Portainer/docker reverse_proxy chat


(Stéphane de Labrusse) #1

Hi all

With the coming of docker in NS7 I would like to share some thoughts with you about reverse proxies and docker, but firstly: WHY?

Docker creates applications running on a specific port; for instance Portainer runs on TCP 9000, but that is not a convenient way to recall it. Either portainer.mydomain.com or mydomain.com/portainer could be a better way to reach it.

Therefore several approaches could be used:

  • traefik or nginx-proxy

It is a Docker container; just run it and it will do the reverse proxy, domain based IIRC.
pro: it is easy for us, you even have a little UI
cons: we need to stop httpd running on 80 and 443 because they will be used by the proxy container.

  • apache reverse proxy

We could do our reverse proxy with Apache.

pro: we could use both web applications (installed manually or by RPM) and web containers
cons: we have a UI and a backend to write :smiley:

What does a reverse proxy for containers need?

  • reverse /container or domain.com to localhost:TCPport
  • force https
  • restriction by IP access

Well, now I'm listening to you.


Whole (sub)domain reverse proxy
(Stéphane de Labrusse) #2

I tested this afternoon to get something workable with Apache and Docker. As a side note, it is not only relevant to Docker: we might need it if you run, for example, a website in nginx or any application on a TCP port.

Of course you have pros and cons with this method.

  • cons
    all is manual, you must create it with the right Docker port
    container ports must be statically set, else they might change with a dockerd restart

  • pro
    it is simple and all our web applications on Apache can still run

Drop a file in /etc/httpd/conf.d/vhost-proxy.conf, and adapt your vhost name and the TCP port of your Docker containers:

# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite (all loaded by
# default on CentOS/NethServer 7). SSLCertificateFile & co. are inherited
# from the main server configuration, so they are not repeated per vhost.

# Default vhosts (no ServerName): they answer for any hostname that matches
# none of the ServerNames below, so an unknown name never reaches a container.
<VirtualHost *:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


<VirtualHost *:80>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel warn

    IncludeOptional conf.d/default-virtualhost.inc

    # Copied from the default SSL vhost; harmless but without effect on plain HTTP
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

# apache.exemple.com -> container published on 127.0.0.1:32770.
# "Require ip" only restricts anything if the container port is published on
# the loopback interface (docker run -p 127.0.0.1:32770:80 ...); published on
# 0.0.0.0 it stays reachable directly, bypassing both TLS and the IP filter.
<VirtualHost *:443>
    ServerName apache.exemple.com
    SSLEngine On
    # retry=0: do not mark the backend as down for 60 s after one failed
    # connection, which matters while a container is restarting
    ProxyPass / http://127.0.0.1:32770/ retry=0
    # ProxyPassReverse rewrites Location/Content-Location headers coming back
    # from the container; it takes no retry= parameter
    ProxyPassReverse / http://127.0.0.1:32770/
    <Location "/">
        <RequireAll>
            #Require all granted
            Require ip 192.168.56.0/24
        </RequireAll>
        # mod_ssl directive, not an authorization provider: keep it outside <RequireAll>
        SSLRequireSSL
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName apache.exemple.com

    # 20forcessl_redirect enabled
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

    # Only reached if the redirect above is removed ("force https" off);
    # with the redirect in place every request is sent to :443 first.
    ProxyPass / http://127.0.0.1:32770/ retry=0
    ProxyPassReverse / http://127.0.0.1:32770/
    <Location "/">
        <RequireAll>
            #Require all granted
            Require ip 192.168.56.0/24
        </RequireAll>
    </Location>
</VirtualHost>

# apache2.exemple.com -> second container published on 127.0.0.1:32769
<VirtualHost *:443>
    ServerName apache2.exemple.com
    SSLEngine On
    ProxyPass / http://127.0.0.1:32769/ retry=0
    ProxyPassReverse / http://127.0.0.1:32769/
    <Location "/">
        <RequireAll>
            Require ip 192.168.56.0/24
        </RequireAll>
        SSLRequireSSL
    </Location>
</VirtualHost>


<VirtualHost *:80>
    ServerName apache2.exemple.com

    # 20forcessl_redirect enabled
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

    # retry=5: wait 5 s before trying a failed backend again
    ProxyPass / http://127.0.0.1:32769/ retry=5
    ProxyPassReverse / http://127.0.0.1:32769/
    <Location "/">
        <RequireAll>
            Require ip 192.168.56.0/24
        </RequireAll>
    </Location>
</VirtualHost>

I don't know if we can go in this direction, but at least it is not a loss of time for coding because it can help in other cases. We could do a UI with nethserver-proxypass and offer:

  • Virtualhost to reverse
  • TCP port of docker container/application
  • force or not https
  • restrict or not networks
  • create dns entries for virtualhost like in the virtualhost panel ???
  • use a specific ssl certificate like in the virtualhost panel ???

what do you think @dev_team
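
The vhosts above send traffic to 127.0.0.1:&lt;port&gt; and restrict clients with "Require ip", which only holds if the container port itself is published on the loopback interface; a port published on 0.0.0.0 (the default for `-p 32770:80` or `-P`) stays reachable directly, bypassing both TLS and the IP filter. The following is an added example, not NethServer or Portainer code: it parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` (a constructed sample is embedded, since nothing runs Docker here), lists the mappings that bypass the proxy, and flags host ports that look auto-assigned and will change on restart, as the post notes. The ephemeral-range threshold and the suggested `-p` flags are assumptions of the example.

```python
"""Audit published container ports before fronting them with the Apache vhosts.

Added example (not NethServer code). Input is the text printed by
    docker ps --format '{{.Names}}<TAB>{{.Ports}}'
Ports bound to a non-loopback address are reachable without going through
Apache, so the "Require ip" restriction in the vhost does not apply to them.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output, not taken from a real host.
SAMPLE_PS = (
    "portainer\t127.0.0.1:9000->9000/tcp\n"
    "nginx-web\t0.0.0.0:32770->80/tcp, :::32770->80/tcp\n"
    "redis\t6379/tcp\n"
)

# host_ip:host_port->container_port/proto, as printed by docker ps
PORT_RE = re.compile(
    r"^(?P<host>\S+?):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$")

LOOPBACK = {"127.0.0.1", "::1"}

# Assumption: the default Linux ephemeral range starts at 32768, which is what
# `docker run -P` draws from; a host port there hints at an unpinned mapping.
EPHEMERAL_MIN = 32768

Published = Tuple[str, int, int, str]  # (host_ip, host_port, container_port, proto)


def parse_ps(text: str) -> Dict[str, List[Published]]:
    """Map container name -> list of published ports."""
    result: Dict[str, List[Published]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        published: List[Published] = []
        for item in ports.split(","):
            m = PORT_RE.match(item.strip())
            if m:  # "6379/tcp" (exposed, not published) does not match and is skipped
                published.append((m["host"], int(m["hport"]),
                                  int(m["cport"]), m["proto"]))
        result[name] = published
    return result


def find_bypass(mapping: Dict[str, List[Published]]) -> List[Tuple[str, str, int]]:
    """Mappings bound to a non-loopback address: reachable without Apache."""
    return [(name, host, hport)
            for name, pubs in mapping.items()
            for host, hport, _cport, _proto in pubs
            if host not in LOOPBACK]


def find_unpinned(mapping: Dict[str, List[Published]]) -> List[Tuple[str, int]]:
    """Host ports that look auto-assigned (-P) and may change on a restart."""
    return sorted({(name, hport)
                   for name, pubs in mapping.items()
                   for _host, hport, _cport, _proto in pubs
                   if hport >= EPHEMERAL_MIN})


def report(text: str) -> List[str]:
    """Human-readable findings, one line each, for the given docker ps output."""
    mapping = parse_ps(text)
    lines = []
    for name, host, hport in find_bypass(mapping):
        cport = next(c for h, p, c, _ in mapping[name] if h == host and p == hport)
        lines.append("%s: %s:%d is reachable directly, republish with "
                     "-p 127.0.0.1:%d:%d" % (name, host, hport, hport, cport))
    for name, hport in find_unpinned(mapping):
        lines.append("%s: host port %d looks auto-assigned (-P); pin it with -p"
                     % (name, hport))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PS)))
```

Run it against the real output of `docker ps` on the NethServer host; every line it prints is a container that the Apache vhost does not actually protect, or a port mapping that the static vhost will lose track of after a restart.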


(Davide Principi) #3

Yes, I agree with you. Traefik does not fulfil the requirement of a UI to configure the reverse proxy, so let's go with an enhancement to the current package: nethserver-proxypass!

A nethserver-docker app can install a template or a .conf file, or generate an esmith DB record… Whatever method we'll implement, the UI shouldn't be required to modify the app config; just displaying it is enough.

Furthermore, if we use Apache as reverse proxy the container IP address must be assigned statically. This is a +1 for a central git repo for all docker-based apps of nethserver.


(Stéphane de Labrusse) #4

Ok, just to keep you informed on how the work on a reverse proxy for virtualhosts will be designed:

  • UI

A specific panel will be done under Gateway/Proxypass.
We want two tabs, for path and vhost reverse proxy.

Fields will be:

Virtualhost to reverse
TCP port of docker container/application
force or not https
restrict or not networks
create dns entries for virtualhost like in the virtualhost panel
use a specific ssl certificate like in the virtualhost panel
  • Templates

Templates will be designed to be simple to extend with more settings via esmith::templates and MORE_DATA.

the issue to track the development is https://github.com/NethServer/dev/issues/5454


(Stéphane de Labrusse) #5

Added more:

  • reverse to a ssl proxy
  • no certificate verification of proxy
  • ProxyPreserveHost On if wanted
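
The field list from the previous post plus the three additions above are enough to generate the vhost pairs from the earlier post mechanically. The following is an added example, not the nethserver-proxypass code or its templates: a small Python renderer that takes those fields (vhost, TCP port, force https, allowed networks, HTTPS backend, skipped certificate verification, ProxyPreserveHost) and emits the two `<VirtualHost>` blocks for `/etc/httpd/conf.d/vhost-proxy.conf`. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite are loaded and that certificate directives are inherited from the main server config, as in the posted example; the `ProxySpec` names and the validation rules are the example's own.

```python
"""Render Apache reverse-proxy vhosts from the planned panel's fields.

Added example, not NethServer code. One ProxySpec per container produces a
:443 vhost (TLS, proxy, network restriction) and a :80 vhost that either
redirects to HTTPS or proxies with the same restriction.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List


@dataclass
class ProxySpec:
    vhost: str                          # ServerName, e.g. portainer.example.com
    port: int                           # container port as published on the host
    backend_host: str = "127.0.0.1"     # container should be published on loopback only
    force_https: bool = True            # :80 only redirects to :443
    networks: List[str] = field(default_factory=list)  # allowed CIDRs; empty = everyone
    backend_tls: bool = False           # the container itself speaks HTTPS
    verify_backend_cert: bool = True    # False = accept a self-signed container cert
    preserve_host: bool = False         # forward the client's Host header to the backend


def _validate(spec: ProxySpec) -> None:
    if not spec.vhost or any(c.isspace() for c in spec.vhost):
        raise ValueError("invalid ServerName: %r" % spec.vhost)
    if not 0 < spec.port < 65536:
        raise ValueError("invalid TCP port: %r" % spec.port)
    for net in spec.networks:
        # ValueError on a typo, instead of silently emitting a broken Require line
        ip_network(net, strict=False)


def _proxy_lines(spec: ProxySpec) -> List[str]:
    target = "%s://%s:%d/" % ("https" if spec.backend_tls else "http",
                              spec.backend_host, spec.port)
    lines = []
    if spec.preserve_host:
        lines.append("    ProxyPreserveHost On")
    if spec.backend_tls:
        lines.append("    SSLProxyEngine On")
        if not spec.verify_backend_cert:
            # Affects only the proxy-to-container hop; the client-facing TLS
            # is still the host's real certificate.
            lines += ["    SSLProxyVerify none",
                      "    SSLProxyCheckPeerCN off",
                      "    SSLProxyCheckPeerName off",
                      "    SSLProxyCheckPeerExpire off"]
    # retry=0: do not mark the backend down for 60 s after one failed connect
    lines += ["    ProxyPass / %s retry=0" % target,
              "    ProxyPassReverse / %s" % target]
    return lines


def _access_lines(spec: ProxySpec, require_ssl: bool) -> List[str]:
    lines = ['    <Location "/">']
    if spec.networks:
        # RequireAny: the client must match one of the networks. RequireAll
        # with several CIDRs would lock everyone out.
        lines.append("        <RequireAny>")
        lines += ["            Require ip %s" % ip_network(n, strict=False)
                  for n in spec.networks]
        lines.append("        </RequireAny>")
    else:
        lines.append("        Require all granted")
    if require_ssl:
        lines.append("        SSLRequireSSL")  # mod_ssl directive, outside the Require container
    lines.append("    </Location>")
    return lines


def render_vhosts(spec: ProxySpec) -> str:
    """Return the :443 and :80 <VirtualHost> blocks for one spec."""
    _validate(spec)
    out = ["<VirtualHost *:443>",
           "    ServerName %s" % spec.vhost,
           "    SSLEngine On"]
    out += _proxy_lines(spec) + _access_lines(spec, require_ssl=True)
    out += ["</VirtualHost>", "", "<VirtualHost *:80>",
            "    ServerName %s" % spec.vhost]
    if spec.force_https:
        out += ["    RewriteEngine On",
                "    RewriteCond %{HTTPS} !=on",
                "    RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]"]
    else:
        out += _proxy_lines(spec) + _access_lines(spec, require_ssl=False)
    out.append("</VirtualHost>")
    return "\n".join(out) + "\n"


def render_conf(specs: List[ProxySpec]) -> str:
    """Whole vhost-proxy.conf: one vhost pair per container."""
    return "\n".join(render_vhosts(s) for s in specs)


if __name__ == "__main__":
    print(render_conf([
        ProxySpec("portainer.example.com", 9000, networks=["192.168.56.0/24"]),
        ProxySpec("app.example.com", 8443, backend_tls=True,
                  verify_backend_cert=False, preserve_host=True),
    ]))
```

Write the output to `/etc/httpd/conf.d/vhost-proxy.conf` and run `apachectl configtest` before reloading; the renderer checks the CIDRs and port range, but only httpd can tell whether the required modules are loaded on that host.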

(Davide Principi) #6

Really good! In the meantime, I saw you did a couple of bug fixes for nethserver-virtualhosts. As you've been granted write access to that repo, do you want to release nethserver-virtualhosts?

You need to install nethserver-mock somewhere (I installed it on my F27).

I also suggest generating a GPG key and adding it to your GitHub account, and configuring your git environment with

git config --global push.followTags true

Then follow carefully this procedure:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/building_rpms.html#creating-a-release-tag


(Stéphane de Labrusse) #7

I released for the first time in the Nethserver infra :sunglasses:


(Davide Principi) #8

Just for the record, Nethbot can build packages and upload to NethForge too :wink: