diff --git a/docker/proxy/Dockerfile b/docker/proxy/Dockerfile index 0290b144..ed547c88 100644 --- a/docker/proxy/Dockerfile +++ b/docker/proxy/Dockerfile @@ -1,27 +1,33 @@ FROM fedora:35 MAINTAINER Jeroen van Meeuwen ENV container docker RUN dnf -y install \ --setopt 'tsflags=nodocs' \ nginx \ nginx-mod-mail && \ dnf clean all # ENV APP_WEBSITE_DOMAIN # ENV SSL_CERTIFICATE # ENV SSL_CERTIFICATE_KEY COPY rootfs/ / # Forward request logs to Docker log collector RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log STOPSIGNAL SIGTERM +ENV WEBAPP_BACKEND http://webapp:8000 +ENV MEET_BACKEND https://meet:12443 +ENV ROUNDCUBE_BACKEND http://roundcube:8080 +ENV DAV_BACKEND http://imap:11080/dav +ENV COLLABORA_BACKEND http://collabora:9980 + CMD ["/init.sh"] EXPOSE 25/tcp 80/tcp 443/tcp 465/tcp 587/tcp 143/tcp 144/tcp 993/tcp diff --git a/docker/proxy/rootfs/etc/nginx/nginx.conf b/docker/proxy/rootfs/etc/nginx/nginx.conf index 0a4b4c41..66116def 100644 --- a/docker/proxy/rootfs/etc/nginx/nginx.conf +++ b/docker/proxy/rootfs/etc/nginx/nginx.conf 
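Review bot: The new `ENV WEBAPP_BACKEND http://webapp:8000` default is also what nginx.conf's mail `auth_http` directive gets substituted with, and nginx's mail auth protocol speaks plain HTTP only and passes the user's IMAP/SMTP credentials to that endpoint in request headers, so pointing this variable at an `https://` URL breaks mail authentication while pointing it at a host outside the container network exposes credentials in clear — neither constraint is documented next to the variable. I would add above the five new ENV lines: `# WEBAPP_BACKEND also feeds the mail auth_http lookup: plain http://host:port only, and it carries user credentials, so keep it on the trusted container network.` Since `MEET_BACKEND` defaults to `https://meet:12443`, it is also worth stating that the proxy does not verify that backend's certificate unless nginx.conf sets `proxy_ssl_verify`, which this diff does not show it doing. The commented-out `# ENV SSL_CERTIFICATE` placeholders above still document the required variables, so a parallel comment for the new optional ones keeps the file self-describing.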
@@ -1,301 +1,302 @@ # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen [::]:443 ssl ipv6only=on; listen 443 ssl; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; server_name APP_WEBSITE_DOMAIN; root /usr/share/nginx/html; # Load configuration files for the default server block. 
include /etc/nginx/default.d/*.conf; location / { - proxy_pass http://webapp:8000; + proxy_pass WEBAPP_BACKEND; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; # Mostly for files, swoole has a 10MB limit client_max_body_size 11m; } location /meetmedia { - proxy_pass https://meet:12443; + proxy_pass MEET_BACKEND; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } location /meetmedia/api { - proxy_pass https://meet:12443; + proxy_pass MEET_BACKEND; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /roundcubemail { - proxy_pass http://roundcube:8080; + proxy_pass ROUNDCUBE_BACKEND; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /chwala { - proxy_pass http://roundcube:8080; + proxy_pass ROUNDCUBE_BACKEND; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_no_cache 1; proxy_cache_bypass 1; } location /Microsoft-Server-ActiveSync { auth_request /auth; #auth_request_set $auth_status $upstream_status; - proxy_pass http://roundcube:8080; + proxy_pass ROUNDCUBE_BACKEND; proxy_set_header Host $host; 
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_send_timeout 910s; proxy_read_timeout 910s; fastcgi_send_timeout 910s; fastcgi_read_timeout 910s; } location ~* ^/\\.well-known/autoconfig { - proxy_pass http://roundcube:8080; + proxy_pass ROUNDCUBE_BACKEND; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~* ^/\\autodiscover/autodiscover.xml { - proxy_pass http://roundcube:8080; + proxy_pass ROUNDCUBE_BACKEND; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~ ^/\\.well-known/(caldav|carddav)(.*)$ { return 301 /dav/$2; } location /dav { #auth_request_set $auth_status $upstream_status; - proxy_pass http://imap:11080/dav; + proxy_pass DAV_BACKEND; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # static files location ^~ /browser { - proxy_pass http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Host $http_host; } # WOPI discovery URL location ^~ /hosting/discovery { - proxy_pass http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Host $http_host; } # Capabilities location ^~ /hosting/capabilities { - proxy_pass http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Host $http_host; } # main websocket location ~ ^/cool/(.*)/ws$ { - proxy_pass http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_read_timeout 36000s; } # download, presentation and image upload location ~ ^/(c|l)ool { - proxy_pass http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Host $http_host; } # Admin Console websocket location ^~ /cool/adminws { - proxy_pass 
http://collabora:9980; + proxy_pass COLLABORA_BACKEND; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_read_timeout 36000s; } location = /auth { internal; - proxy_pass http://webapp:8000/api/webhooks/nginx-httpauth; + proxy_pass WEBAPP_BACKEND/api/webhooks/nginx-httpauth; proxy_pass_request_body off; proxy_set_header Host services.APP_WEBSITE_DOMAIN; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } mail { + #FIXME? server_name imap.hosted.com; - auth_http webapp:8000/api/webhooks/nginx; + auth_http WEBAPP_BACKEND/api/webhooks/nginx; auth_http_header Host services.APP_WEBSITE_DOMAIN; proxy_pass_error_message on; proxy_smtp_auth on; xclient off; server { listen 143; protocol imap; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } # Roundcube specific imap endpoint with proxy-protocol enabled server { listen 144 proxy_protocol; protocol imap; - auth_http webapp:8000/api/webhooks/nginx-roundcube; + auth_http WEBAPP_BACKEND/api/webhooks/nginx-roundcube; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 465 ssl; protocol smtp; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 587; protocol smtp; proxy on; starttls on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers HIGH:!aNULL:!MD5; } server { listen 993 ssl; protocol imap; proxy on; ssl_certificate SSL_CERTIFICATE_CERT; ssl_certificate_key SSL_CERTIFICATE_KEY; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } } diff --git a/docker/proxy/rootfs/init.sh b/docker/proxy/rootfs/init.sh index 4e83bfa0..d74f382c 100755 --- a/docker/proxy/rootfs/init.sh +++ b/docker/proxy/rootfs/init.sh @@ -1,9 +1,14 @@ #!/bin/bash sed -i -r \ -e "s|APP_WEBSITE_DOMAIN|$APP_WEBSITE_DOMAIN|g" \ -e "s|SSL_CERTIFICATE_CERT|$SSL_CERTIFICATE|g" \ -e "s|SSL_CERTIFICATE_KEY|$SSL_CERTIFICATE_KEY|g" \ + -e "s|WEBAPP_BACKEND|$WEBAPP_BACKEND|g" \ + -e "s|MEET_BACKEND|$MEET_BACKEND|g" \ + -e "s|ROUNDCUBE_BACKEND|$ROUNDCUBE_BACKEND|g" \ + -e "s|DAV_BACKEND|$DAV_BACKEND|g" \ + -e "s|COLLABORA_BACKEND|$COLLABORA_BACKEND|g" \ /etc/nginx/nginx.conf exec nginx -g "daemon off;"
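Review bot: The newly added `#FIXME? server_name imap.hosted.com;` comment in the `mail` block leaves a hard-coded placeholder hostname while every other deployment-specific value in this file is now substituted from the environment; per the nginx docs the mail `server_name` is sent in the SMTP greeting and used as the CRAM-MD5 salt, so a made-up name is visible to clients. I would replace the FIXME with `server_name imap.APP_WEBSITE_DOMAIN;` so init.sh fills it in the same way it fills the `services.APP_WEBSITE_DOMAIN` Host headers. The `auth_http WEBAPP_BACKEND/api/webhooks/nginx` substitutions also quietly require WEBAPP_BACKEND to be a plain `http://host:port` (nginx tolerates that scheme prefix but `auth_http` has no TLS support), unlike the `proxy_pass WEBAPP_BACKEND` uses of the same variable, so a comment above `auth_http` such as `# WEBAPP_BACKEND must be plain http:// here; auth_http cannot use TLS` would save an operator a confusing startup failure. A value with a trailing slash would additionally produce `//api/webhooks/...` in both `auth_http` and the `/auth` `proxy_pass`, which is worth noting in that same comment. The mail servers' `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` lines are untouched context, but they still enable protocols deprecated by RFC 8996 and should be reduced to `ssl_protocols TLSv1.2;` while these defaults are being revisited.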
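Review bot: The new `-e "s|WEBAPP_BACKEND|$WEBAPP_BACKEND|g"` expression and the four that follow paste the environment value unescaped into sed's replacement side, so a value containing `&` is expanded to the matched placeholder, a `|` terminates the expression, and an unset or empty variable silently yields `proxy_pass ;`, which nginx then rejects at startup with an error that does not name the variable. Because this script is the container entrypoint, I would add `set -eu` right after the shebang so an unset variable aborts before the config is rewritten, and guard the five values with checks such as `: "${WEBAPP_BACKEND:?must be a backend URL}"` before the sed call. Since `sed -i` edits /etc/nginx/nginx.conf in place, the substitution is presumably one-shot: if the container is restarted rather than recreated with changed values, the first values remain, which deserves a comment like `# one-shot: placeholders are replaced in place on first start`.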