From 19cd9b850719afcfc8de7e4213716e94a4451db0 Mon Sep 17 00:00:00 2001 From: cupcakearmy Date: Thu, 16 Dec 2021 13:54:15 +0100 Subject: [PATCH] examples on deployment --- README.md | 43 ++++++++++++++++++++++++++++++ examples/nginx/docker-compose.yaml | 22 +++++++++++++++ examples/nginx/nginx-plain.conf | 13 +++++++++ examples/nginx/nginx-tls.conf | 29 ++++++++++++++++++++ 4 files changed, 107 insertions(+) create mode 100644 examples/nginx/docker-compose.yaml create mode 100644 examples/nginx/nginx-plain.conf create mode 100644 examples/nginx/nginx-tls.conf diff --git a/README.md b/README.md index 5848f88..573386c 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ each note has a 512bit generated id that is used to retrieve the note. da ℹ️ `https` is required otherwise browsers will not support the cryptographic functions. +### Docker + Docker is the easiest way. There is the [official image here](https://hub.docker.com/r/cupcakearmy/cryptgeon). ```yaml 
@@ -60,6 +62,47 @@ services: - 80:5000 ``` +### NGINX Proxy + +See the [examples/nginx](https://github.com/cupcakearmy/cryptgeon/tree/main/examples/nginx) folder. There an example with a simple proxy, and one with https. You need to specify the server names and certificates. + +### Traefik 2 + +Assumptions: + +- External proxy docker network `proxy` +- A certificate resolver `le` +- A https entrypoint `secure` +- Domain name `example.org` + +```yaml +version: '3.8' + +networks: + proxy: + external: true + +services: + memcached: + image: memcached:1-alpine + restart: unless-stopped + entrypoint: memcached -m 128 # Limit to 128 MB Ram, customize at free will. + + app: + image: cupcakearmy/cryptgeon:latest + restart: unless-stopped + depends_on: + - memcached + networks: + - default + - proxy + labels: + - traefik.enable=true + - traefik.http.routers.cryptgeon.rule=Host(`example.org`) + - traefik.http.routers.cryptgeon.entrypoints=secure + - traefik.http.routers.cryptgeon.tls.certresolver=le +``` + ## Development 1. Clone diff --git a/examples/nginx/docker-compose.yaml b/examples/nginx/docker-compose.yaml new file mode 100644 index 0000000..ee2fb10 --- /dev/null +++ b/examples/nginx/docker-compose.yaml @@ -0,0 +1,22 @@ +version: '3.8' + +services: + memcached: + image: memcached:1-alpine + entrypoint: memcached -m 128 # Limit to 128 MB Ram, customize at free will. + + app: + image: cupcakearmy/cryptgeon:latest + depends_on: + - memcached + + proxy: + image: nginx:alpine + depends_on: + - app + volumes: + - ./nginx-plain.conf:/etc/nginx/conf.d/default.conf + # Or with tls + # - ./nginx-tls.conf:/etc/nginx/conf.d/default.conf + ports: + - 80:80 diff --git a/examples/nginx/nginx-plain.conf b/examples/nginx/nginx-plain.conf new file mode 100644 index 0000000..5ca3be9 --- /dev/null +++ b/examples/nginx/nginx-plain.conf 
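Review bot: The `# Or with tls` variant cannot work as this compose file stands: the `proxy` service publishes only `80:80`, and nothing mounts the certificate files that `nginx-tls.conf` expects under `/path/to/`, so swapping the volume comment alone leaves no reachable 443 listener and an nginx config that fails on the missing `ssl_certificate`. Suggest adding, next to the existing commented line, `# - 443:443` under `ports:` and a commented certificate mount such as `# - ./certs:/path/to:ro` (constructed example), with a one-line comment saying both are needed for the tls variant. Consider also `restart: unless-stopped` on the three services to match the Traefik example added to the README in this same commit, and pinning `cupcakearmy/cryptgeon` to a version tag rather than `latest` so the example deployment is reproducible.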
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ location / {
+ proxy_pass http://app:5000/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/examples/nginx/nginx-tls.conf b/examples/nginx/nginx-tls.conf
new file mode 100644
index 0000000..9a2a999
--- /dev/null
+++ b/examples/nginx/nginx-tls.conf
@@ -0,0 +1,29 @@
+# You should change the server_name to something sensible.
+# Also you need to specify the path to the ssl certificates.
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # Enforce HTTPS
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name _;
+
+ ssl_certificate /path/to/fullchain.pem;
+ ssl_certificate_key /path/to/privkey.pem;
+ ssl_trusted_certificate /path/to/fullchain.pem;
+
+ location / {
+ proxy_pass http://app:5000/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
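Review bot: The plain-HTTP proxy deserves a header comment stating its limits, since the README context in this commit's first hunk says `https` is required for the browser-side cryptographic functions: as written this config only makes sense behind another TLS-terminating proxy or for local testing. Suggest opening the file with `# Plain HTTP only: browsers need a secure context for the crypto functions, so use this behind a TLS-terminating proxy (see nginx-tls.conf for a standalone setup).` Note also that behind an upstream proxy `proxy_set_header X-Forwarded-Proto $scheme;` reports `http`, not the client's original scheme, so the comment could mention forwarding the upstream's headers instead if the application relies on them.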
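Review bot: The redirect `return 301 https://$server_name$request_uri;` expands `$server_name` to the literal `_` while `server_name _;` is left as shipped, so the port-80 listener sends browsers to `https://_/...`; using the request host, `return 301 https://$host$request_uri;`, works both with the placeholder and with any real name. The `ssl_trusted_certificate` line appears to have no effect in this config, since neither OCSP stapling (`ssl_stapling on; ssl_stapling_verify on;`) nor client-certificate verification is enabled, so either add stapling or drop the line to avoid suggesting a check that is not happening. The 443 block also inherits nginx's default `ssl_protocols`, which depending on the image version may still include TLSv1 and TLSv1.1; an explicit `ssl_protocols TLSv1.2 TLSv1.3;` plus `add_header Strict-Transport-Security "max-age=63072000" always;` would make the example a safer template to copy.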