
- Add optional Nginx reverse proxy config to docker-compose.yml and nginx directory.

Thanks to MyTheValentinus!
Lauri Ojansivu 5 months ago
parent
commit
c61e44d55b
4 changed files with 118 additions and 3 deletions
  1. 7 3
      CHANGELOG.md
  2. 18 0
      docker-compose.yml
  3. 92 0
      nginx/nginx.conf
  4. 1 0
      nginx/ssl/.gitkeep

+ 7 - 3
CHANGELOG.md

@@ -1,10 +1,14 @@
 # Upcoming Wekan release
 
-This release fixes the following bugs:
+This release adds the following new features:
 
-- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet.
+- Add optional Nginx reverse proxy config to docker-compose.yml and nginx directory. Thanks to MyTheValentinus.
+
+and fixes the following bugs:
+
+- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet. Thanks to xet7.
     
-Thanks to GitHub user xet7 for contributions.
+Thanks to above GitHub users for their contributions.
 
 # v1.97 2018-12-26 Wekan release
 

+ 18 - 0
docker-compose.yml

@@ -145,6 +145,7 @@ services:
       # Docker outsideport:insideport. Do not add anything extra here.
       # For example, if you want to have wekan on port 3001,
       # use 3001:8080 . Do not add any extra address etc here, that way it does not work.
+      # remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
       - 80:8080
     environment:
       - MONGO_URL=mongodb://wekandb:27017/wekan
@@ -492,6 +493,23 @@ services:
 #      ...COPY CONFIG FROM ABOVE TO HERE...
 #---------------------------------------------------------------------------------
 
+# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
+#  nginx:
+#    image: nginx
+#    container_name: nginx
+#    restart: always
+#    networks:
+#      - wekan-tier
+#    depends_on:
+#      - wekan
+#    ports:
+#      - 80:80
+#      - 443:443
+#    volumes:
+#      - ./nginx/ssl:/etc/nginx/ssl/
+#      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+
+
 volumes:
   wekan-db:
     driver: local
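Review bot: In the commented `nginx:` service of the second hunk, both bind mounts are read-write although the container only reads them; `- ./nginx/ssl:/etc/nginx/ssl/:ro` and `- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro` keep a compromised proxy process from rewriting its own configuration or key material on the host. The `80:80` and `443:443` entries would be safer written as `"80:80"` and `"443:443"`, following the Compose convention of quoting port pairs so that YAML 1.1 loaders do not read `host:container` values with parts below 60 as base-60 integers. Because the block is commented out, neither point bites until a user uncomments it, which is exactly when the sample should already be in the recommended form.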

+ 92 - 0
nginx/nginx.conf

@@ -0,0 +1,92 @@
+user  www-data;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    map $http_host $this_host {
+        "" $host;
+        default $http_host;
+    }
+
+    map $http_x_forwarded_proto $the_scheme {
+        default $http_x_forwarded_proto;
+        "" $scheme;
+    }
+
+    map $http_x_forwarded_host $the_host {
+       default $http_x_forwarded_host;
+       "" $this_host;
+    }
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+   	listen 80;
+	listen 443 ssl;
+
+	if ($scheme = http) {
+  	    rewrite ^ https://$host$request_uri? permanent;
+	}
+
+
+  ssl_certificate /etc/nginx/ssl/server.crt;
+	ssl_certificate_key /etc/nginx/ssl/server.key;
+
+
+	ssl_protocols TLSv1.2;	
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
+
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 10m;
+
+	ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1;
+	add_header Strict-Transport-Security "max-age=31536000; preload";
+
+        # Add headers to serve security related headers
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+
+	add_header Referrer-Policy "same-origin";
+
+        root /var/www/html;
+        client_max_body_size 10G; # 0=unlimited - set max upload size
+        fastcgi_buffers 64 4K;
+
+        gzip off;
+
+	location / {
+		proxy_pass http://wekan:8080;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+    }
+}
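Review bot: The `location /` block passes only `Upgrade`, `Connection` and `X-Forwarded-For` to the upstream, so Wekan receives `Host` as nginx's default `$proxy_host` (`wekan:8080`) and no `X-Forwarded-Proto`, while the `$the_scheme`, `$the_host` and `$this_host` maps defined above are never referenced. Add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing headers, or remove the three unused maps so readers do not assume they take effect. The `Strict-Transport-Security` header is also emitted on the plain-HTTP listener, where browsers ignore it, and its `preload` token is only accepted by the preload list together with `includeSubDomains`; a separate `listen 80` server that returns a 301 avoids the `if`/`rewrite` and confines HSTS to the TLS server. The `root`, `fastcgi_buffers` and the mixed tab/space indentation in the server block look carried over from another config and could be dropped for clarity.
```nginx
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # … unchanged: ssl_*, add_header and other server directives …
    location / {
        proxy_pass http://wekan:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # … unchanged: proxy_http_version and Upgrade/Connection/X-Forwarded-For headers …
    }
}
```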

+ 1 - 0
nginx/ssl/.gitkeep

@@ -0,0 +1 @@
+PLACE YOUR SSL Certificates in this folder
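Review bot: The placeholder tells users to put their certificate and key in `nginx/ssl`, and docker-compose.yml mounts that directory into the proxy, but nothing in this commit prevents `server.key` from being committed next to `.gitkeep`. A `.gitignore` in `nginx/ssl` that ignores everything except `.gitkeep`, plus naming the expected files `server.crt` / `server.key` (the paths `nginx.conf` references) in this text, would make the setup self-explanatory.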