nginx: Fix issues, consolidate naming
Naming for services has been consolidated to `nginx-proxy` and `nginx-serve`, and issues with resolving the underlying containers after restarts have been fixed by way of resolver configuration.
This commit is contained in:
parent
3ace3b517b
commit
176f65f998
|
@ -1,7 +1,8 @@
|
|||
FROM docker.io/nginx:1.19-alpine
|
||||
FROM docker.io/nginx:1.21
|
||||
|
||||
COPY container/config /etc/nginx
|
||||
COPY container/run-nginx /run-nginx
|
||||
RUN nginx -t
|
||||
|
||||
EXPOSE 80 443
|
||||
ENTRYPOINT ["nginx", "-g", "daemon off;"]
|
||||
ENTRYPOINT ["/run-nginx"]
|
||||
|
|
|
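Review bot: `COPY container/run-nginx /run-nginx` depends on the execute bit surviving the build context, and nothing in the build exercises the script, so a missing mode bit only surfaces when `ENTRYPOINT ["/run-nginx"]` fails at container start; `COPY --chmod=0755 container/run-nginx /run-nginx` pins the mode in the image. `RUN nginx -t` on the following line validates only what exists at build time; `resolver.conf` is generated by the entrypoint, so a bad nameserver line is first seen at runtime. The move from `nginx:1.19-alpine` to the Debian-based `nginx:1.21` also grows the image considerably; if that was not intentional, `nginx:1.21-alpine` keeps the previous footprint.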
@ -0,0 +1,6 @@
|
|||
# Default service, when no other service host matches.
|
||||
server {
|
||||
listen 80;
|
||||
server_name localhost;
|
||||
return 204;
|
||||
}
|
|
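Review bot: `server_name localhost;` does not make this block the catch-all the comment describes; nginx sends an unmatched `Host` to the first server block for that port in include order, so this block only wins while it sorts ahead of the service files in `conf.d`. Mark it explicitly with `listen 80 default_server;` and `server_name _;`. There is also no default server for port 443, so a TLS request with an unknown or missing SNI name is answered by whichever service block comes first, using that service's certificate; a `listen 443 ssl default_server;` block that returns `444` (it needs a certificate of its own to load) closes that gap.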
@ -257,7 +257,7 @@ http {
|
|||
# Add X-Frame-Options for HTML documents.
|
||||
# conf/security/x-frame-options.conf
|
||||
map $sent_http_content_type $x_frame_options {
|
||||
~*text/html DENY;
|
||||
~*text/html SAMEORIGIN;
|
||||
}
|
||||
|
||||
# Add Content-Security-Policy for HTML documents.
|
||||
|
|
|
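Review bot: Relaxing the HTML `X-Frame-Options` from `DENY` to `SAMEORIGIN` is a security-policy change that the commit message does not mention; if a single service needs same-origin framing, scoping the override to that service's template rather than the shared `http {}` map keeps the default strict. The neighbouring `Content-Security-Policy` map (outside this hunk) should be checked for consistency, because a `frame-ancestors` directive takes precedence over `X-Frame-Options` in current browsers: the relaxation has no effect while `frame-ancestors 'none'` is still sent, and without any `frame-ancestors` this weaker header is the only protection. A one-line comment such as `# SAMEORIGIN rather than DENY: <reason>` above the map would record the rationale.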
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Set NGINX resolver from system-wide configuration.
|
||||
awk '/^nameserver/ {printf "resolver %s;\n", $2; exit}' /etc/resolv.conf > /etc/nginx/resolver.conf
|
||||
|
||||
# Start NGINX as foreground process.
|
||||
nginx -g 'daemon off;'
|
|
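Review bot: `nginx -g 'daemon off;'` on the last line runs as a child of `sh`, so the shell stays PID 1 and the `podman stop --time 10` in `nginx.service` delivers SIGTERM to the shell, which does not forward it; nginx is only killed after the timeout. `exec nginx -g 'daemon off;'` hands PID 1 to nginx. The script also has no `set -e`, and the `awk` line copies the first `nameserver` verbatim: with no such line `resolver.conf` is empty and the variable `proxy_pass` in the service template fails per request because no resolver is defined, and an IPv6 nameserver would be written without the square brackets nginx expects, so nginx refuses to start. A `set -eu` at the top and a check that the generated file is non-empty before starting nginx would make both failures explicit; `ipv6=off` on the emitted directive is worth considering if the `internal` network carries no IPv6.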
@ -11,11 +11,14 @@ server {
|
|||
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}.crt;
|
||||
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}.key;
|
||||
|
||||
include resolver.conf;
|
||||
set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT};
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass http://${UPSTREAM_HOST}:${UPSTREAM_PORT};
|
||||
proxy_pass $upstream_endpoint;
|
||||
}
|
||||
}
|
|
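Review bot: The `resolver` pulled in by `include resolver.conf;` carries no `valid=` parameter, so nginx caches the address of `${UPSTREAM_HOST}` for the TTL the nameserver returns; if podman's DNS hands out a long TTL, a restarted container's old address is still used until it expires, which is the problem this change sets out to fix. Emitting `resolver <ns> valid=10s;` from the entrypoint script bounds that staleness. Since `$upstream_endpoint` comes from the rendered template rather than from the request, the variable `proxy_pass` does not let a client choose the upstream; note that with a variable and no URI part nginx forwards the original request URI unchanged, which is right for `location /` but changes if a sub-path location is added later. The enclosing `server {}` block starts before this hunk.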
@ -6,11 +6,11 @@ storage:
|
|||
local: service/nginx/systemd/
|
||||
systemd:
|
||||
units:
|
||||
- name: nginx-ingress.service
|
||||
- name: nginx.service
|
||||
enabled: true
|
||||
- name: nginx-ingress-http@.service
|
||||
- name: nginx-proxy-http@.service
|
||||
enabled: true
|
||||
- name: nginx-static@.service
|
||||
- name: nginx-serve-static@.service
|
||||
enabled: true
|
||||
- name: nginx-php@.service
|
||||
- name: nginx-serve-php@.service
|
||||
enabled: true
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
[Unit]
|
||||
Description=Nginx HTTP/S ingress for %I
|
||||
Wants=nginx-ingress.service %i.service
|
||||
After=nginx-ingress.service %i.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=true
|
||||
Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT' \
|
||||
< ${NGINX_CONF} > /var/lib/container-service/nginx-ingress/conf.d/%i.conf"
|
||||
ExecStartPost=/bin/systemctl reload nginx-ingress
|
||||
ExecStop=/bin/rm /var/lib/container-service/nginx-ingress/conf.d/%i.conf
|
||||
ExecStopPost=/bin/systemctl reload nginx-ingress
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,20 +0,0 @@
|
|||
[Unit]
|
||||
Description=Nginx ingress controller
|
||||
Wants=container-build@nginx.service container-network@%N.service
|
||||
After=container-build@nginx.service container-network@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/letsencrypt/private
|
||||
ExecStartPre=/bin/install -d /var/lib/container-service/%N/conf.d
|
||||
ExecStart=/bin/podman run --replace --pull never --net %N \
|
||||
--publish 80:80 --publish 443:443 \
|
||||
--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
|
||||
--volume /var/lib/container-service/%N/conf.d:/etc/nginx/conf.d:z \
|
||||
--name %N localhost/nginx:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
ExecReload=/bin/podman exec %N nginx -s reload
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,28 +0,0 @@
|
|||
[Unit]
|
||||
Description=Nginx PHP web service for %I
|
||||
Wants=container-build@nginx.service container-build@%i.service container-network@nginx-ingress.service container-network@internal.service
|
||||
After=container-build@nginx.service container-build@%i.service container-network@nginx-ingress.service container-network@internal.service
|
||||
Before=nginx-ingress-http@%i.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
Environment=SERVER_NAME=%i
|
||||
Environment=SERVICE_DATA_DIRECTORY=/data
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStartPre=/bin/install --owner 33 --group 33 -d /var/lib/container-service/%i
|
||||
ExecStartPre=/bin/podman pod create --replace --net internal,nginx-ingress --name %i
|
||||
ExecStartPre=/bin/podman create --replace --pull never --pod %i --env-file /etc/container-service/%i/%i.env \
|
||||
--volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
|
||||
--name %i-php localhost/%i:latest
|
||||
ExecStartPre=/bin/podman create --replace --pull never --pod %i \
|
||||
--volumes-from=%i-php:z,ro \
|
||||
--name %i-nginx localhost/nginx:latest
|
||||
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
|
||||
ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
|
||||
ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
|
||||
ExecStop=/bin/podman pod stop --time 10 %i
|
||||
ExecStopPost=/bin/podman pod rm --force %i
|
||||
|
||||
[Install]
|
||||
Alias=%i.service
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,19 @@
|
|||
[Unit]
|
||||
Description=NGINX HTTP/S proxy for %I
|
||||
Wants=nginx.service %i.service
|
||||
After=nginx.service %i.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=true
|
||||
Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT' \
|
||||
< ${NGINX_CONF} > /tmp/%i.conf"
|
||||
ExecStartPost=/bin/sh -c 'podman cp /tmp/%i.conf nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
|
||||
ExecStartPost=/bin/podman exec nginx nginx -s reload
|
||||
ExecStop=/bin/podman exec nginx rm --force /etc/nginx/conf.d/%i.conf
|
||||
ExecStopPost=/bin/podman exec nginx nginx -s reload
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
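Review bot: `ExecStartPost=/bin/podman exec nginx nginx -s reload` succeeds as soon as the signal is delivered, so a rendered `%i.conf` that fails validation leaves the unit active while nginx keeps its previous configuration and only logs the error; run `podman exec nginx nginx -t` after the `podman cp` and before the reload so a bad vhost fails the unit (the same applies to `ExecReload` in `nginx.service`). The template is staged at the predictable host path `/tmp/%i.conf` by a shell redirection running as root; `PrivateTmp=true` in `[Service]` keeps that out of the shared `/tmp`, and the same applies to the `nginx-serve-php@` and `nginx-serve-static@` units. `$SERVER_NAME_ALT` is in the `envsubst` variable list but never set here, so it renders empty unless a drop-in provides it; a comment stating that this is intentional would help.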
@ -0,0 +1,28 @@
|
|||
[Unit]
|
||||
Description=NGINX PHP web service for %I
|
||||
Wants=container-build@%i.service nginx.service nginx-proxy-http@%i.service
|
||||
After=container-build@%i.service nginx.service
|
||||
Before=nginx-proxy-http@%i.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStartPre=/bin/podman pod create --replace --name %i --net internal
|
||||
ExecStartPre=/bin/podman create --replace --pull never --name %i-php --pod %i \
|
||||
--env-file /etc/container-service/%i/%i.env \
|
||||
--volume %i:${SERVICE_DATA_DIRECTORY}:z,rshared \
|
||||
localhost/%i:latest
|
||||
ExecStartPre=/bin/podman init %i-php
|
||||
ExecStartPre=/bin/podman create --replace --pull never --name %i-nginx --pod %i \
|
||||
--volumes-from=%i-php:z,ro \
|
||||
localhost/nginx:latest
|
||||
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
|
||||
ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
|
||||
ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
|
||||
ExecStop=/bin/podman pod stop --time 10 %i
|
||||
ExecStopPost=/bin/podman pod rm --force %i
|
||||
|
||||
[Install]
|
||||
Alias=%i.service
|
||||
WantedBy=multi-user.target
|
|
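Review bot: `ExecStart` attaches only to `%i-php`, so the unit's lifetime tracks the PHP container and not the `%i-nginx` sidecar that `podman pod start %i` brings up; if the sidecar exits, the unit stays active, `nginx-proxy-http@%i` keeps forwarding to a dead listener, and `Restart=always` never triggers. Either a health check on the sidecar that the unit acts on, or running the sidecar in its own unit bound to this one with `BindsTo=`, would close that gap; at minimum the limitation deserves a comment. The `ExecStartPre=/bin/podman init %i-php` before the `--volumes-from=%i-php:z,ro` line is presumably there so the volume exists before the sidecar mounts it — a comment saying so would save the next reader the guess.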
@ -0,0 +1,22 @@
|
|||
[Unit]
|
||||
Description=NGINX static web service for %I
|
||||
Wants=container-build@%i.service nginx.service nginx-proxy-http@%i.service
|
||||
After=container-build@%i.service nginx.service
|
||||
Before=nginx-proxy-http@%i.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStartPre=/bin/podman create --replace --pull never --name %i --net internal \
|
||||
--volume %i:${SERVICE_DATA_DIRECTORY}:z,ro \
|
||||
localhost/%i:latest
|
||||
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
|
||||
ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
|
||||
ExecStart=/bin/podman start --attach %i
|
||||
ExecStop=/bin/podman stop --time 10 %i
|
||||
ExecStopPost=/bin/podman rm --force %i
|
||||
|
||||
[Install]
|
||||
Alias=%i.service
|
||||
WantedBy=multi-user.target
|
|
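Review bot: `--volume %i:${SERVICE_DATA_DIRECTORY}:z,ro` mounts the named volume `%i` read-only; if nothing else populates that volume, podman fills it from the image's directory only when the volume is first created, so after `container-build@%i` rebuilds the image the content served remains whatever the first run copied. If the volume is meant to be image-backed, a comment stating how it is refreshed (or dropping the volume and serving straight from the image) would avoid that surprise.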
@ -1,24 +0,0 @@
|
|||
[Unit]
|
||||
Description=Nginx static web service for %I
|
||||
Wants=container-build@%i.service container-network@nginx-ingress.service
|
||||
After=container-build@%i.service container-network@nginx-ingress.service
|
||||
Before=nginx-ingress-http@%i.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
Environment=SERVER_NAME=%i
|
||||
Environment=SERVICE_DATA_DIRECTORY=/data
|
||||
Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
|
||||
ExecStartPre=/bin/install -d /var/lib/container-service/%i
|
||||
ExecStartPre=/bin/podman create --replace --pull never --net nginx-ingress \
|
||||
--volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
|
||||
--name %i localhost/%i:latest
|
||||
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
|
||||
ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
|
||||
ExecStart=/bin/podman start --attach %i
|
||||
ExecStop=/bin/podman stop --time 10 %i
|
||||
ExecStopPost=/bin/podman rm --force %i
|
||||
|
||||
[Install]
|
||||
Alias=%i.service
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,18 @@
|
|||
[Unit]
|
||||
Description=NGINX web server
|
||||
Wants=container-build@%N.service
|
||||
After=container-build@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--publish 80:80 --publish 443:443 \
|
||||
--volume nginx-conf:/etc/nginx/conf.d:z \
|
||||
--volume letsencrypt:/etc/ssl/private:z,rshared,ro \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
ExecReload=/bin/podman exec %N %N -s reload
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
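Review bot: `ExecReload=/bin/podman exec %N %N -s reload` uses the unit name as the binary name, which a future unit rename silently breaks; `ExecReload=/bin/podman exec %N nginx -s reload` says what it runs. The reload also reports success once the signal is sent, so a broken file in the `nginx-conf` volume is only visible in the container log; `ExecReload=/bin/sh -c 'podman exec %N nginx -t && podman exec %N nginx -s reload'` fails the reload instead. Because `nginx-conf` is a persistent volume, vhost files left behind when a `nginx-proxy-http@` unit's `ExecStop` never ran (host crash) are loaded again on the next start; a comment noting that recovery path would make the behaviour explicit.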
@ -44,29 +44,22 @@ systemd:
|
|||
contents: |
|
||||
[Unit]
|
||||
After=container-build@nginx.service
|
||||
- name: nginx-static@static.localhost.service
|
||||
|
||||
- name: nginx-serve-static@static.localhost.service
|
||||
enabled: true
|
||||
- name: nginx-ingress-http@static.localhost.service
|
||||
- name: nginx-proxy-http@static.localhost.service
|
||||
enabled: true
|
||||
dropins:
|
||||
- name: wait-for-service.conf
|
||||
contents: |
|
||||
[Unit]
|
||||
After=nginx-static@static.localhost.service
|
||||
- name: use-localhost-cert.conf
|
||||
contents: |
|
||||
[Service]
|
||||
Environment=SSL_CERT_NAME=localhost
|
||||
|
||||
- name: nginx-php@php.localhost.service
|
||||
- name: nginx-serve-php@php.localhost.service
|
||||
enabled: true
|
||||
- name: nginx-ingress-http@php.localhost.service
|
||||
- name: nginx-proxy-http@php.localhost.service
|
||||
enabled: true
|
||||
dropins:
|
||||
- name: wait-for-service.conf
|
||||
contents: |
|
||||
[Service]
|
||||
After=nginx-php@php.localhost.service
|
||||
- name: use-localhost-cert.conf
|
||||
contents: |
|
||||
[Service]
|
||||
|
@ -79,7 +72,7 @@ systemd:
|
|||
contents: |
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/bin/podman create --replace --name letsencrypt-register-%i \
|
||||
ExecStart=/bin/podman create --replace --pull never --name letsencrypt-register-%i \
|
||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||
--entrypoint true localhost/letsencrypt:latest
|
||||
ExecStartPost=/bin/podman init letsencrypt-register-%i
|
||||
|
|