diff options
author | Rigel Kent <sendmemail@rigelk.eu> | 2020-03-03 00:29:52 +0100 |
---|---|---|
committer | Rigel Kent <sendmemail@rigelk.eu> | 2020-11-11 16:45:46 +0100 |
commit | 1a9b141d835cf3bfe9bdca67f881b520975f9058 (patch) | |
tree | 444b35656c7093250181121ccfadb870c5046be4 | |
parent | 8e98e6124d2b006ba9f616b0dfce7369fa7b2684 (diff) | |
download | PeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.tar.gz PeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.tar.zst PeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.zip |
Add nginx behind traefik in docker-compose + image updates
- support/docker/production/docker-compose.yml: addition of a nginx
image reusing support/nginx/peertube nginx conf to improve performance,
and lessen setup differences between the docker-compose install and the
typical production install.
- support/docker/production/docker-compose.yml: postgres 10 -> postgres
12, redis 4 -> redis 5. Postgres major updates implies manual upgrade.
- support/nginx/peertube: HTTP -> HTTPS redirection is now commented
by default, to allow its reuse in support/docker/production/docker-compose.yml.
-rw-r--r-- | support/doc/production.md | 3 | ||||
-rw-r--r-- | support/docker/production/Dockerfile.buster | 4 | ||||
-rw-r--r-- | support/docker/production/Dockerfile.nginx | 8 | ||||
-rw-r--r-- | support/docker/production/config/traefik.toml | 2 | ||||
-rw-r--r-- | support/docker/production/docker-compose.yml | 72 | ||||
-rw-r--r-- | support/docker/production/entrypoint.nginx.sh | 17 | ||||
-rwxr-xr-x | support/docker/production/entrypoint.sh (renamed from support/docker/production/docker-entrypoint.sh) | 0 | ||||
-rw-r--r-- | support/nginx/peertube | 42 |
8 files changed, 99 insertions, 49 deletions
diff --git a/support/doc/production.md b/support/doc/production.md index b8877ca8b..0ee275e9e 100644 --- a/support/doc/production.md +++ b/support/doc/production.md | |||
@@ -100,7 +100,8 @@ Then set the domain for the webserver configuration file. | |||
100 | Replace `[peertube-domain]` with the domain for the peertube server. | 100 | Replace `[peertube-domain]` with the domain for the peertube server. |
101 | 101 | ||
102 | ``` | 102 | ``` |
103 | $ sudo sed -i 's/peertube.example.com/[peertube-domain]/g' /etc/nginx/sites-available/peertube | 103 | $ sudo sed -i 's/${WEBSERVER_HOST}/[peertube-domain]/g' /etc/nginx/sites-available/peertube |
104 | $ sudo sed -i 's/${PEERTUBE_HOST}/localhost:9000/g' /etc/nginx/sites-available/peertube | ||
104 | ``` | 105 | ``` |
105 | 106 | ||
106 | Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations. | 107 | Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations. |
diff --git a/support/docker/production/Dockerfile.buster b/support/docker/production/Dockerfile.buster index 414bf9aac..5af8aa29a 100644 --- a/support/docker/production/Dockerfile.buster +++ b/support/docker/production/Dockerfile.buster | |||
@@ -38,8 +38,8 @@ ENV NODE_CONFIG_DIR /config | |||
38 | VOLUME /data | 38 | VOLUME /data |
39 | VOLUME /config | 39 | VOLUME /config |
40 | 40 | ||
41 | COPY ./support/docker/production/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh | 41 | COPY ./support/docker/production/entrypoint.sh /usr/local/bin/entrypoint.sh |
42 | ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] | 42 | ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] |
43 | 43 | ||
44 | # Run the application | 44 | # Run the application |
45 | CMD ["npm", "start"] | 45 | CMD ["npm", "start"] |
diff --git a/support/docker/production/Dockerfile.nginx b/support/docker/production/Dockerfile.nginx new file mode 100644 index 000000000..36ae3c3bc --- /dev/null +++ b/support/docker/production/Dockerfile.nginx | |||
@@ -0,0 +1,8 @@ | |||
1 | FROM nginx:alpine | ||
2 | |||
3 | COPY entrypoint.nginx.sh . | ||
4 | RUN chmod +x entrypoint.nginx.sh | ||
5 | |||
6 | EXPOSE 80 | ||
7 | ENTRYPOINT [] | ||
8 | CMD ["/bin/sh", "entrypoint.nginx.sh"] \ No newline at end of file | ||
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml index 1d7d207fd..d2437fdf8 100644 --- a/support/docker/production/config/traefik.toml +++ b/support/docker/production/config/traefik.toml | |||
@@ -61,4 +61,4 @@ entryPoint = "https" | |||
61 | # | 61 | # |
62 | # Required | 62 | # Required |
63 | # | 63 | # |
64 | entryPoint = "http" | 64 | entryPoint = "http" \ No newline at end of file |
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml index e937c8b9c..62be02467 100644 --- a/support/docker/production/docker-compose.yml +++ b/support/docker/production/docker-compose.yml | |||
@@ -2,44 +2,65 @@ version: "3.3" | |||
2 | 2 | ||
3 | services: | 3 | services: |
4 | 4 | ||
5 | # The reverse-proxy only does SSL termination and automatic certificate generation. You can | ||
6 | # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels. | ||
5 | reverse-proxy: | 7 | reverse-proxy: |
6 | image: traefik:v1.7 | 8 | image: traefik:v1.7 |
7 | network_mode: "host" | 9 | network_mode: "host" |
8 | command: | 10 | command: |
9 | - "--docker" # Tells Træfik to listen to docker | 11 | - "--docker" # Tells Træfik to listen to docker |
10 | - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email | 12 | - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email |
11 | - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list | 13 | - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list |
12 | ports: | 14 | ports: |
13 | - "80:80" # The HTTP port | 15 | - "80:80" # The HTTP port |
14 | - "443:443" # The HTTPS port | 16 | - "443:443" # The HTTPS port |
15 | volumes: | 17 | volumes: |
16 | - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events | 18 | - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events |
17 | - ./docker-volume/traefik/acme.json:/etc/acme.json | 19 | - ./docker-volume/traefik/acme.json:/etc/acme.json |
18 | - ./docker-volume/traefik/traefik.toml:/traefik.toml | 20 | - ./docker-volume/traefik/traefik.toml:/traefik.toml |
19 | restart: "always" | 21 | restart: "always" |
20 | # If you want to use the Traefik dashboard, you should expose it on a | ||
21 | # subdomain with HTTPS and authentification: | ||
22 | # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f | ||
23 | # https://github.com/containous/traefik/issues/880#issuecomment-310301168 | ||
24 | 22 | ||
25 | peertube: | 23 | # The webserver is not required, but recommended since a lot of optimizations went to its |
26 | # If you don't want to use the official image and build one from sources | 24 | # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL, |
27 | # build: | 25 | # so use it in production in tandem with an SSL-terminating reverse-proxy like above. |
28 | # context: . | 26 | webserver: |
29 | # dockerfile: ./support/docker/production/Dockerfile.buster | 27 | build: |
30 | image: chocobozzz/peertube:production-buster | 28 | context: . |
29 | dockerfile: Dockerfile.nginx | ||
31 | env_file: | 30 | env_file: |
32 | - .env | 31 | - .env |
33 | # Traefik labels are suggested as an example for people using Traefik, | 32 | # If you provide your own reverse-proxy, otherwise not suitable for production: |
34 | # remove them if you are using another reverse proxy. | 33 | #ports: |
34 | # - "80:80" | ||
35 | volumes: | ||
36 | - type: bind | ||
37 | # Switch sources if you downloaded the nginx configuration without the whole repository | ||
38 | #source: ./peertube | ||
39 | source: ../../nginx/peertube | ||
40 | target: /etc/nginx/conf.d/peertube.template | ||
41 | - assets:/var/www/peertube/peertube-latest/client/dist:ro | ||
42 | - ./docker-volume/data:/var/www/peertube/storage | ||
43 | depends_on: | ||
44 | - peertube | ||
45 | restart: "always" | ||
35 | labels: | 46 | labels: |
36 | traefik.enable: "true" | 47 | traefik.enable: "true" |
37 | traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" | 48 | traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" |
38 | traefik.port: "9000" | 49 | traefik.port: "80" |
39 | # If you don't want to use a reverse proxy (not suitable for production!) | 50 | |
40 | # ports: | 51 | peertube: |
41 | # - "80:9000" | 52 | # If you don't want to use the official image and build one from sources: |
53 | #build: | ||
54 | # context: . | ||
55 | # dockerfile: ./support/docker/production/Dockerfile.buster | ||
56 | image: chocobozzz/peertube:production-buster | ||
57 | env_file: | ||
58 | - .env | ||
59 | # If you provide your own webserver and reverse-proxy, otherwise not suitable for production: | ||
60 | #ports: | ||
61 | # - "80:9000" | ||
42 | volumes: | 62 | volumes: |
63 | - assets:/app/client/dist | ||
43 | - ./docker-volume/data:/data | 64 | - ./docker-volume/data:/data |
44 | - ./docker-volume/config:/config | 65 | - ./docker-volume/config:/config |
45 | depends_on: | 66 | depends_on: |
@@ -47,6 +68,8 @@ services: | |||
47 | - redis | 68 | - redis |
48 | - postfix | 69 | - postfix |
49 | restart: "always" | 70 | restart: "always" |
71 | labels: | ||
72 | traefik.enable: "false" | ||
50 | 73 | ||
51 | postgres: | 74 | postgres: |
52 | image: postgres:10-alpine | 75 | image: postgres:10-alpine |
@@ -59,7 +82,7 @@ services: | |||
59 | traefik.enable: "false" | 82 | traefik.enable: "false" |
60 | 83 | ||
61 | redis: | 84 | redis: |
62 | image: redis:4-alpine | 85 | image: redis:5-alpine |
63 | volumes: | 86 | volumes: |
64 | - ./docker-volume/redis:/data | 87 | - ./docker-volume/redis:/data |
65 | restart: "always" | 88 | restart: "always" |
@@ -82,3 +105,6 @@ networks: | |||
82 | driver: default | 105 | driver: default |
83 | config: | 106 | config: |
84 | - subnet: 172.18.0.0/16 | 107 | - subnet: 172.18.0.0/16 |
108 | |||
109 | volumes: | ||
110 | assets: | ||
diff --git a/support/docker/production/entrypoint.nginx.sh b/support/docker/production/entrypoint.nginx.sh new file mode 100644 index 000000000..744385ec8 --- /dev/null +++ b/support/docker/production/entrypoint.nginx.sh | |||
@@ -0,0 +1,17 @@ | |||
1 | #!/bin/sh | ||
2 | set -e | ||
3 | |||
4 | # Process nginx template | ||
5 | SOURCE="/etc/nginx/conf.d/peertube.template" | ||
6 | TARGET="/etc/nginx/conf.d/default.conf" | ||
7 | export WEBSERVER_HOST="default_server" | ||
8 | export PEERTUBE_HOST="peertube:9000" | ||
9 | |||
10 | envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET | ||
11 | |||
12 | # Remove HTTPS/SSL from nginx conf | ||
13 | sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET | ||
14 | |||
15 | cat $TARGET | ||
16 | |||
17 | nginx -g "daemon off;" \ No newline at end of file | ||
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/entrypoint.sh index 7dd626b9f..7dd626b9f 100755 --- a/support/docker/production/docker-entrypoint.sh +++ b/support/docker/production/entrypoint.sh | |||
diff --git a/support/nginx/peertube b/support/nginx/peertube index a17868c5a..7f2c0f263 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -1,26 +1,24 @@ | |||
1 | server { | 1 | # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose. |
2 | listen 80; | 2 | #server { |
3 | listen [::]:80; | 3 | # listen 80; |
4 | server_name peertube.example.com; | 4 | # listen [::]:80; |
5 | 5 | # server_name ${WEBSERVER_HOST}; | |
6 | access_log /var/log/nginx/peertube.example.com.access.log; | 6 | # |
7 | error_log /var/log/nginx/peertube.example.com.error.log; | 7 | # location /.well-known/acme-challenge/ { |
8 | 8 | # default_type "text/plain"; | |
9 | location /.well-known/acme-challenge/ { | 9 | # root /var/www/certbot; |
10 | default_type "text/plain"; | 10 | # } |
11 | root /var/www/certbot; | 11 | # location / { return 301 https://$host$request_uri; } |
12 | } | 12 | #} |
13 | location / { return 301 https://$host$request_uri; } | ||
14 | } | ||
15 | 13 | ||
16 | server { | 14 | server { |
17 | listen 443 ssl http2; | 15 | listen 443 ssl http2; |
18 | listen [::]:443 ssl http2; | 16 | listen [::]:443 ssl http2; |
19 | server_name peertube.example.com; | 17 | server_name ${WEBSERVER_HOST}; |
20 | 18 | ||
21 | # For example with certbot (you need a certificate to run https) | 19 | # For example with certbot (you need a certificate to run https) |
22 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; | 20 | ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem; |
23 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | 21 | ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem; |
24 | 22 | ||
25 | # Security hardening (as of 11/02/2018) | 23 | # Security hardening (as of 11/02/2018) |
26 | ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 | 24 | ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 |
@@ -51,8 +49,8 @@ server { | |||
51 | # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path | 49 | # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path |
52 | # client_body_temp_path /var/www/peertube/storage/nginx/; | 50 | # client_body_temp_path /var/www/peertube/storage/nginx/; |
53 | 51 | ||
54 | access_log /var/log/nginx/peertube.example.com.access.log; | 52 | access_log /var/log/nginx/${WEBSERVER_HOST}.access.log; |
55 | error_log /var/log/nginx/peertube.example.com.error.log; | 53 | error_log /var/log/nginx/${WEBSERVER_HOST}.error.log; |
56 | 54 | ||
57 | location ^~ '/.well-known/acme-challenge' { | 55 | location ^~ '/.well-known/acme-challenge' { |
58 | default_type "text/plain"; | 56 | default_type "text/plain"; |
@@ -92,7 +90,7 @@ server { | |||
92 | } | 90 | } |
93 | 91 | ||
94 | location / { | 92 | location / { |
95 | proxy_pass http://127.0.0.1:9000; | 93 | proxy_pass http://${PEERTUBE_HOST}; |
96 | proxy_set_header X-Real-IP $remote_addr; | 94 | proxy_set_header X-Real-IP $remote_addr; |
97 | proxy_set_header Host $host; | 95 | proxy_set_header Host $host; |
98 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 96 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
@@ -177,14 +175,14 @@ server { | |||
177 | proxy_http_version 1.1; | 175 | proxy_http_version 1.1; |
178 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 176 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
179 | proxy_set_header Host $host; | 177 | proxy_set_header Host $host; |
180 | proxy_pass http://127.0.0.1:9000; | 178 | proxy_pass http://${PEERTUBE_HOST}; |
181 | } | 179 | } |
182 | 180 | ||
183 | location /socket.io { | 181 | location /socket.io { |
184 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 182 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
185 | proxy_set_header Host $host; | 183 | proxy_set_header Host $host; |
186 | 184 | ||
187 | proxy_pass http://127.0.0.1:9000; | 185 | proxy_pass http://${PEERTUBE_HOST}; |
188 | 186 | ||
189 | # enable WebSockets | 187 | # enable WebSockets |
190 | proxy_http_version 1.1; | 188 | proxy_http_version 1.1; |