proxy: set up reverse proxy

2025-03-09 15:51:47 +00:00 · 2025-03-09 15:51:47 +00:00 · 2119b8c666
commit 2119b8c666
parent f9684532bd
4 changed files with 93 additions and 0 deletions
--- a/proxy/nginx/conf.d/grafana.conf
+++ b/proxy/nginx/conf.d/grafana.conf
@ -0,0 +1,33 @@
+# HTTP configuration
+# -- Redirect all HTTP requests to HTTPS port
+
+server {
+	listen 80; # HTTP port
+	server_name grafana.systemsobscure.net;
+	location / {
+		return 301 https://$host$request_uri; # Variable is a placeholder for all requests to the server name
+	}
+}
+
+# HTTPS configuration 
+
+server {
+	listen 443 ssl;
+	server_name grafana.systemsobscure.net;
+
+	# SSL configuration
+	ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem
+	ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
+
+	# Security headers
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    
+	# Proxy Configuration
+  location / {
+		proxy_pass http://grafana:3000;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+}
--- a/proxy/nginx/docker-compose.yml
+++ b/proxy/nginx/docker-compose.yml
@ -0,0 +1,16 @@
+services:
+  nginx:
+    image: nginx:latest
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./conf.d:/etc/nginx/conf.d
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+    restart: unless-stopped
+    networks:
+      - web
+
+networks:
+  web:
+    external: true
--- a/services/grafana/README.md
+++ b/services/grafana/README.md
@ -23,3 +23,39 @@ can scrape. Node Exporter is one of these - it exposes hardware and OS metrics

 Loki is for storing and displaying logs. This is part of Grafana. Promtail (also
 part of Grafana) is for collecting the logs.
+
+## Explaining reverse proxy
+
+Yes, that's correct. Let me break down how the overall system works at the top level:
+
+Nginx (Your Reverse Proxy)
+
+Listens on public ports 80 (HTTP) and 443 (HTTPS)
+Has separate config files in conf.d/ for each service
+Each config file (like grafana.conf) specifies:
+
+The domain name (grafana.systemsobscure.net)
+HTTPS certificate configuration
+Redirection from HTTP to HTTPS
+Which internal service and port to route requests to (e.g., grafana:3000)
+
+Docker Networks
+
+A shared external network (typically called "web") connects Nginx to all your services
+Each service also has its own internal network for service-specific communication
+
+Services (Grafana, etc.)
+
+Run on their own internal ports (Grafana on 3000, etc.)
+Connect to the shared "web" network so Nginx can reach them
+Are NOT directly exposed to the internet
+
+The flow works like this:
+
+User requests grafana.systemsobscure.net
+Request hits your server on port 80/443
+Nginx receives it, finds the matching server_name in conf.d
+Nginx forwards the request to the internal Grafana container on port 3000
+Response flows back through the same path
+
+This setup keeps your services secure by only exposing them through the Nginx proxy, which handles all SSL termination and access control.
--- a/services/grafana/docker-compose.yml
+++ b/services/grafana/docker-compose.yml
@ -41,8 +41,16 @@ services:
      - GF_USERS_ALLOW_SIGN_UP=false
    ports:
      - "3000:3000" # For local testing; remove in production with nginx
+    networks:
+      - default
+      - web

 volumes:
  prometheus_data:
  loki_data:
  grafana_data:
+
+networks:
+  default:
+  web:
+    external: true