Reverse proxy docker image

Common network

For containers to talk to each other, a common network is required. It is a two-step process:

  • Manage common network
  • Connect containers to the common network

Common network management

The network is started by the rproxy user with ~/bin/startNetwork.sh and stopped with the equivalent stop script. The network name is docker_network.

Connect containers

Add

networks:
  default:
    name: docker_network
    external: true

to your docker-compose.yaml (the top-level key is networks, plural; external: true tells compose to attach to the existing docker_network instead of creating a project network). This assumes your docker-compose.yaml does not already do anything special with networks; if it does, attach the relevant services to docker_network explicitly instead.

Docker image

An HTTP splitter that routes requests to sub-resources. So far it serves a generic nginx page; further switches (per-site routes) will be added. General info is in the table:

User                  rproxy
Docker image          nginx
Docker compose        ~rproxy/config/rproxy-compose.yaml
Page X config         ~rproxy/config/conf.d/X.conf
Startup script        ~rproxy/bin/startRproxy.sh
Stop script           ~rproxy/bin/stopRproxy.sh
Configuration reload  ~rproxy/bin/reloadRproxy.sh

Default landing page, default.conf, klimt.fmf.uni-lj.si

The default landing page points to an rproxy-managed site at ~/www/landing (the nginx container sees it as /var/www/landing). TLS is terminated with a certificate issued by NIXLJU-CA, and HTTPS is enforced by redirecting every plain-HTTP request:

#HTTP -> redirect every plain-HTTP request to HTTPS
server {
    listen       80;
    listen  [::]:80;
    server_name klimt.fmf.uni-lj.si;
    return 301 https://$host$request_uri;
}

#HTTPS
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name klimt.fmf.uni-lj.si;

    [...]

    #SSL: server certificate bundled with the NIXLJU-CA chain, plus its private key
    ssl_certificate /var/www/klimtBundle.crt;
    ssl_certificate_key /var/www/klimt.key;

    [...]

    location / {
        root /var/www/landing;
    }
}


The faculty's outer reverse proxy, rp0.fmf.uni-lj.si, is configured with NIXLJU-CA_chain.crt as a trusted CA, so its connection to klimt is trusted.

Invenio, invenio.conf, invenio.fmf.uni-lj.si

HTTPS is strictly enforced exactly as for the default page. server_name is set to invenio.fmf.uni-lj.si to enable name-based routing. Processing is delegated to the Invenio reverse proxy frontend (the frontend container on the common network). Load balancing can be added later by listing additional servers in the upstream block.


upstream frontend {
  server frontend:443;   #the Invenio frontend container, reached over docker_network
  #could add more servers for load balancing
}

#HTTPS
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name invenio.fmf.uni-lj.si;

    [...]

    location / {
        #CA chain used to verify the frontend's certificate (only consulted when proxy_ssl_verify is on)
        proxy_ssl_trusted_certificate /var/www/NIXLJU-CA_chain.crt;
        proxy_pass https://frontend;
        #rewrite Location/Refresh headers sent by the frontend back to the public name
        proxy_redirect https://frontend https://invenio.fmf.uni-lj.si;
    }
}


The proxy_ssl_trusted_certificate directive tells rproxy which CA certificates (here the NIXLJU-CA chain) to use when verifying the frontend's certificate. Note that nginx only performs that verification when proxy_ssl_verify is on; it defaults to off, so make sure it is set (in the elided part of the server block or in the location), otherwise the trusted certificate file is never consulted and any certificate is accepted. When verification is on, the certificate is also checked against proxy_ssl_name, which defaults to the host of proxy_pass, so the frontend's certificate must be issued for the name frontend.

SSL on nginx

TLS protects the traffic between the proxies and the backend servers.

Unlike Apache (SSLCertificateChainFile), nginx has no separate directive for the CA chain: the server certificate and the CA chain must be concatenated into the single file given to ssl_certificate. The order matters: the server certificate must come first, followed by the intermediate/CA certificates (the chain). For NIX certificates,

cat frontend.crt NIXLJU-CA_chain.crt > frontendBundle.crt
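The following script, added here as an example and not one of the ~rproxy scripts, bundles a server certificate exactly as above and checks the order before nginx is reloaded. It assumes openssl(1) is installed; the CA and the frontend certificate it generates are throwaway test material standing in for NIXLJU-CA_chain.crt and frontend.crt, not real NIXLJU-CA certificates.

```shell
#!/bin/sh
# Added example, not one of the ~rproxy scripts: bundle a server certificate with
# the NIXLJU-CA chain as the page describes and verify the order before nginx
# reloads it. Assumes openssl(1) is installed; every certificate below is
# throwaway test material generated on the fly, not a real NIXLJU-CA certificate.
set -eu

# Split a PEM bundle ($1) into one file per certificate in directory $2,
# numbered in the order they appear (cert01.pem, cert02.pem, ...).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > out }
    ' "$1"
}

# Succeed only if every certificate in bundle $1 is issued by the certificate that
# follows it: server certificate first, then its issuer, up to the CA. That is the
# order nginx expects in ssl_certificate; with the CA first nginx reports a
# key/certificate mismatch because it pairs the private key with the first entry.
check_bundle_order() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    prev_issuer=""
    rc=0
    for f in "$tmp"/cert*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        # the previous certificate's issuer must be this certificate's subject
        if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subject#subject=}" ]; then
            rc=1
            break
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed test material in directory $1: a throwaway CA (standing in for
# NIXLJU-CA_chain.crt) and a certificate for the host name "frontend" signed by it.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/NIXLJU-CA_chain.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=frontend" \
        -keyout "$1/frontend.key" -out "$1/frontend.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/frontend.csr" \
        -CA "$1/NIXLJU-CA_chain.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/frontend.crt" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_test_certs "$dir"
    # the page's bundling command: server certificate first, CA chain second
    cat "$dir/frontend.crt" "$dir/NIXLJU-CA_chain.crt" > "$dir/frontendBundle.crt"
    check_bundle_order "$dir/frontendBundle.crt" && echo "frontendBundle.crt: order OK"
    # the other way round is the classic mistake nginx refuses to load
    cat "$dir/NIXLJU-CA_chain.crt" "$dir/frontend.crt" > "$dir/wrongBundle.crt"
    check_bundle_order "$dir/wrongBundle.crt" || echo "wrongBundle.crt: CA before server certificate"
    rm -rf "$dir"
}

demo
```

Run it once after producing a new bundle; a failing check_bundle_order means the cat arguments were swapped (or an intermediate is missing), which is cheaper to find here than from nginx's startup error.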

Reverse proxy at FMF

Setup after klimt reboot

If klimt is rebooted, its IP address might change. For named services (resolved through DNS) this is fine, but the faculty reverse proxy (rp) reaches klimt through a temporary name that is mapped to a fixed IP address in /etc/hosts on rp, so name resolution for klimt keeps working there. After a reboot, edit /etc/hosts on rp and put in the correct/new IP address.

Resolved cache

Old IPs get stuck in the cache of systemd-resolved. Clear the cache by running (resolvectl flush-caches on newer systemd versions):

systemd-resolve --flush-caches

Apache also keeps the old upstream IP it resolved earlier, so it has to be restarted to drop it:

/etc/init.d/apache2 restart 
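An added example, not one of the rp scripts, that does the three steps above as one script: rewrite the temporary name's entry in /etc/hosts, flush systemd-resolved, restart Apache. The page does not give the temporary name, so TEMP_NAME below is a placeholder to adjust; update_klimt_ip is the real procedure and must be run as root on rp, while the demo only exercises the hosts-file rewrite on a constructed copy.

```shell
#!/bin/sh
# Added example, not one of the rp scripts: update the temporary name's entry in
# /etc/hosts on rp after klimt came back with a new address, then drop the stale
# IPs from systemd-resolved and Apache. TEMP_NAME is a placeholder; the page does
# not give the real temporary name, adjust it before use.
set -eu

TEMP_NAME="${TEMP_NAME:-klimt-tmp.fmf.uni-lj.si}"   # assumed placeholder

# Print the address a hosts file ($1) maps the name $2 to (nothing if absent).
hosts_lookup() {
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Print hosts file $1 with the address of name $2 replaced by $3, appending a new
# line if the name was not present. Other lines and comments are left untouched;
# the result goes to stdout so it can be reviewed before it is written back.
hosts_set() {
    case "$3" in                     # loose IPv4 sanity check, rejects typos like "192.0.2.x"
        *[!0-9.]*|"") echo "hosts_set: '$3' is not an IPv4 address" >&2; return 1 ;;
    esac
    awk -v name="$2" -v ip="$3" '
        BEGIN { done = 0 }
        $1 !~ /^#/ {
            for (i = 2; i <= NF; i++)
                if ($i == name) { sub(/^[ \t]*[^ \t]+/, ip); done = 1; break }
        }
        { print }
        END { if (!done) print ip "\t" name }
    ' "$1"
}

# The actual procedure from the page, to be run as root on rp with the new IP as $1.
update_klimt_ip() {
    hosts_set /etc/hosts "$TEMP_NAME" "$1" > /etc/hosts.new
    mv /etc/hosts.new /etc/hosts
    systemd-resolve --flush-caches      # resolvectl flush-caches on newer systemd
    /etc/init.d/apache2 restart         # Apache keeps the old upstream IP until restarted
}

# Dry run on a constructed hosts file so the rewrite can be inspected safely.
demo() {
    f=$(mktemp)
    printf '127.0.0.1\tlocalhost\n192.0.2.10\t%s\n' "$TEMP_NAME" > "$f"   # constructed sample
    echo "before: $(hosts_lookup "$f" "$TEMP_NAME")"
    hosts_set "$f" "$TEMP_NAME" 192.0.2.20 > "$f.new" && mv "$f.new" "$f"
    echo "after:  $(hosts_lookup "$f" "$TEMP_NAME")"
    cat "$f"
    rm -f "$f"
}

demo
```

Writing to /etc/hosts.new and then renaming keeps the file consistent at every moment, which matters because resolution on rp depends on that entry; flushing the resolver cache without restarting Apache is not enough, since Apache holds its own copy of the resolved address.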

Discussion