From 6b6230152ba60335e7d6e41fe05723d013712656 Mon Sep 17 00:00:00 2001 From: Bachynin Ivan Date: Sat, 3 Aug 2019 01:15:06 +0300 Subject: [PATCH] add nignx service --- docker-compose.override.example.yml | 10 ++++-- docker-compose.yml | 16 ++++++++++ nginx/Dockerfile | 5 +++ nginx/default.conf | 44 +++++++++++++++++++++++++++ nginx/dev.conf | 9 ++++++ nginx/nginx.conf | 47 +++++++++++++++++++++++++++++ nginx/proxy_params | 4 +++ nginx/ssl_params | 4 +++ 8 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 nginx/Dockerfile create mode 100644 nginx/default.conf create mode 100644 nginx/dev.conf create mode 100644 nginx/nginx.conf create mode 100644 nginx/proxy_params create mode 100644 nginx/ssl_params diff --git a/docker-compose.override.example.yml b/docker-compose.override.example.yml index e6d3240..3f05f3a 100644 --- a/docker-compose.override.example.yml +++ b/docker-compose.override.example.yml @@ -8,9 +8,15 @@ x-app: &app - ./backend:/app services: - db: + nginx: ports: - - 5432:5432 + - 443 + volumes: + - ./nginx/dev.conf:/etc/nginx/conf.d/default.conf + - /etc/letsencrypt + - /usr/share/nginx/html + + db: env_file: - .envs/.local/postgres.env diff --git a/docker-compose.yml b/docker-compose.yml index 6f088b7..68e0826 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -27,6 +27,22 @@ services: volumes: - redisdata:/data + nginx: + build: ./nginx + hostname: nginx + ports: + - 80:80 + - 443:443 + - 5432:5432 + volumes: + - ./nginx/nginx.conf:/etc/nginx/nginx.conf + - ./nginx/default.conf:/etc/nginx/conf.d/default.conf + - /etc/letsencrypt:/etc/letsencrypt:ro + - /var/www/certbot:/usr/share/nginx/html + depends_on: + - app + - db + app: <<: *app command: ["./scripts/run.sh", "prod"] diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 0000000..9ea36bf --- /dev/null +++ b/nginx/Dockerfile 
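Review bot: The `- 443` entry under `nginx.ports` publishes container port 443 on an ephemeral host port, but the `dev.conf` mounted just below it only has `listen 80`, so nothing answers there. If Compose concatenates this list with the base file's, as it normally does for multi-value options such as `ports`, then `80:80`, `443:443` and `5432:5432` stay published in development too and the entry can be dropped. The two bare paths under `volumes` look intended to mask the host bind mounts from `docker-compose.yml`; a comment such as `# anonymous volumes: keep the host's /etc/letsencrypt out of dev` would make that explicit.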
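Review bot: The `5432:5432` mapping on the `nginx` service publishes PostgreSQL on every host interface, and the stream server in `nginx/nginx.conf` (`listen 5432; proxy_pass db:5432;`) forwards it as raw TCP with no `allow`/`deny` and no TLS, leaving database authentication as the only control. If remote database access is not a production requirement, remove the mapping here together with the stream block. If it is required, bind it to loopback with `- 127.0.0.1:5432:5432`, or restrict sources in the stream server with `allow <trusted-cidr>; deny all;` (placeholder range). The `/etc/letsencrypt` mount is read-only already; `./nginx/nginx.conf` and `./nginx/default.conf` could take `:ro` as well.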
@@ -0,0 +1,5 @@
+FROM nginx:1.17
+
+COPY ./proxy_params /etc/nginx
+COPY ./ssl_params /etc/nginx
+COPY ./default.conf /etc/nginx/conf.d/default.conf
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..a593b57
--- /dev/null
+++ b/nginx/default.conf
@@ -0,0 +1,44 @@
+server {
+ listen 80 default_server;
+ server_name _;
+ return 444;
+}
+
+server {
+ listen 80;
+ server_name _;
+ server_tokens off;
+
+ location /.well-known/acme-challenge/ {
+ root /usr/share/nginx/html;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name _;
+ include ssl_params;
+
+ client_max_body_size 1M;
+
+ location / {
+ proxy_pass http://app:8000;
+ }
+}
+
+
+server {
+ listen 5432;
+ server_name _;
+ include ssl_params;
+
+ client_max_body_size 1M;
+
+ location / {
+ proxy_pass http://db:5432;
+ }
+}
diff --git a/nginx/dev.conf b/nginx/dev.conf
new file mode 100644
index 0000000..5151ae7
--- /dev/null
+++ b/nginx/dev.conf
@@ -0,0 +1,9 @@
+server {
+ listen 80 default_server;
+ server_name _;
+ client_max_body_size 1M;
+
+ location / {
+ proxy_pass http://app:8000;
+ }
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..02d74f5
--- /dev/null
+++ b/nginx/nginx.conf
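Review bot: `FROM nginx:1.17` is a floating tag, so a rebuild can pull a different image without any change in this repository. Pinning it as `FROM nginx:1.17@sha256:<digest>` (placeholder digest) makes the base image reproducible and auditable. The final `COPY ./default.conf ...` is shadowed at run time by the bind mount of the same path in `docker-compose.yml`, so one of the two is redundant.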
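Review bot: Both port-80 servers declare `server_name _`, so nginx should ignore the second name as conflicting and route every plain-HTTP request to the `default_server` that returns 444; the ACME challenge location and the HTTPS redirect would then be unreachable, which breaks certificate renewal. Give the second and third servers the real host name, e.g. `server_name sane.ml;` if the certificate path in `ssl_params` reflects the site name, which also stops the redirect from echoing an arbitrary client `Host`. `proxy_params` is copied into the image but never included, so the app receives no `X-Forwarded-*` headers; add `include proxy_params;` next to `proxy_pass http://app:8000;` (the `location /` in `nginx/dev.conf` has the same gap). The last server should be removed: it speaks HTTP to PostgreSQL on a port the stream block in `nginx.conf` also listens on, and it includes certificates without `ssl` on its `listen`.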
@@ -0,0 +1,47 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+ gzip_comp_level 4;
+ gzip_min_length 100;
+ gzip_proxied any;
+ gzip_types
+ text/plain text/css text/xml image/svg+xml application/xml
+ application/xml+rss application/xml+atom text/javascript
+ application/x-javascript application/javascript application/json;
+ gzip_disable "msie6";
+
+ include /etc/nginx/conf.d/*.conf;
+}
+
+
+stream {
+ server {
+ listen 5432;
+ proxy_pass db:5432;
+ }
+}
diff --git a/nginx/proxy_params b/nginx/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/nginx/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/nginx/ssl_params b/nginx/ssl_params
new file mode 100644
index 0000000..da3233a
--- /dev/null
+++ b/nginx/ssl_params
@@ -0,0 +1,4 @@
+ssl_certificate /etc/letsencrypt/live/sane.ml/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/sane.ml/privkey.pem;
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
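Review bot: `server_tokens off;` appears only in the port-80 redirect server of `default.conf`, so the TLS server on 443 and its error pages still advertise the nginx version. Setting it once inside `http { ... }` here, for example directly after `default_type`, covers every virtual host. The trailing `stream` block sits in the shared `nginx.conf`, so it stays active when `dev.conf` replaces `default.conf`; a comment such as `# raw TCP pass-through to PostgreSQL, see ports in docker-compose.yml` would flag that to the next reader.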
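Review bot: `proxy_set_header Host $http_host;` forwards the client's Host header verbatim, and with the catch-all `server_name _` on the 443 server any value reaches the app, which matters if the backend builds absolute URLs such as password-reset links or redirects from it. An explicit `server_name` on the TLS server is what bounds the value; `proxy_set_header Host $host;` additionally normalises it. `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so the backend should trust only the right-most entry, and `X-Real-IP` is the value to use for logging or rate limiting.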
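Review bot: Protocol and cipher policy comes entirely from `/etc/letsencrypt/options-ssl-nginx.conf`, a host file outside this repository, so the effective TLS settings cannot be reviewed here and nginx should fail to start on a host where that file has not been created. A comment naming its origin would help, e.g. `# host file, presumably generated by certbot; expected to set ssl_protocols and ssl_ciphers`. No `Strict-Transport-Security` header is set in any of the added files; if the site is HTTPS-only, `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server is worth considering. The hard-coded `sane.ml` paths also tie the image to one domain.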