diff --git a/Dockerfile.nginx b/Dockerfile.nginx
new file mode 100644
index 0000000..915b01b
--- /dev/null
+++ b/Dockerfile.nginx
@@ -0,0 +1,18 @@
+FROM nginx
+
+RUN apt-get update -qq && apt-get -y install apache2-utils
+
+ENV RAILS_ROOT /app
+WORKDIR $RAILS_ROOT
+
+RUN mkdir log
+
+COPY public /app/public/
+COPY nginx.conf /tmp/docker.nginx
+
+RUN envsubst '$RAILS_ROOT' < /tmp/docker.nginx > /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+EXPOSE 443
+
+CMD [ "nginx", "-g", "daemon off;" ]
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 6219804..90b4760 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,17 @@
 version: '3'
 services:
+ web:
+ build:
+ context: .
+ dockerfile: Dockerfile.nginx
+ depends_on:
+ - app
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
 app:
+ - /home/dockerexec/.local/share/docker/certs:/etc/ssl/certs
 build: .
 volumes:
 - decidim_uploads:/app/public/uploads
@@ -16,7 +27,6 @@ services:
 - REDIS_URL=${REDIS_URL:-redis://redis:6379/0}
 - WEB_CONCURRENCY=${WEB_CONCURRENCY:-2}
 - LOG_LEVEL=${LOG_LEVEL:-info}
- - MAPS_PROVIDER=${MAPS_PROVIDER:-here}
 - DECIDIM_ENABLE_HTML_HEADER_SNIPPETS=${DECIDIM_ENABLE_HTML_HEADER_SNIPPETS:-true}
 - DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS=${DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS:-0}
 - CHANGE_ACTIVE_STEP=${CHANGE_ACTIVE_STEP:-enabled}
@@ -34,8 +44,6 @@ services:
 - MAPS_PROVIDER=${MAPS_PROVIDER:-here}
 - RACK_ATTACK_SECRET
 - CENSUS_URL
- ports:
- - 3000:3000
 depends_on:
 - db
 - redis
@@ -55,7 +63,6 @@ services:
 - RUN_SIDEKIQ=true
 - SIDEKIQ_CONCURRENCY=${SIDEKIQ_CONCURRENCY:-5}
 - LOG_LEVEL=${LOG_LEVEL:-info}
- - MAPS_PROVIDER=${MAPS_PROVIDER:-here}
 - DECIDIM_ENABLE_HTML_HEADER_SNIPPETS=${DECIDIM_ENABLE_HTML_HEADER_SNIPPETS:-true}
 - DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS=${DECIDIM_ADMIN_PASSWORD_EXPIRATION_DAYS:-0}
 - CHANGE_ACTIVE_STEP=${CHANGE_ACTIVE_STEP:-enabled}
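Review bot: `FROM nginx` in Dockerfile.nginx has no tag or digest, so every rebuild of the TLS-terminating proxy picks up whatever `latest` is at that moment and the image cannot be reproduced or audited; pin it, e.g. `FROM nginx:<pinned-version>@sha256:<digest>` (placeholders, use the release you have tested). The `apt-get` line installs `apache2-utils`, which nothing in this Dockerfile or in the nginx.conf added by this commit appears to use, and it leaves the apt lists in the layer; either drop the package or write `RUN apt-get update -qq && apt-get install -y --no-install-recommends apache2-utils && rm -rf /var/lib/apt/lists/*`. `ENV RAILS_ROOT /app` uses the legacy space-separated form, where `ENV RAILS_ROOT=/app` is the current one. The `envsubst '$RAILS_ROOT'` step looks like a no-op here, since the nginx.conf in this commit hard-codes `/app` and never references `$RAILS_ROOT`.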
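Review bot: In the first docker-compose.yml hunk the certificate mount `- /home/dockerexec/.local/share/docker/certs:/etc/ssl/certs` is added after the `app:` context line rather than under the new `web` service's `volumes:` key, so as the hunk reads `web.volumes` is empty and a list item sits directly under `app:` ahead of `build: .` (indentation is lost in this view, so confirm against the file). The nginx.conf in this commit reads its certificate and key from `/etc/ssl/certs`, so the mount belongs to `web`; move the line up so it sits directly below the added `volumes:`. Because the directory holds the TLS private key, mount it read-only by appending `:ro`, and consider a dedicated target directory instead of `/etc/ssl/certs`, since a bind mount over that path hides whatever CA certificates the image ships there.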
@@ -83,6 +90,7 @@ services:
 - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-decidim}
 - POSTGRES_DB=${POSTGRES_DB:-decidim}
 volumes:
+ - /home/dockerexec/.local/share/docker/certs:/certs
 - pg_data:/var/lib/postgresql/data
 redis:
 image: redis
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..dd5e7bc
--- /dev/null
+++ b/nginx.conf
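Review bot: The added volume `- /home/dockerexec/.local/share/docker/certs:/certs` gives the container that sets `POSTGRES_PASSWORD` (presumably the database service; its name is outside the hunk) read-write access to the same host directory that appears to hold the web server's TLS private key. Nothing visible in this diff configures that service to read anything under `/certs`. If the database does not need those files, drop the line; if it does, mount only its own certificate and key, read-only, e.g. `- <host-path-to-db-cert-dir>:/certs:ro` (placeholder path).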
@@ -0,0 +1,79 @@
+upstream app {
+ server 'app:3000';
+}
+
+server {
+ server_name _;
+ listen 80 default_server;
+ listen [::]:80 ipv6only=on default_server;
+ listen 443 ssl;
+ listen [::]:443 ipv6only=on ssl;
+
+ ssl_certificate /etc/ssl/certs/ssl-bundle.pem;
+ ssl_certificate_key /etc/ssl/certs/privatekeymultidominiogetxo.pem;
+
+ # ~2 seconds is often enough for most folks to parse HTML/CSS and
+ # retrieve needed images/icons/frames, connections are cheap in
+ # nginx so increasing this is generally safe...
+ keepalive_timeout 5; # path for static files
+
+ root /app/public;
+ access_log /app/log/nginx.access.log;
+ error_log /app/log/nginx.error.log info;
+
+ # this rewrites all the requests to the maintenance.html
+ # page if it exists in the doc root. This is for capistrano's
+ # disable web task
+ if (-f $document_root/maintenance.html) {
+ rewrite ^(.*)$ /maintenance.html last;
+ break;
+ }
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+ # If the file exists as a static file serve it directly without
+ # running all the other rewrite tests on it
+ if (-f $request_filename) {
+ break;
+ }
+
+ # check for index.html for directory index
+ # if it's there on the filesystem then rewrite
+ # the url to add /index.html to the end of it
+ # and then break to send it to the next config rules.
+ if (-f $request_filename/index.html) {
+ rewrite (.*) $1/index.html break;
+ }
+
+ # this is the meat of the rack page caching config
+ # it adds .html to the end of the url and then checks
+ # the filesystem for that file. If it exists, then we
+ # rewrite the url to have explicit .html on the end
+ # and then send it on its way to the next config rule.
+ # if there is no file on the fs then it sets all the
+ # necessary headers and proxies to our upstream pumas
+ if (-f $request_filename.html) {
+ rewrite (.*) $1.html break;
+ }
+
+ if (!-f $request_filename) {
+ proxy_pass http://app;
+ break;
+ }
+ }
+
+ # Now this supposedly should work as it gets the filenames with querystrings that Rails provides.
+ # BUT there's a chance it could break the ajax calls.
+ location ~* \.(ico|css|gif|jpe?g|png|js)(\?[0-9]+)?$ {
+ expires max;
+ break;
+ }
+
+ # Error pages
+ # error_page 500 502 503 504 /500.html;
+ location = /500.html {
+ root /app/current/public;
+ }
+}
\ No newline at end of file
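Review bot: The single `server` block listens on both 80 and 443 and proxies both to `app` without an `X-Forwarded-Proto` header, so logins and session cookies can travel over plain HTTP and the Rails app cannot tell which scheme the client used. Add `proxy_set_header X-Forwarded-Proto $scheme;` next to the two existing `proxy_set_header` lines in `location /`, and move the port-80 `listen` lines into a separate server block whose body is `return 301 https://$host$request_uri;`. The line `ssl_certificate_key /etc/ssl/certs/privatekeymultidominiogetxo.pem;` keeps the private key in a directory that is conventionally world-readable; a dedicated directory with restrictive permissions is the usual place for it. `location = /500.html` sets `root /app/current/public`, a path that Dockerfile.nginx in this commit does not create (it copies to `/app/public`), so that location looks dead until the path is corrected.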