.conf.d
+RUN rm -rfv /etc/nginx/load.conf.d/README*
+
--- a/Config/ReverseProxy/README.md
+++ b/Config/ReverseProxy/README.md
@ -23,6 +23,15 @@ How to first begin using this subproject.
    # docker logs reverseproxy-app-1
    # docker logs reverseproxy-certbot-1
    ```
+1. Create the real certificates.
+    ```
+    # ./create_letsencrypt_certs.sh
+    ```
+1. Add a job to crontab for keeping the certs valid.
+    ```
+    # crontab -e
+    X Y * * * docker exec reverseproxy-certbot-1 certbot renew
+    ```

 ## DO NOT
 * Edit any configurations or website data inside the container. It is destroyed on each build.
--- a/Config/ReverseProxy/config/conf.d/html.example.com
+++ b/Config/ReverseProxy/config/conf.d/html.example.com
@ -21,8 +21,15 @@ server {
    listen 80;
    server_name html.example.com;

+    location /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /etc/nginx/letsencrypt/;
+    }
+
    # Redirect to a more secure protocol.
+    location / {
        return 301 https://$host$request_uri;
+    }

 }

@ -36,7 +43,14 @@ server {
    ssl_certificate /etc/nginx/certs/html.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/html.example.com/privkey.pem;

+    location /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /etc/nginx/letsencrypt/;
+    }
+
    # Load the static web content.
+    location / {
        root /etc/nginx/html/html.example.com;
+    }

 }
--- a/Config/ReverseProxy/config/conf.d/proxy.example.com
+++ b/Config/ReverseProxy/config/conf.d/proxy.example.com
@ -21,8 +21,15 @@ server {
    listen 80;
    server_name proxy.example.com;

+    location /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /etc/nginx/letsencrypt/;
+    }
+
    # Redirect to a more secure protocol.
+    location / {
        return 301 https://$host$request_uri;
+    }

 }

@ -36,6 +43,11 @@ server {
    ssl_certificate /etc/nginx/certs/proxy.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/proxy.example.com/privkey.pem;

+    location /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /etc/nginx/letsencrypt/;
+    }
+
    # Send traffic to upstream server
    location / {
        ## General format is PROTOCOL://SERVER:PORT. For example:
--- a/Config/ReverseProxy/config/nginx.conf
+++ b/Config/ReverseProxy/config/nginx.conf
@ -50,9 +50,12 @@ http {

    ## LetsEncrypt Certbot Setup ##
    # Allow nginx to fulfill LetsEncrypt Certbot challenges.
+    #   This is not working from here, but is working from the individual conf files for some reason.
+    #   Have tried adding listen and server_name directives here with no change in functionality.
    server {
-        location /.well-known/acme-challenge/ {
-            root /etc/nginx/letsencrypt;
+        location ^~ /.well-known/acme-challenge/ {
+            default_type "text/plain";
+            root /etc/nginx/letsencrypt/;
        }
    }

@ -69,11 +72,10 @@ mail {
    #include /etc/nginx/mail.conf.d/*;
 }

-# TBD, going live with HTTP first.
 stream {
    ## Service Forwarding and Load Balancing ##
    # If this supports the `listen` and `server_name` directives then this may
    # be a better choice than mail{} since it will not require an auth server.
    # It could also be useful as a frontend for ssh, databases, APIs, etc.
-    #include /etc/nginx/load.conf.d/*;
+    include /etc/nginx/load.conf.d/*;
 }
--- a/Config/ReverseProxy/create_letsencrypt_certs.sh
+++ b/Config/ReverseProxy/create_letsencrypt_certs.sh
@ -59,7 +59,7 @@ ls $DIR/config/conf.d/*.* | while read file; do
 	echo "*** Checking $filename ***"
 	if [[ -d $CERT_DIR/$filename ]]; then
 		echo "Getting the domains which need the cert."
-		domains=`grep server_name $file`
+		domains=`grep -v '$server_name' $file | grep server_name`

 		# Clean up the data by removing the directive and semi-colon, changing
 		#  spaces to commas, and making sure there are no gaps.
@ -70,8 +70,8 @@ ls $DIR/config/conf.d/*.* | while read file; do
 		echo "Domains='$domains'"

 		echo "Attempting to create real certs at $CERT_DIR/$filename."
-		docker exec reverseproxy-certbot-1 certbot certonly -n --standalone \
-				--agree-tos -m $email -d $filename
+		docker exec reverseproxy-certbot-1 certbot certonly -n --webroot \
+				-w /etc/letsencrypt --agree-tos -m $email -d $filename

 		ls -lh $CERT_DIR/$filename/*
 	else