Add support for env variables within nginx.conf

- rename `config/nginx/nginx.conf` into `config/nginx/nginx.conf.template`
- expose (envsubst) the following `.env` variables into `nginx.conf.template`:
  - `WEBGIS_PUBLIC_HOSTNAME`
  - `WEBGIS_ADMIN_EMAIL` (new)
  - `WEBGIS_SSL` (new)
- new folder `config/nginx/conf/`
- simplify `README.md` steps related to HTTPS additional setup
- refactor `run_certbot.sh` (ref: #77)
-

.env.example

@@ -1,5 +1,7 @@
 # Public hostmane
 WEBGIS_PUBLIC_HOSTNAME=dev.g3wsuite.it
+WEBGIS_ADMIN_EMAIL=[email protected]
+# WEBGIS_SSL=1
 
 # Shared volume mount (docker internal: shared-volume)
 # I suggest not to use the /tmp/ folder, /tmp/ folder is cleaned at each reboot

README.md

@@ -97,10 +97,9 @@ the conf file will be mounted into docker container at runtime to PGSERVICEFILE
 
 To active https with LetsEncrypt just follow the following instructions:
 
-- uncomment ssl section within `config/nginx/nginx.conf`
-- update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` and `config/nginx/nginx.conf` files
+- toggle `WEBGIS_SSL` environment variable within your `.env` file
 - launch `sudo ./run_certbot.sh`
-- restart compose: `docker compose down && docker compose up -d`
+- restart compose: `docker compose up -d --force-recreate`
 - make sure the certs are renewed by adding a cron job with `sudo crontab -e` and add the following line:
   `0 3 * * * /<path_to_your_docker_files>/run_certbot.sh`
 

config/nginx/django → config/nginx/conf/django

@@ -1,6 +1,6 @@
 # HTTP reverse proxy server (g3w-suite)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     keepalive_timeout                   500;
@@ -21,7 +21,7 @@ server {
 
 # HTTPS (redirect)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     return 302 http://$host:8080$request_uri;

config/nginx/django_ssl → config/nginx/conf/django_ssl

@@ -1,7 +1,7 @@
 # HTTPS reverse proxy server (g3w-suite)
 server {
-  include /etc/nginx/conf.d/locations;
-  include /etc/nginx/conf.d/letsencrypt;
+  include /etc/nginx/conf.d/conf/locations;
+  include /etc/nginx/conf.d/conf/letsencrypt;
 
   location / {
     proxy_read_timeout                  120;
@@ -19,7 +19,7 @@ server {
 
 # HTTP (redirect)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     return 301 https://$host$request_uri;

config/nginx/locations → config/nginx/conf/locations

@@ -1,4 +1,4 @@
-include /etc/nginx/conf.d/error_pages;
+include /etc/nginx/conf.d/conf/error_pages;
 
 # Block *.php
 location ~\.php$ {
@@ -27,4 +27,4 @@ location /.well-known/acme-challenge/ {
   root /var/www;
 }
 
-server_name $WEBGIS_PUBLIC_HOSTNAME;
+server_name $NGINX_SERVER_NAME;

config/nginx/html/502.html

@@ -183,9 +183,9 @@ <h1 class="error-title">Bad Gateway</h1>
         </g>
     </svg>
   </main>
-  <!--# if expr="WEBGIS_ADMIN_EMAIL" -->
+  <!--# if expr="NGINX_ADMIN_EMAIL" -->
   <aside class="report-bug">
-    <a href="mailto:<!--# echo var='WEBGIS_ADMIN_EMAIL'-->?subject=[502] Bad Gateway - <!--# echo var='HOST' default=''-->&body=Bug report" style="text-decoration-line: none;" title="Bug report">🪲</a>
+    <a href="mailto:<!--# echo var='NGINX_ADMIN_EMAIL'-->?subject=[502] Bad Gateway - <!--# echo var='HOST' default=''-->&body=Bug report" style="text-decoration-line: none;" title="Bug report">🪲</a>
   </aside>
   <!--# endif -->
   <script>

config/nginx/nginx.conf.template

@@ -0,0 +1,22 @@
+client_max_body_size 200M;
+client_body_timeout  600;
+
+upstream g3w_suite {
+  ip_hash;
+  server g3w-suite:8000;
+}
+
+# Expose some ENV variables in NGINX config from docker-compose.yml
+# -----------------------------------------------------------------
+# Ref: docker-nginx/entrypoint/20-envsubst-on-templates.sh
+
+map "" $NGINX_SERVER_NAME {
+  default $WEBGIS_PUBLIC_HOSTNAME;                       # ENVSUBST
+}
+
+map "" $NGINX_ADMIN_EMAIL {
+  default $WEBGIS_ADMIN_EMAIL;                           # ENVSUBST
+}
+
+# HTTP(S) server
+include /etc/nginx/conf.d/conf/django$WEBGIS_SSL;        # ENVSUBST

docker-compose-consumer.yml

@@ -129,12 +129,19 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME=${WEBGIS_PUBLIC_HOSTNAME:-dev.g3wsuite.it}
+      - WEBGIS_ADMIN_EMAIL=${WEBGIS_ADMIN_EMAIL:[email protected]}
+      - WEBGIS_SSL=${WEBGIS_SSL:+_ssl}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
+      - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/conf.d
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d/:ro
+      - ./config/nginx:/etc/nginx/conf.d/
+      - ./config/nginx/conf:/etc/nginx/conf.d/conf/:ro
       - ./config/nginx/html:/var/www/html:ro
     logging:
       driver: "json-file"

docker-compose.yml

@@ -86,12 +86,19 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME=${WEBGIS_PUBLIC_HOSTNAME:-dev.g3wsuite.it}
+      - WEBGIS_ADMIN_EMAIL=${WEBGIS_ADMIN_EMAIL:[email protected]}
+      - WEBGIS_SSL=${WEBGIS_SSL:+_ssl}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
+      - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/conf.d
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d/:ro
+      - ./config/nginx:/etc/nginx/conf.d/
+      - ./config/nginx/conf:/etc/nginx/conf.d/conf/:ro
       - ./config/nginx/html:/var/www/html:ro
     logging:
       driver: "json-file"

run_certbot.sh

@@ -16,16 +16,25 @@ if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then
     exit 1
 fi
 
-mkdir -p "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/"
+certs_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt"
+acme_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known"
+default_ssl_conf="https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
+default_ssl_pem="https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
+domain="$WEBGIS_PUBLIC_HOSTNAME"
 
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/options-ssl-nginx.conf"
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/ssl-dhparams.pem"
+# STEP 1
+echo "### Downloading recommended TLS parameters ..."
+mkdir -p "$certs_folder"
+curl -s "$default_ssl_conf" > "${certs_folder}/options-ssl-nginx.conf"
+curl -s "$default_ssl_pem"  > "${certs_folder}/ssl-dhparams.pem"
 
-docker run -it --rm --name certbot \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known \
+# STEP 2
+echo "### Requesting Let's Encrypt certificate for $domain ..."
+docker run -it --rm --name certbot --pull=missing \
+  -v ${certs_folder}:/etc/letsencrypt \
+  -v ${acme_folder}:/var/www/.well-known \
   certbot/certbot -t certonly \
   --agree-tos --renew-by-default \
   --no-eff-email \
   --webroot -w /var/www \
-  -d ${WEBGIS_PUBLIC_HOSTNAME}
+  -d ${domain}