Live Docker NocoDB Django Postgres Project:


6. Nginx Reverse Proxy Introduction

Nginx reverse proxy setup for this branch or local instance (repo/nginx_ssl/README.md)

How to generate SSL certificates

Workflow use:

The workflow obtains the certificate and key automatically from GitHub secrets; make sure the GitHub secrets (WORKFLOW_PROD_SERVER_DOMAIN, WORKFLOW_PROD_SERVER_CERT, WORKFLOW_PROD_SERVER_KEY) are set up correctly.

Production use:

Use the certbot tool (which uses Let's Encrypt) to generate a certificate and key for the main domain.
The server you run this on must be the production server whose IP address the DNS records point to; otherwise you will need DNS access to add 2 TXT records and wait quite a while for DNS to propagate.

sudo su -
apt install certbot
certbot certonly --manual --preferred-challenges=dns --email spanik11@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d launch.rentals -d *.launch.rentals
# make sure you're copying the latest .pem in the archive directory (we aren't using the live directory from certbot as it's a symlink)
cp /etc/letsencrypt/archive/launch.rentals/fullchain1.pem nginx.crt
cp /etc/letsencrypt/archive/launch.rentals/privkey1.pem nginx.key
chown ga:ga nginx.crt
chown ga:ga nginx.key

Save the resulting certificate and key to GitHub secrets (WORKFLOW_PROD_SERVER_CERT, WORKFLOW_PROD_SERVER_KEY).

Important! The certificate is only valid for 90 days! Make sure to add a calendar event in the ~75-80 day range for manual renewal, or set up an auth hook (no idea, never done that).

Alternative (untrusted certificate):

Generate a certificate and key for the main domain:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx.key -out nginx.crt

The current certificate is available in GitHub secrets (WORKFLOW_PROD_SERVER_CERT, WORKFLOW_PROD_SERVER_KEY) and in /home/osp on the production server.
The certificate must include the BEGIN header and END footer, otherwise nginx won't recognize it!
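Before saving a certificate/key pair to the GitHub secrets, it is worth checking the two things this README warns about: the BEGIN/END framing nginx needs and the 90-day expiry. The script below is an added example, not part of the project; it assumes openssl is installed and uses the file names from this README. It also checks that nginx.key really belongs to nginx.crt, and wraps the self-signed command above with a -subj so it can run without prompting.

```shell
#!/bin/sh
# Pre-flight checks for the nginx.crt / nginx.key pair before it goes into the
# GitHub secrets (WORKFLOW_PROD_SERVER_CERT / WORKFLOW_PROD_SERVER_KEY).
# Assumes openssl is on PATH. Usage: check_bundle nginx.crt nginx.key [warn_days]

# 0 if FILE carries the "-----BEGIN ...KIND-----" / "-----END ...KIND-----"
# framing nginx expects (KIND is CERTIFICATE or PRIVATE KEY), 1 otherwise.
pem_framed() {
  grep -q -e "-----BEGIN [A-Z ]*$2-----" "$1" && grep -q -e "-----END [A-Z ]*$2-----" "$1"
}

# 0 if private key KEY belongs to certificate CRT (identical public key), 1 otherwise.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if CRT expires within DAYS days (or already has), 1 if it is good beyond that.
# Uses openssl's own -checkend so it does not depend on GNU date.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The README's self-signed command (local dev only) plus -subj so it never prompts.
make_self_signed() {   # DOMAIN KEY CRT DAYS
  openssl req -x509 -nodes -days "$4" -newkey rsa:2048 -keyout "$2" -out "$3" \
    -subj "/CN=$1" 2>/dev/null
}

# Runs all checks on CRT/KEY; one line per check; non-zero if nginx would reject
# the pair or the key is wrong. WARN_DAYS defaults to 15, i.e. the renew-at-day-75
# point of a 90-day Let's Encrypt certificate.
check_bundle() {
  crt=$1; key=$2; warn=${3:-15}; rc=0
  pem_framed "$crt" CERTIFICATE   && echo "ok   cert PEM framing" || { echo "FAIL cert PEM framing"; rc=1; }
  pem_framed "$key" "PRIVATE KEY" && echo "ok   key PEM framing"  || { echo "FAIL key PEM framing"; rc=1; }
  key_matches_cert "$crt" "$key"  && echo "ok   key matches cert" || { echo "FAIL key does not match cert"; rc=1; }
  echo "     $(openssl x509 -in "$crt" -noout -enddate 2>/dev/null)"
  if expires_within_days "$crt" "$warn"; then echo "WARN cert expires within $warn days, renew now"; fi
  return $rc
}
```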

DNS:

Add the following DNS records for production:

Docker Compose Snippet

The GitHub Actions CI/CD workflow remaps these port mappings to free dynamic ports so that the Nginx Gateway can take over the given ports. The Nginx Gateway then routes each subdomain to the individual Nginx reverse proxy instance for that branch.


  # Local development only - ssl certificate generator and nginx.template.conf reconfigurator
  nginx-dev-reconfig:
    image: alpine:...
    profiles:
      - dev
    command: ...
    environment:
      - SERVER_DOMAIN_PRESENTATION=${NGINX_ALLOW_SERVER_DOMAIN_PRESENTATION}
      - SERVER_DOMAIN_COMPANY=${NGINX_ALLOW_SERVER_DOMAIN_COMPANY}
    volumes:
      - ./nginx_ssl:...
    networks:
      - common_network

  # Reverse proxy for main and company domains to handle HTTPS and combine frontend and backend ports
  nginx_reverse_proxy:
    image: nginx:...
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
      - "8443:8443"
    environment:
      - DEV_ENV=${DEV_ENV}
      - NGINX_ALLOW_...
    command: ...
    volumes:
      - ./nginx_ssl:...
    depends_on:
      presentation_frontend:
        condition: service_healthy
      company_admin_frontend:
        condition: service_healthy
      presentation_backend:
        condition: service_healthy
      company_admin_backend:
        condition: service_healthy
    networks:
      - common_network
    restart: unless-stopped
    logging:
      driver: ...
      options:
        syslog-address: ...
        tag: ...