.gitignore initial commit 2025-09-02 10:02:04 +02:00
compose.override.yml initial commit 2025-09-02 10:02:04 +02:00
compose.yml initial commit 2025-09-02 10:02:04 +02:00
example.env initial commit 2025-09-02 10:02:04 +02:00
nginx.default.conf.template initial commit 2025-09-02 10:02:04 +02:00
README.md initial commit 2025-09-02 10:02:04 +02:00
setup.sh initial commit 2025-09-02 10:02:04 +02:00

Nginx Reverse Proxy Setup

This repository contains a Docker Compose setup for running an nginx reverse proxy that handles SSL termination and PROXY protocol support for two domains:

  • pretix (ticket shop)
  • wordpress (sauna website)

Architecture

This setup provides a reverse proxy with the following components:

  • nginx: Reverse proxy with SSL termination and PROXY protocol support
  • External services: pretix and wordpress applications (assumed to be running separately)

The nginx configuration is designed to run behind an upstream proxy or load balancer and properly handle client IP addresses and headers.

⚠️ Important: Designed for Proxy/Load Balancer Deployment

This setup is specifically designed to run behind a proxy or load balancer. The nginx configuration includes PROXY protocol support to properly handle client IP addresses and headers from upstream proxies.

Key Features for Proxy Deployment:

  • PROXY Protocol Support: Accepts PROXY protocol headers from load balancers
  • Real IP Forwarding: Properly extracts and forwards original client IP addresses
  • Header Preservation: Maintains all necessary headers for proper proxy operation
  • SSL Termination: Handles SSL termination at the nginx level
  • Multi-domain Support: Handles two separate domains with different backend services

Common Deployment Scenarios:

  • Behind a cloud load balancer (AWS ALB, Google Cloud Load Balancer, etc.)
  • Behind a reverse proxy (HAProxy, Traefik, etc.)
  • Behind a CDN or edge proxy
  • In a container orchestration environment (Kubernetes, Docker Swarm)

Prerequisites

  • Docker and Docker Compose installed
  • SSL certificates for your domains
  • Upstream proxy/load balancer (if not testing locally)
  • Backend services (pretix and wordpress) running and accessible

Quick Start

  1. Clone or download this repository

    git clone <repository-url>
    cd nginx-reverse-proxy
    
  2. Create environment file

    cp example.env .env
    
  3. Configure environment variables

    # Edit .env with your values
    SSL_CERTS_NGINX=/etc/ssl/private/yourdomain.com
    DOMAIN_PRETIX=ticketshop.yourdomain.com
    DOMAIN_WORDPRESS=wordpress.yourdomain.com
    
  4. Run the setup script

    # This will automatically generate the nginx configuration
    # using the DOMAIN_* variables from your .env file
    ./setup.sh
    
  5. Start the nginx service

    docker compose up -d
    

    Docker Compose automatically applies compose.override.yml, which connects nginx to the external reverse-proxy network.

  6. Access your services

Configuration

Compose Override

This project includes a compose.override.yml that Docker Compose loads automatically. It attaches the nginx service to the external reverse-proxy network.

  • Ensure the reverse-proxy network exists (created by setup.sh).
  • Make sure your backend services (e.g., pretix, wordpress) also join the reverse-proxy network in their own Compose files.

Environment Variables

| Variable | Description | Example |
|---|---|---|
| SSL_CERTS_NGINX | Path to SSL certificates | /etc/ssl/private/yourdomain.com |
| DOMAIN_PRETIX | Domain name for pretix service | ticketshop.yourdomain.com |
| DOMAIN_WORDPRESS | Domain name for wordpress service | wordpress.yourdomain.com |

Volume Mappings

| Host Path | Container Path | Purpose |
|---|---|---|
| ./nginx | /etc/nginx/conf.d | nginx configuration |
| ${SSL_CERTS_NGINX} | /etc/ssl/certs | SSL certificates |

Ports

| Service | Host Port | Container Port | Purpose |
|---|---|---|---|
| nginx | 80 | 80 | HTTP (redirects to HTTPS) |
| nginx | 443 | 443 | HTTPS (main access) |

Services

nginx

  • Image: nginx:alpine
  • Purpose: Reverse proxy with SSL termination and PROXY protocol support
  • Features:
    • HTTP to HTTPS redirect
    • PROXY protocol support for load balancers
    • Real IP address forwarding
    • Proper header preservation
    • Multi-domain routing
  • Configuration: Mounted from ./nginx directory
  • Backend Services:
    • pretix:80 for pretix domain
    • wordpress:80 for wordpress domain

Proxy Configuration

PROXY Protocol Support

The nginx configuration includes PROXY protocol support to properly handle requests from upstream proxies:

    listen 443 ssl proxy_protocol default_server;
    real_ip_header proxy_protocol;
    set_real_ip_from 0.0.0.0/0;
    set_real_ip_from ::/0;
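
The `set_real_ip_from 0.0.0.0/0` and `::/0` lines above make nginx accept the PROXY protocol client address from any peer, so the real-IP values are only trustworthy when port 443 can be reached solely through the load balancer. The check below is an added example, not part of this repository: `audit_real_ip` and `demo_audit` are hypothetical helper names, both sample configs are constructed, and `192.0.2.0/24` is a placeholder for your load balancer's address range.

```shell
#!/bin/sh
# Added example (not from this repository).
# audit_real_ip FILE: report set_real_ip_from directives that trust every source.
# Returns 0 if none found, 1 if a catch-all range is trusted, 2 if FILE is unreadable.
audit_real_ip() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments first so commented-out directives are not reported.
    hits=$(sed 's/#.*//' "$conf" |
        grep -nE '^[[:space:]]*set_real_ip_from[[:space:]]+(0\.0\.0\.0/0|::/0)[[:space:]]*;' || true)
    if [ -n "$hits" ]; then
        printf 'catch-all trusted source in %s:\n%s\n' "$conf" "$hits" >&2
        return 1
    fi
    return 0
}

# Runs the audit on two constructed configs and prints both return codes.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    # Constructed sample 1: the directives shown in this README.
    cat > "$tmp/open.conf" <<'EOF'
listen 443 ssl proxy_protocol default_server;
real_ip_header proxy_protocol;
set_real_ip_from 0.0.0.0/0;
set_real_ip_from ::/0;
EOF
    # Constructed sample 2: trust limited to a placeholder range (assumption).
    cat > "$tmp/restricted.conf" <<'EOF'
listen 443 ssl proxy_protocol default_server;
real_ip_header proxy_protocol;
set_real_ip_from 192.0.2.0/24;  # placeholder: your load balancer's range
EOF
    audit_real_ip "$tmp/open.conf" && open_rc=0 || open_rc=$?
    audit_real_ip "$tmp/restricted.conf" && restricted_rc=0 || restricted_rc=$?
    rm -rf "$tmp"
    echo "open=$open_rc restricted=$restricted_rc"
}

demo_audit
```

To check a real deployment, call `audit_real_ip nginx/default.conf` after `./setup.sh` has generated the file.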

Required Headers

The setup automatically sets these headers for proper proxy operation:

  • X-Real-IP: Original client IP address
  • X-Forwarded-For: Client IP address chain
  • X-Forwarded-Proto: Protocol (https)
  • X-Forwarded-Host: Original host header
  • X-Forwarded-Port: Port (443)
  • X-Forwarded-Server: Server name

Upstream Proxy Requirements

If you're using an upstream proxy or load balancer, ensure it:

  1. Sends PROXY protocol headers (v1 or v2)
  2. Forwards the original client IP in the PROXY protocol
  3. Preserves the Host header from the original request
  4. Handles SSL termination properly if terminating SSL

Setup Script

The setup.sh script performs the following operations:

  1. Loads environment variables from .env file
  2. Creates Docker network reverse-proxy if it doesn't exist
  3. Generates nginx configuration from template using domain variables
  4. Validates configuration before starting services

Customization

SSL Configuration

The setup expects SSL certificates in the following format:

  • Certificate: /etc/ssl/certs/fullchain.pem
  • Private key: /etc/ssl/certs/privkey.pem

You can customize SSL settings by editing the generated nginx/default.conf file.

Testing

Test your proxy configuration:

    # Test HTTP to HTTPS redirect
    curl -I http://ticketshop.yourdomain.com

    # Test HTTPS connection
    curl -I https://ticketshop.yourdomain.com

    # Test with PROXY protocol (if using a proxy)
    # Use appropriate tools for your proxy setup

Debugging

    # Check nginx configuration
    docker compose exec nginx nginx -t

    # View nginx logs
    docker compose logs nginx

    # Check network connectivity
    docker compose exec nginx ping pretix
    docker compose exec nginx ping wordpress

Network Configuration

Docker Networks

The setup uses the reverse-proxy network to communicate with backend services:

    # Create network if not exists
    docker network create reverse-proxy

    # Connect backend services to network
    docker network connect reverse-proxy pretix
    docker network connect reverse-proxy wordpress

Note: nginx is attached to reverse-proxy via compose.override.yml. Prefer adding reverse-proxy to your backend services' Compose files under their networks to persist the configuration across restarts.

Backend Service Requirements

Your pretix and wordpress services should:

  1. Be accessible on the reverse-proxy network
  2. Listen on port 80 (or be configured for the expected ports)
  3. Handle forwarded headers properly
  4. Be configured for HTTPS URLs (since nginx terminates SSL in front of them)

Support

License

This setup is provided as-is. nginx is licensed under the 2-clause BSD license.