-rw-r--r--CHANGELOG.md10
-rw-r--r--docker-compose.yml18
-rw-r--r--nginx/nginx.conf92
-rw-r--r--nginx/ssl/.gitkeep1
4 files changed, 118 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f517504..82e98421 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@
# Upcoming Wekan release
-This release fixes the following bugs:
+This release adds the following new features:
-- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet.
+- Add optional Nginx reverse proxy config to docker-compose.yml and nginx directory. Thanks to MyTheValentinus.
+
+and fixes the following bugs:
+
+- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet. Thanks to xet7.
-Thanks to GitHub user xet7 for contributions.
+Thanks to above GitHub users for their contributions.
# v1.97 2018-12-26 Wekan release
diff --git a/docker-compose.yml b/docker-compose.yml
index 9d635a33..abcaa48b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -145,6 +145,7 @@ services:
# Docker outsideport:insideport. Do not add anything extra here.
# For example, if you want to have wekan on port 3001,
# use 3001:8080 . Do not add any extra address etc here, that way it does not work.
+ # remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
- 80:8080
environment:
- MONGO_URL=mongodb://wekandb:27017/wekan
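Review bot: The added comment tells users to remove the mapping but not what happens if they leave it in. With `- 80:8080` still present and the nginx service enabled, both services try to publish host port 80, and Wekan stays reachable directly over plain HTTP, bypassing the TLS termination and headers in nginx.conf. I would spell that out, e.g. `# Remove this port mapping when using the nginx reverse proxy below: nginx reaches wekan:8080 over the wekan-tier network, and publishing the port here bypasses TLS.` The `services:` block this hunk sits in starts and ends outside the hunk.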
@@ -492,6 +493,23 @@ services:
# ...COPY CONFIG FROM ABOVE TO HERE...
#---------------------------------------------------------------------------------
+# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
+# nginx:
+# image: nginx
+# container_name: nginx
+# restart: always
+# networks:
+# - wekan-tier
+# depends_on:
+# - wekan
+# ports:
+# - 80:80
+# - 443:443
+# volumes:
+# - ./nginx/ssl:/etc/nginx/ssl/
+# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+
+
volumes:
wekan-db:
driver: local
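Review bot: The commented-out `nginx` service uses the floating `image: nginx` tag and mounts both the config file and the certificate/key directory read-write. Pinning the image (`# image: nginx:<pinned-version>`) and mounting read-only (`# - ./nginx/ssl:/etc/nginx/ssl/:ro` and `# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro`) makes the deployment reproducible and stops the container from altering its own config or the private key on the host. The port entries are also safer quoted (`"80:80"`, `"443:443"`), so they cannot be misread by YAML 1.1 number parsing.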
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 00000000..9029a2b4
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,92 @@
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ map $http_host $this_host {
+ "" $host;
+ default $http_host;
+ }
+
+ map $http_x_forwarded_proto $the_scheme {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+ }
+
+ map $http_x_forwarded_host $the_host {
+ default $http_x_forwarded_host;
+ "" $this_host;
+ }
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ listen 443 ssl;
+
+ if ($scheme = http) {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+
+
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1;
+ add_header Strict-Transport-Security "max-age=31536000; preload";
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+
+ add_header Referrer-Policy "same-origin";
+
+ root /var/www/html;
+ client_max_body_size 10G; # 0=unlimited - set max upload size
+ fastcgi_buffers 64 4K;
+
+ gzip off;
+
+ location / {
+ proxy_pass http://wekan:8080;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ }
+}
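Review bot: The `$this_host`, `$the_scheme` and `$the_host` maps are built from the client-supplied `Host` and `X-Forwarded-*` headers but nothing uses them, and `location /` forwards neither the original host nor the scheme to Wekan. Since this nginx appears to be the outermost hop, I would drop the maps and set those headers from nginx's own `$host` and `$scheme` instead of trusting what the client sent. The `ssl_ecdh_curve` list omits X25519 and prime256v1, so with an EECDH-only cipher list a client that offers only those curves cannot complete a handshake. The HSTS header has `preload` without `includeSubDomains` and lacks `always`, so it is not sent on error responses. `client_max_body_size 10G` also lets any client make nginx accept a very large request body, which is worth lowering unless uploads of that size are expected.

```nginx
# … unchanged: user, events, log_format, $connection_upgrade map …
# ($this_host, $the_scheme and $the_host maps removed: unused)

    # … unchanged: listen, redirect, certificate paths, protocols, ciphers …
    # X25519 assumes the image's OpenSSL supports it
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # … unchanged: remaining add_header lines, root, gzip …
    location / {
      proxy_pass http://wekan:8080;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      # … unchanged: proxy_http_version, Upgrade, Connection, X-Forwarded-For …
```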
diff --git a/nginx/ssl/.gitkeep b/nginx/ssl/.gitkeep
new file mode 100644
index 00000000..1fe3dd24
--- /dev/null
+++ b/nginx/ssl/.gitkeep
@@ -0,0 +1 @@
+PLACE YOUR SSL Certificates in this folder
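Review bot: This placeholder invites users to put `server.crt` and `server.key` into a tracked directory, and the commit adds no ignore rule alongside it. Adding `nginx/ssl/*` and `!nginx/ssl/.gitkeep` to `.gitignore` would keep the directory in the repository while stopping the private key from being committed by accident. Whether an existing ignore rule already covers this path cannot be seen from this diff.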