From 79a6fc158bd4f1c3e93834c255efaf98ebc9eb15 Mon Sep 17 00:00:00 2001
From: nmarcetic
Date: Thu, 21 Sep 2017 18:50:00 +0200
Subject: [PATCH] Added Nginx as revrse proxy, Traefik removed. CORS enabled
Signed-off-by: nmarcetic
---
 docker/docker-compose-mainflux.yml | 4 +-
 docker/docker-compose-nginx.yml | 5 +-
 docker/docker-compose-traefik.yml | 29 ----------
 docker/mainflux-docker.sh | 24 ++++-----
 docker/nginx.conf | 84 +++++++++++++++++++++++-------
 docker/traefik.toml | 43 ---------------
 6 files changed, 80 insertions(+), 109 deletions(-)
 delete mode 100644 docker/docker-compose-traefik.yml
 delete mode 100644 docker/traefik.toml
diff --git a/docker/docker-compose-mainflux.yml b/docker/docker-compose-mainflux.yml
index 7377209e..a9cf8e86 100644
--- a/docker/docker-compose-mainflux.yml
+++ b/docker/docker-compose-mainflux.yml
@@ -39,7 +39,7 @@ services:
 - MESSAGE_WRITER_DB_CLUSTER=cassandra
 - MESSAGE_WRITER_DB_KEYSPACE=message_writer
 - MESSAGE_WRITER_NATS_URL=nats://nats:4222
-
+
 ###
 # MQTT Broker
 ###
@@ -48,7 +48,6 @@ services:
 container_name: mainflux-mqtt
 ports:
 - "1883:1883"
- - "8883:8883"
 network_mode: bridge
 external_links:
 - mainflux-nats:nats
@@ -68,4 +67,3 @@ services:
 - mainflux-nats:nats
 environment:
 - HTTP_ADAPTER_NATS_URL=nats://nats:4222
-
diff --git a/docker/docker-compose-nginx.yml b/docker/docker-compose-nginx.yml
index cbfcd5dc..b1d322a7 100644
--- a/docker/docker-compose-nginx.yml
+++ b/docker/docker-compose-nginx.yml
@@ -23,11 +23,10 @@ services:
 - $PWD/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem
 network_mode: bridge
 ports:
- - "3000:80"
- - "4443:443"
+ - "80:80"
+ - "443:443"
 - "8883:8883"
 external_links:
 - mainflux-manager
 - mainflux-http
 - mainflux-mqtt
-
diff --git a/docker/docker-compose-traefik.yml b/docker/docker-compose-traefik.yml
deleted file mode 100644
index 1a4c0889..00000000
--- a/docker/docker-compose-traefik.yml
+++ /dev/null
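Review bot: Dropping `- "8883:8883"` from mainflux-mqtt still leaves `- "1883:1883"` published on the host, so plaintext MQTT remains reachable directly even though nginx now terminates TLS on 8883 and reaches the broker over the bridge network by container name (`mainflux-mqtt:1883` in the nginx.conf stream block). If the plaintext listener exists only for the proxy, remove the host mapping or bind it to loopback, e.g. `- "127.0.0.1:1883:1883"`, and record that decision in a comment next to the `ports:` entry. The manager and http-adapter services are outside this hunk, so whether they still publish host ports alongside the new 80/443 mapping in docker-compose-nginx.yml cannot be checked here.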
@@ -1,29 +0,0 @@
-###
-# Copyright (c) 2015-2017 Mainflux
-#
-# Mainflux server is licensed under an Apache license, version 2.0 license.
-# All rights not explicitly granted in the Apache license, version 2.0 are reserved.
-# See the included LICENSE file for more details.
-###
-
-version: "3"
-
-services:
-
- ###
- # Traefik
- ###
- traefik:
- image: traefik:latest
- container_name: mainflux-traefik
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- - $PWD/traefik.toml:/etc/traefik/traefik.toml
- network_mode: bridge
- ports:
- "3000:3000"
- "8080:8080"
- external_links:
- mainflux-manager
- mainflux-http
-
diff --git a/docker/mainflux-docker.sh b/docker/mainflux-docker.sh
index 719e4131..d6784d5d 100755
--- a/docker/mainflux-docker.sh
+++ b/docker/mainflux-docker.sh
@@ -66,8 +66,8 @@ HEREDOC
 _start() {
- # Start NATS, Cassandra and Traefik
- printf "Starting NATS, Cassandra and Traefik...\n\n"
+ # Start NATS, Cassandra and Nginx
+ printf "Starting NATS, Cassandra and Nginx...\n\n"
 NB_DOCKERS=$(docker ps -a -f name=mainflux-nats -f name=mainflux-cassandra | wc -l)
 if [[ $NB_DOCKERS -lt 3 ]]
@@ -79,7 +79,7 @@ _start() {
 # Check if C* is alive
 printf "\nWaiting for Cassandra to start. This takes time, please be patient...\n"
-
+
 # Wait until Cassandra is ready to accept cqlsh commands
 # or timeout after 15 sec
 c_on=0
@@ -124,16 +124,16 @@ _start() {
 fi
 docker-compose -f docker-compose-mainflux.yml start
- # Start Traefik
- printf "\nStarting Traefik...\n\n"
+ # Start Nginx
+ printf "\nStarting Nginx...\n\n"
- NB_DOCKERS=$(docker ps -a -f name=traefik | wc -l)
+ NB_DOCKERS=$(docker ps -a -f name=nginx | wc -l)
 if [[ $NB_DOCKERS -lt 2 ]]
 then
- docker-compose -f docker-compose-traefik.yml pull
- docker-compose -f docker-compose-traefik.yml create
+ docker-compose -f docker-compose-nginx.yml pull
+ docker-compose -f docker-compose-nginx.yml create
 fi
- docker-compose -f docker-compose-traefik.yml start
+ docker-compose -f docker-compose-nginx.yml start
 if [[ $? -ne 0 ]]
 then
@@ -147,8 +147,8 @@ _start() {
 }
 _stop() {
- printf "\nStopping Traefik...\n\n"
- docker-compose -f docker-compose-traefik.yml stop
+ printf "\nStopping Nginx...\n\n"
+ docker-compose -f docker-compose-nginx.yml stop
 printf "Stopping Mainflux composition...\n\n"
 docker-compose -f docker-compose-mainflux.yml stop
@@ -188,7 +188,7 @@ _main() {
 if [[ $# -eq 0 ]] ; then
 _print_help
 fi
-
+
 # Avoid complex option parsing when only one program option is expected.
 if [[ "${1:-}" =~ ^-h|--help$ ]]
 then
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 08b5b2c3..84fd862c 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -54,17 +54,24 @@ http {
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
+ upstream docker-manager {
+ server mainflux-manager:8180;
+ }
+ upstream docker-http {
+ server mainflux-http:7070;
+ }
+
 ##
 # Virtual Host Configs
 ##
-
+
 # HTTP
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
- server_name _;
- #return 302 https://$server_name$request_uri;
+ server_name localhost;
+ return 302 https://$server_name$request_uri;
 }
 # HTTPS
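Review bot: The new `NB_DOCKERS=$(docker ps -a -f name=nginx | wc -l)` uses a substring filter, so any container on the host whose name contains `nginx` is counted and `-lt 2` then skips `pull`/`create` for the Mainflux one, leaving `docker-compose -f docker-compose-nginx.yml start` to fail on a container that was never created. The check earlier in `_start()` filters on the full names `mainflux-nats`/`mainflux-cassandra`; if the compose file names this container `mainflux-nginx` (its `container_name` is not in this diff), use `-f name=mainflux-nginx` for the same precision. The Traefik version had the same weakness, which this rename carries over rather than fixes. The rest of `_start()` lies outside the hunk.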
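Review bot: The newly enabled `return 302 https://$server_name$request_uri;` together with `server_name localhost;` redirects every plain-HTTP client to `https://localhost/...`, which only resolves for a browser on the nginx host itself; remote clients end up on their own loopback. Redirect to the host the client asked for instead, `return 302 https://$host$request_uri;`, and since this is the `default_server` on port 80 the `server_name` never needs to match, so the previous `server_name _;` can stay. The two `upstream` blocks resolve `mainflux-manager` and `mainflux-http` by container name, which depends on the `external_links` entries in docker-compose-nginx.yml; a one-line comment above `upstream docker-manager {` stating that dependency would spare the next reader a search.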
@@ -85,10 +92,11 @@ http {
 # Don't use them in a production server!
 #
 # include snippets/snakeoil.conf;
-
+
 # Certificates
 ssl_certificate /etc/ssl/certs/mainflux-server.crt;
 ssl_certificate_key /etc/ssl/private/mainflux-server.key;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
 # from https://cipherli.st/
@@ -98,9 +106,8 @@ http {
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_ecdh_curve secp384r1;
- ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
- ssl_stapling on;
+ ssl_stapling off;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
@@ -111,12 +118,43 @@ http {
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
+ add_header Access-Control-Allow-Origin '*';
+ add_header Access-Control-Allow-Methods '*';
+ add_header Access-Control-Allow-Headers "*";
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
- include snippets/mainflux-ssl-params.conf;
- server_name _;
+ server_name localhost;
+ # Proxy pass to manager service
+ location /api/ {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://docker-manager/;
+
+ # Allow OPTIONS method CORS
+ if ($request_method = OPTIONS ) {
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 200;
+ }
+ }
+ # Proxy pass to mainflux-http-adapter
+ location /pub/ {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://docker-http/;
+ # Allow OPTIONS method CORS
+ if ($request_method = OPTIONS ) {
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 200;
+ }
+ }
 }
 }
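Review bot: `ssl_stapling off;` is introduced while `ssl_stapling_verify on;` and the `resolver 8.8.8.8 8.8.4.4 valid=300s;` / `resolver_timeout 5s;` lines, which exist only to serve stapling, stay in place, so the next reader cannot tell whether stapling was disabled on purpose. If it was switched off because the mounted `mainflux-server.crt` has no OCSP responder (plausible for a locally generated certificate, but not visible here), say so, e.g. `# OCSP stapling disabled: the bundled certificate has no OCSP responder`, and drop the now-unused resolver lines; otherwise keep stapling on. Removing `ssl_session_cache shared:SSL:10m;` from this server while `ssl_session_tickets off` remains also means the HTTPS listener no longer offers any TLS session resumption, so every connection pays a full handshake; if that is intended, it deserves a comment too.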
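Review bot: The preflight branch `if ($request_method = OPTIONS )` declares its own `add_header` lines, and nginx inherits `add_header` from the enclosing level only when the current level declares none, so the OPTIONS responses from `/api/` and `/pub/` carry `Content-Length`/`Content-Type` but none of the server-level `Access-Control-Allow-*` headers (nor HSTS, X-Frame-Options, X-Content-Type-Options) — and the preflight response is exactly the one the browser evaluates before sending the real request. The headers have to be repeated inside the `if` block, or collected in a snippet that is `include`d at each level; the rewritten `/api/` branch is below and `/pub/` needs the identical change. Separately, the wildcard CORS headers now apply to every response of the HTTPS server, whereas the deleted traefik.toml scoped `Access-Control-Allow-Origin` to the manager routes, and `'*'` for `Allow-Methods`/`Allow-Headers` is best narrowed to the list the manager API actually uses once that is known.
```nginx
        location /api/ {
            # … unchanged: proxy_redirect / proxy_set_header / proxy_pass lines …

            # Allow OPTIONS method CORS. This if-block is its own configuration
            # level, so add_header directives from the server level are not
            # inherited here and the CORS headers must be repeated.
            if ($request_method = OPTIONS ) {
                add_header Access-Control-Allow-Origin '*';
                add_header Access-Control-Allow-Methods '*';
                add_header Access-Control-Allow-Headers "*";
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }
```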
@@ -124,15 +162,23 @@ http {
 # MQTT
 ###
 stream {
- upstream mqtt_broker {
- server localhost:1883;
- }
-
- server {
- listen 8883 ssl;
- proxy_pass mqtt_broker;
- include snippets/mainflux-ssl-certs.conf;
+ upstream docker-mqtt {
+ server mainflux-mqtt:1883;
+ }
+
+ server {
+ listen 8883 ssl;
+ proxy_pass docker-mqtt;
+ # Certificates
+ ssl_certificate /etc/ssl/certs/mainflux-server.crt;
+ ssl_certificate_key /etc/ssl/private/mainflux-server.key;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
 }
 }
-
diff --git a/docker/traefik.toml b/docker/traefik.toml
deleted file mode 100644
index 4d58e7c9..00000000
--- a/docker/traefik.toml
+++ /dev/null
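Review bot: The new stream `server` sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on the 8883 MQTT listener, which admits TLS 1.0 and 1.1 from devices; unless legacy clients are known to require them, `ssl_protocols TLSv1.2;` is the safer default and any wider setting should carry a comment naming the clients that need it (the HTTPS server's own `ssl_protocols` line is not in this diff, so the two cannot be compared here). The certificate, dhparam, cipher and session lines duplicate the HTTPS server's settings now that `include snippets/mainflux-ssl-certs.conf` is gone, so the two listeners will drift the next time one is hardened; moving the shared lines back into one snippet `include`d from both `server` blocks keeps them in step. Note also that `ssl_session_cache shared:SSL:10m;` is declared here while this same commit removes it from the HTTPS server, which looks like an oversight rather than a deliberate difference.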
@@ -1,43 +0,0 @@
-################################################################
-# Global configuration
-################################################################
-
-# Entrypoints to be used by frontends that do not specify any entrypoint.
-# Each frontend can specify its own entrypoints.
-defaultEntryPoints = ["http"]
-
-# Entrypoints definition
-[entryPoints]
- [entryPoints.http]
- address = ":3000"
-
-[frontends]
- [frontends.frontend_manager]
- backend = "backend_manager"
- [frontends.frontend_manager.routes.routes_manager]
- rule = "Path: /info, /users, /users/{id:[0-9]+}, /tokens, /clients, /clients/{id:[0-9]+}, /channels, /channels/{id:[0,9]+}"
-[backends]
- [backends.backend_manager]
- [backends.backend_manager.servers.server1]
- url = "http://mainflux-manager:8180"
-
- [frontends.frontend_manager.headers.customresponseheaders]
- Access-Control-Allow-Origin = "*"
-
-################################################################
-# Web configuration backend
-################################################################
-
-# Enable web configuration backend
-[web]
-
-# Web administration port
-address = ":8080"
-
-################################################################
-# File configuration backend
-################################################################
-
-# Enable File configuration backend
-[file]
-