From 2119b8c666f7cf71ea8f7f08f67b9febbbe434c5 Mon Sep 17 00:00:00 2001
From: thomasabishop
Date: Sun, 9 Mar 2025 15:51:47 +0000
Subject: [PATCH] proxy: set up reverse proxy

---
 proxy/nginx/conf.d/grafana.conf | 33 ++++++++++++++++++++++++++
 proxy/nginx/docker-compose.yml | 16 +++++++++++++
 services/grafana/README.md | 36 +++++++++++++++++++++++++++++
 services/grafana/docker-compose.yml | 8 +++++++
 4 files changed, 93 insertions(+)
 create mode 100644 proxy/nginx/conf.d/grafana.conf
 create mode 100644 proxy/nginx/docker-compose.yml

diff --git a/proxy/nginx/conf.d/grafana.conf b/proxy/nginx/conf.d/grafana.conf
new file mode 100644
index 0000000..b308026
--- /dev/null
+++ b/proxy/nginx/conf.d/grafana.conf
@@ -0,0 +1,33 @@
+# HTTP configuration
+# -- Redirect all HTTP requests to HTTPS port
+
+server {
+ listen 80; # HTTP port
+ server_name grafana.systemsobscure.net;
+ location / {
+ return 301 https://$host$request_uri; # Variable is a placeholder for all requests to the server name
+ }
+}
+
+# HTTPS configuration
+
+server {
+ listen 443 ssl;
+ server_name grafana.systemsobscure.net;
+
+ # SSL configuration
+ ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem
+ ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # Proxy Configuration
+ location / {
+ proxy_pass http://grafana:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/proxy/nginx/docker-compose.yml b/proxy/nginx/docker-compose.yml
new file mode 100644
index 0000000..3348a3f
--- /dev/null
+++ b/proxy/nginx/docker-compose.yml
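Review bot: The `ssl_certificate` directive in the HTTPS server block has no terminating semicolon, so nginx reads the following `ssl_certificate_key` line as additional arguments of the same directive and `nginx -t` rejects the file (invalid number of arguments); the line should read `ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem;`. Separately, the HTTP block's `return 301 https://$host$request_uri;` reflects the client-supplied Host header, and if this is the only (hence default) server on port 80 a request with an arbitrary Host becomes a redirect to that host; `return 301 https://$server_name$request_uri;` avoids that. No `ssl_protocols` or `ssl_ciphers` are set, so the image's defaults apply; pinning `ssl_protocols TLSv1.2 TLSv1.3;` keeps the HSTS-protected endpoint off legacy TLS. The certificate under `live/systemsobscure.net/` must also cover `grafana.systemsobscure.net` as a SAN or wildcard for the 443 block to be served without errors — not verifiable from this diff.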
@@ -0,0 +1,16 @@
+services:
+ nginx:
+ image: nginx:latest
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./conf.d:/etc/nginx/conf.d
+ - /etc/letsencrypt:/etc/letsencrypt:ro
+ restart: unless-stopped
+ networks:
+ - web
+
+networks:
+ web:
+ external: true
diff --git a/services/grafana/README.md b/services/grafana/README.md
index db55f6f..68266c4 100644
--- a/services/grafana/README.md
+++ b/services/grafana/README.md
@@ -23,3 +23,39 @@ can scrape. Node Exporter is one of these - it exposes hardware and OS metrics Loki is for storing and displaying logs. This is part of Grafana. Promtail (also part of Grafana) is for collecting the logs.
+
+## Explaining reverse proxy
+
+Yes, that's correct. Let me break down how the overall system works at the top level:
+
+Nginx (Your Reverse Proxy)
+
+Listens on public ports 80 (HTTP) and 443 (HTTPS)
+Has separate config files in conf.d/ for each service
+Each config file (like grafana.conf) specifies:
+
+The domain name (grafana.systemsobscure.net)
+HTTPS certificate configuration
+Redirection from HTTP to HTTPS
+Which internal service and port to route requests to (e.g., grafana:3000)
+
+Docker Networks
+
+A shared external network (typically called "web") connects Nginx to all your services
+Each service also has its own internal network for service-specific communication
+
+Services (Grafana, etc.)
+
+Run on their own internal ports (Grafana on 3000, etc.)
+Connect to the shared "web" network so Nginx can reach them
+Are NOT directly exposed to the internet
+
+The flow works like this:
+
+User requests grafana.systemsobscure.net
+Request hits your server on port 80/443
+Nginx receives it, finds the matching server_name in conf.d
+Nginx forwards the request to the internal Grafana container on port 3000
+Response flows back through the same path
+
+This setup keeps your services secure by only exposing them through the Nginx proxy, which handles all SSL termination and access control.
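Review bot: `image: nginx:latest` on the new `nginx` service is an unpinned, mutable tag, so any `docker compose pull` or image refresh can silently swap in a different build of the one container that holds the TLS private key and is published on 80/443; pin a specific release tag and preferably its `@sha256:` digest, e.g. `image: nginx:1.27` plus the digest. The `/etc/letsencrypt:/etc/letsencrypt:ro` mount gives the container every certificate and private key on the host rather than only the `live/` and `archive/` directories for `systemsobscure.net`; if other domains are issued on this host, narrow the bind to those two paths. The `ports` entries are correctly quoted, which avoids the YAML sexagesimal trap for low port numbers.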
diff --git a/services/grafana/docker-compose.yml b/services/grafana/docker-compose.yml
index 7a199b7..835cf34 100644
--- a/services/grafana/docker-compose.yml
+++ b/services/grafana/docker-compose.yml
@@ -41,8 +41,16 @@ services:
 - GF_USERS_ALLOW_SIGN_UP=false
 ports:
 - "3000:3000" # For local testing; remove in production with nginx
+ networks:
+ - default
+ - web
 volumes:
 prometheus_data:
 loki_data:
 grafana_data:
+
+networks:
+ default:
+ web:
+ external: true
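Review bot: The hunk attaches Grafana to the `web` network so nginx can reach it, but leaves `ports: - "3000:3000"` in place, so Grafana stays reachable from outside over plain HTTP on port 3000, bypassing the TLS termination and HSTS the proxy adds (Docker-published ports also bypass typical host firewall rules); the README added in this same commit states the services are not directly exposed, which is not true while this mapping survives. Now that nginx is in place, drop the `ports:` entry as its own comment suggests, or bind it to loopback with `- "127.0.0.1:3000:3000"` if local testing still needs it. The `services:` block this hunk modifies begins above the hunk, so the grafana service definition's start is not visible here.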