authorRigel Kent <sendmemail@rigelk.eu>2020-03-03 00:29:52 +0100
committerRigel Kent <sendmemail@rigelk.eu>2020-11-11 16:45:46 +0100
commit1a9b141d835cf3bfe9bdca67f881b520975f9058 (patch)
tree444b35656c7093250181121ccfadb870c5046be4
parent8e98e6124d2b006ba9f616b0dfce7369fa7b2684 (diff)
downloadPeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.tar.gz
PeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.tar.zst
PeerTube-1a9b141d835cf3bfe9bdca67f881b520975f9058.zip
Add nginx behind traefik in docker-compose + image updates
- support/docker/production/docker-compose.yml: addition of an nginx image reusing the support/nginx/peertube nginx conf to improve performance and lessen setup differences between the docker-compose install and the typical production install. - support/docker/production/docker-compose.yml: postgres 10 -> postgres 12, redis 4 -> redis 5. Postgres major updates imply a manual upgrade. - support/nginx/peertube: HTTP -> HTTPS redirection is now commented out by default, to allow its reuse in support/docker/production/docker-compose.yml.
-rw-r--r--support/doc/production.md3
-rw-r--r--support/docker/production/Dockerfile.buster4
-rw-r--r--support/docker/production/Dockerfile.nginx8
-rw-r--r--support/docker/production/config/traefik.toml2
-rw-r--r--support/docker/production/docker-compose.yml72
-rw-r--r--support/docker/production/entrypoint.nginx.sh17
-rwxr-xr-xsupport/docker/production/entrypoint.sh (renamed from support/docker/production/docker-entrypoint.sh)0
-rw-r--r--support/nginx/peertube42
8 files changed, 99 insertions, 49 deletions
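--- a/support/doc/production.md
+++ b/support/doc/production.md
@@ -100,7 +100,8 @@ Then set the domain for the webserver configuration file.
 Replace `[peertube-domain]` with the domain for the peertube server.
 
 ```
-$ sudo sed -i 's/peertube.example.com/[peertube-domain]/g' /etc/nginx/sites-available/peertube
+$ sudo sed -i 's/${WEBSERVER_HOST}/[peertube-domain]/g' /etc/nginx/sites-available/peertube
+$ sudo sed -i 's/${PEERTUBE_HOST}/localhost:9000/g' /etc/nginx/sites-available/peertube
 ```
 
 Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.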
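--- a/support/docker/production/Dockerfile.buster
+++ b/support/docker/production/Dockerfile.buster
@@ -38,8 +38,8 @@ ENV NODE_CONFIG_DIR /config
 VOLUME /data
 VOLUME /config
 
-COPY ./support/docker/production/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+COPY ./support/docker/production/entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 
 # Run the application
 CMD ["npm", "start"]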
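--- /dev/null
+++ b/support/docker/production/Dockerfile.nginx
@@ -0,0 +1,8 @@
+FROM nginx:alpine
+
+COPY entrypoint.nginx.sh .
+RUN chmod +x entrypoint.nginx.sh
+
+EXPOSE 80
+ENTRYPOINT []
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file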
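Review bot: `FROM nginx:alpine` on line 1 is a floating tag, so every rebuild of the webserver image pulls whatever nginx release is current at that moment; builds are not reproducible and an upstream change (the official image's own entrypoint behaviour, for instance) lands unreviewed, so pin a versioned tag, `FROM nginx:<version>-alpine`, and bump it deliberately. The script is copied into the base image's working directory and run by a relative path, `COPY entrypoint.nginx.sh .` / `CMD ["/bin/sh", "entrypoint.nginx.sh"]`, which silently depends on that image's WORKDIR; Dockerfile.buster in the same commit installs its entrypoint under /usr/local/bin by absolute path, and this file should match it with `COPY entrypoint.nginx.sh /usr/local/bin/entrypoint.nginx.sh` and `CMD ["/bin/sh", "/usr/local/bin/entrypoint.nginx.sh"]`. The `RUN chmod +x` is then redundant, since the file is executed through /bin/sh rather than directly.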
diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
index 1d7d207fd..d2437fdf8 100644
--- a/support/docker/production/config/traefik.toml
+++ b/support/docker/production/config/traefik.toml
@@ -61,4 +61,4 @@ entryPoint = "https"
61 # 61 #
62 # Required 62 # Required
63 # 63 #
64 entryPoint = "http" 64 entryPoint = "http" \ No newline at end of file
diff --git a/support/docker/production/docker-compose.yml b/support/docker/production/docker-compose.yml
index e937c8b9c..62be02467 100644
--- a/support/docker/production/docker-compose.yml
+++ b/support/docker/production/docker-compose.yml
@@ -2,44 +2,65 @@ version: "3.3"
2 2
3services: 3services:
4 4
5 # The reverse-proxy only does SSL termination and automatic certificate generation. You can
6 # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
5 reverse-proxy: 7 reverse-proxy:
6 image: traefik:v1.7 8 image: traefik:v1.7
7 network_mode: "host" 9 network_mode: "host"
8 command: 10 command:
9 - "--docker" # Tells Træfik to listen to docker 11 - "--docker" # Tells Træfik to listen to docker
10 - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email 12 - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
11 - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list 13 - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
12 ports: 14 ports:
13 - "80:80" # The HTTP port 15 - "80:80" # The HTTP port
14 - "443:443" # The HTTPS port 16 - "443:443" # The HTTPS port
15 volumes: 17 volumes:
16 - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events 18 - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
17 - ./docker-volume/traefik/acme.json:/etc/acme.json 19 - ./docker-volume/traefik/acme.json:/etc/acme.json
18 - ./docker-volume/traefik/traefik.toml:/traefik.toml 20 - ./docker-volume/traefik/traefik.toml:/traefik.toml
19 restart: "always" 21 restart: "always"
20 # If you want to use the Traefik dashboard, you should expose it on a
21 # subdomain with HTTPS and authentification:
22 # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
23 # https://github.com/containous/traefik/issues/880#issuecomment-310301168
24 22
25 peertube: 23 # The webserver is not required, but recommended since a lot of optimizations went to its
26 # If you don't want to use the official image and build one from sources 24 # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
27 # build: 25 # so use it in production in tandem with an SSL-terminating reverse-proxy like above.
28 # context: . 26 webserver:
29 # dockerfile: ./support/docker/production/Dockerfile.buster 27 build:
30 image: chocobozzz/peertube:production-buster 28 context: .
29 dockerfile: Dockerfile.nginx
31 env_file: 30 env_file:
32 - .env 31 - .env
33 # Traefik labels are suggested as an example for people using Traefik, 32 # If you provide your own reverse-proxy, otherwise not suitable for production:
34 # remove them if you are using another reverse proxy. 33 #ports:
34 # - "80:80"
35 volumes:
36 - type: bind
37 # Switch sources if you downloaded the nginx configuration without the whole repository
38 #source: ./peertube
39 source: ../../nginx/peertube
40 target: /etc/nginx/conf.d/peertube.template
41 - assets:/var/www/peertube/peertube-latest/client/dist:ro
42 - ./docker-volume/data:/var/www/peertube/storage
43 depends_on:
44 - peertube
45 restart: "always"
35 labels: 46 labels:
36 traefik.enable: "true" 47 traefik.enable: "true"
37 traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}" 48 traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
38 traefik.port: "9000" 49 traefik.port: "80"
39 # If you don't want to use a reverse proxy (not suitable for production!) 50
40 # ports: 51 peertube:
41 # - "80:9000" 52 # If you don't want to use the official image and build one from sources:
53 #build:
54 # context: .
55 # dockerfile: ./support/docker/production/Dockerfile.buster
56 image: chocobozzz/peertube:production-buster
57 env_file:
58 - .env
59 # If you provide your own webserver and reverse-proxy, otherwise not suitable for production:
60 #ports:
61 # - "80:9000"
42 volumes: 62 volumes:
63 - assets:/app/client/dist
43 - ./docker-volume/data:/data 64 - ./docker-volume/data:/data
44 - ./docker-volume/config:/config 65 - ./docker-volume/config:/config
45 depends_on: 66 depends_on:
@@ -47,6 +68,8 @@ services:
47 - redis 68 - redis
48 - postfix 69 - postfix
49 restart: "always" 70 restart: "always"
71 labels:
72 traefik.enable: "false"
50 73
51 postgres: 74 postgres:
52 image: postgres:10-alpine 75 image: postgres:10-alpine
@@ -59,7 +82,7 @@ services:
59 traefik.enable: "false" 82 traefik.enable: "false"
60 83
61 redis: 84 redis:
62 image: redis:4-alpine 85 image: redis:5-alpine
63 volumes: 86 volumes:
64 - ./docker-volume/redis:/data 87 - ./docker-volume/redis:/data
65 restart: "always" 88 restart: "always"
@@ -82,3 +105,6 @@ networks:
82 driver: default 105 driver: default
83 config: 106 config:
84 - subnet: 172.18.0.0/16 107 - subnet: 172.18.0.0/16
108
109volumes:
110 assets:
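Review bot: The `assets` named volume mounted at `/app/client/dist` in the peertube service (new line 63) is populated from the image only the first time Docker creates it, so after a PeerTube image upgrade the webserver keeps serving the previous release's client files from the stale volume while the API behind it moves on; the upgrade procedure needs a step that removes that volume before the containers are recreated, and a comment next to `assets:` at the bottom of the file should say so, e.g. `# Populated from the peertube image on first creation only; remove it when upgrading the image.` The storage bind mount in the webserver service, `./docker-volume/data:/var/www/peertube/storage`, is read-write although nginx only serves from it; unless the nginx configuration is meant to write there, it could be `:ro` like the assets mount next to it. The description says postgres moves from 10 to 12, but the hunk at old/new line 52/75 still shows `postgres:10-alpine` on both sides.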
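--- /dev/null
+++ b/support/docker/production/entrypoint.nginx.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+# Process nginx template
+SOURCE="/etc/nginx/conf.d/peertube.template"
+TARGET="/etc/nginx/conf.d/default.conf"
+export WEBSERVER_HOST="default_server"
+export PEERTUBE_HOST="peertube:9000"
+
+envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET
+
+# Remove HTTPS/SSL from nginx conf
+sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET
+
+cat $TARGET
+
+nginx -g "daemon off;"
\ No newline at end of file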
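Review bot: `nginx -g "daemon off;"` on the last line is started as a child of the `/bin/sh` running this script, so the shell stays PID 1 and does not forward the SIGTERM that `docker stop` sends; nginx never gets its graceful shutdown and is killed outright when the grace period expires. Replace the line with `exec nginx -g "daemon off;"` so nginx takes over the process and receives the signal itself. The unquoted `$SOURCE`/`$TARGET` expansions on lines 10, 13 and 15 are harmless with these fixed paths, but `"$SOURCE"`/`"$TARGET"` is the conventional form under `set -e`. `cat $TARGET` dumps the whole generated configuration into the container log on every start; consider dropping it or guarding it with a debug variable once the template is trusted.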
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/entrypoint.sh
index 7dd626b9f..7dd626b9f 100755
--- a/support/docker/production/docker-entrypoint.sh
+++ b/support/docker/production/entrypoint.sh
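--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,26 +1,24 @@
-server {
-  listen 80;
-  listen [::]:80;
-  server_name peertube.example.com;
-
-  access_log /var/log/nginx/peertube.example.com.access.log;
-  error_log /var/log/nginx/peertube.example.com.error.log;
-
-  location /.well-known/acme-challenge/ {
-    default_type "text/plain";
-    root /var/www/certbot;
-  }
-  location / { return 301 https://$host$request_uri; }
-}
+# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
+#server {
+#  listen 80;
+#  listen [::]:80;
+#  server_name ${WEBSERVER_HOST};
+#
+#  location /.well-known/acme-challenge/ {
+#    default_type "text/plain";
+#    root /var/www/certbot;
+#  }
+#  location / { return 301 https://$host$request_uri; }
+#}
 
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  server_name peertube.example.com;
+  server_name ${WEBSERVER_HOST};
 
   # For example with certbot (you need a certificate to run https)
-  ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
+  ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 
   # Security hardening (as of 11/02/2018)
   ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
@@ -51,8 +49,8 @@ server {
   # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
   # client_body_temp_path /var/www/peertube/storage/nginx/;
 
-  access_log /var/log/nginx/peertube.example.com.access.log;
-  error_log /var/log/nginx/peertube.example.com.error.log;
+  access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
+  error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
 
   location ^~ '/.well-known/acme-challenge' {
     default_type "text/plain";
@@ -92,7 +90,7 @@ server {
   }
 
   location / {
-    proxy_pass http://127.0.0.1:9000;
+    proxy_pass http://${PEERTUBE_HOST};
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -177,14 +175,14 @@ server {
     proxy_http_version 1.1;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $host;
-    proxy_pass http://127.0.0.1:9000;
+    proxy_pass http://${PEERTUBE_HOST};
   }
 
   location /socket.io {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $host;
 
-    proxy_pass http://${PEERTUBE_HOST};
+    proxy_pass http://${PEERTUBE_HOST};
 
     # enable WebSockets
     proxy_http_version 1.1;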
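Review bot: With the port-80 `server` block commented out by default (new lines 1–12 of the first hunk), a production install that only runs the two `sed` commands from production.md ends up with no HTTP listener at all: no HTTP→HTTPS redirect and no `/.well-known/acme-challenge/` endpoint on port 80, which is where HTTP-01 validation connects, so the initial certbot issuance that the 443 block depends on cannot complete until the admin uncomments the block. The production.md hunk in this commit does not mention that step; add a sentence there after the sed commands, and extend the comment on line 1 to say what is lost, e.g. `# Uncomment in production to redirect HTTP to HTTPS and to serve the ACME challenge on port 80. Leave commented for docker-compose, where the reverse-proxy owns port 80.` The later hunks at old lines 51, 92 and 177 only substitute `${WEBSERVER_HOST}`/`${PEERTUBE_HOST}` and raise nothing new. The enclosing `server` block of the last hunk starts and ends outside it.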