examples on deployment

README.md

@@ -40,6 +40,8 @@ each note has a 512bit generated <i>id</i> that is used to retrieve the note. da
 
 ℹ️ `https` is required otherwise browsers will not support the cryptographic functions.
 
+### Docker
+
 Docker is the easiest way. There is the [official image here](https://hub.docker.com/r/cupcakearmy/cryptgeon).
 
 ```yaml
@@ -60,6 +62,47 @@ services:
       - 80:5000
 ```
 
+### NGINX Proxy
+
+See the [examples/nginx](https://github.com/cupcakearmy/cryptgeon/tree/main/examples/nginx) folder. There an example with a simple proxy, and one with https. You need to specify the server names and certificates.
+
+### Traefik 2
+
+Assumptions:
+
+- External proxy docker network `proxy`
+- A certificate resolver `le`
+- A https entrypoint `secure`
+- Domain name `example.org`
+
+```yaml
+version: '3.8'
+
+networks:
+  proxy:
+    external: true
+
+services:
+  memcached:
+    image: memcached:1-alpine
+    restart: unless-stopped
+    entrypoint: memcached -m 128 # Limit to 128 MB Ram, customize at free will.
+
+  app:
+    image: cupcakearmy/cryptgeon:latest
+    restart: unless-stopped
+    depends_on:
+      - memcached
+    networks:
+      - default
+      - proxy
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.cryptgeon.rule=Host(`example.org`)
+      - traefik.http.routers.cryptgeon.entrypoints=secure
+      - traefik.http.routers.cryptgeon.tls.certresolver=le
+```
+
 ## Development
 
 1. Clone

examples/nginx/docker-compose.yaml

@@ -0,0 +1,22 @@
+version: '3.8'
+
+services:
+  memcached:
+    image: memcached:1-alpine
+    entrypoint: memcached -m 128 # Limit to 128 MB Ram, customize at free will.
+
+  app:
+    image: cupcakearmy/cryptgeon:latest
+    depends_on:
+      - memcached
+    
+  proxy:
+    image: nginx:alpine
+    depends_on:
+      - app
+    volumes:
+      - ./nginx-plain.conf:/etc/nginx/conf.d/default.conf
+      # Or with tls
+      # - ./nginx-tls.conf:/etc/nginx/conf.d/default.conf
+    ports:
+      - 80:80

examples/nginx/nginx-plain.conf

@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    location / {
+      proxy_pass http://app:5000/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

examples/nginx/nginx-tls.conf

@@ -0,0 +1,29 @@
+# You should change the server_name to something sensible.
+# Also you need to specify the path to the ssl certificates.
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # Enforce HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443      ssl http2;
+    listen [::]:443 ssl http2;
+    server_name _;
+
+    ssl_certificate     /path/to/fullchain.pem;
+    ssl_certificate_key /path/to/privkey.pem;
+    ssl_trusted_certificate /path/to/fullchain.pem;
+
+    location / {
+      proxy_pass http://app:5000/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}