allow using nginx amplify for monitoring

This commit is contained in:
Martin Kleinschrodt 2021-09-14 07:53:04 +02:00
parent 85aa8787e1
commit 613e9907b9
5 changed files with 220 additions and 61 deletions


@ -47,15 +47,26 @@ services:
command: ["build"]
restart: on-failure
nginx:
image: nginx
container_name: nginx
env_file: .env
environment:
- API_KEY=${PL_AMPLIFY_API_KEY}
- AMPLIFY_IMAGENAME=${PL_HOSTNAME}
build:
context: ./nginx
dockerfile: Dockerfile
depends_on:
- server
restart: always
volumes:
- pwa:/pwa
- ./nginx.conf:/etc/nginx/nginx.conf
# - ${PL_TLS_CERT:-./tls/cert.pem}:/tls/cert
# - ${PL_TLS_KEY:-./tls/key.pem}:/tls/key
# - ${PL_TLS_CONF:-./tls/tls.conf}:/tls/tls.conf
# - logs:/var/log
- /var/www/certbot:/certbot
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ${PL_SSL_CERT}:/ssl/cert
- ${PL_SSL_KEY}:/ssl/key
- /etc/letsencrypt/options-ssl-nginx.conf:/ssl/ssl.conf
- /etc/letsencrypt/ssl-dhparams.pem:/ssl/dhparams.pem
ports:
- 80:80
- 443:443

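Review bot: `env_file: .env` hands the nginx container every variable in `.env`, while the two values it actually needs are already mapped explicitly under `environment:`; if `.env` also carries the server's own secrets (not visible in this hunk), they are needlessly exposed inside the edge container and to the Amplify agent process running there. Drop the `env_file: .env` line and keep only the explicit `API_KEY` and `AMPLIFY_IMAGENAME` entries. The `${PL_SSL_CERT}:/ssl/cert` and `${PL_SSL_KEY}:/ssl/key` mounts have no default, so an unset variable produces an empty host path and compose fails with an opaque invalid-mount error; `${PL_SSL_CERT:?PL_SSL_CERT must point to the TLS certificate}` (and likewise for the key) makes that failure self-explaining. The `services:` mapping this hunk belongs to starts before the hunk.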

@ -1,56 +0,0 @@
http {
# This is required if you want to upload attachments
client_max_body_size 10m;
include mime.types;
# Redirect all http traffic to https
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# return 301 https://$host$request_uri;
# }
server {
# We don't need a host name here since we're only
# dealing with one domain, but you may insert your domain here.
server_name _;
# Both server and pwa are served over https
# listen 443 ssl http2;
listen 80 default_server;
gzip on;
gzip_types text/css application/javascript application/json;
add_header X-Frame-Options deny;
# This will resolve to the server instance
location /server/ {
proxy_pass http://padloc_server:3000;
# rewrite ^/padloc_server(.*)$ $1 break;
}
# This will resolve to the web app
location / {
root /pwa;
index index.html;
try_files $uri /index.html;
}
# SSL certificate
# ssl_certificate /ssl/cert;
# # SSL private key
# ssl_certificate_key /ssl/key;
# Add this file to add advanced ssl configuration
# include /ssl/ssl.conf;
}
}
# This section is required by nginx
events {}

25
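--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,25 @@
+FROM nginx:1.21
+# Install the NGINX Amplify Agent
+RUN apt-get update \
+&& apt-get install -qqy curl python apt-transport-https apt-utils gnupg1 procps \
+&& echo 'deb https://packages.amplify.nginx.com/debian/ stretch amplify-agent' > /etc/apt/sources.list.d/nginx-amplify.list \
+&& curl -fs https://nginx.org/keys/nginx_signing.key | apt-key add - > /dev/null 2>&1 \
+&& apt-get update \
+&& apt-get install -qqy nginx-amplify-agent \
+&& apt-get purge -qqy curl apt-transport-https apt-utils gnupg1 \
+&& rm -rf /etc/apt/sources.list.d/nginx-amplify.list \
+&& rm -rf /var/lib/apt/lists/*
+# Keep the nginx logs inside the container
+RUN unlink /var/log/nginx/access.log \
+&& unlink /var/log/nginx/error.log \
+&& touch /var/log/nginx/access.log \
+&& touch /var/log/nginx/error.log \
+&& chown nginx /var/log/nginx/*log \
+&& chmod 644 /var/log/nginx/*log
+COPY ./entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]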
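Review bot: The repository signing key on the `curl -fs https://nginx.org/keys/nginx_signing.key | apt-key add - > /dev/null 2>&1` line is imported with all output discarded and with no fingerprint check, so a wrong or truncated key only surfaces later as an opaque apt signature error, and `apt-key` marks it as trusted for every repository on the system rather than just the Amplify one. Write it to a dedicated keyring and scope it with `signed-by`: `curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /usr/share/keyrings/nginx.gpg` followed by `echo 'deb [signed-by=/usr/share/keyrings/nginx.gpg] https://packages.amplify.nginx.com/debian/ stretch amplify-agent' > /etc/apt/sources.list.d/nginx-amplify.list`, and compare the imported key's fingerprint against the one published on nginx.org before trusting it. The suite is hard-coded as `stretch` while `FROM nginx:1.21` is a floating tag whose underlying Debian release is not pinned here, so the agent package and its `python` dependency may be resolved from a different release than the base image; pinning the base to an explicit tag or digest would make that combination reproducible. Both `apt-get install` calls would also benefit from `--no-install-recommends` to keep the edge image minimal.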
77
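--- /dev/null
+++ b/nginx/entrypoint.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# This script launches nginx and the NGINX Amplify Agent.
+#
+# Unless already baked in the image, a real API_KEY is required for the
+# NGINX Amplify Agent to be able to connect to the backend.
+#
+# If AMPLIFY_IMAGENAME is set, the script will use it to generate
+# the 'imagename' to put in the /etc/amplify-agent/agent.conf
+#
+# If several instances use the same imagename, the metrics will
+# be aggregated into a single object in Amplify. Otherwise NGINX Amplify
+# will create separate objects for monitoring (an object per instance).
+#
+# Variables
+agent_conf_file="/etc/amplify-agent/agent.conf"
+agent_log_file="/var/log/amplify-agent/agent.log"
+nginx_status_conf="/etc/nginx/conf.d/stub_status.conf"
+api_key=""
+amplify_imagename=""
+# Launch nginx
+echo "starting nginx ..."
+nginx -g "daemon off;" &
+nginx_pid=$!
+test -n "${API_KEY}" && \
+api_key=${API_KEY}
+test -n "${AMPLIFY_IMAGENAME}" && \
+amplify_imagename=${AMPLIFY_IMAGENAME}
+if [ -n "${api_key}" -o -n "${amplify_imagename}" ]; then
+echo "updating ${agent_conf_file} ..."
+if [ ! -f "${agent_conf_file}" ]; then
+test -f "${agent_conf_file}.default" && \
+cp -p "${agent_conf_file}.default" "${agent_conf_file}" || \
+{ echo "no ${agent_conf_file}.default found! exiting."; exit 1; }
+fi
+test -n "${api_key}" && \
+echo " ---> using api_key = ${api_key}" && \
+sh -c "sed -i.old -e 's/api_key.*$/api_key = $api_key/' \
+${agent_conf_file}"
+test -n "${amplify_imagename}" && \
+echo " ---> using imagename = ${amplify_imagename}" && \
+sh -c "sed -i.old -e 's/imagename.*$/imagename = $amplify_imagename/' \
+${agent_conf_file}"
+test -f "${agent_conf_file}" && \
+chmod 644 ${agent_conf_file} && \
+chown nginx ${agent_conf_file} > /dev/null 2>&1
+test -f "${nginx_status_conf}" && \
+chmod 644 ${nginx_status_conf} && \
+chown nginx ${nginx_status_conf} > /dev/null 2>&1
+fi
+if ! grep '^api_key.*=[ ]*[[:alnum:]].*' ${agent_conf_file} > /dev/null 2>&1; then
+echo "no api_key found in ${agent_conf_file}! exiting."
+fi
+echo "starting amplify-agent ..."
+service amplify-agent start > /dev/null 2>&1 < /dev/null
+if [ $? != 0 ]; then
+echo "couldn't start the agent, please check ${agent_log_file}"
+exit 1
+fi
+wait ${nginx_pid}
+echo "nginx master process has stopped, exiting."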
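Review bot: The Amplify API key is printed to the container's stdout on the `echo " ---> using api_key = ${api_key}"` line, so it ends up in `docker logs` and in any log shipper attached to the container; log a redacted marker instead, e.g. `echo " ---> api_key provided (redacted)"`. On the following lines both values are interpolated into a string handed to `sh -c`, so a value containing `$`, backticks or `"` is evaluated by that inner shell and one containing `/` or `&` corrupts the sed expression; drop the wrapper and call sed directly, `sed -i.old -e "s|^api_key.*|api_key = ${api_key}|" "${agent_conf_file}"`, with the same treatment for `imagename` (the `.old` backup also keeps a copy of the previous key on disk and could simply be omitted). The `no api_key found in ... exiting.` branch only prints and falls through to `service amplify-agent start`, and if that start fails the `exit 1` ends the entrypoint and with it the still-running nginx — either exit there as the message claims, or skip the agent and go straight to `wait` when no key is configured, which is what an optional monitoring integration should do. Nothing forwards SIGTERM to the backgrounded nginx, so `docker stop` waits for the kill timeout; a `trap 'nginx -s quit' TERM INT` before the `wait ${nginx_pid}` line gives a clean shutdown.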
102
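--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,102 @@
+user nginx;
+worker_processes auto;
+http {
+# BASIC SETTINGS
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# Required for attachments
+client_max_body_size 10m;
+# Enable gzip
+gzip on;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+include mime.types;
+# Disallow embedding in iFrames
+add_header X-Frame-Options deny;
+# use custom log format for nginx amplify monitoring
+log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for" '
+'"$host" sn="$server_name" '
+'rt=$request_time '
+'ua="$upstream_addr" us="$upstream_status" '
+'ut="$upstream_response_time" ul="$upstream_response_length" '
+'cs=$upstream_cache_status' ;
+access_log /var/log/nginx/access.log main_ext;
+error_log /var/log/nginx/error.log warn;
+# nginx stub status for monitoring
+server {
+listen 127.0.0.1:80;
+server_name 127.0.0.1;
+location /nginx_status {
+stub_status on;
+allow 127.0.0.1;
+deny all;
+}
+}
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name _;
+# Challenge for certificate renewal
+location /.well-known/acme-challenge/ {
+root /certbot;
+}
+# Redirect all http traffic to https
+return 301 https://$host$request_uri;
+}
+server {
+# We don't need a host name here since we're only
+# dealing with one domain, but you may insert your domain here.
+server_name _;
+# Both server and pwa are served over https
+listen 443 ssl http2;
+# Challenge for certificate renewal
+location /.well-known/acme-challenge/ {
+root /certbot;
+}
+# This will resolve to the server instance
+location /server {
+proxy_pass http://padloc_server:3000;
+rewrite ^/padloc_server(.*)$ $1 break;
+}
+# This will resolve to the web app
+location / {
+root /pwa;
+index index.html;
+try_files $uri /index.html;
+}
+# SSL certificate
+ssl_certificate /ssl/cert;
+# SSL private key
+ssl_certificate_key /ssl/key;
+# Advanced SSL configuration
+include /ssl/ssl.conf;
+# Diffie-Hellman parameters
+ssl_dhparam /ssl/dhparams.pem;
+}
+}
+events {
+}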
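Review bot: In the port-80 server the `return 301 https://$host$request_uri;` sits at server level, and a server-level `return` runs in the server rewrite phase before any `location` is selected, so the `/.well-known/acme-challenge/` location above it is dead and every HTTP-01 challenge is redirected to HTTPS instead of being served from `/certbot`; move the redirect into its own `location / { return 301 https://$host$request_uri; }` so the challenge location takes precedence. The `location /server` block proxies without any `proxy_set_header` lines, so the backend sees the container's address as the client and an empty `Host`/`X-Forwarded-Proto`, even though the new `main_ext` log format records `$http_x_forwarded_for`; add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`. The `rewrite ^/padloc_server(.*)$ $1 break;` in that block can never match a request under `/server` and should be dropped, and the prefix `location /server` (no trailing slash) also captures `/serverfoo`, which `location /server/` would not. Whether HSTS is set depends on what `/ssl/ssl.conf` contains, which is not visible here; if it does not, `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server is worth adding for a password manager's edge.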