thomasabishop/self-host
thomasabishop/self-host
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

proxy: set up reverse proxy

Browse source
This commit is contained in:
thomasabishop 2025-03-09 15:51:47 +00:00
parent f9684532bd
commit 2119b8c666
4 changed files with 93 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
proxy/nginx/conf.d/grafana.conf Normal file
View file

@ -0,0 +1,33 @@
# HTTP configuration
# -- Redirect all HTTP requests to HTTPS port
server {
listen 80; # HTTP port
server_name grafana.systemsobscure.net;
location / {
return 301 https://$host$request_uri; # Variable is a placeholder for all requests to the server name
}
}
# HTTPS configuration
server {
listen 443 ssl;
server_name grafana.systemsobscure.net;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Proxy Configuration
location / {
proxy_pass http://grafana:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

16
proxy/nginx/docker-compose.yml Normal file
View file

@ -0,0 +1,16 @@
services:
nginx:
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
networks:
- web
networks:
web:
external: true

36
services/grafana/README.md
View file

@ -23,3 +23,39 @@ can scrape. Node Exporter is one of these - it exposes hardware and OS metrics
Loki is for storing and displaying logs. This is part of Grafana. Promtail (also Loki is for storing and displaying logs. This is part of Grafana. Promtail (also
part of Grafana) is for collecting the logs. part of Grafana) is for collecting the logs.
## Explaining reverse proxy
Yes, that's correct. Let me break down how the overall system works at the top level:
Nginx (Your Reverse Proxy)
Listens on public ports 80 (HTTP) and 443 (HTTPS)
Has separate config files in conf.d/ for each service
Each config file (like grafana.conf) specifies:
The domain name (grafana.systemsobscure.net)
HTTPS certificate configuration
Redirection from HTTP to HTTPS
Which internal service and port to route requests to (e.g., grafana:3000)
Docker Networks
A shared external network (typically called "web") connects Nginx to all your services
Each service also has its own internal network for service-specific communication
Services (Grafana, etc.)
Run on their own internal ports (Grafana on 3000, etc.)
Connect to the shared "web" network so Nginx can reach them
Are NOT directly exposed to the internet
The flow works like this:
User requests grafana.systemsobscure.net
Request hits your server on port 80/443
Nginx receives it, finds the matching server_name in conf.d
Nginx forwards the request to the internal Grafana container on port 3000
Response flows back through the same path
This setup keeps your services secure by only exposing them through the Nginx proxy, which handles all SSL termination and access control.

8
services/grafana/docker-compose.yml
View file

@ -41,8 +41,16 @@ services:
- GF_USERS_ALLOW_SIGN_UP=false - GF_USERS_ALLOW_SIGN_UP=false
ports: ports:
- "3000:3000" # For local testing; remove in production with nginx - "3000:3000" # For local testing; remove in production with nginx
networks:
- default
- web
volumes: volumes:
prometheus_data: prometheus_data:
loki_data: loki_data:
grafana_data: grafana_data:
networks:
default:
web:
external: true