Geekzone: technology news, blogs, forums


mdf

mdf

3516 posts

Uber Geek

Trusted

#240374 4-Sep-2018 22:16

TL;DR version: recommendations as to reverse proxies for web app docker containers please. Emphasis on straightforward/good documentation rather than performance etc.

I am *very* new to web applications, but am trying to teach myself something new (more for the sake of it than anything; no specific projects in mind). There are a few web apps I've used previously without docker containers; right now, I am trying to figure out how to deploy the same apps inside containers. As I understand it, I need a reverse proxy to route traffic to the correct container.

I've had a look at both Apache and Nginx (as the web servers even I had heard of) and also have come across traefik.io, which seems to be designed for docker containers. However, the guides I've found seem to start off simple enough but then take off on a very steep learning curve that is beyond me so far (exhibit A: https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04 - I did sort of get this one working, but did something wrong on the Let's Encrypt implementation).

Recommendations to help me stop flip flopping between options? Or particular guides/how tos/tutorials that you've found particularly helpful?


amanzi
Amanzi
1299 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2084113 4-Sep-2018 23:26

I'd recommend learning Nginx first. Works great as a reverse proxy as well as a regular webserver. There are lots of tutorials out there, especially the LEMP tutorials on the Digital Ocean site. You don't need to run Nginx in a Docker container - you can just run it on the host and then use port forwarding on your Docker containers to determine where the traffic should go. But once you're comfortable working with Nginx it's easy to take what you've learned and bundle it up into a container.



Tinkerisk
4235 posts

Uber Geek


  #2084128 5-Sep-2018 05:51

+1

 

NGINX contains a reverse proxy.

 

*Example*

 

 





- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


chevrolux
4962 posts

Uber Geek
Inactive user


  #2084134 5-Sep-2018 06:54

Nginx!!!

Lots of the common "web apps" even have demo configs for Nginx in their wikis.

To get started though, I found one of Digital Ocean's guides very helpful.

@michaelmurfy helped with a config for the Unifi controller too.



michaelmurfy
meow
13260 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2084151 5-Sep-2018 07:55

I'm guilty with not using NGINX where I should just because I know Apache so well - but either one will work for you.

 

With me, I've got a Debian VM running on my UnRaid server acting as both an Apache server and a reverse proxy. It hosts multiple sites.

 

An example of a site hosted from my home server is https://quake.murfy.nz - the Quake site is running in Docker (on the VM - I didn't want it on my local UnRaid server). The configuration for it (in /etc/apache2/sites-available/quake.conf) is as follows:

 

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName quake.murfy.nz
    ServerAdmin michael@murfy.nz
    # Only the ACME challenge files are served from here; everything else is proxied
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Header directives need mod_headers (a2enmod headers)
    Header unset X-Powered-By
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    # Pass the original Host header through to the container
    ProxyPreserveHost On
    # WebSocket upgrade: needs mod_rewrite (a2enmod rewrite) and mod_proxy_wstunnel
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteRule /(.*) ws://127.0.0.1:49160/$1 [P,L]
    # Let's Encrypt HTTP-01 challenges are answered from DocumentRoot, not by the container,
    # so this exclusion must come before the catch-all ProxyPass below
    ProxyPass /.well-known/acme-challenge !
    # 49160 is the port Docker publishes for the container; publish it on 127.0.0.1 only
    # so the app cannot also be reached directly over plain HTTP, bypassing TLS
    ProxyPass / http://127.0.0.1:49160/
    ProxyPassReverse / http://127.0.0.1:49160/
    SSLCertificateFile /etc/letsencrypt/live/home.murfy.nz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/home.murfy.nz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

 

A few things to note in this configuration:
1) You need to run "a2enmod proxy_http" and "a2enmod proxy" - since I am using Websockets with this app "a2enmod proxy_wstunnel" is needed too. This enables these modules in Apache.
2) The RewriteRules are for the websocket connections running on quake. You can omit this if your app doesn't use websockets (inspect this using the Chrome inspect tool).
3) I am using LetsEncrypt for this so have rules to allow access to /.well-known/acme-challenge hosted in /var/www/html - this means LetsEncrypt can renew the SSL certificate for this site without just hitting the proxied site every time it checks.
4) None of my sites listen on port 80 - they're SSL only. It is a good practice to get into. I've got a strict transport policy set on all my sites with preloading enabled on my root domain (murfy.nz) so it is all HTTPS only.
5) The SSLCertificateFile and SSLCertificateKeyFile point to the LetsEncrypt keys on the server for SSL. I've got other sites hosted (for example - https://home.murfy.nz).
6) I've got a Cron job to automatically renew LetsEncrypt and reload the Apache configuration when that time comes. This updates the SSL on all domains hosted on this server.

 

For beginners - I think Apache is easier to configure and works just as well. The configuration for NGINX running on the UniFi server to achieve the same thing is much much bigger. NGINX is fast, but Apache is almost just as fast in most cases. I've got a site that gets over 2mil hits per day that uses Apache for example.

 

My VM on UnRaid is simply a Debian 9 VM running with 512 MB of RAM; it also runs a few things locally in Docker just to prevent potentially exposing my NAS to the internet. I however don't see any issues with running something like NextCloud on the NAS docker and using a VM to reverse proxy it (which I assume is what you're trying to do). With NextCloud omit the RewriteCond and RewriteRule lines above as you don't need websockets proxied.

 

@mdf feel free to flick me a message at any time if you'd like me to configure some virtual servers on Apache or NGINX so you can then reuse the configuration for other things. Quite happy to help out if you're unable to figure it out.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


marpada
476 posts

Ultimate Geek


  #2084155 5-Sep-2018 08:09

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

 

 


darylblake
1162 posts

Uber Geek

Trusted

  #2084163 5-Sep-2018 08:40

Was using NGINX but have moved to HAProxy.

http://www.loadbalancer.org/blog/nginx-vs-haproxy/

Hell, for testing you can even containerise the proxy.

# Dockerfile: official HAProxy image with your haproxy.cfg copied in
FROM haproxy:1.7
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

 


BlackHand
131 posts

Master Geek


  #2084180 5-Sep-2018 09:32

https://traefik.io/


 
 
 

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.
stinger
628 posts

Ultimate Geek
Inactive user


  #2084214 5-Sep-2018 10:28

marpada:

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

^ this. It's what I do, and works great.


mdf

mdf

3516 posts

Uber Geek

Trusted

  #2089925 13-Sep-2018 11:53

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

 

There are bound to be follow up queries the deeper I get into this.
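As an added example (not from the thread or the linked howto), here is what the label-driven setup looks like in a docker-compose.yml for Traefik 1.7, the version the 2018 tutorials cover; Traefik 2.x changed the flag and label syntax, so do not paste this into a newer release. The hostname, e-mail address, image tags and the `web` network name are assumptions of mine.

```yaml
# docker-compose.yml: Traefik 1.7 routing by container labels (added example).
# One-off preparation on the host, assumed here:
#   docker network create web
#   touch acme.json && chmod 600 acme.json
version: "3.6"

services:
  traefik:
    image: traefik:1.7
    command:
      - --docker                              # watch the Docker socket for containers
      - --docker.exposedbydefault=false       # only containers with traefik.enable=true get a route
      - --defaultentrypoints=http,https
      - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entrypoints=Name:https Address::443 TLS
      - --acme
      - --acme.email=admin@example.com        # assumed address
      - --acme.storage=/acme.json
      - --acme.entrypoint=https
      - --acme.onhostrule=true                # request a certificate per Host: rule
      - --acme.httpchallenge.entrypoint=http  # HTTP-01 challenge, so port 80 must stay reachable
      - --api                                 # dashboard on :8080 inside the container; deliberately not published
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Whoever can talk to this socket is root on the host, so the proxy is a fully
      # trusted component; ":ro" does not restrict what can be done through the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json                # issued certs and the ACME account key; keep it mode 600
    networks:
      - web
    restart: unless-stopped

  whoami:
    image: containous/whoami                  # tiny echo server used as the test backend
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:whoami.example.com   # assumed hostname; DNS must point at this host
      - traefik.port=80                       # the port inside the container, not a published port
      - traefik.docker.network=web
      - traefik.frontend.headers.STSSeconds=63072000
      - traefik.frontend.headers.STSIncludeSubdomains=true
    # No "ports:" section on purpose: the app is reachable only through the proxy
    networks:
      - web
    restart: unless-stopped

networks:
  web:
    external: true
```

Bring it up with `docker-compose up -d` and check `docker-compose logs traefik` for the certificate request; `curl -I http://whoami.example.com` should answer with a redirect to HTTPS. The two settings worth understanding before copying this anywhere are `exposedbydefault=false`, without which every container Traefik can see on the socket gets a public route whether or not it was meant to, and the socket mount, which makes the proxy container equivalent to root on the host.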


michaelmurfy
meow
13260 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2089932 13-Sep-2018 11:59

mdf:

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

There are bound to be follow up queries the deeper I get into this.

Excellent - may need to try traefik. Looks quite good!







Tracer
343 posts

Ultimate Geek


  #2091283 16-Sep-2018 02:28

HAProxy is the way to go, especially if you're dealing with WebSockets etc. They posted a great article the other day https://www.haproxy.com/blog/introduction-to-haproxy-acls/


mdf

mdf

3516 posts

Uber Geek

Trusted

  #2092891 18-Sep-2018 21:57

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

 

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

 

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

 

This is very much still just in the learning experimenting phase. I don't have specific use cases in mind, beyond having a server run a few web apps that I can then muck around with without fear of consequence when I break something important. I am not silly enough to actually use anything I build myself for any kind of live/important deployment.


stinger
628 posts

Ultimate Geek
Inactive user


  #2092899 18-Sep-2018 22:06

mdf:

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

The number of spaces doesn't matter, as long as it is consistent at the same level. That, and not mixing tabs and spaces (been there, done that :) )

mdf:

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

Definitely a separate container for your databases. Having your database in the same container as the app is not the docker way™. The only time I would use a database in an application container is a SQLite database, since that doesn't have a daemon running.

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique.


mdf

mdf

3516 posts

Uber Geek

Trusted

  #2092904 18-Sep-2018 22:14

stinger:

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique.

Thanks @stinger. If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?


stinger
628 posts

Ultimate Geek
Inactive user


  #2092905 18-Sep-2018 22:25

mdf:

If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?

I have the database password in my docker-compose file (by setting POSTGRES_PASSWORD in the environment). Given that the password needs to be stored unencrypted in the application container (or mounted to that container), I don't see any real benefit in trying to hide the password in the yml file (by using docker secrets for example). All my database passwords are random 24 character strings (generated with "pwgen 24 1"), and are different for each database. Of course you must trust everyone that has shell access on the docker host, but in my case, that is me, myself and I :)
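As an added example of the one-database-container-per-app layout discussed in the last few posts (my own compose file, not stinger's setup), here are two WordPress instances, each with its own MariaDB container on its own private network, with the passwords read from files through Compose's file-based `secrets` rather than put in the `environment:` block. Service names, image tags and file paths are assumptions; the `*_FILE` variables are the ones the official wordpress and mariadb images document.

```yaml
# docker-compose.yml: one database container per app, passwords via files (added example).
# Create the password files first, e.g.
#   mkdir -p secrets
#   for n in wp1_db_root wp1_db wp2_db_root wp2_db; do pwgen 24 1 > secrets/$n.txt; done
#   chmod 600 secrets/*.txt
version: "3.6"

secrets:
  wp1_db_root: { file: ./secrets/wp1_db_root.txt }
  wp1_db:      { file: ./secrets/wp1_db.txt }
  wp2_db_root: { file: ./secrets/wp2_db_root.txt }
  wp2_db:      { file: ./secrets/wp2_db.txt }

services:
  wp1_db:
    image: mariadb:10.3                   # assumed tag
    environment:
      # The *_FILE variants make the image read the value from the mounted secret
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/wp1_db_root
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/wp1_db
    secrets: [wp1_db_root, wp1_db]
    volumes: [wp1_db_data:/var/lib/mysql]
    networks: [wp1_backend]               # private network: only wp1 can reach this database
    restart: unless-stopped

  wp1:
    image: wordpress:4.9                  # assumed tag
    environment:
      WORDPRESS_DB_HOST: wp1_db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wp1_db
    secrets: [wp1_db]                     # the app never sees the root password
    networks: [wp1_backend, web]          # web = the network the reverse proxy lives on
    restart: unless-stopped

  wp2_db:
    image: mariadb:10.3
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/wp2_db_root
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/wp2_db
    secrets: [wp2_db_root, wp2_db]
    volumes: [wp2_db_data:/var/lib/mysql]
    networks: [wp2_backend]
    restart: unless-stopped

  wp2:
    image: wordpress:4.9
    environment:
      WORDPRESS_DB_HOST: wp2_db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wp2_db
    secrets: [wp2_db]
    networks: [wp2_backend, web]
    restart: unless-stopped

networks:
  wp1_backend:
    internal: true                        # no route out of the host at all from this network
  wp2_backend:
    internal: true
  web:
    external: true                        # created beforehand with: docker network create web

volumes:
  wp1_db_data:
  wp2_db_data:
```

stinger's point stands: the files under `secrets/` are still cleartext for anyone with shell access on the host. What the file-based approach buys you is that the password no longer shows up in `docker inspect wp1`, in `docker-compose config` output, or in a docker-compose.yml you may later commit somewhere. The per-app `internal` network does the rest: even with the password, a compromised wp1 has no route to wp2_db, so a distinct password per database actually limits the blast radius instead of just being tidy.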

